Trust Tokens: Require secure contexts for the Fetch interface

To be in line with other new security-relevant Web Platform features, we only allow callers to execute Trust Tokens operations in secure contexts. Usually, WebIDL restricts functionality to secure contexts with the [SecureContext] extended attribute. This is how we initially implemented the restrictions on the three Trust Tokens interfaces (fetch, XHR, and iframe). However, this doesn't work for the fetch interface, because the [SecureContext] extended attribute doesn't work on dictionary members (like the `trustToken` member in request_init.idl); instead, it silently no-ops! This change: 1. removes the useless SecureContext attribute from RequestInit; 2. adds an explicit check that a Fetch request bearing Trust Tokens parameters is coming from a secure context, throwing a TypeError if not; and 3. for good measure, adds tests ensuring the XHR and iframe interfaces are only available in secure contexts, too. R=csharrison, yhirano Fixed: 1087200 Change-Id: If19f89251d9ab0ea16e8bb80216b5ef8d2f91b68 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2217855Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: David Van Cleve <davidvc@chromium.org> Cr-Commit-Position: refs/heads/master@{#772702}

Trust Tokens: Require secure contexts for the Fetch interface
To be in line with other new security-relevant Web Platform features, we only allow callers to execute Trust Tokens operations in secure contexts. Usually, WebIDL restricts functionality to secure contexts with the [SecureContext] extended attribute. This is how we initially implemented the restrictions on the three Trust Tokens interfaces (fetch, XHR, and iframe). However, this doesn't work for the fetch interface, because the [SecureContext] extended attribute doesn't work on dictionary members (like the `trustToken` member in request_init.idl); instead, it silently no-ops! This change: 1. removes the useless SecureContext attribute from RequestInit; 2. adds an explicit check that a Fetch request bearing Trust Tokens parameters is coming from a secure context, throwing a TypeError if not; and 3. for good measure, adds tests ensuring the XHR and iframe interfaces are only available in secure contexts, too. R=csharrison, yhirano Fixed: 1087200 Change-Id: If19f89251d9ab0ea16e8bb80216b5ef8d2f91b68 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2217855Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: David Van Cleve <davidvc@chromium.org> Cr-Commit-Position: refs/heads/master@{#772702}
0211bf0e · David Van Cleve · Commit Bot · cc73c243 · 0211bf0e · 0211bf0e
Commit 0211bf0e authored May 28, 2020 by David Van Cleve Committed by Commit Bot May 28, 2020
3 changed files
--- a/content/test/trust_token_browsertest.cc
+++ b/content/test/trust_token_browsertest.cc
@@ -18,9 +18,11 @@
 #include "content/public/test/url_loader_monitor.h"
 #include "content/shell/browser/shell.h"
 #include "net/base/escape.h"
+#include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/embedded_test_server/http_response.h"
 #include "services/network/public/cpp/features.h"
+#include "services/network/public/cpp/is_potentially_trustworthy.h"
 #include "services/network/public/cpp/resource_request.h"
 #include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "services/network/trust_tokens/test/test_server_handler_registration.h"
@@ -34,6 +36,7 @@ namespace content {
 namespace {

 using network::test::TrustTokenRequestHandler;
+using ::testing::HasSubstr;

 // TrustTokenBrowsertest is a fixture containing boilerplate for initializing an
 // HTTPS test server and passing requests through to an embedded instance of
@@ -64,6 +67,10 @@ class TrustTokenBrowsertest : public ContentBrowserTest {
    server_.AddDefaultHandlers(
        base::FilePath(FILE_PATH_LITERAL("content/test/data")));

+    host_resolver()->AddRule("*", "127.0.0.1");
+    SetupCrossSiteRedirector(embedded_test_server());
+    SetupCrossSiteRedirector(&server_);
+
    network::test::RegisterTrustTokenTestHandlers(&server_, &request_handler_);

    ASSERT_TRUE(server_.Start());
@@ -304,7 +311,6 @@ IN_PROC_BROWSER_TEST_F(TrustTokenBrowsertest, FetchEndToEndInIsolatedWorld) {

 IN_PROC_BROWSER_TEST_F(TrustTokenBrowsertest, RecordsTimers) {
  base::HistogramTester histograms;
-
  base::RunLoop run_loop;
  GetNetworkService()->SetTrustTokenKeyCommitments(
      network::WrapKeyCommitmentForIssuer(
@@ -349,4 +355,51 @@ IN_PROC_BROWSER_TEST_F(TrustTokenBrowsertest, RecordsTimers) {
  }
 }

+// Trust Tokens should require that their executing contexts be secure.
+IN_PROC_BROWSER_TEST_F(TrustTokenBrowsertest, OperationsRequireSecureContext) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+
+  GURL start_url(
+      embedded_test_server()->GetURL("a.com", "/page_with_iframe.html"));
+  // Make sure that we are, in fact, using an insecure page.
+  ASSERT_FALSE(network::IsUrlPotentiallyTrustworthy(start_url));
+
+  EXPECT_TRUE(NavigateToURL(shell(), start_url));
+
+  // 1. Confirm that the Fetch interface doesn't work:
+  std::string cmd = R"(fetch($1, {trustToken: {type: 'token-request'}});)";
+  EXPECT_THAT(EvalJs(shell(), JsReplace(cmd, server_.GetURL("/issue"))).error,
+              HasSubstr("secure context"));
+
+  // 2. Confirm that the XHR interface isn't present:
+  EXPECT_EQ(
+      false,
+      EvalJs(shell(), "(new XMLHttpRequest).hasOwnProperty('setTrustToken');"));
+
+  // 3. Confirm that the iframe interface doesn't work:
+
+  // It's important to set the trust token arguments before updating src, as
+  // the latter triggers a load.
+  EXPECT_TRUE(ExecJs(
+      shell(), JsReplace(
+                   R"( const myFrame = document.getElementById("test_iframe");
+                       myFrame.trustToken = $1;
+                       myFrame.src = $2;)",
+                   R"({"type": "token-request"})", server_.GetURL("/issue"))));
+  TestNavigationObserver load_observer(shell()->web_contents());
+  load_observer.WaitForNavigationFinished();
+
+  // In order to verify the result of the iframe operation, we need to execute
+  // hasTrustToken, which requires a secure context; navigate to a secure page,
+  // using server_, to run hasTrustToken.
+  EXPECT_TRUE(NavigateToURL(shell(), server_.GetURL("/title1.html")));
+
+  // The iframe issuance shouldn't have succeeded:
+  EXPECT_EQ(
+      false,
+      EvalJs(shell(),
+             JsReplace("document.hasTrustToken($1);",
+                       url::Origin::Create(server_.base_url()).Serialize())));
+}
+
 }  // namespace content
--- a/third_party/blink/renderer/core/fetch/request.cc
+++ b/third_party/blink/renderer/core/fetch/request.cc
@@ -522,6 +522,13 @@ Request* Request::CreateRequestWithRequestOrString(
      return nullptr;
    }

+    if (!execution_context->IsSecureContext()) {
+      exception_state.ThrowTypeError(
+          "trustToken: TrustTokens operations are only available in secure "
+          "contexts.");
+      return nullptr;
+    }
+
    if ((params.type == TrustTokenOperationType::kRedemption ||
         params.type == TrustTokenOperationType::kSigning) &&
        !execution_context->IsFeatureEnabled(

--- a/third_party/blink/renderer/core/fetch/request_init.idl
+++ b/third_party/blink/renderer/core/fetch/request_init.idl
@@ -23,7 +23,11 @@ dictionary RequestInit {
    boolean keepalive;
    [RuntimeEnabled=PriorityHints] RequestImportance importance;
    AbortSignal? signal;
-    [RuntimeEnabled=TrustTokens, SecureContext] TrustToken trustToken;
+    // Even though Trust Tokens operations are only available in secure
+    // contexts, this has to be enforced after the fact because the
+    // SecureContext IDL attribute doesn't affect dictionary members.
+    [RuntimeEnabled=TrustTokens] TrustToken trustToken;
+
    // TODO(domfarolino): add support for RequestInit window member.
    //any window; // can only be set to null
 };