Make CSP default-src without 'unsafe-eval' block eval in iframes

This CL fixes the fallback behaviour of the Content Security Policy script-src to default-src with regards to blocking eval in iframes and, under certain conditions, when navigating to a new page. Bug: 1107824 Change-Id: Ia5cbe82188fde25cec8ccb5a09322e598a419434 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2316105 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#792281}

Make CSP default-src without 'unsafe-eval' block eval in iframes
This CL fixes the fallback behaviour of the Content Security Policy script-src to default-src with regards to blocking eval in iframes and, under certain conditions, when navigating to a new page. Bug: 1107824 Change-Id: Ia5cbe82188fde25cec8ccb5a09322e598a419434 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2316105 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#792281}
3bd086b0 · Antonio Sartori · Commit Bot · ad3755b5 · 3bd086b0 · 3bd086b0
Commit 3bd086b0 authored Jul 28, 2020 by Antonio Sartori Committed by Commit Bot Jul 28, 2020
3 changed files
--- a/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
+++ b/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
@@ -675,7 +675,8 @@ bool CSPDirectiveList::AllowInline(
 }
 bool CSPDirectiveList::ShouldCheckEval() const {
-  return script_src_ && !script_src_->AllowEval();
+  return !CheckEval(
+      OperativeDirective(ContentSecurityPolicy::DirectiveType::kScriptSrc));
 }
 bool CSPDirectiveList::AllowEval(

--- a/third_party/blink/web_tests/external/wpt/content-security-policy/unsafe-eval/eval-in-iframe.html
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/unsafe-eval/eval-in-iframe.html
+<!DOCTYPE html>
+<html>
+<head>
+    <title>eval-in-iframe</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+    <p>This test checks that iframes correctly block the eval function.</p>
+    <script>
+      var tests = [
+          { "name": "script-src blocks eval unless 'unsafe-eval' is specified.",
+            "csp": "script-src 'unsafe-inline'" },
+          { "name": "default-src blocks eval unless 'unsafe-eval' is specified.",
+            "csp": "default-src 'unsafe-inline'" },
+      ];
+      tests.forEach(test => {
+          async_test(t => {
+              var child = document.createElement('iframe');
+              child.src = '/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py?policy=' + encodeURIComponent(test.csp);
+              window.addEventListener('message', t.step_func(e => {
+                  if (e.source != child.contentWindow)
+                      return;
+                  if (e.data === "eval blocked") {
+                      t.done();
+                  }
+                  else if (e.data === "eval allowed") {
+                      assert_unreached("Eval code was executed in iframe");
+                  }
+              }));
+              document.body.appendChild(child);
+          }, test.name);
+      });
+    </script>
+</body>
+</html>
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
+def main(request, response):
+    policy = request.GET.first(b"policy")
+    return [(b"Content-Type", b"text/html"), (b"Content-Security-Policy", policy)], b"""
+<!DOCTYPE html>
+<html>
+<script>
+var id = 0;
+try {
+  id = eval("id + 1");
+} catch (e) {}
+window.parent.postMessage(id === 1 ? "eval allowed" : "eval blocked");
+</script>
+</html>
+"""