CSP: Replace blink::StringListDirective with mojo type

In the Blink Content Security Policy code, we switch from using the
internal Blink type blink::StringListDirective to using the mojo type
network::mojom::blink::CSPTrustedTypes for parsing the directive
'trusted-types'.

This is part of a project to harmonize the CSP code in Blink and in
services/network, and will make it easier to synchronize Content
Security Policies between the two.

Bug: 1021462,1149272
Change-Id: I5b70a681e817a291c6552cdcdabbccefbb30af6c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2574279Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/master@{#839077}

third_party/blink/renderer/core/BUILD.gn

@@ -1251,7 +1251,7 @@ source_set("unit_tests") {
     "frame/csp/csp_source_test.cc",
     "frame/csp/require_trusted_types_for_directive_test.cc",
     "frame/csp/source_list_directive_test.cc",
-    "frame/csp/string_list_directive_test.cc",
+    "frame/csp/trusted_types_directive_test.cc",
     "frame/deprecation_report_body_test.cc",
     "frame/document_loading_rendering_test.cc",
     "frame/document_policy_violation_report_body_test.cc",

third_party/blink/renderer/core/frame/build.gni

@@ -13,7 +13,6 @@ blink_core_sources_frame = [
   "coop_access_violation_report_body.h",
   "csp/content_security_policy.cc",
   "csp/content_security_policy.h",
-  "csp/csp_directive.h",
   "csp/csp_directive_list.cc",
   "csp/csp_directive_list.h",
   "csp/csp_source.cc",
@@ -30,8 +29,8 @@ blink_core_sources_frame = [
   "csp/require_trusted_types_for_directive.h",
   "csp/source_list_directive.cc",
   "csp/source_list_directive.h",
-  "csp/string_list_directive.cc",
-  "csp/string_list_directive.h",
+  "csp/trusted_types_directive.cc",
+  "csp/trusted_types_directive.h",
   "dactyloscoper.cc",
   "dactyloscoper.h",
   "deprecated_schedule_style_recalc_during_layout.cc",

third_party/blink/renderer/core/frame/csp/csp_directive.h

-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_H_
-#define THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_H_
-
-#include "base/macros.h"
-#include "third_party/blink/renderer/core/core_export.h"
-#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
-#include "third_party/blink/renderer/platform/heap/handle.h"
-#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
-
-namespace blink {
-
-class CORE_EXPORT CSPDirective : public GarbageCollected<CSPDirective> {
- public:
-  CSPDirective(const String& name,
-               const String& value,
-               ContentSecurityPolicy* policy)
-      : name_(name), text_(name + ' ' + value), policy_(policy) {}
-  virtual ~CSPDirective() = default;
-  virtual void Trace(Visitor* visitor) const { visitor->Trace(policy_); }
-
-  const String& GetName() const { return name_; }
-  const String& GetText() const { return text_; }
-
- protected:
-  ContentSecurityPolicy* Policy() const { return policy_; }
-
- private:
-  String name_;
-  String text_;
-  Member<ContentSecurityPolicy> policy_;
-
-  DISALLOW_COPY_AND_ASSIGN(CSPDirective);
-};
-
-}  // namespace blink
-
-#endif  // THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_H_

third_party/blink/renderer/core/frame/csp/csp_directive_list.cc

@@ -802,18 +802,20 @@ bool CSPDirectiveList::AllowTrustedTypePolicy(
     ContentSecurityPolicy::AllowTrustedTypePolicyDetails& violation_details)
     const {
   if (!trusted_types_ ||
-      trusted_types_->Allows(policy_name, is_duplicate, violation_details)) {
+      CSPTrustedTypesAllows(*trusted_types_, policy_name, is_duplicate,
+                            violation_details)) {
     return true;
   }
 
+  String raw_directive = GetRawDirectiveForMessage(
+      raw_directives_, network::mojom::blink::CSPDirectiveName::TrustedTypes);
   ReportViolation(
       "trusted-types", CSPDirectiveName::TrustedTypes,
       String::Format(
           "Refused to create a TrustedTypePolicy named '%s' because "
           "it violates the following Content Security Policy directive: "
           "\"%s\".",
-          policy_name.Utf8().c_str(),
-          trusted_types_.Get()->GetText().Utf8().c_str()),
+          policy_name.Utf8().c_str(), raw_directive.Utf8().c_str()),
       KURL(), RedirectStatus::kNoRedirect,
       ContentSecurityPolicy::kTrustedTypesPolicyViolation, policy_name);
 
@@ -1134,16 +1136,6 @@ void CSPDirectiveList::ApplyTreatAsPublicAddress() {
   // browser process.
 }
 
-void CSPDirectiveList::AddTrustedTypes(const String& name,
-                                       const String& value) {
-  if (trusted_types_) {
-    policy_->ReportDuplicateDirective(name);
-    return;
-  }
-  trusted_types_ =
-      MakeGarbageCollected<StringListDirective>(name, value, policy_);
-}
-
 void CSPDirectiveList::EnforceStrictMixedContentChecking(const String& name,
                                                          const String& value) {
   if (strict_mixed_content_checking_enforced_) {
@@ -1302,7 +1294,7 @@ void CSPDirectiveList::AddDirective(const String& name, const String& value) {
       ApplyTreatAsPublicAddress();
       return;
     case CSPDirectiveName::TrustedTypes:
-      AddTrustedTypes(name, value);
+      trusted_types_ = CSPTrustedTypesParse(value, policy_);
       return;
     case CSPDirectiveName::UpgradeInsecureRequests:
       EnableInsecureRequestsUpgrade(name, value);
@@ -1521,7 +1513,6 @@ bool CSPDirectiveList::IsScriptRestrictionReasonable() const {
 
 void CSPDirectiveList::Trace(Visitor* visitor) const {
   visitor->Trace(policy_);
-  visitor->Trace(trusted_types_);
 }
 
 }  // namespace blink

third_party/blink/renderer/core/frame/csp/csp_directive_list.h

@@ -10,7 +10,7 @@
 #include "third_party/blink/renderer/core/frame/csp/media_list_directive.h"
 #include "third_party/blink/renderer/core/frame/csp/require_trusted_types_for_directive.h"
 #include "third_party/blink/renderer/core/frame/csp/source_list_directive.h"
-#include "third_party/blink/renderer/core/frame/csp/string_list_directive.h"
+#include "third_party/blink/renderer/core/frame/csp/trusted_types_directive.h"
 #include "third_party/blink/renderer/platform/heap/handle.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_request.h"
 #include "third_party/blink/renderer/platform/network/content_security_policy_parsers.h"
@@ -168,7 +168,7 @@ class CORE_EXPORT CSPDirectiveList final
   bool RequiresTrustedTypes() const;
 
   bool TrustedTypesAllowDuplicates() const {
-    return trusted_types_ && trusted_types_->IsAllowDuplicates();
+    return trusted_types_ && trusted_types_->allow_duplicates;
   }
 
   void Trace(Visitor*) const;
@@ -191,7 +191,6 @@ class CORE_EXPORT CSPDirectiveList final
   void EnforceStrictMixedContentChecking(const String& name,
                                          const String& value);
   void EnableInsecureRequestsUpgrade(const String& name, const String& value);
-  void AddTrustedTypes(const String& name, const String& value);
 
   CSPDirectiveName FallbackDirective(CSPDirectiveName current_directive,
                                      CSPDirectiveName original_directive) const;
@@ -321,7 +320,7 @@ class CORE_EXPORT CSPDirectiveList final
   network::mojom::blink::CSPSourceListPtr style_src_elem_;
   network::mojom::blink::CSPSourceListPtr worker_src_;
   network::mojom::blink::CSPSourceListPtr navigate_to_;
-  Member<StringListDirective> trusted_types_;
+  network::mojom::blink::CSPTrustedTypesPtr trusted_types_;
   network::mojom::blink::CSPRequireTrustedTypesFor require_trusted_types_for_;
 
   // If a "report-to" directive is used:

third_party/blink/renderer/core/frame/csp/string_list_directive.h

-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_STRING_LIST_DIRECTIVE_H_
-#define THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_STRING_LIST_DIRECTIVE_H_
-
-#include "base/macros.h"
-#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
-#include "third_party/blink/renderer/core/frame/csp/csp_directive.h"
-#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
-
-namespace blink {
-
-class ContentSecurityPolicy;
-
-class CORE_EXPORT StringListDirective final : public CSPDirective {
- public:
-  StringListDirective(const String& name,
-                      const String& value,
-                      ContentSecurityPolicy*);
-  void Trace(Visitor*) const override;
-  bool Allows(
-      const String& string_piece,
-      bool is_duplicate,
-      ContentSecurityPolicy::AllowTrustedTypePolicyDetails& violation_details);
-  bool IsAllowDuplicates() const { return allow_duplicates_; }
-
- private:
-  // Determine whether a given string is a valid policy name or a special token
-  // ("*" or "'allow-duplicates'"). In the token case, set the appropriate flags
-  // as a side effect.
-  bool AllowOrProcessValue(const String& src);
-
-  static bool IsPolicyName(const String& name);
-  static bool IsNotPolicyNameChar(UChar c);
-
-  Vector<String> list_;
-  bool allow_any_;
-  bool allow_duplicates_;
-};
-
-}  // namespace blink
-
-#endif  // THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_STRING_LIST_DIRECTIVE_H_

third_party/blink/renderer/core/frame/csp/string_list_directive.cc → third_party/blink/renderer/core/frame/csp/trusted_types_directive.cc

@@ -2,42 +2,17 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "third_party/blink/renderer/core/frame/csp/string_list_directive.h"
+#include "third_party/blink/renderer/core/frame/csp/trusted_types_directive.h"
 
-#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 #include "third_party/blink/renderer/platform/network/content_security_policy_parsers.h"
 #include "third_party/blink/renderer/platform/wtf/text/parsing_utilities.h"
 #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
 
 namespace blink {
 
-StringListDirective::StringListDirective(const String& name,
-                                         const String& value,
-                                         ContentSecurityPolicy* policy)
-    : CSPDirective(name, value, policy),
-      allow_any_(false),
-      allow_duplicates_(false) {
-  // Turn whitespace-y characters into ' ' and then split on ' ' into list_.
-  value.SimplifyWhiteSpace().Split(' ', false, list_);
-
-  auto drop_fn = [this](const String& value) -> bool {
-    return !AllowOrProcessValue(value);
-  };
-
-  // There appears to be no wtf::Vector equivalent to STLs erase(from, to)
-  // method, so we can't do the canonical .erase(remove_if(..), end) and have
-  // to emulate this:
-  list_.Shrink(std::remove_if(list_.begin(), list_.end(), drop_fn) -
-               list_.begin());
-}
-
-bool StringListDirective::IsPolicyName(const String& name) {
-  // This implements tt-policy-name from
-  // https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive/
-  return name.Find(&IsNotPolicyNameChar) == kNotFound;
-}
+namespace {
 
-bool StringListDirective::IsNotPolicyNameChar(UChar c) {
+bool IsNotPolicyNameChar(UChar c) {
   // This implements the negation of one char of tt-policy-name from
   // https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive/
   bool is_name_char = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
@@ -47,31 +22,58 @@ bool StringListDirective::IsNotPolicyNameChar(UChar c) {
   return !is_name_char;
 }
 
-bool StringListDirective::AllowOrProcessValue(const String& src) {
-  DCHECK_EQ(src, src.StripWhiteSpace());
-  // Handle keywords and special tokens first:
-  if (src == "'allow-duplicates'") {
-    allow_duplicates_ = true;
-    return false;
-  }
-  if (src == "*") {
-    allow_any_ = true;
-    return false;
-  }
-  if (src == "'none'") {
-    if (list_.size() > 1) {
-      Policy()->ReportInvalidSourceExpression(GetName(), src);
+bool IsPolicyName(const String& name) {
+  // This implements tt-policy-name from
+  // https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive/
+  return name.Find(&IsNotPolicyNameChar) == kNotFound;
+}
+
+}  // namespace
+
+network::mojom::blink::CSPTrustedTypesPtr CSPTrustedTypesParse(
+    const String& value,
+    ContentSecurityPolicy* policy) {
+  auto result = network::mojom::blink::CSPTrustedTypes::New();
+
+  // Turn whitespace-y characters into ' ' and then split on ' ' into list_.
+  value.SimplifyWhiteSpace().Split(' ', false, result->list);
+
+  auto drop_fn = [policy, &result](const String& src) -> bool {
+    DCHECK_EQ(src, src.StripWhiteSpace());
+    // Handle keywords and special tokens first:
+    if (src == "'allow-duplicates'") {
+      result->allow_duplicates = true;
+      return true;
     }
-    return false;
-  }
-  return IsPolicyName(src);
+    if (src == "*") {
+      result->allow_any = true;
+      return true;
+    }
+    if (src == "'none'") {
+      if (result->list.size() > 1) {
+        policy->ReportInvalidSourceExpression("trusted-types", src);
+      }
+      return true;
+    }
+    return !IsPolicyName(src);
+  };
+
+  // There appears to be no wtf::Vector equivalent to STLs erase(from, to)
+  // method, so we can't do the canonical .erase(remove_if(..), end) and have
+  // to emulate this:
+  result->list.Shrink(
+      std::remove_if(result->list.begin(), result->list.end(), drop_fn) -
+      result->list.begin());
+
+  return result;
 }
 
-bool StringListDirective::Allows(
+bool CSPTrustedTypesAllows(
+    const network::mojom::blink::CSPTrustedTypes& trusted_types,
     const String& value,
     bool is_duplicate,
     ContentSecurityPolicy::AllowTrustedTypePolicyDetails& violation_details) {
-  if (is_duplicate && !allow_duplicates_) {
+  if (is_duplicate && !trusted_types.allow_duplicates) {
     violation_details = ContentSecurityPolicy::AllowTrustedTypePolicyDetails::
         kDisallowedDuplicateName;
   } else if (is_duplicate && value == "default") {
@@ -80,7 +82,7 @@ bool StringListDirective::Allows(
   } else if (!IsPolicyName(value)) {
     violation_details =
         ContentSecurityPolicy::AllowTrustedTypePolicyDetails::kDisallowedName;
-  } else if (!(allow_any_ || list_.Contains(value))) {
+  } else if (!(trusted_types.allow_any || trusted_types.list.Contains(value))) {
     violation_details =
         ContentSecurityPolicy::AllowTrustedTypePolicyDetails::kDisallowedName;
   } else {
@@ -91,8 +93,4 @@ bool StringListDirective::Allows(
          ContentSecurityPolicy::AllowTrustedTypePolicyDetails::kAllowed;
 }
 
-void StringListDirective::Trace(Visitor* visitor) const {
-  CSPDirective::Trace(visitor);
-}
-
 }  // namespace blink

third_party/blink/renderer/core/frame/csp/trusted_types_directive.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_TRUSTED_TYPES_DIRECTIVE_H_
+#define THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_TRUSTED_TYPES_DIRECTIVE_H_
+
+#include "third_party/blink/renderer/core/core_export.h"
+#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
+#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+
+namespace blink {
+
+CORE_EXPORT
+network::mojom::blink::CSPTrustedTypesPtr CSPTrustedTypesParse(
+    const String& value,
+    ContentSecurityPolicy* policy);
+
+CORE_EXPORT
+bool CSPTrustedTypesAllows(
+    const network::mojom::blink::CSPTrustedTypes& trusted_types,
+    const String& string_piece,
+    bool is_duplicate,
+    ContentSecurityPolicy::AllowTrustedTypePolicyDetails& violation_details);
+
+}  // namespace blink
+
+#endif  // THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_TRUSTED_TYPES_DIRECTIVE_H_

third_party/blink/renderer/core/frame/csp/string_list_directive_test.cc → third_party/blink/renderer/core/frame/csp/trusted_types_directive_test.cc

@@ -2,24 +2,23 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "third_party/blink/renderer/core/frame/csp/string_list_directive.h"
+#include "third_party/blink/renderer/core/frame/csp/trusted_types_directive.h"
 
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
-#include "third_party/blink/renderer/core/frame/csp/csp_directive_list.h"
 
 namespace blink {
 
-class StringListDirectiveTest : public testing::Test {
+class TrustedTypesDirectiveTest : public testing::Test {
  public:
-  StringListDirectiveTest()
+  TrustedTypesDirectiveTest()
       : csp_(MakeGarbageCollected<ContentSecurityPolicy>()) {}
 
  protected:
   Persistent<ContentSecurityPolicy> csp_;
 };
 
-TEST_F(StringListDirectiveTest, TestAllowLists) {
+TEST_F(TrustedTypesDirectiveTest, TestAllowLists) {
   struct {
     const char* directive;
     const char* should_be_allowed;
@@ -44,8 +43,8 @@ TEST_F(StringListDirectiveTest, TestAllowLists) {
   ContentSecurityPolicy::AllowTrustedTypePolicyDetails violation_details;
 
   for (const auto& test_case : test_cases) {
-    StringListDirective directive("trusted-types", test_case.directive,
-                                  csp_.Get());
+    network::mojom::blink::CSPTrustedTypesPtr directive =
+        CSPTrustedTypesParse(test_case.directive, csp_.Get());
 
     Vector<String> allowed;
     String(test_case.should_be_allowed).Split(' ', allowed);
@@ -53,11 +52,13 @@ TEST_F(StringListDirectiveTest, TestAllowLists) {
       SCOPED_TRACE(testing::Message()
                    << " trusted-types " << test_case.directive
                    << "; allow: " << value);
-      EXPECT_TRUE(directive.Allows(value, false, violation_details));
+      EXPECT_TRUE(
+          CSPTrustedTypesAllows(*directive, value, false, violation_details));
       EXPECT_EQ(violation_details,
                 ContentSecurityPolicy::AllowTrustedTypePolicyDetails::kAllowed);
-      EXPECT_EQ(directive.Allows(value, true, violation_details),
-                test_case.allow_dupes);
+      EXPECT_EQ(
+          CSPTrustedTypesAllows(*directive, value, true, violation_details),
+          test_case.allow_dupes);
       if (test_case.allow_dupes) {
         EXPECT_EQ(
             violation_details,
@@ -75,11 +76,13 @@ TEST_F(StringListDirectiveTest, TestAllowLists) {
       SCOPED_TRACE(testing::Message()
                    << " trusted-types " << test_case.directive
                    << "; do not allow: " << value);
-      EXPECT_FALSE(directive.Allows(value, false, violation_details));
+      EXPECT_FALSE(
+          CSPTrustedTypesAllows(*directive, value, false, violation_details));
       EXPECT_EQ(violation_details,
                 ContentSecurityPolicy::AllowTrustedTypePolicyDetails::
                     kDisallowedName);
-      EXPECT_FALSE(directive.Allows(value, true, violation_details));
+      EXPECT_FALSE(
+          CSPTrustedTypesAllows(*directive, value, true, violation_details));
       if (!test_case.allow_dupes || value == "default") {
         EXPECT_EQ(violation_details,
                   ContentSecurityPolicy::AllowTrustedTypePolicyDetails::