Add COEP parsing logic for response coming from service workers

Bug: 887967 Change-Id: I1352c4a1f4dccc294c6765e609da8c9e92c6f90d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2098190Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#749566}

Add COEP parsing logic for response coming from service workers
Bug: 887967 Change-Id: I1352c4a1f4dccc294c6765e609da8c9e92c6f90d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2098190Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#749566}
0d5aa4bd · Yutaka Hirano · Commit Bot · b2a0559a · 0d5aa4bd · b2a0559a
Commit 0d5aa4bd authored Mar 12, 2020 by Yutaka Hirano Committed by Commit Bot Mar 12, 2020
2 changed files
--- a/content/common/service_worker/service_worker_loader_helpers.cc
+++ b/content/common/service_worker/service_worker_loader_helpers.cc
@@ -14,8 +14,11 @@
 #include "content/public/common/content_features.h"
 #include "mojo/public/cpp/bindings/self_owned_receiver.h"
 #include "net/http/http_util.h"
+#include "net/http/structured_headers.h"
 #include "net/url_request/redirect_util.h"
 #include "services/network/public/cpp/content_security_policy/content_security_policy.h"
+#include "services/network/public/cpp/cross_origin_embedder_policy.h"
+#include "services/network/public/cpp/features.h"
 #include "services/network/public/cpp/resource_request.h"
 #include "services/network/public/cpp/resource_request_body.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
@@ -45,6 +48,37 @@ class BlobCompleteCaller : public blink::mojom::BlobReaderClient {
  BlobCompleteCallback callback_;
 };
+std::pair<network::mojom::CrossOriginEmbedderPolicyValue,
+          base::Optional<std::string>>
+ParseCrossOriginEmbedderPolicyValueInternal(
+    const net::HttpResponseHeaders* headers,
+    base::StringPiece header_name) {
+  static constexpr char kRequireCorp[] = "require-corp";
+  constexpr auto kNone = network::mojom::CrossOriginEmbedderPolicyValue::kNone;
+  using Item = net::structured_headers::Item;
+  std::string header_value;
+  if (!headers ||
+      !headers->GetNormalizedHeader(header_name.as_string(), &header_value)) {
+    return std::make_pair(kNone, base::nullopt);
+  }
+  const auto item = net::structured_headers::ParseItem(header_value);
+  if (!item || item->item.Type() != Item::kTokenType ||
+      item->item.GetString() != kRequireCorp) {
+    return std::make_pair(kNone, base::nullopt);
+  }
+  base::Optional<std::string> endpoint;
+  auto it = std::find_if(item->params.cbegin(), item->params.cend(),
+                         [](const std::pair<std::string, Item>& param) {
+                           return param.first == "report-to";
+                         });
+  if (it != item->params.end() && it->second.Type() == Item::kStringType) {
+    endpoint = it->second.GetString();
+  }
+  return std::make_pair(
+      network::mojom::CrossOriginEmbedderPolicyValue::kRequireCorp,
+      std::move(endpoint));
+}
 }  // namespace
 // static
@@ -88,6 +122,27 @@ void ServiceWorkerLoaderHelpers::SaveResponseHeaders(
  // headers.
  if (out_head->content_length == -1)
    out_head->content_length = out_head->headers->GetContentLength();
+  // TODO(yhirano): Remove the code duplication with
+  // //services/network/url_loader.cc.
+  if (base::FeatureList::IsEnabled(network::features::kCrossOriginIsolation)) {
+    // Parse the Cross-Origin-Embedder-Policy and
+    // Cross-Origin-Embedder-Policy-Report-Only headers.
+    static constexpr char kCrossOriginEmbedderPolicyValueHeader[] =
+        "Cross-Origin-Embedder-Policy";
+    static constexpr char kCrossOriginEmbedderPolicyValueReportOnlyHeader[] =
+        "Cross-Origin-Embedder-Policy-Report-Only";
+    network::CrossOriginEmbedderPolicy coep;
+    std::tie(coep.value, coep.reporting_endpoint) =
+        ParseCrossOriginEmbedderPolicyValueInternal(
+            out_head->headers.get(), kCrossOriginEmbedderPolicyValueHeader);
+    std::tie(coep.report_only_value, coep.report_only_reporting_endpoint) =
+        ParseCrossOriginEmbedderPolicyValueInternal(
+            out_head->headers.get(),
+            kCrossOriginEmbedderPolicyValueReportOnlyHeader);
+    out_head->cross_origin_embedder_policy = coep;
+  }
 }
 // static

--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/reporting.https-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/reporting.https-expected.txt
-This is a testharness.js-based test.
-PASS subresource CORP
-PASS navigation CORP
-PASS COEP violation on nested frame navigation
-PASS subresource CORP in a passthrough iframe hosted by a service worker without COEP
-FAIL subresource CORP in a respondWith(fetch) iframe hosted by a service worker without COEP assert_unreached: A report whose blocked-url is https://www1.web-platform.test:8444/common/text-plain.txt?abc&subresource-corp-respondwith-fetch-sw and url is https://web-platform.test:8444/html/cross-origin-embedder-policy/resources/reporting-empty-frame.html is not found. Reached unreachable code
-Harness: the test ran to completion.