Respect FrameSrc directive in WebUI

Respect FrameSrc directive in WebUI, otherwise WebUIs use wider ChildSrc CSP to be able to embed iframes. In many places we are using 'frame-src' CSP with ChildSrc directive which is wrong. We have to either use 'frame-src' with FrameSrc or 'child-src' with ChildSrc. Mostly we just need to be able to embed iframe and do not need web workers, so 'frame-src' will be enough. Bug: 1105408 Change-Id: I6d7bd555f6411971db24fdfe9e3f299bf83a8a0e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2302990Reviewed-by: Trent Apted <tapted@chromium.org> Reviewed-by: dpapad <dpapad@chromium.org> Reviewed-by: Giovanni Ortuño Urquidi <ortuno@chromium.org> Commit-Queue: Oleh Lamzin <lamzin@google.com> Cr-Commit-Position: refs/heads/master@{#789399}

Respect FrameSrc directive in WebUI
Respect FrameSrc directive in WebUI, otherwise WebUIs use wider ChildSrc CSP to be able to embed iframes. In many places we are using 'frame-src' CSP with ChildSrc directive which is wrong. We have to either use 'frame-src' with FrameSrc or 'child-src' with ChildSrc. Mostly we just need to be able to embed iframe and do not need web workers, so 'frame-src' will be enough. Bug: 1105408 Change-Id: I6d7bd555f6411971db24fdfe9e3f299bf83a8a0e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2302990Reviewed-by: Trent Apted <tapted@chromium.org> Reviewed-by: dpapad <dpapad@chromium.org> Reviewed-by: Giovanni Ortuño Urquidi <ortuno@chromium.org> Commit-Queue: Oleh Lamzin <lamzin@google.com> Cr-Commit-Position: refs/heads/master@{#789399}
171aff9f · Oleh Lamzin · Commit Bot · 7a671fe2 · 171aff9f · 171aff9f
Commit 171aff9f authored Jul 17, 2020 by Oleh Lamzin Committed by Commit Bot Jul 17, 2020
7 changed files
--- a/chromeos/components/help_app_ui/help_app_ui.cc
+++ b/chromeos/components/help_app_ui/help_app_ui.cc
@@ -53,7 +53,7 @@ HelpAppUI::HelpAppUI(content::WebUI* web_ui,
  std::string csp =
      std::string("frame-src ") + kChromeUIHelpAppUntrustedURL + ";";
  host_source->OverrideContentSecurityPolicy(
-      network::mojom::CSPDirectiveName::ChildSrc, csp);
+      network::mojom::CSPDirectiveName::FrameSrc, csp);
  content::WebUIDataSource* untrusted_source =
      CreateHelpAppUntrustedDataSource(delegate_.get());

--- a/chromeos/components/media_app_ui/media_app_ui.cc
+++ b/chromeos/components/media_app_ui/media_app_ui.cc
@@ -62,7 +62,7 @@ MediaAppUI::MediaAppUI(content::WebUI* web_ui,
  // The guest is in an <iframe>. Add it to CSP.
  std::string csp = std::string("frame-src ") + kChromeUIMediaAppGuestURL + ";";
  host_source->OverrideContentSecurityPolicy(
-      network::mojom::CSPDirectiveName::ChildSrc, csp);
+      network::mojom::CSPDirectiveName::FrameSrc, csp);
  // Register auto-granted permissions.
  auto* allowlist = WebUIAllowlist::GetOrCreate(browser_context);

--- a/chromeos/components/sample_system_web_app_ui/sample_system_web_app_ui.cc
+++ b/chromeos/components/sample_system_web_app_ui/sample_system_web_app_ui.cc
@@ -56,7 +56,7 @@ SampleSystemWebAppUI::SampleSystemWebAppUI(content::WebUI* web_ui)
  std::string csp =
      std::string("frame-src ") + kChromeUIUntrustedSampleSystemWebAppURL + ";";
  trusted_source->OverrideContentSecurityPolicy(
-      network::mojom::CSPDirectiveName::ChildSrc, csp);
+      network::mojom::CSPDirectiveName::FrameSrc, csp);
  auto* browser_context = web_ui->GetWebContents()->GetBrowserContext();
  content::WebUIDataSource::Add(browser_context, trusted_source.release());
  content::WebUIDataSource::Add(browser_context,

--- a/chromeos/components/telemetry_extension_ui/telemetry_extension_ui.cc
+++ b/chromeos/components/telemetry_extension_ui/telemetry_extension_ui.cc
@@ -71,7 +71,7 @@ TelemetryExtensionUI::TelemetryExtensionUI(content::WebUI* web_ui)
  std::string csp =
      std::string("frame-src ") + kChromeUIUntrustedTelemetryExtensionURL + ";";
  trusted_source->OverrideContentSecurityPolicy(
-      network::mojom::CSPDirectiveName::ChildSrc, csp);
+      network::mojom::CSPDirectiveName::FrameSrc, csp);
  auto* browser_context = web_ui->GetWebContents()->GetBrowserContext();
  content::WebUIDataSource::Add(browser_context, trusted_source.release());
  content::WebUIDataSource::Add(browser_context,

--- a/chromeos/components/web_applications/test/js_library_test.cc
+++ b/chromeos/components/web_applications/test/js_library_test.cc
@@ -62,11 +62,10 @@ content::WebUIDataSource* CreateTrustedSysemAppTestDataSource() {
  auto* trusted_source = content::WebUIDataSource::Create(kSystemAppTestHost);
  // We need a CSP override to be able to embed a chrome-untrusted:// iframe.
-  // TODO(crbug.com/1105408): use FrameSrc instead of ChildSrc.
  std::string csp =
-      std::string("child-src ") + kUntrustedSystemAppTestURL + ";";
+      std::string("frame-src ") + kUntrustedSystemAppTestURL + ";";
  trusted_source->OverrideContentSecurityPolicy(
-      network::mojom::CSPDirectiveName::ChildSrc, csp);
+      network::mojom::CSPDirectiveName::FrameSrc, csp);
  SetRequestFilterForDataSource(*trusted_source);
  return trusted_source;

--- a/content/browser/webui/url_data_manager_backend.cc
+++ b/content/browser/webui/url_data_manager_backend.cc
@@ -164,6 +164,7 @@ scoped_refptr<net::HttpResponseHeaders> URLDataManagerBackend::GetHeaders(
    const network::mojom::CSPDirectiveName kAllDirectives[] = {
        network::mojom::CSPDirectiveName::ChildSrc,
        network::mojom::CSPDirectiveName::DefaultSrc,
+        network::mojom::CSPDirectiveName::FrameSrc,
        network::mojom::CSPDirectiveName::ImgSrc,
        network::mojom::CSPDirectiveName::MediaSrc,
        network::mojom::CSPDirectiveName::ObjectSrc,

--- a/content/browser/webui/web_ui_data_source_unittest.cc
+++ b/content/browser/webui/web_ui_data_source_unittest.cc
@@ -279,6 +279,8 @@ TEST_F(WebUIDataSourceTest, SetCspValues) {
                network::mojom::CSPDirectiveName::ChildSrc));
  EXPECT_EQ("", url_data_source->GetContentSecurityPolicy(
                    network::mojom::CSPDirectiveName::DefaultSrc));
+  EXPECT_EQ("", url_data_source->GetContentSecurityPolicy(
+                    network::mojom::CSPDirectiveName::FrameSrc));
  EXPECT_EQ("", url_data_source->GetContentSecurityPolicy(
                    network::mojom::CSPDirectiveName::ImgSrc));
  EXPECT_EQ("", url_data_source->GetContentSecurityPolicy(
@@ -307,6 +309,12 @@ TEST_F(WebUIDataSourceTest, SetCspValues) {
            url_data_source->GetContentSecurityPolicy(
                network::mojom::CSPDirectiveName::DefaultSrc));
+  source()->OverrideContentSecurityPolicy(
+      network::mojom::CSPDirectiveName::FrameSrc, "frame-src 'self';");
+  EXPECT_EQ("frame-src 'self';",
+            url_data_source->GetContentSecurityPolicy(
+                network::mojom::CSPDirectiveName::FrameSrc));
  source()->OverrideContentSecurityPolicy(
      network::mojom::CSPDirectiveName::ImgSrc, "img-src 'self' blob:;");
  EXPECT_EQ("img-src 'self' blob:;",