Add "connect-src" to content security policy

Add connect-src to CSP so we can override it in untrusted WebUI. BUG=1087443 Change-Id: Ib93c326e629c2225ddfad0740c4befc26d39b757 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2246902 Commit-Queue: Becca Hughes <beccahughes@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Clark DuVall <cduvall@chromium.org> Cr-Commit-Position: refs/heads/master@{#781352}

Add "connect-src" to content security policy
Add connect-src to CSP so we can override it in untrusted WebUI. BUG=1087443 Change-Id: Ib93c326e629c2225ddfad0740c4befc26d39b757 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2246902 Commit-Queue: Becca Hughes <beccahughes@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Clark DuVall <cduvall@chromium.org> Cr-Commit-Position: refs/heads/master@{#781352}
7cd2c6d4 · Becca Hughes · Commit Bot · 582f4a6a · 7cd2c6d4 · 7cd2c6d4
Commit 7cd2c6d4 authored Jun 23, 2020 by Becca Hughes Committed by Commit Bot Jun 23, 2020
6 changed files
--- a/content/browser/webui/url_data_manager_backend.cc
+++ b/content/browser/webui/url_data_manager_backend.cc
@@ -174,7 +174,8 @@ scoped_refptr<net::HttpResponseHeaders> URLDataManagerBackend::GetHeaders(
        network::mojom::CSPDirectiveName::ObjectSrc,
        network::mojom::CSPDirectiveName::ScriptSrc,
        network::mojom::CSPDirectiveName::StyleSrc,
-        network::mojom::CSPDirectiveName::WorkerSrc};
+        network::mojom::CSPDirectiveName::WorkerSrc,
+        network::mojom::CSPDirectiveName::ConnectSrc};
    for (auto& directive : kAllDirectives) {
      csp_header.append(source->GetContentSecurityPolicy(directive));

--- a/content/browser/webui/web_ui_data_source_unittest.cc
+++ b/content/browser/webui/web_ui_data_source_unittest.cc
@@ -291,6 +291,8 @@ TEST_F(WebUIDataSourceTest, SetCspValues) {
                network::mojom::CSPDirectiveName::ScriptSrc));
  EXPECT_EQ("", url_data_source->GetContentSecurityPolicy(
                    network::mojom::CSPDirectiveName::StyleSrc));
+  EXPECT_EQ("", url_data_source->GetContentSecurityPolicy(
+                    network::mojom::CSPDirectiveName::ConnectSrc));
  // Override each directive and test it updates the underlying URLDataSource.
  source()->OverrideContentSecurityPolicy(
@@ -336,6 +338,13 @@ TEST_F(WebUIDataSourceTest, SetCspValues) {
  EXPECT_EQ("style-src 'self' 'unsafe-inline';",
            url_data_source->GetContentSecurityPolicy(
                network::mojom::CSPDirectiveName::StyleSrc));
+  source()->OverrideContentSecurityPolicy(
+      network::mojom::CSPDirectiveName::ConnectSrc,
+      "connect-src 'self' 'unsafe-inline';");
+  EXPECT_EQ("connect-src 'self' 'unsafe-inline';",
+            url_data_source->GetContentSecurityPolicy(
+                network::mojom::CSPDirectiveName::ConnectSrc));
 }
 }  // namespace content
--- a/content/public/browser/url_data_source.cc
+++ b/content/public/browser/url_data_source.cc
@@ -91,6 +91,7 @@ std::string URLDataSource::GetContentSecurityPolicy(
      return "script-src chrome://resources 'self';";
    case network::mojom::CSPDirectiveName::FrameAncestors:
      return "frame-ancestors 'none';";
+    case network::mojom::CSPDirectiveName::ConnectSrc:
    case network::mojom::CSPDirectiveName::FormAction:
    case network::mojom::CSPDirectiveName::FrameSrc:
    case network::mojom::CSPDirectiveName::ImgSrc:

--- a/services/network/public/cpp/content_security_policy/content_security_policy.cc
+++ b/services/network/public/cpp/content_security_policy/content_security_policy.cc
@@ -41,6 +41,7 @@ static CSPDirectiveName CSPFallback(CSPDirectiveName directive) {
    case CSPDirectiveName::ScriptSrc:
    case CSPDirectiveName::StyleSrc:
    case CSPDirectiveName::WorkerSrc:
+    case CSPDirectiveName::ConnectSrc:
      return CSPDirectiveName::Unknown;
    case CSPDirectiveName::FrameSrc:
@@ -90,6 +91,7 @@ const char* ErrorMessage(CSPDirectiveName directive) {
    case CSPDirectiveName::ScriptSrc:
    case CSPDirectiveName::StyleSrc:
    case CSPDirectiveName::WorkerSrc:
+    case CSPDirectiveName::ConnectSrc:
      NOTREACHED();
      return nullptr;
  };
@@ -638,6 +640,8 @@ CSPDirectiveName ToCSPDirectiveName(const std::string& name) {
    return CSPDirectiveName::StyleSrc;
  if (name == "worker-src")
    return CSPDirectiveName::WorkerSrc;
+  if (name == "connect-src")
+    return CSPDirectiveName::ConnectSrc;
  return CSPDirectiveName::Unknown;
 }
@@ -667,6 +671,8 @@ std::string ToString(CSPDirectiveName name) {
      return "style-src";
    case CSPDirectiveName::WorkerSrc:
      return "worker-src";
+    case CSPDirectiveName::ConnectSrc:
+      return "connect-src";
    case CSPDirectiveName::Unknown:
      return "";
  }

--- a/services/network/public/mojom/content_security_policy.mojom
+++ b/services/network/public/mojom/content_security_policy.mojom
@@ -86,7 +86,8 @@ enum CSPDirectiveName {
  ObjectSrc,
  ScriptSrc,
  StyleSrc,
-  WorkerSrc
+  WorkerSrc,
+  ConnectSrc
 };
 struct ContentSecurityPolicy {

--- a/third_party/blink/renderer/core/exported/local_frame_client_impl.cc
+++ b/third_party/blink/renderer/core/exported/local_frame_client_impl.cc
@@ -217,6 +217,8 @@ WebString ConvertToPublic(
      return "style-src";
    case CSPDirectiveName::WorkerSrc:
      return "worker-src";
+    case CSPDirectiveName::ConnectSrc:
+      return "connect-src";
    case CSPDirectiveName::Unknown:
      NOTREACHED();
      return "";