Send CSP frame-ancestors violations also when XFO is present

If a Content-Security-Policy frame-ancestors directive is enforced, then the X-Frame-Options header is ignored. However, if the frame-ancestors directive is report-only, the X-Frame-Options header is checked and the frame possibly blocked. However, in this second case, we must still check whether we have to send a Content-Security-Policy violation report. Bug: 1097078 Change-Id: I9768a3859184ac1d35bd938f45cc40e111e2af4b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339115Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#795022}

Send CSP frame-ancestors violations also when XFO is present
If a Content-Security-Policy frame-ancestors directive is enforced, then the X-Frame-Options header is ignored. However, if the frame-ancestors directive is report-only, the X-Frame-Options header is checked and the frame possibly blocked. However, in this second case, we must still check whether we have to send a Content-Security-Policy violation report. Bug: 1097078 Change-Id: I9768a3859184ac1d35bd938f45cc40e111e2af4b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339115Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#795022}
0f15bf84 · Antonio Sartori · Commit Bot · da7e03d6 · 0f15bf84 · 0f15bf84
Commit 0f15bf84 authored Aug 05, 2020 by Antonio Sartori Committed by Commit Bot Aug 05, 2020
6 changed files
--- a/content/browser/frame_host/ancestor_throttle.cc
+++ b/content/browser/frame_host/ancestor_throttle.cc
@@ -188,24 +188,24 @@ NavigationThrottle::ThrottleCheckResult AncestorThrottle::ProcessResponseImpl(
    return NavigationThrottle::PROCEED;
  }
-  if (EvaluateXFrameOptions(logging) == CheckResult::BLOCK) {
-    return NavigationThrottle::BLOCK_RESPONSE;
-  }
-  // X-Frame-Option is checked on both redirect and final responses. However,
-  // CSP:Frame-ancestor is checked only for the final response.
-  if (!is_response_check)
-    return NavigationThrottle::PROCEED;
  const std::vector<network::mojom::ContentSecurityPolicyPtr>&
      content_security_policies =
          request->response()->parsed_headers->content_security_policy;
-  if (EvaluateFrameAncestors(content_security_policies) == CheckResult::BLOCK)
+  // CSP: frame-ancestors is checked only for the final response.
+  if (is_response_check &&
+      EvaluateFrameAncestors(content_security_policies) == CheckResult::BLOCK) {
+    return NavigationThrottle::BLOCK_RESPONSE;
+  }
+  if (EvaluateXFrameOptions(logging) == CheckResult::BLOCK)
    return NavigationThrottle::BLOCK_RESPONSE;
-  if (EvaluateCSPEmbeddedEnforcement() == CheckResult::BLOCK)
+  // CSPEE is checked only for the final response.
+  if (is_response_check &&
+      EvaluateCSPEmbeddedEnforcement() == CheckResult::BLOCK) {
    return NavigationThrottle::BLOCK_RESPONSE;
+  }
  return NavigationThrottle::PROCEED;
 }

--- a/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <title>Reporting works with report-only frame-ancestors even if frame is blocked by X-Frame-Options</title>
+</head>
+<body>
+    <iframe src="./support/not-embeddable-frame.py?reportID={{$id:uuid()}}&reportOnly=true&xFrameOptions=DENY"></iframe>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors&reportID={{$id}}'></script>
+</body>
+</html>
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/report-frame-ancestors.sub.html
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/report-frame-ancestors.sub.html
@@ -6,7 +6,7 @@
    <title>Reporting works with frame-ancestors</title>
 </head>
 <body>
-    <iframe src="./support/not-embeddable-frame.html?reportID={{$id:uuid()}}"></iframe>
+    <iframe src="./support/not-embeddable-frame.py?reportID={{$id:uuid()}}"></iframe>
    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors&reportID={{$id}}'></script>
 </body>
 </html>
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/support/not-embeddable-frame.html
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/support/not-embeddable-frame.html
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/support/not-embeddable-frame.html.sub.headers
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/support/not-embeddable-frame.html.sub.headers
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Content-Security-Policy: frame-ancestors 'none'; report-uri ../../support/report.py?op=put&reportID={{GET[reportID]}}
\ No newline at end of file
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/support/not-embeddable-frame.py
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/reporting/support/not-embeddable-frame.py
+def main(request, response):
+    headers = []
+    if request.GET.first(b'xFrameOptions', None):
+        headers.append((b'X-Frame-Options', request.GET[b'xFrameOptions']))
+    csp_header = b'Content-Security-Policy-Report-Only' \
+        if request.GET.first(b'reportOnly', None) == 'true' else b'Content-Security-Policy'
+    headers.append((csp_header, b"frame-ancestors 'none'; report-uri ../../support/report.py?op=put&reportID=" + request.GET[b'reportID']))
+    return headers, b'{}'