CSP: Don't perform NFC normalization prior to hashing

Normalization is lossy and not called for in the spec. Don't do it.

BUG=487510,545678
R=jww@chromium.org

Review URL: https://codereview.chromium.org/1420483005

Cr-Commit-Position: refs/heads/master@{#357132}

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization-expected.txt

-ALERT: PASS
-ALERT: PASS
-This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+ALERT: PASS (1/1)
+CONSOLE ERROR: line 20: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-zv73epHrGLk/k/onuSBPoZAxzaA=' 'sha256-6VVrnAGI98OnlK9Y20hAMwfwBE8c8FOtE/jDYM7tPFk='". Either the 'unsafe-inline' keyword, a hash ('sha256-1YpMZRdgC0WhwwFBK0bksRyUnuhzlCJp0nKmbZYUi+Q='), or a nonce ('nonce-...') is required to enable inline execution.
+
+This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points. Unicode NFC normalization would make both match the hash, but normalization should not be performed, and so the second script should not run.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html

@@ -2,30 +2,32 @@
 <html>
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-        <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv73epHrGLk/k/onuSBPoZAxzaA=' 'sha1-gbGNUiHncUNJ+diPbIoc+x6KrLo='">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv73epHrGLk/k/onuSBPoZAxzaA=' 'sha256-6VVrnAGI98OnlK9Y20hAMwfwBE8c8FOtE/jDYM7tPFk='">
         <script>
             if (window.testRunner)
                 testRunner.dumpAsText();
         </script>
         <!-- The following two scripts contain two separate code points (U+00C5
         and U+212B, respectively) which, depending on your text editor, might be
-        rendered the same. However, their difference is important as they should
-        be NFC normalized to the same code point, thus they should hash to the
-        same value.-->
-        <script>
+        rendered the same. However, their difference is important as they would
+        be NFC normalized to the same code point, matching the hash. Since NFC
+        normalization should not be performed, the second script should not
+        match the hash and must not be executed. -->
+        <script data-alert="PASS (1/1)">
             'Å';
-            alert('PASS');
+            alert(document.currentScript.dataset.alert);
         </script>
-        <script>
+        <script data-alert="FAIL">
             'Å';
-            alert('PASS');
+            alert(document.currentScript.dataset.alert);
         </script>
     </head>
     <body>
         <p>
             This tests Unicode normalization. While appearing the same, the
-            strings in the scripts are different Unicode points, but through
-            normalization, should be the same when the hash is taken.
+            strings in the scripts are different Unicode points. Unicode NFC
+            normalization would make both match the hash, but normalization
+            should not be performed, and so the second script should not run.
         </p>
     </body>
 </html>

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

@@ -26,8 +26,8 @@ namespace {
 String getSha256String(const String& content)
 {
     DigestValue digest;
-    StringUTF8Adaptor normalizedContent = normalizeSource(content);
-    bool digestSuccess = computeDigest(HashAlgorithmSha256, normalizedContent.data(), normalizedContent.length(), digest);
+    StringUTF8Adaptor utf8Content(content);
+    bool digestSuccess = computeDigest(HashAlgorithmSha256, utf8Content.data(), utf8Content.length(), digest);
     if (!digestSuccess) {
         return "sha256-...";
     }

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

@@ -430,12 +430,12 @@ bool checkDigest(const String& source, uint8_t hashAlgorithmsUsed, const CSPDire
     if (hashAlgorithmsUsed == ContentSecurityPolicyHashAlgorithmNone)
         return false;
 
-    StringUTF8Adaptor normalizedSource = normalizeSource(source);
+    StringUTF8Adaptor utf8Source(source);
 
     for (const auto& algorithmMap : kAlgorithmMap) {
         DigestValue digest;
         if (algorithmMap.cspHashAlgorithm & hashAlgorithmsUsed) {
-            bool digestSuccess = computeDigest(algorithmMap.algorithm, normalizedSource.data(), normalizedSource.length(), digest);
+            bool digestSuccess = computeDigest(algorithmMap.algorithm, utf8Source.data(), utf8Source.length(), digest);
             if (digestSuccess && isAllowedByAllWithHash<allowed>(policies, CSPHashValue(algorithmMap.cspHashAlgorithm, digest)))
                 return true;
         }

third_party/WebKit/Source/platform/network/ContentSecurityPolicyParsers.cpp

@@ -67,9 +67,4 @@ bool isMediaTypeCharacter(UChar c)
     return !isASCIISpace(c) && c != '/';
 }
 
-WTF::StringUTF8Adaptor normalizeSource(const String& source)
-{
-    return WTF::StringUTF8Adaptor(source, WTF::StringUTF8Adaptor::Normalize, WTF::EntitiesForUnencodables);
-}
-
 } // namespace

third_party/WebKit/Source/platform/network/ContentSecurityPolicyParsers.h

@@ -52,9 +52,6 @@ PLATFORM_EXPORT bool isMediaTypeCharacter(UChar);
 // positional and may only appear at the end of a Base64 encoded string.
 PLATFORM_EXPORT bool isBase64EncodedCharacter(UChar);
 
-// Normalize script or style source for script hash use.
-PLATFORM_EXPORT WTF::StringUTF8Adaptor normalizeSource(const String& source);
-
 } // namespace blink
 
 #endif