webui: make `default-src 'self';` the default CSP for chrome-untrusted:// URLDataSource

This CL makes `default-src 'self';` the default Content Security Policy for chrome-untrusted:// URLDataSource. This stops chrome-untrusted:// from using resources from a different origin, unless CSP explicitly allows them. To prevent breakage of existing chrome-untrusted:// WebUIs, we override their default-src to an empty value, and create bug tracker issues for relevant teams to update their CSP. This is a preparation for enabling Fetch API for chrome-untrusted:// scheme. Bug: 1023741 Change-Id: I2e5cfe3877c1e996a678e04aacd378f044332bb5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2208588 Commit-Queue: Jiewei Qian <qjw@chromium.org> Reviewed-by: Oleh Lamzin <lamzin@google.com> Reviewed-by: Tibor Goldschwendt <tiborg@chromium.org> Reviewed-by: dpapad <dpapad@chromium.org> Reviewed-by: Rachel Carpenter <carpenterr@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Giovanni Ortuño Urquidi <ortuno@chromium.org> Cr-Commit-Position: refs/heads/master@{#772076}

webui: make `default-src 'self';` the default CSP for chrome-untrusted:// URLDataSource
This CL makes `default-src 'self';` the default Content Security Policy for chrome-untrusted:// URLDataSource. This stops chrome-untrusted:// from using resources from a different origin, unless CSP explicitly allows them. To prevent breakage of existing chrome-untrusted:// WebUIs, we override their default-src to an empty value, and create bug tracker issues for relevant teams to update their CSP. This is a preparation for enabling Fetch API for chrome-untrusted:// scheme. Bug: 1023741 Change-Id: I2e5cfe3877c1e996a678e04aacd378f044332bb5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2208588 Commit-Queue: Jiewei Qian <qjw@chromium.org> Reviewed-by: Oleh Lamzin <lamzin@google.com> Reviewed-by: Tibor Goldschwendt <tiborg@chromium.org> Reviewed-by: dpapad <dpapad@chromium.org> Reviewed-by: Rachel Carpenter <carpenterr@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Giovanni Ortuño Urquidi <ortuno@chromium.org> Cr-Commit-Position: refs/heads/master@{#772076}
230a1786 · Jiewei Qian · Commit Bot · 9293b4a8 · 230a1786 · 230a1786
Commit 230a1786 authored May 27, 2020 by Jiewei Qian Committed by Commit Bot May 27, 2020
11 changed files
--- a/chrome/browser/chromeos/web_applications/terminal_source.cc
+++ b/chrome/browser/chromeos/web_applications/terminal_source.cc
@@ -150,3 +150,8 @@ bool TerminalSource::ShouldServeMimeTypeAsContentTypeHeader() {
 const ui::TemplateReplacements* TerminalSource::GetReplacements() {
  return &replacements_;
 }
+
+std::string TerminalSource::GetContentSecurityPolicyDefaultSrc() {
+  // TODO(https://crbug.com/1085324): Audit and tighten CSP.
+  return std::string();
+}
--- a/chrome/browser/chromeos/web_applications/terminal_source.h
+++ b/chrome/browser/chromeos/web_applications/terminal_source.h
@@ -43,6 +43,7 @@ class TerminalSource : public content::URLDataSource {
  std::string GetMimeType(const std::string& path) override;
  bool ShouldServeMimeTypeAsContentTypeHeader() override;
  const ui::TemplateReplacements* GetReplacements() override;
+  std::string GetContentSecurityPolicyDefaultSrc() override;

  Profile* profile_;
  std::string source_;

--- a/chrome/browser/ui/webui/new_tab_page/untrusted_source.cc
+++ b/chrome/browser/ui/webui/new_tab_page/untrusted_source.cc
@@ -90,6 +90,11 @@ std::string UntrustedSource::GetContentSecurityPolicyChildSrc() {
  return "child-src https:;";
 }

+std::string UntrustedSource::GetContentSecurityPolicyDefaultSrc() {
+  // TODO(https://crbug.com/1085325): Audit and tighten CSP.
+  return std::string();
+}
+
 std::string UntrustedSource::GetSource() {
  return chrome::kChromeUIUntrustedNewTabPageUrl;
 }

--- a/chrome/browser/ui/webui/new_tab_page/untrusted_source.h
+++ b/chrome/browser/ui/webui/new_tab_page/untrusted_source.h
@@ -54,6 +54,7 @@ class UntrustedSource : public content::URLDataSource,
  // content::URLDataSource:
  std::string GetContentSecurityPolicyScriptSrc() override;
  std::string GetContentSecurityPolicyChildSrc() override;
+  std::string GetContentSecurityPolicyDefaultSrc() override;
  std::string GetSource() override;
  void StartDataRequest(
      const GURL& url,

--- a/chrome/browser/ui/webui/theme_source.cc
+++ b/chrome/browser/ui/webui/theme_source.cc
@@ -239,3 +239,12 @@ std::string ThemeSource::GetAccessControlAllowOriginForOrigin(

  return content::URLDataSource::GetAccessControlAllowOriginForOrigin(origin);
 }
+
+std::string ThemeSource::GetContentSecurityPolicyDefaultSrc() {
+  if (serve_untrusted_) {
+    // TODO(https://crbug.com/1085327): Audit and tighten CSP.
+    return std::string();
+  }
+
+  return content::URLDataSource::GetContentSecurityPolicyDefaultSrc();
+}
--- a/chrome/browser/ui/webui/theme_source.h
+++ b/chrome/browser/ui/webui/theme_source.h
@@ -34,6 +34,7 @@ class ThemeSource : public content::URLDataSource {
                            int render_process_id) override;
  std::string GetAccessControlAllowOriginForOrigin(
      const std::string& origin) override;
+  std::string GetContentSecurityPolicyDefaultSrc() override;

 private:
  // Fetches and sends the theme bitmap.

--- a/chromeos/components/help_app_ui/help_app_untrusted_ui.cc
+++ b/chromeos/components/help_app_ui/help_app_untrusted_ui.cc
@@ -36,6 +36,9 @@ content::WebUIDataSource* CreateHelpAppUntrustedDataSource(

  source->UseStringsJs();
  source->AddFrameAncestor(GURL(kChromeUIHelpAppURL));
+
+  // TODO(https://crbug.com/1085328): Audit and tighten CSP.
+  source->OverrideContentSecurityPolicyDefaultSrc("");
  return source;
 }


--- a/chromeos/components/telemetry_extension_ui/telemetry_extension_ui.cc
+++ b/chromeos/components/telemetry_extension_ui/telemetry_extension_ui.cc
@@ -23,6 +23,10 @@ content::WebUIDataSource* CreateUntrustedTelemetryExtensionDataSource() {
  untrusted_source->AddResourcePath("untrusted.js",
                                    IDR_TELEMETRY_EXTENSION_UNTRUSTED_JS);
  untrusted_source->AddFrameAncestor(GURL(kChromeUITelemetryExtensionURL));
+
+  // TODO(https://crbug.com/1085330): tighten CSP.
+  untrusted_source->OverrideContentSecurityPolicyDefaultSrc(std::string());
+
  return untrusted_source;
 }
 }  // namespace

--- a/content/browser/webui/web_ui_navigation_browsertest.cc
+++ b/content/browser/webui/web_ui_navigation_browsertest.cc
@@ -241,7 +241,7 @@ IN_PROC_BROWSER_TEST_F(WebUINavigationBrowserTest,
                       WebFrameInChromeUntrustedSchemeAllowedByCSP) {
  // Add a DataSource with no iframe restrictions.
  TestUntrustedDataSourceCSP csp;
-  csp.child_src = "";
+  csp.child_src = "child-src * data:;";
  AddUntrustedDataSource(shell()->web_contents()->GetBrowserContext(),
                         "test-host", csp);
  GURL main_frame_url(GetChromeUntrustedUIURL("test-host/title1.html"));

--- a/content/browser/webui/web_ui_security_browsertest.cc
+++ b/content/browser/webui/web_ui_security_browsertest.cc
@@ -570,7 +570,7 @@ IN_PROC_BROWSER_TEST_F(
    MAYBE_ChromeUntrustedFramesCanUseChromeUntrustedResources) {
  // Add a DataSource whose CSP allows chrome-untrusted://resources scripts.
  TestUntrustedDataSourceCSP csp;
-  csp.script_src = "chrome-untrusted://resources";
+  csp.script_src = "script-src chrome-untrusted://resources;";
  AddUntrustedDataSource(shell()->web_contents()->GetBrowserContext(),
                         "test-host", csp);
  GURL main_frame_url(GetChromeUntrustedUIURL("test-host/title1.html"));

--- a/content/public/browser/url_data_source.cc
+++ b/content/public/browser/url_data_source.cc
@@ -7,6 +7,9 @@
 #include <utility>

 #include "base/memory/ptr_util.h"
+#include "base/no_destructor.h"
+#include "base/strings/strcat.h"
+#include "base/strings/string_util.h"
 #include "base/task_runner_util.h"
 #include "content/browser/webui/url_data_manager.h"
 #include "content/browser/webui/url_data_manager_backend.h"
@@ -17,6 +20,19 @@
 #include "content/public/common/url_constants.h"
 #include "net/url_request/url_request.h"

+namespace {
+// A chrome-untrusted data source's name starts with chrome-untrusted://.
+bool IsChromeUntrustedDataSource(content::URLDataSource* source) {
+  static const base::NoDestructor<std::string> kChromeUntrustedSourceNamePrefix(
+      base::StrCat(
+          {content::kChromeUIUntrustedScheme, url::kStandardSchemeSeparator}));
+
+  return base::StartsWith(source->GetSource(),
+                          *kChromeUntrustedSourceNamePrefix,
+                          base::CompareCase::SENSITIVE);
+}
+}  // namespace
+
 namespace content {

 // static
@@ -63,7 +79,8 @@ std::string URLDataSource::GetContentSecurityPolicyChildSrc() {
 }

 std::string URLDataSource::GetContentSecurityPolicyDefaultSrc() {
-  return std::string();
+  return IsChromeUntrustedDataSource(this) ? "default-src 'self';"
+                                           : std::string();
 }

 std::string URLDataSource::GetContentSecurityPolicyImgSrc() {