[issues] Add reporting of source location of url violations to CSP issues.

Change-Id: I561d5893976fac92acf02329bf13b7422a9a2e91
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2279211
Commit-Queue: Kateryna Prokopenko <kprokopenko@google.com>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#788652}

third_party/blink/public/devtools_protocol/browser_protocol.pdl

@@ -605,6 +605,12 @@ experimental domain Audits
       kTrustedTypesSinkViolation
       kTrustedTypesPolicyViolation
 
+  type SourceCodeLocation extends object
+    properties
+      string url
+      integer lineNumber
+      integer columnNumber
+
   type ContentSecurityPolicyIssueDetails extends object
     properties
       # The url not included in allowed sources.
@@ -613,6 +619,7 @@ experimental domain Audits
       string violatedDirective
       ContentSecurityPolicyViolationType contentSecurityPolicyViolationType
       optional AffectedFrame frameAncestor
+      optional SourceCodeLocation sourceCodeLocation
 
   # A unique identifier for the type of issue. Each type may use one of the
   # optional fields in InspectorIssueDetails to convey more specific

third_party/blink/public/mojom/devtools/inspector_issue.mojom

@@ -79,6 +79,13 @@ struct ContentSecurityPolicyIssueDetails {
   string violated_directive;
   ContentSecurityPolicyViolationType content_security_policy_violation_type;
   AffectedFrame? frame_ancestor;
+  SourceCodeLocation? source_code_location;
+};
+
+struct SourceCodeLocation {
+  string url;
+  uint32 line_number;
+  uint32 column_number;
 };
 
 enum SameSiteCookieOperation {

third_party/blink/renderer/core/frame/csp/content_security_policy.cc

@@ -1147,7 +1147,7 @@ void ContentSecurityPolicy::ReportViolation(
   if (delegate_)
     delegate_->DispatchViolationEvent(*violation_data, element);
 
-  ReportContentSecurityPolicyIssue(blocked_url, directive_text, violation_type,
+  ReportContentSecurityPolicyIssue(*violation_data, violation_type,
                                    context_frame);
 }
 
@@ -1423,13 +1423,15 @@ ContentSecurityPolicy::BuildCSPViolationType(
 }
 
 void ContentSecurityPolicy::ReportContentSecurityPolicyIssue(
-    const KURL& blocked_url,
-    String violated_directive,
+    const blink::SecurityPolicyViolationEventInit& violation_data,
     ContentSecurityPolicyViolationType violation_type,
     LocalFrame* frame_ancestor) {
   auto cspDetails = mojom::blink::ContentSecurityPolicyIssueDetails::New();
-  cspDetails->blocked_url = blocked_url;
-  cspDetails->violated_directive = violated_directive;
+  if (violation_type == ContentSecurityPolicyViolationType::kURLViolation ||
+      violation_data.violatedDirective() == "frame-ancestors") {
+    cspDetails->blocked_url = KURL(violation_data.blockedURI());
+  }
+  cspDetails->violated_directive = violation_data.violatedDirective();
   cspDetails->content_security_policy_violation_type =
       BuildCSPViolationType(violation_type);
   if (frame_ancestor) {
@@ -1438,6 +1440,14 @@ void ContentSecurityPolicy::ReportContentSecurityPolicyIssue(
         frame_ancestor->GetDevToolsFrameToken().ToString().c_str();
     cspDetails->frame_ancestor = std::move(affected_frame);
   }
+  if (violation_data.sourceFile() && violation_data.lineNumber()) {
+    auto source_code_location = mojom::blink::SourceCodeLocation::New();
+    source_code_location->url = violation_data.sourceFile();
+    // The frontend expects 0-based line numbers.
+    source_code_location->line_number = violation_data.lineNumber() - 1;
+    source_code_location->column_number = violation_data.columnNumber();
+    cspDetails->source_code_location = std::move(source_code_location);
+  }
 
   auto details = mojom::blink::InspectorIssueDetails::New();
   details->csp_issue_details = std::move(cspDetails);

third_party/blink/renderer/core/frame/csp/content_security_policy.h

@@ -576,8 +576,7 @@ class CORE_EXPORT ContentSecurityPolicy final
       ContentSecurityPolicy::ContentSecurityPolicyViolationType violation_type);
 
   void ReportContentSecurityPolicyIssue(
-      const KURL&,
-      String violated_directive,
+      const blink::SecurityPolicyViolationEventInit& violation_data,
       ContentSecurityPolicyViolationType violation_type,
       LocalFrame* = nullptr);
 

third_party/blink/renderer/core/inspector/inspector_audits_agent.cc

@@ -491,6 +491,15 @@ void InspectorAuditsAgent::InspectorIssueAdded(InspectorIssue* issue) {
     }
     if (d->frame_ancestor)
       cspDetails.setFrameAncestor(BuildAffectedFrame(d->frame_ancestor));
+    if (d->source_code_location) {
+      auto source_location =
+          protocol::Audits::SourceCodeLocation::create()
+              .setUrl(d->source_code_location->url)
+              .setColumnNumber(d->source_code_location->column_number)
+              .setLineNumber(d->source_code_location->line_number)
+              .build();
+      cspDetails.setSourceCodeLocation(std::move(source_location));
+    }
     issueDetails.setContentSecurityPolicyIssueDetails(cspDetails.build());
   }
 

third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-creation-img-expected.txt

@@ -7,7 +7,7 @@ Inspector issue: {
             contentSecurityPolicyIssueDetails : {
                 blockedURL : https://thirdparty.test/network/resources/to-be-blocked.jpg
                 contentSecurityPolicyViolationType : kURLViolation
-                violatedDirective : img-src 'self'
+                violatedDirective : img-src
             }
         }
     }

third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-src-location-added-expected.txt

+Verifies that CSP issue contains source location.
+
+Inspector issue: {
+    issue : {
+        code : ContentSecurityPolicyIssue
+        details : {
+            contentSecurityPolicyIssueDetails : {
+                blockedURL : https://devtools.test:8443/inspector-protocol/resources/style.css
+                contentSecurityPolicyViolationType : kURLViolation
+                sourceCodeLocation : {
+                    columnNumber : 0
+                    lineNumber : 3
+                    url : https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-with-src-location.html
+                }
+                violatedDirective : style-src-elem
+            }
+        }
+    }
+}
+

third_party/blink/web_tests/http/tests/inspector-protocol/issues/content-security-policy-issue-src-location-added.js

+(async function(testRunner) {
+    const {page, session, dp} = await testRunner.startBlank(
+      `Verifies that CSP issue contains source location.\n`);
+
+    await dp.Network.enable();
+    await dp.Audits.enable();
+    page.navigate('https://devtools.test:8443/inspector-protocol/resources/content-security-policy-issue-with-src-location.html');
+    const issue = await dp.Audits.onceIssueAdded();
+
+    testRunner.log(issue.params, "Inspector issue: ");
+    testRunner.completeTest();
+  })
\ No newline at end of file

third_party/blink/web_tests/http/tests/inspector-protocol/resources/content-security-policy-issue-with-src-location.html

+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="style-src 'https://thirdparty.test/network/resources/';">
+
+<link rel="stylesheet" type="text/css" href="style.css">
+
+<html>
+    <body>
+    </body>
+</html>
\ No newline at end of file