Don't Bind CSP of all non-attached Documents

This is necessary for HTML imports, but other cases appear to break. Add a special-case in HTMLImportLoader Bug: 1090440 Change-Id: I85f8e8f9c3846e3e616efd983b4c037ca741122f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2229152 Commit-Queue: Nate Chapin <japhet@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#775271}

Don't Bind CSP of all non-attached Documents
This is necessary for HTML imports, but other cases appear to break. Add a special-case in HTMLImportLoader Bug: 1090440 Change-Id: I85f8e8f9c3846e3e616efd983b4c037ca741122f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2229152 Commit-Queue: Nate Chapin <japhet@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#775271}
4f3c3cf4 · Nate Chapin · Commit Bot · 64445726 · 4f3c3cf4 · 4f3c3cf4
Commit 4f3c3cf4 authored Jun 04, 2020 by Nate Chapin Committed by Commit Bot Jun 04, 2020
4 changed files
--- a/third_party/blink/renderer/core/dom/document.cc
+++ b/third_party/blink/renderer/core/dom/document.cc
@@ -857,12 +857,6 @@ Document::Document(const DocumentInit& initializer,
  PoliciesInitialized(initializer);
  InitDNSPrefetch();

-  // Documents associated with a dom_window_ need to BindContentSecurityPolicy()
-  // later, because they depend on state that isn't fully initialized until this
-  // constructor exits.
-  if (!dom_window_ && GetExecutionContext())
-    BindContentSecurityPolicy();
-
  InstanceCounters::IncrementCounter(InstanceCounters::kDocumentCounter);

  lifecycle_.AdvanceTo(DocumentLifecycle::kInactive);

--- a/third_party/blink/renderer/core/html/imports/html_import_loader.cc
+++ b/third_party/blink/renderer/core/html/imports/html_import_loader.cc
@@ -103,6 +103,9 @@ HTMLImportLoader::State HTMLImportLoader::StartWritingAndParsing(
          .WithExecutionContext(master->GetExecutionContext())
          .WithRegistrationContext(master->RegistrationContext())
          .WithURL(response.CurrentRequestUrl()));
+  // imports expect to be able to log CSP errors, which requires binding the CSP
+  // to a CSP delegate.
+  document_->BindContentSecurityPolicy();
  document_->OpenForNavigation(
      RuntimeEnabledFeatures::ForceSynchronousHTMLParsingEnabled()
          ? kAllowDeferredParsing

--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/DOMParser-parseFromString-does-not-clobber-csp-expected.txt
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/DOMParser-parseFromString-does-not-clobber-csp-expected.txt
+ALERT: PASS
+
--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/DOMParser-parseFromString-does-not-clobber-csp.html
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/DOMParser-parseFromString-does-not-clobber-csp.html
+<body>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+
+const doc = new DOMParser().parseFromString(`
+    <meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+    <body>></body>"`, "text/html");
+var i = document.createElement('iframe');
+i.src = "resources/alert-pass.html";
+document.body.appendChild(i);
+</script>
+</body>