Add isReportOnly field to CSP Issue messages

This CL enhances the existing CSP Issues with information about whether the header is report-only or not. This CL will be extended with another CL to surface those changes in the Devtools frontend. It includes the corresponding layout tests and the existing layout tests. Bug: chromium:1139223 Change-Id: Ic63c7edd68e56cb5464e451030d9fcf2900ecd77 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2480243 Commit-Queue: Alfonso Castaño <alcastano@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#818835}

Add isReportOnly field to CSP Issue messages
This CL enhances the existing CSP Issues with information about whether the header is report-only or not. This CL will be extended with another CL to surface those changes in the Devtools frontend. It includes the corresponding layout tests and the existing layout tests. Bug: chromium:1139223 Change-Id: Ic63c7edd68e56cb5464e451030d9fcf2900ecd77 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2480243 Commit-Queue: Alfonso Castaño <alcastano@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#818835}
1e09f146 · Alfonso Castaño · Commit Bot · f5ad57f1 · 1e09f146 · 1e09f146
Commit 1e09f146 authored Oct 20, 2020 by Alfonso Castaño Committed by Commit Bot Oct 20, 2020
17 changed files
--- a/third_party/blink/public/devtools_protocol/browser_protocol.pdl
+++ b/third_party/blink/public/devtools_protocol/browser_protocol.pdl
@@ -642,6 +642,7 @@ experimental domain Audits
      optional string blockedURL
      # Specific directive that is violated, causing the CSP issue.
      string violatedDirective
+      boolean isReportOnly
      ContentSecurityPolicyViolationType contentSecurityPolicyViolationType
      optional AffectedFrame frameAncestor
      optional SourceCodeLocation sourceCodeLocation

--- a/third_party/blink/public/mojom/devtools/inspector_issue.mojom
+++ b/third_party/blink/public/mojom/devtools/inspector_issue.mojom
@@ -79,6 +79,7 @@ enum ContentSecurityPolicyViolationType {
 struct ContentSecurityPolicyIssueDetails {
  url.mojom.Url? blocked_url;
  string violated_directive;
+  bool is_report_only;
  ContentSecurityPolicyViolationType content_security_policy_violation_type;
  AffectedFrame? frame_ancestor;
  network.mojom.SourceLocation? source_location;

--- a/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
@@ -1131,7 +1131,7 @@ void ContentSecurityPolicy::ReportViolation(
  if (delegate_)
    delegate_->DispatchViolationEvent(*violation_data, element);

-  ReportContentSecurityPolicyIssue(*violation_data, violation_type,
+  ReportContentSecurityPolicyIssue(*violation_data, header_type, violation_type,
                                   context_frame, element);
 }

@@ -1408,10 +1408,13 @@ ContentSecurityPolicy::BuildCSPViolationType(

 void ContentSecurityPolicy::ReportContentSecurityPolicyIssue(
    const blink::SecurityPolicyViolationEventInit& violation_data,
+    ContentSecurityPolicyType header_type,
    ContentSecurityPolicyViolationType violation_type,
    LocalFrame* frame_ancestor,
    Element* element) {
  auto cspDetails = mojom::blink::ContentSecurityPolicyIssueDetails::New();
+  cspDetails->is_report_only =
+      header_type == ContentSecurityPolicyType::kReport;
  if (violation_type == ContentSecurityPolicyViolationType::kURLViolation ||
      violation_data.violatedDirective() == "frame-ancestors") {
    cspDetails->blocked_url = KURL(violation_data.blockedURI());

--- a/third_party/blink/renderer/core/frame/csp/content_security_policy.h
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy.h
@@ -574,6 +574,7 @@ class CORE_EXPORT ContentSecurityPolicy final

  void ReportContentSecurityPolicyIssue(
      const blink::SecurityPolicyViolationEventInit& violation_data,
+      network::mojom::ContentSecurityPolicyType header_type,
      ContentSecurityPolicyViolationType violation_type,
      LocalFrame* = nullptr,
      Element* = nullptr);

--- a/third_party/blink/renderer/core/inspector/inspector_audits_agent.cc
+++ b/third_party/blink/renderer/core/inspector/inspector_audits_agent.cc
@@ -497,6 +497,7 @@ void InspectorAuditsAgent::InspectorIssueAdded(InspectorIssue* issue) {
    auto cspDetails =
        std::move(protocol::Audits::ContentSecurityPolicyIssueDetails::create()
                      .setViolatedDirective(d->violated_directive)
+                      .setIsReportOnly(d->is_report_only)
                      .setContentSecurityPolicyViolationType(BuildViolationType(
                          d->content_security_policy_violation_type)));
    if (d->blocked_url) {

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-eval-expected.txt
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-eval-expected.txt
@@ -6,10 +6,11 @@ Inspector issue: {
        details : {
            contentSecurityPolicyIssueDetails : {
                contentSecurityPolicyViolationType : kEvalViolation
+                isReportOnly : false
                sourceCodeLocation : {
                    columnNumber : 13
-                    lineNumber : 7
-                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-eval.html
+                    lineNumber : 5
+                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-eval.php
                }
                violatedDirective : script-src
            }

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-eval.js
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-eval.js
@@ -4,7 +4,7 @@

    await dp.Network.enable();
    await dp.Audits.enable();
-    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-eval.html');
+    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-eval.php');
    const issue = await dp.Audits.onceIssueAdded();

    testRunner.log(issue.params, "Inspector issue: ");

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-img-expected.txt
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-img-expected.txt
@@ -7,6 +7,7 @@ Inspector issue: {
            contentSecurityPolicyIssueDetails : {
                blockedURL : https://thirdparty.test/network/resources/to-be-blocked.jpg
                contentSecurityPolicyViolationType : kURLViolation
+                isReportOnly : false
                violatedDirective : img-src
            }
        }

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-img.js
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-img.js
@@ -4,7 +4,7 @@

    await dp.Network.enable();
    await dp.Audits.enable();
-    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-image.html');
+    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-image.php');
    const issue = await dp.Audits.onceIssueAdded();

    testRunner.log(issue.params, "Inspector issue: ");

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-report-only-expected.txt
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-report-only-expected.txt
+Verifies multiple CSP issues in report-only mode.
+
+Inspector issue: {
+    issue : {
+        code : ContentSecurityPolicyIssue
+        details : {
+            contentSecurityPolicyIssueDetails : {
+                blockedURL : https://devtools.test:8443/inspector-protocol/resources/style.css
+                contentSecurityPolicyViolationType : kURLViolation
+                isReportOnly : true
+                sourceCodeLocation : {
+                    columnNumber : 0
+                    lineNumber : 2
+                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-report-only.php
+                }
+                violatedDirective : style-src-elem
+            }
+        }
+    }
+}
+Inspector issue: {
+    issue : {
+        code : ContentSecurityPolicyIssue
+        details : {
+            contentSecurityPolicyIssueDetails : {
+                contentSecurityPolicyViolationType : kEvalViolation
+                isReportOnly : true
+                sourceCodeLocation : {
+                    columnNumber : 13
+                    lineNumber : 4
+                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-report-only.php
+                }
+                violatedDirective : script-src
+            }
+        }
+    }
+}
+Inspector issue: {
+    issue : {
+        code : ContentSecurityPolicyIssue
+        details : {
+            contentSecurityPolicyIssueDetails : {
+                contentSecurityPolicyViolationType : kInlineViolation
+                isReportOnly : true
+                sourceCodeLocation : {
+                    columnNumber : 0
+                    lineNumber : 5
+                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-report-only.php
+                }
+                violatedDirective : style-src-attr
+                violatingNodeId : <number>
+            }
+        }
+    }
+}
+
--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-report-only.js
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-report-only.js
+(async function(testRunner) {
+    const {page, session, dp} = await testRunner.startBlank(
+      `Verifies multiple CSP issues in report-only mode.\n`);
+
+    await dp.Network.enable();
+    await dp.Audits.enable();
+    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-report-only.php');
+
+    const issues = new Array();
+    dp.Audits.onIssueAdded(issue => {
+      issues.push(issue);
+      if (issues.length == 3) {
+        issues.sort((a, b) => {
+          const lineNumberDiff = a.params.issue.details.contentSecurityPolicyIssueDetails.sourceCodeLocation.lineNumber - b.params.issue.details.contentSecurityPolicyIssueDetails.sourceCodeLocation.lineNumber;
+          return lineNumberDiff || a.params.issue.details.contentSecurityPolicyIssueDetails.sourceCodeLocation.columnNumber - b.params.issue.details.contentSecurityPolicyIssueDetails.sourceCodeLocation.columnNumber;
+        });
+        for (const issue of issues) {
+          testRunner.log(issue.params, "Inspector issue: ", ["violatingNodeId"]);
+        }
+        testRunner.completeTest();
+      }
+    });
+  })
\ No newline at end of file
--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-src-location-added-expected.txt
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-src-location-added-expected.txt
@@ -7,10 +7,11 @@ Inspector issue: {
            contentSecurityPolicyIssueDetails : {
                blockedURL : https://devtools.test:8443/inspector-protocol/resources/style.css
                contentSecurityPolicyViolationType : kURLViolation
+                isReportOnly : false
                sourceCodeLocation : {
                    columnNumber : 0
-                    lineNumber : 3
-                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-with-src-location.html
+                    lineNumber : 2
+                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-with-src-location.php
                }
                violatedDirective : style-src-elem
            }

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-src-location-added.js
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-src-location-added.js
@@ -4,7 +4,7 @@

    await dp.Network.enable();
    await dp.Audits.enable();
-    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-with-src-location.html');
+    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-with-src-location.php');
    const issue = await dp.Audits.onceIssueAdded();

    testRunner.log(issue.params, "Inspector issue: ");

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-eval.html
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-eval.html
+<?php
+header("Content-Security-Policy: script-src 'self' 'unsafe-inline';");
+?>
 <!DOCTYPE html>
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
-
 <html>
  <body>
    <h2>Webpage with not allowed eval()</h2>

--- a/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-image.html
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-image.html
+<?php
+header("Content-Security-Policy: img-src 'self';");
+?>
 <!DOCTYPE html>
-<meta http-equiv="Content-Security-Policy" content="img-src 'self';">
-
 <html>
  <body>
    <h2>Webpage with blocked image source issue</h2>

    <div> <img src="https://thirdparty.test/network/resources/to-be-blocked.jpg" style="width:500px" alt="Image blocked|CSP violation"></div>
-
  </body>
 </html>
--- a/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-report-only.php
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-report-only.php
+<?php
+header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; style-src https://thirdparty.test/network/resources/;");
+?>
+<!DOCTYPE html>
+<html>
+  <link rel="stylesheet" type="text/css" href="style.css">
+  <body>
+    <script>eval('7+10')</script>
+    <img src="to-be-allowed.jpg" style="width:500px" alt="Image blocked|CSP violation">
+  </body>
+</html>
--- a/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-with-src-location.html
+++ b/third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-with-src-location.html
+<?php
+header("Content-Security-Policy: style-src https://thirdparty.test/network/resources/;");
+?>
 <!DOCTYPE html>
-<meta http-equiv="Content-Security-Policy" content="style-src https://thirdparty.test/network/resources/;">

 <link rel="stylesheet" type="text/css" href="style.css">