Fixes and technical debt for hash-based policies

Fixed an issue where multiple policies with different algorithms would
deny scripts/styles
Fixed an issue where report-only policies could cause hash-based policies
to incorrectly deny scripts/styles
Fixed an issue where mixing hash based and not hash based policies would
deny scripts/styles because the checks were done independently
Got rid of the IsAllowedByAll template system and replaced it with for loops
Ensured that checks that check hashes are now incorporated in their
respective allows function
Removed the need for external callers to know to call the hash specific
functions checks since now they are integrated
Added LayoutTests relevant to the issues above

Bug: 617065, 739292, 740688
Change-Id: I1b56afe899eac6358d2ef33fc7030aef568f89ac
Reviewed-on: https://chromium-review.googlesource.com/570248Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486822}

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html

+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Multiple policies with different hashing algorithms still work.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t = async_test("Test that script executes if allowed by proper hash values");
+    document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
+    var executed = false;
+  </script>
+
+  <!-- test will fail if this script is not allowed to run -->
+  <script>executed = true;</script>
+
+  <script nonce="abc">
+    t.step(function() {
+      assert_true(executed);
+      t.done();
+    });
+  </script>
+
+  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers

+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html

+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Multiple policies some using hashes some not using hashes still work.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t = async_test("Test that script executes if allowed by proper hash values");
+    document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
+    var executed = false;
+  </script>
+
+  <!-- test will fail if this script is not allowed to run -->
+  <script>executed = true;</script>
+
+  <script nonce="abc">
+    t.step(function() {
+      assert_true(executed);
+      t.done();
+    });
+  </script>
+
+  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers

+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms-work={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html

+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var externalRan = false;
+  </script>
+  <script src='./externalScript.js'
+          integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+  <script nonce="abc">
+    test(function() {
+      assert_true(externalRan, 'External script ran.');
+    }, 'External script in a script tag with matching SRI hash should run.');
+  </script>
+
+  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers

+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-report-only-policy-works-with-external-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
+Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html

+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
+  <!-- nonces are here just to let all of our scripts run -->
+  <script nonce="abc" src='/resources/testharness.js'></script>
+  <script nonce="abc" src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script nonce="abc">
+    var t = async_test("Test that script executes if allowed by proper hash values");
+    var t_spv = async_test("Test that the securitypolicyviolation event is fired");
+    document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "script-src");
+      assert_equals(e.disposition, "report");
+      assert_equals(e.blockedURI, "inline");
+    }));
+    var executed = false;
+  </script>
+
+  <!-- test will fail if this script is not allowed to run -->
+  <script>executed = true;</script>
+
+  <script nonce="abc">
+    t.step(function() {
+      assert_true(executed);
+      t.done();
+    });
+  </script>
+
+  <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers

+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-report-only-policy-works-with-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
+Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html

+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Multiple policies with different hashing algorithms still work.</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t = async_test("Test that style loads if allowed by proper hash values");
+    document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
+  </script>
+
+  <!-- test will time out if this style is not allowed to load -->
+  <style onload="t.done();" onerror="t.unreached_func('Should have loaded the style');">p {color:blue;}</style>
+
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers

+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/style-src/
+Content-Security-Policy: style-src 'sha256-rB6kiow2O3eFUeTNyyLeK3wV0+l7vNB90J1aqllKvjg='; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: style-src 'sha384-DAShdG5sejEaOdWfT+TQMRP5mHssKiUNjFggNnElIvIoj048XQlacVRs+za2AM1a'; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file

third_party/WebKit/Source/core/dom/Element.cpp

@@ -4166,7 +4166,7 @@ void Element::StyleAttributeChanged(
                                             ShadowRootType::kUserAgent) ||
              GetDocument().GetContentSecurityPolicy()->AllowInlineStyle(
                  this, GetDocument().Url(), String(), start_line_number,
-                 new_style_string)) {
+                 new_style_string, ContentSecurityPolicy::InlineType::kBlock)) {
     SetInlineStyleFromString(new_style_string);
   }
 

third_party/WebKit/Source/core/dom/MockScriptElementBase.h

@@ -43,10 +43,11 @@ class MockScriptElementBase
   MOCK_CONST_METHOD0(HasChildren, bool());
   MOCK_CONST_METHOD0(GetNonceForElement, const AtomicString&());
   MOCK_CONST_METHOD0(InitiatorName, AtomicString());
-  MOCK_METHOD3(AllowInlineScriptForCSP,
+  MOCK_METHOD4(AllowInlineScriptForCSP,
                bool(const AtomicString&,
                     const WTF::OrdinalNumber&,
-                    const String&));
+                    const String&,
+                    ContentSecurityPolicy::InlineType));
   MOCK_CONST_METHOD0(GetDocument, Document&());
   MOCK_METHOD1(SetScriptElementForBinding,
                void(HTMLScriptElementOrSVGScriptElement&));

third_party/WebKit/Source/core/dom/ScriptElementBase.h

@@ -22,6 +22,7 @@
 #define ScriptElementBase_h
 
 #include "core/CoreExport.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/heap/Handle.h"
 #include "platform/heap/Heap.h"
 #include "platform/wtf/text/AtomicString.h"
@@ -59,7 +60,8 @@ class CORE_EXPORT ScriptElementBase : public GarbageCollectedMixin {
 
   virtual bool AllowInlineScriptForCSP(const AtomicString& nonce,
                                        const WTF::OrdinalNumber&,
-                                       const String& script_content) = 0;
+                                       const String& script_content,
+                                       ContentSecurityPolicy::InlineType) = 0;
   virtual Document& GetDocument() const = 0;
   virtual void SetScriptElementForBinding(
       HTMLScriptElementOrSVGScriptElement&) = 0;

third_party/WebKit/Source/core/dom/ScriptLoader.cpp

@@ -822,17 +822,14 @@ ScriptLoader::ExecuteScriptResult ScriptLoader::DoExecuteScript(
     return ExecuteScriptResult::kShouldFireNone;
 
   if (!is_external_script_) {
-    const ContentSecurityPolicy* csp =
-        element_document->GetContentSecurityPolicy();
     bool should_bypass_main_world_csp =
-        (frame->GetScriptController().ShouldBypassMainWorldCSP()) ||
-        csp->AllowScriptWithHash(script->InlineSourceTextForCSP(),
-                                 ContentSecurityPolicy::InlineType::kBlock);
+        (frame->GetScriptController().ShouldBypassMainWorldCSP());
 
     AtomicString nonce = element_->GetNonceForElement();
     if (!should_bypass_main_world_csp &&
-        !element_->AllowInlineScriptForCSP(nonce, start_line_number_,
-                                           script->InlineSourceTextForCSP())) {
+        !element_->AllowInlineScriptForCSP(
+            nonce, start_line_number_, script->InlineSourceTextForCSP(),
+            ContentSecurityPolicy::InlineType::kBlock)) {
       return ExecuteScriptResult::kShouldFireErrorEvent;
     }
   }

third_party/WebKit/Source/core/dom/StyleElement.cpp

@@ -139,10 +139,9 @@ StyleElement::ProcessingResult StyleElement::CreateSheet(Element& element,
   const ContentSecurityPolicy* csp = document.GetContentSecurityPolicy();
   bool passes_content_security_policy_checks =
       ShouldBypassMainWorldCSP(element) ||
-      csp->AllowStyleWithHash(text,
-                              ContentSecurityPolicy::InlineType::kBlock) ||
       csp->AllowInlineStyle(&element, document.Url(), element.nonce(),
-                            start_position_.line_, text);
+                            start_position_.line_, text,
+                            ContentSecurityPolicy::InlineType::kBlock);
 
   // Clearing the current sheet may remove the cache entry so create the new
   // sheet first

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

@@ -270,6 +270,7 @@ class CORE_EXPORT ContentSecurityPolicy
                          const String& nonce,
                          const WTF::OrdinalNumber& context_line,
                          const String& script_content,
+                         InlineType,
                          SecurityViolationReportingPolicy =
                              SecurityViolationReportingPolicy::kReport) const;
   bool AllowInlineStyle(Element*,
@@ -277,6 +278,7 @@ class CORE_EXPORT ContentSecurityPolicy
                         const String& nonce,
                         const WTF::OrdinalNumber& context_line,
                         const String& style_content,
+                        InlineType,
                         SecurityViolationReportingPolicy =
                             SecurityViolationReportingPolicy::kReport) const;
 
@@ -292,18 +294,6 @@ class CORE_EXPORT ContentSecurityPolicy
                           SecurityViolationReportingPolicy::kReport) const;
   bool IsFrameAncestorsEnforced() const;
 
-  // The hash allow functions are guaranteed to not have any side
-  // effects, including reporting.
-  // Hash functions check all policies relating to use of a script/style
-  // with the given hash and return true all CSP policies allow it.
-  // If these return true, callers can then process the content or
-  // issue a load and be safe disabling any further CSP checks.
-  //
-  // TODO(mkwst): Fold hashes into 'allow{Script,Style}' checks above, just
-  // as we've done with nonces. https://crbug.com/617065
-  bool AllowScriptWithHash(const String& source, InlineType) const;
-  bool AllowStyleWithHash(const String& source, InlineType) const;
-
   bool AllowRequestWithoutIntegrity(
       WebURLRequest::RequestContext,
       const KURL&,
@@ -467,6 +457,19 @@ class CORE_EXPORT ContentSecurityPolicy
                            LocalFrame*,
                            const Vector<String>& report_endpoints);
 
+  static void FillInCSPHashValues(const String& source,
+                                  uint8_t hash_algorithms_used,
+                                  Vector<CSPHashValue>& csp_hash_values);
+
+  // checks a vector of csp hashes against policy, probably a good idea
+  // to use in tandem with FillInCSPHashValues.
+  static bool CheckScriptHashAgainstPolicy(Vector<CSPHashValue>&,
+                                           const Member<CSPDirectiveList>&,
+                                           InlineType);
+  static bool CheckStyleHashAgainstPolicy(Vector<CSPHashValue>&,
+                                          const Member<CSPDirectiveList>&,
+                                          InlineType);
+
   Member<ExecutionContext> execution_context_;
   bool override_inline_style_allowed_;
   CSPDirectiveListVector policies_;

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

@@ -737,9 +737,10 @@ TEST_F(ContentSecurityPolicyTest, NonceInline) {
     policy->DidReceiveHeader(String("script-src ") + test.policy,
                              kContentSecurityPolicyHeaderTypeEnforce,
                              kContentSecurityPolicyHeaderSourceHTTP);
-    EXPECT_EQ(test.allowed, policy->AllowInlineScript(element, context_url,
-                                                      String(test.nonce),
-                                                      context_line, content));
+    EXPECT_EQ(test.allowed,
+              policy->AllowInlineScript(
+                  element, context_url, String(test.nonce), context_line,
+                  content, ContentSecurityPolicy::InlineType::kBlock));
     EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size());
 
     // Enforce 'style-src'
@@ -749,8 +750,9 @@ TEST_F(ContentSecurityPolicyTest, NonceInline) {
                              kContentSecurityPolicyHeaderTypeEnforce,
                              kContentSecurityPolicyHeaderSourceHTTP);
     EXPECT_EQ(test.allowed,
-              policy->AllowInlineStyle(element, context_url, String(test.nonce),
-                                       context_line, content));
+              policy->AllowInlineStyle(
+                  element, context_url, String(test.nonce), context_line,
+                  content, ContentSecurityPolicy::InlineType::kBlock));
     EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size());
 
     // Report 'script-src'
@@ -760,7 +762,8 @@ TEST_F(ContentSecurityPolicyTest, NonceInline) {
                              kContentSecurityPolicyHeaderTypeReport,
                              kContentSecurityPolicyHeaderSourceHTTP);
     EXPECT_TRUE(policy->AllowInlineScript(
-        element, context_url, String(test.nonce), context_line, content));
+        element, context_url, String(test.nonce), context_line, content,
+        ContentSecurityPolicy::InlineType::kBlock));
     EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size());
 
     // Report 'style-src'
@@ -770,7 +773,8 @@ TEST_F(ContentSecurityPolicyTest, NonceInline) {
                              kContentSecurityPolicyHeaderTypeReport,
                              kContentSecurityPolicyHeaderSourceHTTP);
     EXPECT_TRUE(policy->AllowInlineStyle(
-        element, context_url, String(test.nonce), context_line, content));
+        element, context_url, String(test.nonce), context_line, content,
+        ContentSecurityPolicy::InlineType::kBlock));
     EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size());
   }
 }

third_party/WebKit/Source/core/html/HTMLScriptElement.cpp

@@ -199,9 +199,11 @@ const AtomicString& HTMLScriptElement::GetNonceForElement() const {
 bool HTMLScriptElement::AllowInlineScriptForCSP(
     const AtomicString& nonce,
     const WTF::OrdinalNumber& context_line,
-    const String& script_content) {
+    const String& script_content,
+    ContentSecurityPolicy::InlineType inline_type) {
   return GetDocument().GetContentSecurityPolicy()->AllowInlineScript(
-      this, GetDocument().Url(), nonce, context_line, script_content);
+      this, GetDocument().Url(), nonce, context_line, script_content,
+      inline_type);
 }
 
 AtomicString HTMLScriptElement::InitiatorName() const {

third_party/WebKit/Source/core/html/HTMLScriptElement.h

@@ -94,7 +94,8 @@ class CORE_EXPORT HTMLScriptElement final : public HTMLElement,
   const AtomicString& GetNonceForElement() const override;
   bool AllowInlineScriptForCSP(const AtomicString& nonce,
                                const WTF::OrdinalNumber&,
-                               const String& script_content) override;
+                               const String& script_content,
+                               ContentSecurityPolicy::InlineType) override;
   AtomicString InitiatorName() const override;
   void DispatchLoadEvent() override;
   void DispatchErrorEvent() override;

third_party/WebKit/Source/core/loader/HttpEquiv.cpp

@@ -108,6 +108,7 @@ void HttpEquiv::ProcessHttpEquivRefresh(Document& document,
   UseCounter::Count(document, WebFeature::kMetaRefresh);
   if (!document.GetContentSecurityPolicy()->AllowInlineScript(
           element, NullURL(), "", OrdinalNumber(), "",
+          ContentSecurityPolicy::InlineType::kBlock,
           SecurityViolationReportingPolicy::kSuppressReporting)) {
     UseCounter::Count(document,
                       WebFeature::kMetaRefreshWhenCSPBlocksInlineScript);
@@ -127,6 +128,7 @@ void HttpEquiv::ProcessHttpEquivSetCookie(Document& document,
   UseCounter::Count(document, WebFeature::kMetaSetCookie);
   if (!document.GetContentSecurityPolicy()->AllowInlineScript(
           element, NullURL(), "", OrdinalNumber(), "",
+          ContentSecurityPolicy::InlineType::kBlock,
           SecurityViolationReportingPolicy::kSuppressReporting)) {
     UseCounter::Count(document,
                       WebFeature::kMetaSetCookieWhenCSPBlocksInlineScript);

third_party/WebKit/Source/core/svg/SVGScriptElement.cpp

@@ -137,9 +137,11 @@ const AtomicString& SVGScriptElement::GetNonceForElement() const {
 bool SVGScriptElement::AllowInlineScriptForCSP(
     const AtomicString& nonce,
     const WTF::OrdinalNumber& context_line,
-    const String& script_content) {
+    const String& script_content,
+    ContentSecurityPolicy::InlineType inline_type) {
   return GetDocument().GetContentSecurityPolicy()->AllowInlineScript(
-      this, GetDocument().Url(), nonce, context_line, script_content);
+      this, GetDocument().Url(), nonce, context_line, script_content,
+      inline_type);
 }
 
 AtomicString SVGScriptElement::InitiatorName() const {

third_party/WebKit/Source/core/svg/SVGScriptElement.h

@@ -88,7 +88,8 @@ class SVGScriptElement final : public SVGElement,
   const AtomicString& GetNonceForElement() const override;
   bool AllowInlineScriptForCSP(const AtomicString& nonce,
                                const WTF::OrdinalNumber&,
-                               const String& script_content) override;
+                               const String& script_content,
+                               ContentSecurityPolicy::InlineType) override;
   AtomicString InitiatorName() const override;
   Document& GetDocument() const override;
   void DispatchLoadEvent() override;