Process CSP's `treat-as-public-address` only outside of Blink.

We handle this in `NavigationRequest` as of [1], and we're likely going
to shift off CSP after some conversations at TPAC anyway.

Tests were relying upon setting the policy via `<meta>`. This patch
adjusts them to rely on a header instead, which matches the behavior
we'd like to support going forward (and, FWIW, the spec:
https://wicg.github.io/cors-rfc1918/#csp).

[1]: https://chromium-review.googlesource.com/c/chromium/src/+/1760742

Bug: 1000226
Change-Id: I7dc584079a064b8664e5ff9122f5b618a8866340
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1778879Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#693097}

third_party/blink/renderer/bindings/core/v8/isolated_world_csp.cc

@@ -60,12 +60,12 @@ class IsolatedWorldCSPDelegate final
   }
 
   // Isolated world CSPs don't support these directives: "sandbox",
-  // "treat-as-public-address", "trusted-types" and "upgrade-insecure-requests".
+  // "trusted-types" and "upgrade-insecure-requests".
+  //
   // These directives depend on ExecutionContext for their implementation and
   // since isolated worlds don't have their own ExecutionContext, these are not
   // supported.
   void SetSandboxFlags(SandboxFlags) override {}
-  void SetAddressSpace(network::mojom::IPAddressSpace) override {}
   void SetRequireTrustedTypes() override {}
   void AddInsecureRequestPolicy(WebInsecureRequestPolicy) override {}
 

third_party/blink/renderer/core/frame/csp/content_security_policy.cc

@@ -28,7 +28,6 @@
 #include <memory>
 #include <utility>
 
-#include "services/network/public/mojom/ip_address_space.mojom-blink.h"
 #include "third_party/blink/public/platform/platform.h"
 #include "third_party/blink/public/platform/task_type.h"
 #include "third_party/blink/public/platform/web_url_request.h"
@@ -153,7 +152,6 @@ ContentSecurityPolicy::ContentSecurityPolicy()
       script_hash_algorithms_used_(kContentSecurityPolicyHashAlgorithmNone),
       style_hash_algorithms_used_(kContentSecurityPolicyHashAlgorithmNone),
       sandbox_mask_(WebSandboxFlags::kNone),
-      treat_as_public_address_(false),
       require_trusted_types_(false),
       insecure_request_policy_(kLeaveInsecureRequestsAlone) {}
 
@@ -200,8 +198,6 @@ void ContentSecurityPolicy::ApplyPolicySideEffectsToDelegate() {
     Count(WebFeature::kSandboxViaCSP);
     delegate_->SetSandboxFlags(sandbox_mask_);
   }
-  if (treat_as_public_address_)
-    delegate_->SetAddressSpace(network::mojom::IPAddressSpace::kPublic);
 
   if (require_trusted_types_)
     delegate_->SetRequireTrustedTypes();
@@ -872,12 +868,6 @@ void ContentSecurityPolicy::EnforceSandboxFlags(SandboxFlags mask) {
   sandbox_mask_ |= mask;
 }
 
-void ContentSecurityPolicy::TreatAsPublicAddress() {
-  if (!RuntimeEnabledFeatures::AddressSpaceEnabled())
-    return;
-  treat_as_public_address_ = true;
-}
-
 void ContentSecurityPolicy::RequireTrustedTypes() {
   // We store whether CSP demands a policy. The caller still needs to check
   // whether the feature is enabled in the first place.
@@ -1454,8 +1444,6 @@ const char* ContentSecurityPolicy::GetDirectiveName(const DirectiveType& type) {
       return "style-src-attr";
     case DirectiveType::kStyleSrcElem:
       return "style-src-elem";
-    case DirectiveType::kTreatAsPublicAddress:
-      return "treat-as-public-address";
     case DirectiveType::kUpgradeInsecureRequests:
       return "upgrade-insecure-requests";
     case DirectiveType::kWorkerSrc:
@@ -1525,8 +1513,6 @@ ContentSecurityPolicy::DirectiveType ContentSecurityPolicy::GetDirectiveType(
     return DirectiveType::kStyleSrcAttr;
   if (name == "style-src-elem")
     return DirectiveType::kStyleSrcElem;
-  if (name == "treat-as-public-address")
-    return DirectiveType::kTreatAsPublicAddress;
   if (name == "upgrade-insecure-requests")
     return DirectiveType::kUpgradeInsecureRequests;
   if (name == "worker-src")

third_party/blink/renderer/core/frame/csp/content_security_policy.h

@@ -97,7 +97,6 @@ class CORE_EXPORT ContentSecurityPolicyDelegate : public GarbageCollectedMixin {
 
   // Directives support.
   virtual void SetSandboxFlags(SandboxFlags) = 0;
-  virtual void SetAddressSpace(network::mojom::IPAddressSpace) = 0;
   virtual void SetRequireTrustedTypes() = 0;
   virtual void AddInsecureRequestPolicy(WebInsecureRequestPolicy) = 0;
 
@@ -185,7 +184,6 @@ class CORE_EXPORT ContentSecurityPolicy
     kStyleSrc,
     kStyleSrcAttr,
     kStyleSrcElem,
-    kTreatAsPublicAddress,
     kUndefined,
     kUpgradeInsecureRequests,
     kWorkerSrc,
@@ -412,7 +410,6 @@ class CORE_EXPORT ContentSecurityPolicy
   const KURL FallbackUrlForPlugin() const;
 
   void EnforceSandboxFlags(SandboxFlags);
-  void TreatAsPublicAddress();
   void RequireTrustedTypes();
   bool IsRequireTrustedTypes() const { return require_trusted_types_; }
   String EvalDisabledErrorMessage() const;
@@ -564,7 +561,6 @@ class CORE_EXPORT ContentSecurityPolicy
 
   // State flags used to configure the environment after parsing a policy.
   SandboxFlags sandbox_mask_;
-  bool treat_as_public_address_;
   bool require_trusted_types_;
   String disable_eval_error_message_;
   WebInsecureRequestPolicy insecure_request_policy_;

third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc

@@ -4,7 +4,6 @@
 
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 
-#include "services/network/public/mojom/ip_address_space.mojom-blink.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/blink/public/platform/web_insecure_request_policy.h"
 #include "third_party/blink/renderer/core/dom/document.h"
@@ -100,34 +99,6 @@ TEST_F(ContentSecurityPolicyTest, ParseInsecureRequestPolicy) {
   }
 }
 
-TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressDisabled) {
-  ScopedAddressSpaceForTest address_space(false);
-  execution_context->SetAddressSpace(network::mojom::IPAddressSpace::kPrivate);
-  EXPECT_EQ(network::mojom::IPAddressSpace::kPrivate,
-            execution_context->AddressSpace());
-
-  csp->DidReceiveHeader("treat-as-public-address",
-                        kContentSecurityPolicyHeaderTypeEnforce,
-                        kContentSecurityPolicyHeaderSourceHTTP);
-  csp->BindToDelegate(execution_context->GetContentSecurityPolicyDelegate());
-  EXPECT_EQ(network::mojom::IPAddressSpace::kPrivate,
-            execution_context->AddressSpace());
-}
-
-TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressEnabled) {
-  ScopedAddressSpaceForTest address_space(true);
-  execution_context->SetAddressSpace(network::mojom::IPAddressSpace::kPrivate);
-  EXPECT_EQ(network::mojom::IPAddressSpace::kPrivate,
-            execution_context->AddressSpace());
-
-  csp->DidReceiveHeader("treat-as-public-address",
-                        kContentSecurityPolicyHeaderTypeEnforce,
-                        kContentSecurityPolicyHeaderSourceHTTP);
-  csp->BindToDelegate(execution_context->GetContentSecurityPolicyDelegate());
-  EXPECT_EQ(network::mojom::IPAddressSpace::kPublic,
-            execution_context->AddressSpace());
-}
-
 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) {
   csp->DidReceiveHeader("script-src 'none'; plugin-types application/x-type-1",
                         kContentSecurityPolicyHeaderTypeReport,
@@ -1011,8 +982,6 @@ TEST_F(ContentSecurityPolicyTest, DirectiveType) {
       {ContentSecurityPolicy::DirectiveType::kStyleSrc, "style-src"},
       {ContentSecurityPolicy::DirectiveType::kStyleSrcAttr, "style-src-attr"},
       {ContentSecurityPolicy::DirectiveType::kStyleSrcElem, "style-src-elem"},
-      {ContentSecurityPolicy::DirectiveType::kTreatAsPublicAddress,
-       "treat-as-public-address"},
       {ContentSecurityPolicy::DirectiveType::kUpgradeInsecureRequests,
        "upgrade-insecure-requests"},
       {ContentSecurityPolicy::DirectiveType::kWorkerSrc, "worker-src"},

third_party/blink/renderer/core/frame/csp/csp_directive_list.cc

@@ -133,7 +133,6 @@ CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy,
       has_sandbox_policy_(false),
       strict_mixed_content_checking_enforced_(false),
       upgrade_insecure_requests_(false),
-      treat_as_public_address_(false),
       require_sri_for_(RequireSRIForToken::kNone),
       use_reporting_api_(false) {}
 
@@ -1233,22 +1232,6 @@ void CSPDirectiveList::ApplySandboxPolicy(const String& name,
     policy_->ReportInvalidSandboxFlags(invalid_tokens);
 }
 
-void CSPDirectiveList::TreatAsPublicAddress(const String& name,
-                                            const String& value) {
-  if (IsReportOnly()) {
-    policy_->ReportInvalidInReportOnly(name);
-    return;
-  }
-  if (treat_as_public_address_) {
-    policy_->ReportDuplicateDirective(name);
-    return;
-  }
-  treat_as_public_address_ = true;
-  policy_->TreatAsPublicAddress();
-  if (!value.IsEmpty())
-    policy_->ReportValueForEmptyDirective(name, value);
-}
-
 void CSPDirectiveList::RequireTrustedTypes(const String& name,
                                            const String& value) {
   if (trusted_types_) {
@@ -1360,9 +1343,6 @@ void CSPDirectiveList::AddDirective(const String& name, const String& value) {
     SetCSPDirective<SourceListDirective>(name, value, manifest_src_);
   } else if (type == ContentSecurityPolicy::DirectiveType::kNavigateTo) {
     SetCSPDirective<SourceListDirective>(name, value, navigate_to_);
-  } else if (type ==
-             ContentSecurityPolicy::DirectiveType::kTreatAsPublicAddress) {
-    TreatAsPublicAddress(name, value);
   } else if (type == ContentSecurityPolicy::DirectiveType::kReportTo &&
              base::FeatureList::IsEnabled(network::features::kReporting)) {
     ParseReportTo(name, value);

third_party/blink/renderer/core/frame/csp/csp_directive_list.h

@@ -183,7 +183,6 @@ class CORE_EXPORT CSPDirectiveList
   void EnforceStrictMixedContentChecking(const String& name,
                                          const String& value);
   void EnableInsecureRequestsUpgrade(const String& name, const String& value);
-  void TreatAsPublicAddress(const String& name, const String& value);
   void RequireTrustedTypes(const String& name, const String& value);
 
   template <class CSPDirectiveType>
@@ -308,7 +307,6 @@ class CORE_EXPORT CSPDirectiveList
   bool strict_mixed_content_checking_enforced_;
 
   bool upgrade_insecure_requests_;
-  bool treat_as_public_address_;
 
   Member<MediaListDirective> plugin_types_;
   Member<SourceListDirective> base_uri_;

third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc

@@ -64,11 +64,6 @@ void ExecutionContextCSPDelegate::SetSandboxFlags(SandboxFlags mask) {
   CHECK_EQ(flags | mask, flags);
 }
 
-void ExecutionContextCSPDelegate::SetAddressSpace(
-    network::mojom::IPAddressSpace space) {
-  GetSecurityContext().SetAddressSpace(space);
-}
-
 void ExecutionContextCSPDelegate::SetRequireTrustedTypes() {
   GetSecurityContext().SetRequireTrustedTypes();
 }

third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.h

@@ -27,7 +27,6 @@ class ExecutionContextCSPDelegate final
   const SecurityOrigin* GetSecurityOrigin() override;
   const KURL& Url() const override;
   void SetSandboxFlags(SandboxFlags) override;
-  void SetAddressSpace(network::mojom::IPAddressSpace) override;
   void SetRequireTrustedTypes() override;
   void AddInsecureRequestPolicy(WebInsecureRequestPolicy) override;
   std::unique_ptr<SourceLocation> GetSourceLocation() override;

third_party/blink/renderer/core/workers/worker_or_worklet_global_scope.cc

@@ -81,7 +81,6 @@ class OutsideSettingsCSPDelegate final
   // off-the-main-thread shared worker/service worker top-level script fetch.
   // https://crbug.com/924041 https://crbug.com/924043
   void SetSandboxFlags(SandboxFlags) override {}
-  void SetAddressSpace(network::mojom::IPAddressSpace) override {}
   void SetRequireTrustedTypes() override {}
   void AddInsecureRequestPolicy(WebInsecureRequestPolicy) override {}
   void DisableEval(const String& error_message) override {}

third_party/blink/web_tests/TestExpectations

@@ -2987,9 +2987,11 @@ crbug.com/399507 virtual/threaded/http/tests/devtools/tracing/timeline-paint/lay
 # non-deterministic order.
 crbug.com/705125 fast/mediacapturefromelement/CanvasCaptureMediaStream-capture-out-of-DOM-element.html [ Failure ]
 
-# Skip the non-virtualized CORS-RFC1918 tests:
-crbug.com/763830 http/tests/security/cors-rfc1918/ [ Skip ]
-crbug.com/763830 virtual/blink-cors/http/tests/security/cors-rfc1918/ [ Skip ]
+# Skip the non-virtualized CORS-RFC1918 blocking tests (`.addressSpace` tests are fine):
+crbug.com/763830 http/tests/security/cors-rfc1918/external-to-internal-fetch.php [ Skip ]
+crbug.com/763830 http/tests/security/cors-rfc1918/external-to-internal-xhr.php [ Skip ]
+crbug.com/763830 virtual/blink-cors/http/tests/security/cors-rfc1918/external-to-internal-fetch.php [ Skip ]
+crbug.com/763830 virtual/blink-cors/http/tests/security/cors-rfc1918/external-to-internal-xhr.php [ Skip ]
 
 crbug.com/831729 external/wpt/event-timing/crossiframe.html [ Timeout ]
 crbug.com/831729 external/wpt/event-timing/observer-manual.html [ Skip ]

third_party/blink/web_tests/http/tests/security/cors-rfc1918/addressspace-document-csp.html

@@ -6,7 +6,6 @@
     window.onload = function () {
         addressSpaceTest("http://localhost:8000", "document+csp", "public");
         addressSpaceTest("http://127.0.0.1:8000", "document+csp", "public");
-        addressSpaceTest("http://example.test:8000", "document+csp", "public");
     };
 </script>
 

third_party/blink/web_tests/http/tests/security/cors-rfc1918/external-to-internal-fetch.html → third_party/blink/web_tests/http/tests/security/cors-rfc1918/external-to-internal-fetch.php

-<!doctype html>
+<?php
+  header("Content-Security-Policy: treat-as-public-address");
+?><!doctype html>
 <html>
 <head>
-    <meta http-equiv="Content-Security-Policy" content="treat-as-public-address">
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script src="./resources/preflight.js"></script>

third_party/blink/web_tests/http/tests/security/cors-rfc1918/external-to-internal-xhr.html → third_party/blink/web_tests/http/tests/security/cors-rfc1918/external-to-internal-xhr.php

-<!doctype html>
+<?php
+  header("Content-Security-Policy: treat-as-public-address");
+?><!doctype html>
 <html>
 <head>
-    <meta http-equiv="Content-Security-Policy" content="treat-as-public-address">
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script src="./resources/preflight.js"></script>

third_party/blink/web_tests/http/tests/security/cors-rfc1918/resources/addressspace-test.js

 function createIFrame(origin, type) {
     var file;
     if (type == "document") {
-        file = "post-addressspace-to-parent.html";
+        file = "post-addressspace-to-parent.php";
     } else if (type == "document+csp") {
-        file = "post-addressspace-to-parent.html?csp";
+        file = "post-addressspace-to-parent.php?csp";
     } else if (type == "document+appcache") {
-        file = "post-addressspace-to-parent-with-appcache.html";
+        file = "post-addressspace-to-parent-with-appcache.php";
     } else if (type == "document+appcache+csp") {
-        file = "post-addressspace-to-parent-with-appcache.html?csp";
+        file = "post-addressspace-to-parent-with-appcache.php?csp";
     } else if (type == "worker") {
         file = "post-addressspace-from-worker.html";
     } else if (type == "sharedworker") {

third_party/blink/web_tests/http/tests/security/cors-rfc1918/resources/appcache.php

 <?php
 header("Content-Type: text/cache-manifest");
 print("CACHE MANIFEST\n\n");
-print("post-addressspace-to-parent-with-appcache.html");
+print("post-addressspace-to-parent-with-appcache.php");
 ?>

third_party/blink/web_tests/http/tests/security/cors-rfc1918/resources/post-addressspace-to-parent-with-appcache.html → third_party/blink/web_tests/http/tests/security/cors-rfc1918/resources/post-addressspace-to-parent-with-appcache.php

+<?php
+  if (isset($_GET["csp"]))
+    header("Content-Security-Policy: treat-as-public-address");
+?>
 <html manifest="/security/cors-rfc1918/resources/appcache.php">
 <script>
-    if (window.location.search == "?csp") {
-        var m = document.createElement("meta");
-        m.setAttribute("http-equiv", "Content-Security-Policy");
-        m.setAttribute("content", "treat-as-public-address");
-        document.head.appendChild(m);
-    }
-
     window.applicationCache.oncached = window.applicationCache.onnoupdate = function (e) {
         window.parent.postMessage({
             "origin": window.location.origin,

third_party/blink/web_tests/http/tests/security/cors-rfc1918/resources/post-addressspace-to-parent.html → third_party/blink/web_tests/http/tests/security/cors-rfc1918/resources/post-addressspace-to-parent.php

-<script>
-    if (window.location.search == "?csp") {
-        var m = document.createElement("meta");
-        m.setAttribute("http-equiv", "Content-Security-Policy");
-        m.setAttribute("content", "treat-as-public-address");
-        document.head.appendChild(m);
-    }
-
+<?php
+  if (isset($_GET["csp"]))
+    header("Content-Security-Policy: treat-as-public-address");
+?><script>
     window.parent.postMessage({
         "origin": window.location.origin,
         "addressSpace": document.addressSpace