Mixed Content: Implement strict mode.

Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 44 matching lines @@
 #include "platform/weborigin/KnownPorts.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/Platform.h"
 #include "wtf/StringHasher.h"
 #include "wtf/text/StringBuilder.h"
 #include "wtf/text/StringUTF8Adaptor.h"
 
 namespace blink {
 
-// CSP 1.0 Directives
+// CSP Level 1 Directives
 const char ContentSecurityPolicy::ConnectSrc[] = "connect-src";
 const char ContentSecurityPolicy::DefaultSrc[] = "default-src";
 const char ContentSecurityPolicy::FontSrc[] = "font-src";
 const char ContentSecurityPolicy::FrameSrc[] = "frame-src";
 const char ContentSecurityPolicy::ImgSrc[] = "img-src";
 const char ContentSecurityPolicy::MediaSrc[] = "media-src";
 const char ContentSecurityPolicy::ObjectSrc[] = "object-src";
 const char ContentSecurityPolicy::ReportURI[] = "report-uri";
 const char ContentSecurityPolicy::Sandbox[] = "sandbox";
 const char ContentSecurityPolicy::ScriptSrc[] = "script-src";
 const char ContentSecurityPolicy::StyleSrc[] = "style-src";
 
-// CSP 1.1 Directives
+// CSP Level 2 Directives
 const char ContentSecurityPolicy::BaseURI[] = "base-uri";
 const char ContentSecurityPolicy::ChildSrc[] = "child-src";
 const char ContentSecurityPolicy::FormAction[] = "form-action";
 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors";
 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types";
 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss";
 const char ContentSecurityPolicy::Referrer[] = "referrer";
 
 // Manifest Directives
 // https://w3c.github.io/manifest/#content-security-policy
 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src";
 
+// Mixed Content Directive
+// https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
+const char ContentSecurityPolicy::StrictMixedContentChecking[] = "strict-mixed-content-checking";
+
 bool ContentSecurityPolicy::isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, ConnectSrc)
         || equalIgnoringCase(name, DefaultSrc)
         || equalIgnoringCase(name, FontSrc)
         || equalIgnoringCase(name, FrameSrc)
         || equalIgnoringCase(name, ImgSrc)
         || equalIgnoringCase(name, MediaSrc)
         || equalIgnoringCase(name, ObjectSrc)
         || equalIgnoringCase(name, ReportURI)
         || equalIgnoringCase(name, Sandbox)
         || equalIgnoringCase(name, ScriptSrc)
         || equalIgnoringCase(name, StyleSrc)
         || equalIgnoringCase(name, BaseURI)
         || equalIgnoringCase(name, ChildSrc)
         || equalIgnoringCase(name, FormAction)
         || equalIgnoringCase(name, FrameAncestors)
         || equalIgnoringCase(name, PluginTypes)
         || equalIgnoringCase(name, ReflectedXSS)
         || equalIgnoringCase(name, Referrer)
         || equalIgnoringCase(name, ManifestSrc)
-    );
+        || equalIgnoringCase(name, StrictMixedContentChecking));
 }
 
 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
 {
     switch (type) {
     case ContentSecurityPolicyHeaderTypeEnforce:
         return UseCounter::ContentSecurityPolicy;
     case ContentSecurityPolicyHeaderTypeReport:
         return UseCounter::ContentSecurityPolicyReportOnly;
     }
     ASSERT_NOT_REACHED();
     return UseCounter::NumberOfFeatures;
 }
 
 static ReferrerPolicy mergeReferrerPolicies(ReferrerPolicy a, ReferrerPolicy b)
 {
     if (a != b)
         return ReferrerPolicyNever;
     return a;
 }
 
 ContentSecurityPolicy::ContentSecurityPolicy()
     : m_executionContext(nullptr)
     , m_overrideInlineStyleAllowed(false)
     , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_sandboxMask(0)
+    , m_enforceStrictMixedContentChecking(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
 {
 }
 
 void ContentSecurityPolicy::bindToExecutionContext(ExecutionContext* executionContext)
 {
     m_executionContext = executionContext;
     applyPolicySideEffectsToExecutionContext();
 }
 
 void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
 {
     ASSERT(m_executionContext);
     // Ensure that 'self' processes correctly.
     m_selfProtocol = securityOrigin()->protocol();
     m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
 
-    // If we're in a Document, set the referrer policy and sandbox flags, then dump all the
-    // parsing error messages, then poke at histograms.
+    // If we're in a Document, set the referrer policy, mixed content checking, and sandbox
+    // flags, then dump all the parsing error messages, then poke at histograms.
     if (Document* document = this->document()) {
         document->enforceSandboxFlags(m_sandboxMask);
+        if (m_enforceStrictMixedContentChecking)
+            document->enforceStrictMixedContentChecking();
         if (didSetReferrerPolicy())
             document->setReferrerPolicy(m_referrerPolicy);
 
         for (const auto& consoleMessage : m_consoleMessages)
             m_executionContext->addConsoleMessage(consoleMessage);
         m_consoleMessages.clear();
 
         for (const auto& policy : m_policies)
             UseCounter::count(*document, getUseCounterType(policy->headerType()));
     }
@@ skipping 421 matching lines @@
 KURL ContentSecurityPolicy::completeURL(const String& url) const
 {
     return m_executionContext->contextCompleteURL(url);
 }
 
 void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask)
 {
     m_sandboxMask |= mask;
 }
 
+void ContentSecurityPolicy::enforceStrictMixedContentChecking()
+{
+    m_enforceStrictMixedContentChecking = true;
+}
+
 static String stripURLForUseInReport(Document* document, const KURL& url)
 {
     if (!url.isValid())
         return String();
     if (!url.isHierarchical() || url.protocolIs("file"))
         return url.protocol();
     return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
 }
 
 static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
@@ skipping 109 matching lines @@
 void ContentSecurityPolicy::reportReportOnlyInMeta(const String& header)
 {
     logToConsole("The report-only Content Security Policy '" + header + "' was delivered via a <meta> element, which is disallowed. The policy has been ignored.");
 }
 
 void ContentSecurityPolicy::reportMetaOutsideHead(const String& header)
 {
     logToConsole("The Content Security Policy '" + header + "' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored.");
 }
 
+void ContentSecurityPolicy::reportValueForEmptyDirective(const String& name, const String& value)
+{
+    logToConsole("The Content Security Policy directive '" + name + "' should be empty, but was delivered with a value of '" + value + "'. The directive has been applied, and the value ignored.");
+}
+
 void ContentSecurityPolicy::reportInvalidInReportOnly(const String& name)
 {
     logToConsole("The Content Security Policy directive '" + name + "' is ignored when delivered in a report-only policy.");
 }
 
 void ContentSecurityPolicy::reportUnsupportedDirective(const String& name)
 {
     DEFINE_STATIC_LOCAL(String, allow, ("allow"));
     DEFINE_STATIC_LOCAL(String, options, ("options"));
     DEFINE_STATIC_LOCAL(String, policyURI, ("policy-uri"));
@@ skipping 131 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink