Issue 76303002: CSP: Check <param> element values against the document's CSP before loading.

Issue 76303002: CSP: Check <param> element values against the document's CSP before loading. (Closed)

Created:
7 years, 1 month ago by Mike West

Modified:
6 years, 11 months ago

Reviewers:
Tom Sepez, abarth-chromium

CC:
blink-reviews, dglazkov+blink, adamk+blink_chromium.org, mkwst+watchlist_chromium.org, jochen (gone - plz use gerrit)

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

More Reviews

Description

CSP: Check <param> element values against the document's CSP before loading. We ought to take account of the 'param' element parsing behavior that happens in 'HTMLObjectElement'. This patch moves the pluginIsLoadable check to make that happen. To avoid 'setTimeout' in the test, and to align with the spec[1], this patch also starts dispatching an 'error' event on load failure for 'object' elements. [1]: #4.6 ("If the load failed...") of http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element BUG=320796 R=tsepez@chromium.org,abarth@chromium.org Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=164952

Patch Set 1 #

Patch Set 2 : Event. #

Total comments: 8

Patch Set 3 : Feedback. #

Patch Set 4 : Empty URLs. #

Patch Set 5 : Async. #

Created: 6 years, 11 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+125 lines, -14 lines)			Patch
M	LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt	View	1 2 3	1 chunk	+0 lines, -5 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html	View	1 2	1 chunk	+13 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt	View	1 2 3 4	1 chunk	+4 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html	View	1 2	1 chunk	+13 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt	View	1 2 3 4	1 chunk	+4 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html	View	1 2	1 chunk	+13 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt	View	1 2 3 4	1 chunk	+4 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html	View	1 2	1 chunk	+13 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt	View	1 2 3 4	1 chunk	+4 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js	View	1 2 3 4	1 chunk	+29 lines, -0 lines	0 comments	Download
M	Source/core/html/HTMLObjectElement.cpp	View	1 2 3 4	3 chunks	+15 lines, -6 lines	0 comments	Download
M	Source/core/html/HTMLPlugInElement.h	View	1 2 3 4	1 chunk	+2 lines, -0 lines	0 comments	Download
M	Source/core/html/HTMLPlugInElement.cpp	View	1 2 3 4	4 chunks	+11 lines, -3 lines	0 comments	Download

Messages

Total messages: 12 (0 generated)

Expand Messages | Collapse Messages

abarth-chromium

LGTM assuming the test isn't flaky. https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt File LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt (right): https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt#newcode13 LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt:13: This test passes ...

7 years, 1 month ago (2013-11-19 17:22:07 UTC) #2

Tom Sepez

LGTM with comments. https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html File LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html (right): https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html#newcode15 LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html:15: var names = ['src', 'movie', 'code', ...

7 years, 1 month ago (2013-11-19 17:54:22 UTC) #3

Mike West

Thank you both. I'll fix this up tomorrow and CQ it. https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt File LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt (right): ...

7 years, 1 month ago (2013-11-19 18:35:05 UTC) #4

Thank you both. I'll fix this up tomorrow and CQ it.

https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/se...
File
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt
(right):

https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/se...
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt:13:
This test passes if there is are four console messages saying the plugins were
blocked.
On 2013/11/19 17:22:08, abarth wrote:
> Do these messages arrive in a predictable order or is this test going to be
> flaky?

I'm fairly sure they're predictable (e.g. they don't deal with network requests,
so they happen along with parsing).

That said, you're right that we should not rely on the events always dispatching
in the same order; I'll split this into multiple tests

https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/se...
File
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html
(right):

https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/se...
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html:15:
var names = ['src', 'movie', 'code', 'url'];
On 2013/11/19 17:54:22, Tom Sepez wrote:
> nit: maybe a link to the section of the spec that calls out these 4 names.

This is non-standard behavior, based (I think) on something IE did/does.

There's a comment (like, literally an HTML comment) in the spec that notes "we
may have to define magic fallback to <param> if it turns out to be needed in
testing", and quotes Hyatt from IRC.

https://codereview.chromium.org/76303002/diff/30001/LayoutTests/http/tests/se...
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html:27:

On 2013/11/19 17:54:22, Tom Sepez wrote:
> Can we also use an onload handler to keep track of failures?  If we break this
> down the road, having a text diff vs a timeout when the expected number of
> handlers don't fire ...

Sure. It's probably worth rewriting all the object-src tests in that pattern.

Of course, it would require implementing the 'load' event, which I don't think
exists at the moment either. I'd like to defer that to the next CL if at all
possible. :)

https://codereview.chromium.org/76303002/diff/30001/Source/core/html/HTMLObje...
File Source/core/html/HTMLObjectElement.cpp (right):

https://codereview.chromium.org/76303002/diff/30001/Source/core/html/HTMLObje...
Source/core/html/HTMLObjectElement.cpp:315: if (!success) {
On 2013/11/19 17:54:22, Tom Sepez wrote:
> nit: not sure having the local |success| buys us anything over if
> (!beforeLoadAllowed || !...)

Yeah, not anymore. I'll fold those in.