CSP 'self' is not interpreted correctly for iframes,

CSP 'self' is not interpreted correctly for iframes,

According to the CSP spec, if 'self' is in the source-list, loaded
resources should be matched to the URL of the resource context. However,
Chrome has defined 'self' in terms of the execution context's security
origin, which works for most cases. Unfortunately, if the frame is in a
sandbox, the security origin is 'unique', which doesn't match to any
other resource origin. The solution is to build the 'self' source from
the execution context's URL, not it's security origin.

R=mkwst@chromium.org

BUG=443444

[jww, 2014-12-20 01:34:42]

Mike, can you take a look at this? I'm a little scared about this CL. Are there
any consequences about not using the security origin that I haven't thought of?
I feel like it's safe, but...

Also, I'll obviously want to build a bunch of tests for this, but I figured I'd
wait until you tell me this isn't totally bonkers before I do it (it does pass
the test the reporter uploaded, of course).

[Mike West, 2014-12-21 09:01:48]

This isn't quite so straightforward (you need to consider srcdoc frames, for
instance). https://codereview.chromium.org/150893004/ is an earlier attempt that
I think is closer to correct. Reviewing it, Adam suggested that we change the
spec instead to require explicit whitelisting of resources inside a sandbox
rather than relying on location-based behavior.

I'm inclined to agree with that; it's worth starting a webappsec thread in any
event (which I intended to do, but apparently didn't). Would you be interested
in kicking off that conversation in the new year?

It would also be interesting to see what Firefox and IE do here. If they've
already made it work, that'd be an argument for aligning with them rather than
changing the spec.

[jww, 2014-12-29 21:31:18]

On 2014/12/21 09:01:48, Mike West (OOO until Jan 7th) wrote:
> This isn't quite so straightforward (you need to consider srcdoc frames, for
> instance). https://codereview.chromium.org/150893004/ is an earlier attempt
that
> I think is closer to correct. Reviewing it, Adam suggested that we change the
> spec instead to require explicit whitelisting of resources inside a sandbox
> rather than relying on location-based behavior.
Good point.
> 
> I'm inclined to agree with that; it's worth starting a webappsec thread in any
> event (which I intended to do, but apparently didn't). Would you be interested
> in kicking off that conversation in the new year?
Yup, I'll shoot out an email. I agree that it doesn't make sense to land any
solution until we have agreement on what to do.
> 
> It would also be interesting to see what Firefox and IE do here. If they've
> already made it work, that'd be an argument for aligning with them rather than
> changing the spec.
I haven't tested it myself, but the original bug filer claims that their demo
passes on Firefox and IE and only fails on Chrome.