CSP: Fix protocolless 'frame-ancestor' source expressions.

When checking 'frame-ancestor', we end up asking for the SecurityOrigin of the protected resource before we actually have a protected resource whose origin we could ask for. This, unsurprisingly, crashes. This patch adds a protocol property to the ContentSecurityPolicy object so that we can perform all the checks for source expressions that don't specify protocols without crashing the renderer. BUG=424074 R=jochen@chromium.org Review URL: https://codereview.chromium.org/658073002 git-svn-id: svn://svn.chromium.org/blink/trunk@183801 bbb929c8-8fbe-4397-9dbb-9b2b20218538

CSP: Fix protocolless 'frame-ancestor' source expressions.
When checking 'frame-ancestor', we end up asking for the SecurityOrigin of the protected resource before we actually have a protected resource whose origin we could ask for. This, unsurprisingly, crashes. This patch adds a protocol property to the ContentSecurityPolicy object so that we can perform all the checks for source expressions that don't specify protocols without crashing the renderer. BUG=424074 R=jochen@chromium.org Review URL: https://codereview.chromium.org/658073002 git-svn-id: svn://svn.chromium.org/blink/trunk@183801 bbb929c8-8fbe-4397-9dbb-9b2b20218538
7ef38961 · mkwst@chromium.org · 0b5151cd · 7ef38961 · 7ef38961 · 7ef38961
Commit 7ef38961 authored Oct 16, 2014 by mkwst@chromium.org
4 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt
+CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*.0.0.1:8000'.
+A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames.
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+PASS The inner IFrame passed.
+PASS successfullyParsed is true
+TEST COMPLETE
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Testing a same-origin child with a policy of "*.0.0.1:8000" nested in a same-origin parent.
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+PASS The IFrame should not have been blocked. It wasn't.
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
+--------
+This is an IFrame sending a Content Security Policy header containing "frame-ancestors *.0.0.1:8000".
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script src="../../resources/frame-ancestors-test.js"></script>
+</head>
+<body>
+    <script>
+        description("A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames.");
+        testNestedIFrame("*.0.0.1:8000", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 
+    </script>
+</body>
+</html>
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -155,7 +155,8 @@ void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
 {
    ASSERT(m_executionContext);
    // Ensure that 'self' processes correctly.
-    m_selfSource = adoptPtr(new CSPSource(this, securityOrigin()->protocol(), securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
+    m_selfProtocol = securityOrigin()->protocol();
+    m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
    // If we're in a Document, set the referrer policy and sandbox flags, then dump all the
    // parsing error messages, then poke at histograms.
@@ -266,7 +267,8 @@ void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url)
    // an execution context (for 'frame-ancestor' resolution, for example). This CSPSource will
    // be overwritten when we bind this object to an execution context.
    RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
-    m_selfSource = adoptPtr(new CSPSource(this, origin->protocol(), origin->host(), origin->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
+    m_selfProtocol = origin->protocol();
+    m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, origin->host(), origin->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
 }
 const String& ContentSecurityPolicy::deprecatedHeader() const
@@ -852,10 +854,9 @@ bool ContentSecurityPolicy::urlMatchesSelf(const KURL& url) const
 bool ContentSecurityPolicy::protocolMatchesSelf(const KURL& url) const
 {
-    String protectedResourceScheme(securityOrigin()->protocol());
+    if (equalIgnoringCase("http", m_selfProtocol))
-    if (equalIgnoringCase("http", protectedResourceScheme))
        return url.protocolIsInHTTPFamily();
-    return equalIgnoringCase(url.protocol(), protectedResourceScheme);
+    return equalIgnoringCase(url.protocol(), m_selfProtocol);
 }
 bool ContentSecurityPolicy::shouldBypassMainWorld(ExecutionContext* context)

--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -230,6 +230,7 @@ private:
    String m_disableEvalErrorMessage;
    OwnPtr<CSPSource> m_selfSource;
+    String m_selfProtocol;
 };
 }