Only allow insecure object-src directives for whitelisted mime types

extensions/common/csp_validator.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/csp_validator.h"
 
 #include <vector>
 
 #include "base/strings/string_split.h"
 #include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/common/constants.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 
 namespace extensions {
 
 namespace csp_validator {
 
 namespace {
 
 const char kDefaultSrc[] = "default-src";
 const char kScriptSrc[] = "script-src";
 const char kObjectSrc[] = "object-src";
+const char kPluginTypes[] = "plugin-types";
 
 const char kSandboxDirectiveName[] = "sandbox";
 const char kAllowSameOriginToken[] = "allow-same-origin";
 const char kAllowTopNavigation[] = "allow-top-navigation";
 
+// This is the list of plugin types which are fully sandboxed and are safe to
+// load up in an extension, regardless of the URL they are navigated to.
+const char* const kSandboxedPluginTypes[] = {
+  "application/pdf",
+  "application/x-google-chrome-pdf",
+  "application/x-pnacl"
+};
+
 struct DirectiveStatus {
   explicit DirectiveStatus(const char* name)
     : directive_name(name)
     , seen_in_policy(false)
     , is_secure(false) {
   }
 
   const char* directive_name;
   bool seen_in_policy;
   bool is_secure;
@@ skipping 109 matching lines @@
                   int options) {
   if (status->seen_in_policy)
     return false;
   if (directive_name != status->directive_name)
     return false;
   status->seen_in_policy = true;
   status->is_secure = HasOnlySecureTokens(tokenizer, options);
   return true;
 }
 
+// Parses the plugin-types directive and returns the list of mime types
+// specified in |plugin_types|.
+bool ParsePluginTypes(const std::string& directive_name,
+                      base::StringTokenizer& tokenizer,
+                      std::vector<std::string>* plugin_types) {
+  DCHECK(plugin_types);
+
+  if (directive_name != kPluginTypes || !plugin_types->empty())
+    return false;
+
+  while (tokenizer.GetNext()) {
+    std::string mime_type = tokenizer.token();
+    base::StringToLowerASCII(&mime_type);
+    // Since we're comparing the mime types to a whitelist, we don't check them
+    // for strict validity right now.
+    plugin_types->push_back(mime_type);
+  }
+
+  return true;
+}
+
+// Returns true if the |plugin_type| is one of the fully sandboxed plugin types.
+bool PluginTypeAllowed(const std::string& plugin_type) {
+  for (size_t i = 0; i < arraysize(kSandboxedPluginTypes); ++i) {
+    if (plugin_type == kSandboxedPluginTypes[i])
+      return true;
+  }
+  return false;
+}
+
+// Returns true if the policy is allowed to contain an insecure object-src
+// directive. This requires OPTIONS_ALLOW_INSECURE_OBJECT_SRC to be specified
+// as an option and the plugin-types that can be loaded must be restricted to
+// the set specified in kSandboxedPluginTypes.
+bool AllowedToHaveInsecureObjectSrc(
+    int options,
+    const std::vector<std::string>& plugin_types) {
+  if (!(options & OPTIONS_ALLOW_INSECURE_OBJECT_SRC))
+    return false;
+
+  // plugin-types must be specified.
+  if (plugin_types.empty())
+    return false;
+
+  for (const auto& plugin_type : plugin_types) {
+    if (!PluginTypeAllowed(plugin_type))
+      return false;
+  }
+
+  return true;
+}
+
 }  //  namespace
 
 bool ContentSecurityPolicyIsLegal(const std::string& policy) {
   // We block these characters to prevent HTTP header injection when
   // representing the content security policy as an HTTP header.
   const char kBadChars[] = {',', '\r', '\n', '\0'};
 
   return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) ==
       std::string::npos;
 }
 
 bool ContentSecurityPolicyIsSecure(const std::string& policy,
                                    int options) {
   // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
   std::vector<std::string> directives;
   base::SplitString(policy, ';', &directives);
 
   DirectiveStatus default_src_status(kDefaultSrc);
   DirectiveStatus script_src_status(kScriptSrc);
   DirectiveStatus object_src_status(kObjectSrc);
 
+  std::vector<std::string> plugin_types;
+
   for (size_t i = 0; i < directives.size(); ++i) {
     std::string& input = directives[i];
     base::StringTokenizer tokenizer(input, " \t\r\n");
     if (!tokenizer.GetNext())
       continue;
 
     std::string directive_name = tokenizer.token();
     base::StringToLowerASCII(&directive_name);
 
     if (UpdateStatus(directive_name, tokenizer, &default_src_status, options))
       continue;
     if (UpdateStatus(directive_name, tokenizer, &script_src_status, options))
       continue;
     if (UpdateStatus(directive_name, tokenizer, &object_src_status, options))
       continue;
+    if (ParsePluginTypes(directive_name, tokenizer, &plugin_types))
+      continue;
   }
 
   if (script_src_status.seen_in_policy && !script_src_status.is_secure)
     return false;
 
   if (object_src_status.seen_in_policy && !object_src_status.is_secure) {
     // Note that this does not fully check the object-src source list for
     // validity but Blink will do this anyway.
-    if (!(options & OPTIONS_ALLOW_INSECURE_OBJECT_SRC))
+    if (!AllowedToHaveInsecureObjectSrc(options, plugin_types))
       return false;
   }
 
   if (default_src_status.seen_in_policy && !default_src_status.is_secure) {
     return script_src_status.seen_in_policy &&
            object_src_status.seen_in_policy;
   }
 
   return default_src_status.seen_in_policy ||
       (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
@@ skipping 36 matching lines @@
       }
     }
   }
 
   return seen_sandbox;
 }
 
 }  // namespace csp_validator
 
 }  // namespace extensions