[Extensions] Have web accessible resources loadable from COEP frames

Currently web accessible resources in Chrome extensions[A] cannot be
loaded as an iframe via content scripts from two reasons.

1. The response does not have a cross-origin-embedder-policy header.
2. The response does not have a cross-origin-resource-policy header.

To fix the issue, we make iframes inherit parent COEP implicitly for
chrome-extension:// URLs. This is similar to blob:// URLs. We also
attach cross-origin-resource-policy: cross-origin to every web
accessible resource. This is aligned with the fact that it also has
access-control-allow-origin: *.


A: https://developer.chrome.com/extensions/manifest/web_accessible_resources

Bug: 1085915
Change-Id: I4574b4dbf55ab2d815e9b6ab22fd7b0a8ab28887
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2212200
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#773957}

chrome/browser/chrome_content_browser_client.cc

@@ -2256,7 +2256,6 @@ void ChromeContentBrowserClient::AppendExtraCommandLineSwitches(
         command_line->AppendSwitch(switches::kAllowSyncXHRInPageDismissal);
       }
 
-
       if (prefs->HasPrefPath(prefs::kScrollToTextFragmentEnabled) &&
           !prefs->GetBoolean(prefs::kScrollToTextFragmentEnabled)) {
         command_line->AppendSwitch(switches::kDisableScrollToTextFragment);
@@ -5707,3 +5706,12 @@ bool ChromeContentBrowserClient::IsOriginTrialRequiredForAppCache(
 
   return false;
 }
+
+bool ChromeContentBrowserClient::
+    ShouldInheritCrossOriginEmbedderPolicyImplicitly(const GURL& url) {
+#if BUILDFLAG(ENABLE_EXTENSIONS)
+  return url.SchemeIs(extensions::kExtensionScheme);
+#else
+  return false;
+#endif
+}

chrome/browser/chrome_content_browser_client.h

@@ -676,6 +676,8 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
 
   bool IsOriginTrialRequiredForAppCache(
       content::BrowserContext* browser_context) override;
+  bool ShouldInheritCrossOriginEmbedderPolicyImplicitly(
+      const GURL& url) override;
 
  protected:
   static bool HandleWebUI(GURL* url, content::BrowserContext* browser_context);

chrome/browser/extensions/content_script_apitest.cc

@@ -46,6 +46,8 @@
 #include "extensions/test/test_extension_dir.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
+#include "net/test/embedded_test_server/http_response.h"
 #include "ui/base/page_transition_types.h"
 #include "url/gurl.h"
 
@@ -72,7 +74,7 @@ testing::AssertionResult CheckStyleInjection(Browser* browser,
           "        getPropertyValue('display') == 'none');",
           &css_injected)) {
     return testing::AssertionFailure()
-        << "Failed to execute script and extract bool for injection status.";
+           << "Failed to execute script and extract bool for injection status.";
   }
 
   if (css_injected != expected_injection) {
@@ -91,11 +93,12 @@ testing::AssertionResult CheckStyleInjection(Browser* browser,
           "    document.styleSheets.length == 0);",
           &css_doesnt_add_to_list)) {
     return testing::AssertionFailure()
-        << "Failed to execute script and extract bool for stylesheets length.";
+           << "Failed to execute script and extract bool for stylesheets "
+              "length.";
   }
   if (!css_doesnt_add_to_list) {
     return testing::AssertionFailure()
-        << "CSS injection added to number of stylesheets.";
+           << "CSS injection added to number of stylesheets.";
   }
 
   return testing::AssertionSuccess();
@@ -190,8 +193,8 @@ IN_PROC_BROWSER_TEST_F(ContentScriptApiTest, ContentScriptExtensionIframe) {
 
 IN_PROC_BROWSER_TEST_F(ContentScriptApiTest, ContentScriptExtensionProcess) {
   ASSERT_TRUE(StartEmbeddedTestServer());
-  ASSERT_TRUE(
-      RunExtensionTest("content_scripts/extension_process")) << message_;
+  ASSERT_TRUE(RunExtensionTest("content_scripts/extension_process"))
+      << message_;
 }
 
 IN_PROC_BROWSER_TEST_F(ContentScriptApiTest, ContentScriptFragmentNavigation) {
@@ -214,8 +217,8 @@ IN_PROC_BROWSER_TEST_F(ContentScriptApiTest, ContentScriptIsolatedWorlds) {
 IN_PROC_BROWSER_TEST_F(ContentScriptApiTest,
                        ContentScriptIgnoreHostPermissions) {
   ASSERT_TRUE(StartEmbeddedTestServer());
-  ASSERT_TRUE(RunExtensionTest(
-      "content_scripts/dont_match_host_permissions")) << message_;
+  ASSERT_TRUE(RunExtensionTest("content_scripts/dont_match_host_permissions"))
+      << message_;
 }
 
 // crbug.com/39249 -- content scripts js should not run on view source.
@@ -353,7 +356,7 @@ IN_PROC_BROWSER_TEST_F(ContentScriptCssInjectionTest,
   ASSERT_TRUE(StartEmbeddedTestServer());
 
   ASSERT_TRUE(LoadExtension(test_data_dir_.AppendASCII("content_scripts")
-                                          .AppendASCII("css_injection")));
+                                .AppendASCII("css_injection")));
 
   // CSS injection should be allowed on an aribitrary web page.
   GURL url =
@@ -368,7 +371,8 @@ IN_PROC_BROWSER_TEST_F(ContentScriptCssInjectionTest,
   // We disallow all injection on the webstore.
   GURL::Replacements replacements;
   replacements.SetHostStr(kWebstoreDomain);
-  url = embedded_test_server()->GetURL("/extensions/test_file_with_body.html")
+  url = embedded_test_server()
+            ->GetURL("/extensions/test_file_with_body.html")
             .ReplaceComponents(replacements);
   EXPECT_TRUE(CheckStyleInjection(browser(), url, false));
 }
@@ -1330,4 +1334,38 @@ IN_PROC_BROWSER_TEST_F(NTPInterceptionTest, ContentScript) {
   EXPECT_FALSE(script_injected_in_ntp);
 }
 
+IN_PROC_BROWSER_TEST_F(ContentScriptApiTest, CoepFrameTest) {
+  using HttpRequest = net::test_server::HttpRequest;
+  using HttpResponse = net::test_server::HttpResponse;
+
+  // We have a separate server because COEP only works in secure contexts.
+  net::EmbeddedTestServer server(net::EmbeddedTestServer::TYPE_HTTPS);
+  server.RegisterRequestHandler(base::BindRepeating(
+      [](const HttpRequest& request) -> std::unique_ptr<HttpResponse> {
+        auto response = std::make_unique<net::test_server::BasicHttpResponse>();
+        response->set_content_type("text/html");
+        response->AddCustomHeader("cross-origin-embedder-policy",
+                                  "require-corp");
+        response->set_content("<!doctpye html><html></html>");
+        return response;
+      }));
+
+  const extensions::Extension* extension =
+      LoadExtension(test_data_dir_.AppendASCII("content_scripts/coep_frame"));
+  ASSERT_TRUE(extension);
+
+  auto handle = server.StartAndReturnHandle();
+  const GURL url = server.GetURL("/hello.html");
+
+  ui_test_utils::NavigateToURL(browser(), url);
+
+  const auto kPassed = base::ASCIIToUTF16("PASSED");
+  const auto kFailed = base::ASCIIToUTF16("FAILED");
+  content::TitleWatcher watcher(
+      browser()->tab_strip_model()->GetActiveWebContents(), kPassed);
+  watcher.AlsoWaitForTitle(kFailed);
+
+  ASSERT_EQ(kPassed, watcher.WaitAndGetTitle());
+}
+
 }  // namespace extensions

chrome/test/data/extensions/api_test/content_scripts/coep_frame/content-script.js

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(async () => {
+  try {
+    const iframe = document.createElement('iframe');
+    iframe.src = chrome.runtime.getURL('iframe.html?href=' + location.href);
+    document.body.appendChild(iframe);
+
+    await Promise.all([
+      new Promise((resolve, reject) => {
+        iframe.onload = resolve;
+        iframe.onerror = reject;
+      }),
+      new Promise((resolve, reject) => {
+        // The fetch request made from |iframe| is a no-cors cross-origin
+        // request, and the response doesn't have a CORP header.
+        // Hence it should be blocked (note that COEP is enabled on *this*
+        // frame, and hence on |iframe|).
+        self.addEventListener('message', (e) => {
+          if (e.data === 'SUCCESS') {
+            reject(Error('fetch succeeded unexpectedly'));
+            return;
+          }
+          if (e.data === 'FAIL') {
+            resolve();
+          }
+        });
+      })
+    ]);
+    document.title = 'PASSED';
+  } catch (e) {
+    document.title = 'FAILED';
+  }
+})();

chrome/test/data/extensions/api_test/content_scripts/coep_frame/iframe.html

+<!doctype html>
+<html>
+<script src="script.js"></script>
+</html>
\ No newline at end of file

chrome/test/data/extensions/api_test/content_scripts/coep_frame/manifest.json

+{
+  "name": "Load an iframe from content script",
+  "version": "0.1",
+  "manifest_version": 2,
+  "description": "Web accessible resource can be loaded as an iframe in a COEP frame.",
+  "permissions": ["https://*/*"],
+  "content_scripts": [
+    {
+      "matches": ["https://*/hello.html"],
+      "js": ["content-script.js"]
+    }
+  ],
+  "web_accessible_resources": [
+    "iframe.html",
+    "script.js"
+  ]
+}

chrome/test/data/extensions/api_test/content_scripts/coep_frame/script.js

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const params = new URLSearchParams(location.search);
+
+fetch(params.get('href'), {mode: 'no-cors'}).then(() => {
+  parent.postMessage('SUCCESS', '*');
+}, () => {
+  parent.postMessage('FAIL', '*');
+});
\ No newline at end of file

content/browser/frame_host/navigation_request.cc

@@ -2003,7 +2003,10 @@ void NavigationRequest::OnResponseStarted(
       // Some special URLs not loaded using the network are inheriting the
       // Cross-Origin-Embedder-Policy header from their parent.
       const bool has_allowed_scheme =
-          url.SchemeIsBlob() || url.SchemeIs(url::kDataScheme);
+          url.SchemeIsBlob() || url.SchemeIs(url::kDataScheme) ||
+          GetContentClient()
+              ->browser()
+              ->ShouldInheritCrossOriginEmbedderPolicyImplicitly(url);
       if (parent_coep.value == kRequireCorp && has_allowed_scheme) {
         cross_origin_embedder_policy.value = kRequireCorp;
       }

content/public/browser/content_browser_client.cc

@@ -1098,4 +1098,9 @@ bool ContentBrowserClient::IsOriginTrialRequiredForAppCache(
 void ContentBrowserClient::BindBrowserControlInterface(
     mojo::GenericPendingReceiver receiver) {}
 
+bool ContentBrowserClient::ShouldInheritCrossOriginEmbedderPolicyImplicitly(
+    const GURL& url) {
+  return false;
+}
+
 }  // namespace content

content/public/browser/content_browser_client.h

@@ -1848,6 +1848,11 @@ class CONTENT_EXPORT ContentBrowserClient {
   // request received from an external client is passed to this method.
   virtual void BindBrowserControlInterface(
       mojo::GenericPendingReceiver receiver);
+
+  // Returns true when a context (e.g., iframe) whose URL is |url| should
+  // inherit the parent COEP value implicitly, similar to "blob:"
+  virtual bool ShouldInheritCrossOriginEmbedderPolicyImplicitly(
+      const GURL& url);
 };
 
 }  // namespace content

extensions/browser/extension_protocols.cc

@@ -641,6 +641,8 @@ scoped_refptr<net::HttpResponseHeaders> BuildHttpHeaders(
   if (send_cors_header) {
     raw_headers.append(1, '\0');
     raw_headers.append("Access-Control-Allow-Origin: *");
+    raw_headers.append(1, '\0');
+    raw_headers.append("Cross-Origin-Resource-Policy: cross-origin");
   }
 
   if (!last_modified_time.is_null()) {