[Trusted Types] Block eval if the policy rejects a source.

Bug: 993372, 992424 Change-Id: I23bd70836fd70ef1fa98de797f04b4a7f7d1546e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1782851 Commit-Queue: Stefano Sanfilippo <ssanfilippo@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#693162}

[Trusted Types] Block eval if the policy rejects a source.
Bug: 993372, 992424 Change-Id: I23bd70836fd70ef1fa98de797f04b4a7f7d1546e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1782851 Commit-Queue: Stefano Sanfilippo <ssanfilippo@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#693162}
6a6e2d09 · Stefano Sanfilippo · Commit Bot · 3a98755d · 6a6e2d09 · 6a6e2d09
Commit 6a6e2d09 authored Sep 04, 2019 by Stefano Sanfilippo Committed by Commit Bot Sep 04, 2019
10 changed files
--- a/third_party/blink/renderer/bindings/core/v8/v8_initializer.cc
+++ b/third_party/blink/renderer/bindings/core/v8/v8_initializer.cc
@@ -405,27 +405,33 @@ static v8::MaybeLocal<v8::String> TrustedTypesCodeGenerationCheck(
 static v8::MaybeLocal<v8::String> CodeGenerationCheckCallbackInMainThread(
    v8::Local<v8::Context> context,
    v8::Local<v8::Value> source) {
-  bool allowed_by_csp =
-      source->IsString() && ContentSecurityPolicyCodeGenerationCheck(
-                                context, source.As<v8::String>());
  // Without trusted types, we decide based on CSP.
  if (!RequireTrustedTypesCheck(ToExecutionContext(context))) {
-    if (allowed_by_csp)
-      return source.As<v8::String>();
-    return v8::MaybeLocal<v8::String>();
+    bool allowed_by_csp =
+        source->IsString() && ContentSecurityPolicyCodeGenerationCheck(
+                                  context, source.As<v8::String>());
+    return allowed_by_csp ? source.As<v8::String>()
+                          : v8::MaybeLocal<v8::String>();
  }

-  // With Trusted Types, we pass when either CSP or TT allow the value.
+  // With Trusted Types, we pass when both CSP and TT allow the value.
  // We will always run the TT check because of reporting, and because a
  // default policy might want to modify the string.
-  v8::MaybeLocal<v8::String> trusted_types_string =
-      TrustedTypesCodeGenerationCheck(context, source);
-  if (allowed_by_csp || !trusted_types_string.IsEmpty()) {
-    if (trusted_types_string.IsEmpty()) {
-      return source.As<v8::String>();
-    }
+  v8::Local<v8::String> trusted_types_string;
+  if (TrustedTypesCodeGenerationCheck(context, source)
+          .ToLocal(&trusted_types_string) &&
+      ContentSecurityPolicyCodeGenerationCheck(context, trusted_types_string)) {
    return trusted_types_string;
  }
+
+  // TODO(ssanfilippo) returning an empty local covers two different messages:
+  //
+  //  * The source was not a string or TrustedScript.
+  //  * TT or CSP has rejected this source.
+  //
+  // We need to patch the V8 callback to differentiate these two. For now,
+  // rejected TSs are passed through. CSP reports are still sent as side-effect.
+  // See crbug.com/992424.
  return v8::MaybeLocal<v8::String>();
 }


--- a/third_party/blink/web_tests/TestExpectations
+++ b/third_party/blink/web_tests/TestExpectations
@@ -6534,3 +6534,6 @@ crbug.com/1000336 [ Linux ] http/tests/devtools/a11y-axe-core/sources/source-nav
 crbug.com/1000336 [ Linux ] http/tests/devtools/a11y-axe-core/sources/source-navigator-network-a11y-test.js [ Pass Failure ]
 crbug.com/1000336 [ Linux ] http/tests/devtools/a11y-axe-core/sources/sources-editor-pane-a11y-test.js [ Pass Failure ]
 crbug.com/1000396 [ Win ] virtual/audio-service/media/video-remove-insert-repaints.html [ Pass Failure ]
+
+# Partial fix to avoid a regression on eval(string) with Trusted Types enabled in Chrome 77.
+crbug.com/992424 external/wpt/trusted-types/block-eval.tentative.html [ Failure ]
--- a/third_party/blink/web_tests/external/wpt/trusted-types/block-eval.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/block-eval.tentative.html
@@ -12,19 +12,19 @@
 <script nonce="abc">
  let p = createScript_policy(window, 1);
  test(t => {
+    let a = 0;
    assert_throws(new EvalError(), _ => {
-      eval('"hello there"') });
-  }, "eval with plain string throws.");
+      eval('a="hello there"')
+    });
+    assert_equals(a, 0);
+  }, "eval with plain string throws (both block).");

  test(t => {
-    let s = eval(p.createScript('"Hello transformed string"'));
-    assert_equals(s, "Hello a cat string");
-  }, "eval with TrustedScript works.");
-
-  TrustedTypes.createPolicy("default", { createScript: createScriptJS }, true);
-  test(t => {
-    let s = eval('"Hello transformed untrusted string"');
-    assert_equals(s, "Hello a cat untrusted string");
-  }, "eval obeys default policy.");
+    let a = 0;
+    assert_throws(new EvalError(), _ => {
+      eval(p.createScript('a="Hello transformed string"'));
+    });
+    assert_equals(a, 0);
+  }, "eval with TrustedScript throws (script-src blocks).");
 </script>

--- a/third_party/blink/web_tests/external/wpt/trusted-types/eval-with-permissive-csp.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/eval-with-permissive-csp.tentative.html
@@ -13,9 +13,12 @@
 <script nonce="abc">
  let p = createScript_policy(window, 1);
  test(t => {
-    let s = eval('"hello there"');
-    assert_equals(s, "hello there");
-  }, "eval with plain string with Trusted Types and permissive CSP works.");
+    let a = 0;
+    assert_throws(new EvalError(), _ => {
+      eval('a="hello there"');
+    });
+    assert_equals(a, 0);
+  }, "eval with plain string with Trusted Types and permissive CSP throws (no type).");

  test(t => {
    let s = eval(p.createScript('"Hello transformed string"'));

--- a/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
+<!DOCTYPE html>
+<head>
+  <script nonce="123" src="/resources/testharness.js"></script>
+  <script nonce="123"src="/resources/testharnessreport.js"></script>
+  <script nonce="123"src="/content-security-policy/support/testharness-helper.js"></script>
+</head>
+<body>
+  <script nonce="123">
+  // CSP insists the "trusted-types: ..." directives are deliverd as headers
+  // (rather than as "<meta http-equiv" tags). This test assumes the following
+  // headers are set in the .headers file:
+  //
+  //   Content-Security-Policy: trusted-types *
+  //   Content-Security-Policy: script-src 'unsafe-inline'; report-uri ...
+  //   Content-Security-Policy: plugin-types bla/blubb
+  //
+  // The last rule is there so we can provoke a CSP violation report at will.
+  // The intent is that in order to test that a violation has *not* been thrown
+  // (and without resorting to abominations like timeouts), we force a *another*
+  // CSP violation (by violating the img-src rule) and when that event is
+  // processed we can we sure that an earlier event - if it indeed occurred -
+  // must have already been processed.
+
+  // Return function that returns a promise that resolves on the given
+  // violation report.
+  // how_many - how many violation events are expected.
+  // filter_arg - iff function, call it with the event object.
+  //              Else, string-ify and compare against event.originalPolicy.
+  function promise_violation(filter_arg) {
+    return _ => new Promise((resolve, reject) => {
+      function handler(e) {
+        let matches = (filter_arg instanceof Function)
+            ? filter_arg(e)
+            : (e.originalPolicy.includes(filter_arg));
+        if (matches) {
+          document.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(e);
+        }
+      }
+      document.addEventListener("securitypolicyviolation", handler);
+    });
+  }
+
+  // Like assert_throws, but we don't care about the exact error. We just want
+  // to run the code and continue.
+  function expect_throws(fn) {
+    try { fn(); assert_unreached(); } catch (err) { /* ignore */ }
+  }
+
+  // A sample policy we use to test TrustedTypes.createPolicy behaviour.
+  const id = x => x;
+  const a_policy = {
+    createHTML: id,
+    createScriptURL: id,
+    createURL: id,
+    createScript: id,
+  };
+
+  const scriptyPolicy = TrustedTypes.createPolicy('allowEval', a_policy);
+
+  // Provoke/wait for a CSP violation, in order to be sure that all previous
+  // CSP violations have been delivered.
+  function promise_flush() {
+    return promise_violation("plugin-types bla/blubb");
+  }
+  function flush() {
+   expect_throws(_ => {
+      var o = document.createElement('object');
+      o.type = "application/x-shockwave-flash";
+      document.body.appendChild(o);
+    });
+  }
+
+  window.script_run_beacon = 'never_overwritten';
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("trusted-types *"))
+        .then(promise_flush());
+    expect_throws(_ => eval('script_run_beacon="should not run"'));
+    assert_equals(script_run_beacon, 'never_overwritten');
+    flush();
+    return p;
+  }, "Trusted Type violation report: evaluating a string violates both script-src and trusted-types.");
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("script-src"))
+        .then(promise_flush());
+    expect_throws(_ => eval('script_run_beacon="should not run"'));
+    // TODO(ssanfilippo) This should throw, but doesn't yet. See crbug.com/992424.
+    eval(scriptyPolicy.createScript('script_run_beacon="i ran"'));
+    flush();
+    assert_not_equals(script_run_beacon, 'i ran'); // Code did not run.
+    return p;
+  }, "Trusted Type violation report: evaluating a Trusted Script violates script-src.");
+
+  promise_test(t => {
+    TrustedTypes.createPolicy('default', {
+      createScript: s => s.replace('payload', 'default policy'),
+    }, true);
+    let p = Promise.resolve()
+        .then(promise_violation((e) =>
+           e.effectiveDirective.includes('script-src') &&
+           e.sample.includes("default policy")))
+        .then(promise_flush());
+    expect_throws(_ => eval('script_run_beacon="payload"')); // script-src will block.
+    assert_not_equals(script_run_beacon, 'default policy'); // Code did not run.
+    flush();
+    return p;
+  }, "Trusted Type violation report: script-src restrictions apply after the default policy runs.");
+
+  </script>
+</body>
--- a/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
+Content-Security-Policy: trusted-types *
+Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
+Content-Security-Policy: plugin-types bla/blubb
+
--- a/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
+<!DOCTYPE html>
+<head>
+  <script nonce="123" src="/resources/testharness.js"></script>
+  <script nonce="123"src="/resources/testharnessreport.js"></script>
+  <script nonce="123"src="/content-security-policy/support/testharness-helper.js"></script>
+</head>
+<body>
+  <script nonce="123">
+  // CSP insists the "trusted-types: ..." directives are deliverd as headers
+  // (rather than as "<meta http-equiv" tags). This test assumes the following
+  // headers are set in the .headers file:
+  //
+  //   Content-Security-Policy: trusted-types *
+  //   Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
+  //   Content-Security-Policy: plugin-types bla/blubb
+  //
+  // The last rule is there so we can provoke a CSP violation report at will.
+  // The intent is that in order to test that a violation has *not* been thrown
+  // (and without resorting to abominations like timeouts), we force a *another*
+  // CSP violation (by violating the img-src rule) and when that event is
+  // processed we can we sure that an earlier event - if it indeed occurred -
+  // must have already been processed.
+
+  // Return function that returns a promise that resolves on the given
+  // violation report.
+  //
+  // filter_arg - iff function, call it with the event object.
+  //              Else, string-ify and compare against event.originalPolicy.
+  function promise_violation(filter_arg) {
+    return _ => new Promise((resolve, reject) => {
+      function handler(e) {
+        let matches = (filter_arg instanceof Function)
+            ? filter_arg(e)
+            : (e.originalPolicy.includes(filter_arg));
+        if (matches) {
+          document.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(e);
+        }
+      }
+      document.addEventListener("securitypolicyviolation", handler);
+    });
+  }
+
+  // Like assert_throws, but we don't care about the exact error. We just want
+  // to run the code and continue.
+  function expect_throws(fn) {
+    try { fn(); assert_unreached(); } catch (err) { /* ignore */ }
+  }
+
+  // A sample policy we use to test TrustedTypes.createPolicy behaviour.
+  const id = x => x;
+  const a_policy = {
+    createHTML: id,
+    createScriptURL: id,
+    createURL: id,
+    createScript: id,
+  };
+
+  const scriptyPolicy = TrustedTypes.createPolicy('allowEval', a_policy);
+
+  // Provoke/wait for a CSP violation, in order to be sure that all previous
+  // CSP violations have been delivered.
+  function promise_flush() {
+    return promise_violation("plugin-types bla/blubb");
+  }
+  function flush() {
+   expect_throws(_ => {
+      var o = document.createElement('object');
+      o.type = "application/x-shockwave-flash";
+      document.body.appendChild(o);
+    });
+  }
+
+  window.script_run_beacon = 'vanilla';
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("trusted-types *"))
+        .then(promise_flush());
+    eval('script_run_beacon="report-only-does-not-stop"');
+    assert_equals(script_run_beacon, 'report-only-does-not-stop');
+    flush();
+    return p;
+  }, "Trusted Type violation report: evaluating a string.");
+
+  promise_test(t => {
+    let p = promise_flush()();
+    eval(scriptyPolicy.createScript('script_run_beacon="trusted-script-ok"'));
+    flush();
+    assert_equals(script_run_beacon, 'trusted-script-ok');
+    return p;
+  }, "Trusted Type violation report: evaluating a Trusted Script.");
+
+  promise_test(t => {
+    TrustedTypes.createPolicy('default', {
+      createScript: s => s.replace('payload', 'default policy'),
+    }, true);
+    let p = promise_flush()();
+    eval('script_run_beacon="payload"');
+    assert_equals(script_run_beacon, 'default policy');
+    flush();
+    return p;
+  }, "Trusted Type violation report: default policy runs in report-only mode.");
+
+  </script>
+</body>
--- a/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
+Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
+Content-Security-Policy: plugin-types bla/blubb
+
--- a/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting.tentative.https.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting.tentative.https.html
+<!DOCTYPE html>
+<head>
+  <script nonce="123" src="/resources/testharness.js"></script>
+  <script nonce="123"src="/resources/testharnessreport.js"></script>
+  <script nonce="123"src="/content-security-policy/support/testharness-helper.js"></script>
+</head>
+<body>
+  <script nonce="123">
+  // CSP insists the "trusted-types: ..." directives are deliverd as headers
+  // (rather than as "<meta http-equiv" tags). This test assumes the following
+  // headers are set in the .headers file:
+  //
+  //   Content-Security-Policy: trusted-types *
+  //   Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
+  //   Content-Security-Policy: plugin-types bla/blubb
+  //
+  // The last rule is there so we can provoke a CSP violation report at will.
+  // The intent is that in order to test that a violation has *not* been thrown
+  // (and without resorting to abominations like timeouts), we force a *another*
+  // CSP violation (by violating the img-src rule) and when that event is
+  // processed we can we sure that an earlier event - if it indeed occurred -
+  // must have already been processed.
+
+  // Return function that returns a promise that resolves on the given
+  // violation report.
+  //
+  // filter_arg - iff function, call it with the event object.
+  //              Else, string-ify and compare against event.originalPolicy.
+  function promise_violation(filter_arg) {
+    return _ => new Promise((resolve, reject) => {
+      function handler(e) {
+        let matches = (filter_arg instanceof Function)
+            ? filter_arg(e)
+            : (e.originalPolicy.includes(filter_arg));
+        if (matches) {
+          document.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(e);
+        }
+      }
+      document.addEventListener("securitypolicyviolation", handler);
+    });
+  }
+
+  // Like assert_throws, but we don't care about the exact error. We just want
+  // to run the code and continue.
+  function expect_throws(fn) {
+    try { fn(); assert_unreached(); } catch (err) { /* ignore */ }
+  }
+
+  // A sample policy we use to test TrustedTypes.createPolicy behaviour.
+  const id = x => x;
+  const a_policy = {
+    createHTML: id,
+    createScriptURL: id,
+    createURL: id,
+    createScript: id,
+  };
+
+  const scriptyPolicy = TrustedTypes.createPolicy('allowEval', a_policy);
+
+  // Provoke/wait for a CSP violation, in order to be sure that all previous
+  // CSP violations have been delivered.
+  function promise_flush() {
+    return promise_violation("plugin-types bla/blubb");
+  }
+  function flush() {
+   expect_throws(_ => {
+      var o = document.createElement('object');
+      o.type = "application/x-shockwave-flash";
+      document.body.appendChild(o);
+    });
+  }
+
+  window.script_run_beacon = 'never_overwritten';
+
+  promise_test(t => {
+    let p = Promise.resolve()
+        .then(promise_violation("trusted-types *"))
+        .then(promise_flush());
+    expect_throws(_ => eval('script_run_beacon="should not run"'));
+    assert_equals(script_run_beacon, 'never_overwritten');
+    flush();
+    return p;
+  }, "Trusted Type violation report: evaluating a string.");
+
+  promise_test(t => {
+    let p = promise_flush()();
+    eval(scriptyPolicy.createScript('script_run_beacon="i ran"'));
+    flush();
+    assert_equals(script_run_beacon, 'i ran');
+    return p;
+  }, "Trusted Type violation report: evaluating a Trusted Script.");
+
+  promise_test(t => {
+    TrustedTypes.createPolicy('default', {
+      createScript: s => s.replace('payload', 'default policy'),
+    }, true);
+    let p = promise_flush()();
+    eval('script_run_beacon="payload"');
+    assert_equals(script_run_beacon, 'default policy');
+    flush();
+    return p;
+  }, "Trusted Type violation report: default policy transforms the script before CSP checks runs.");
+
+  </script>
+</body>
--- a/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
+Content-Security-Policy: trusted-types *
+Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
+Content-Security-Policy: plugin-types bla/blubb
+