CSP: initial blank page inherits 'self'.

Content-Security-Policy: The CSP source 'self' is usually the origin of
the current document. Immediately after an new window or new frame is
created, there are no current document. In this case, the origin used is
the one of the opener (in case of a new window) or the parent (in case of a
new iframe).

For you intention: The frame's CSP are already the one of its opener when
there are still no committed document. It makes sense to do the same
with 'self'.

Several web platform tests are added.

Bug: 807206
Change-Id: I2acf66d9b6d63d4efb14370a4d0ff2206c943aeb
Reviewed-on: https://chromium-review.googlesource.com/895589
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534017}

content/browser/frame_host/render_frame_host_impl.cc

@@ -584,6 +584,18 @@ RenderFrameHostImpl::RenderFrameHostImpl(SiteInstance* site_instance,
 
   ax_tree_id_ = ui::AXTreeIDRegistry::GetInstance()->GetOrCreateAXTreeID(
       GetProcess()->GetID(), routing_id_);
+
+  // Content-Security-Policy: The CSP source 'self' is usually the origin of the
+  // current document, set by SetLastCommittedOrigin(). However, before a new
+  // frame commits its first navigation, 'self' should correspond to the origin
+  // of the parent (in case of a new iframe) or the opener (in case of a new
+  // window). This is necessary to correctly enforce CSP during the initial
+  // navigation.
+  FrameTreeNode* frame_owner = frame_tree_node_->parent()
+                                   ? frame_tree_node_->parent()
+                                   : frame_tree_node_->opener();
+  if (frame_owner)
+    CSPContext::SetSelf(frame_owner->current_origin());
 }
 
 RenderFrameHostImpl::~RenderFrameHostImpl() {

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-redirect-allowed-target-blank</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting _blank allowed after a redirect");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          event.source.close();
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      form.action =
+        "/content-security-policy/form-action/support/post-message-to-opener.sub.html";
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="GET" target="_blank">
+    <input type="hidden" name="message" value="DocumentNotBlocked">
+    <input type="submit" id="submit">
+  </form>
+</body>
+</html>
+

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-allowed-target-frame</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting a frame allowed");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      form.action =
+        "/content-security-policy/form-action/support/post-message-to-parent.sub.html";
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="GET" target="frame">
+    <input type="hidden" name="message" value="DocumentNotBlocked">
+    <input type="submit" id="submit">
+  </form>
+  <iframe name="frame"></iframe>
+</body>
+</html>
+

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-redirect-allowed-target-blank</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting _blank allowed after a redirect");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          event.source.close();
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      let final_url = "/content-security-policy/form-action/support/post-message-to-opener.sub.html?message=DocumentNotBlocked";
+      let redirect_url = "/common/redirect.py?location=";
+      form.action = redirect_url + encodeURIComponent(final_url);
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="POST" target="_blank">
+    <input type="submit" id="submit">
+  </form>
+</body>
+</html>
+

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>form-action-src-redirect-allowed-target-frame</title>
+  <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script>
+    function OnDocumentLoaded() {
+      let test = async_test("form submission targetting a frame allowed after a redirect");
+      window.addEventListener("message", function(event) {
+        if (event.data == "DocumentNotBlocked") {
+          test.done();
+        }
+      });
+
+      let form = document.getElementById("form");
+      let final_url = "/content-security-policy/form-action/support/post-message-to-parent.sub.html?message=DocumentNotBlocked";
+      let redirect_url = "/common/redirect.py?location=";
+      form.action = redirect_url + encodeURIComponent(final_url);
+
+      let submit = document.getElementById("submit");
+      submit.click();
+    }
+  </script>
+</head>
+<body onload="OnDocumentLoaded();">
+  <form id="form" method="POST" target="frame">
+    <input type="submit" id="submit">
+  </form>
+  <iframe name="frame"></iframe>
+</body>
+</html>
+

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/form-action/support/post-message-to-opener.sub.html

+<script>
+  opener.postMessage("{{GET[message]}}", "*");
+</script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/form-action/support/post-message-to-parent.sub.html

+<script>
+  parent.postMessage("{{GET[message]}}", "*");
+</script>