Commit 824e5ec8 authored by Antonio Sartori's avatar Antonio Sartori Committed by Chromium LUCI CQ

CSP: Ignore strict-dynamic for sources that are not scripts

The Content-Security-Policy source expression 'strict-dynamic' should
only apply to scripts:
https://w3c.github.io/webappsec-csp/#allow-all-inline

Previously, we were applying it to all kinds of sources. This fixes it.

Bug: 694525, 651742
Change-Id: Ie92f45665b6b78902f6b511441a5096b9d93d135
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2203197
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: default avatarMike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835154}
parent 40b6d0f6
......@@ -306,7 +306,16 @@ bool CSPDirectiveList::CheckUnsafeHashesAllowed(
return !directive || directive->AllowUnsafeHashes();
}
bool CSPDirectiveList::CheckDynamic(SourceListDirective* directive) const {
bool CSPDirectiveList::CheckDynamic(
SourceListDirective* directive,
ContentSecurityPolicy::DirectiveType effective_type) const {
// 'strict-dynamic' only applies to scripts
if (effective_type != ContentSecurityPolicy::DirectiveType::kScriptSrc &&
effective_type != ContentSecurityPolicy::DirectiveType::kScriptSrcAttr &&
effective_type != ContentSecurityPolicy::DirectiveType::kScriptSrcElem &&
effective_type != ContentSecurityPolicy::DirectiveType::kWorkerSrc) {
return false;
}
return !directive || directive->AllowDynamic();
}
......@@ -498,7 +507,8 @@ bool CSPDirectiveList::CheckSourceAndReportViolation(
return true;
// We ignore URL-based allowlists if we're allowing dynamic script injection.
if (CheckSource(directive, url, redirect_status) && !CheckDynamic(directive))
if (CheckSource(directive, url, redirect_status) &&
!CheckDynamic(directive, effective_type))
return true;
// We should never have a violation against `child-src` or `default-src`
......@@ -538,7 +548,7 @@ bool CSPDirectiveList::CheckSourceAndReportViolation(
prefix = prefix + "navigate to '";
String suffix = String();
if (CheckDynamic(directive)) {
if (CheckDynamic(directive, effective_type)) {
suffix =
" 'strict-dynamic' is present, so host-based allowlisting is disabled.";
}
......@@ -807,13 +817,14 @@ bool CSPDirectiveList::AllowHash(
bool CSPDirectiveList::AllowDynamic(
ContentSecurityPolicy::DirectiveType directive_type) const {
return CheckDynamic(OperativeDirective(directive_type));
return CheckDynamic(OperativeDirective(directive_type), directive_type);
}
bool CSPDirectiveList::AllowDynamicWorker() const {
SourceListDirective* worker_src =
OperativeDirective(ContentSecurityPolicy::DirectiveType::kWorkerSrc);
return CheckDynamic(worker_src);
return CheckDynamic(worker_src,
ContentSecurityPolicy::DirectiveType::kWorkerSrc);
}
const String& CSPDirectiveList::PluginTypesText() const {
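Review bot: In `CheckDynamic`, the early `return false` for every type outside the four listed makes the check fail toward honouring host-based allowlists, so a script-like value added to `ContentSecurityPolicy::DirectiveType` later would silently lose 'strict-dynamic' enforcement. The comment says "only applies to scripts" while the list also contains `kWorkerSrc`; I would reword it to `// 'strict-dynamic' applies only to script-src, script-src-attr, script-src-elem and worker-src; for any other type URL allowlists stay in effect.` Moving the four-way comparison into a small named predicate, or a `switch` with no `default`, would define the set once and let the compiler flag a new enum value. `AllowDynamic` and `CheckSourceAndReportViolation` now pass their type straight through, so it is worth confirming against callers outside these hunks that a script load governed by a `default-src` fallback still arrives with a script type rather than `kDefaultSrc`.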
......
......@@ -234,7 +234,8 @@ class CORE_EXPORT CSPDirectiveList final
bool CheckEval(SourceListDirective*) const;
bool CheckWasmEval(SourceListDirective*) const;
bool CheckDynamic(SourceListDirective*) const;
bool CheckDynamic(SourceListDirective*,
ContentSecurityPolicy::DirectiveType) const;
bool IsMatchingNoncePresent(SourceListDirective*, const String&) const;
bool AreAllMatchingHashesPresent(SourceListDirective*,
const IntegrityMetadataSet&) const;
......
......@@ -1905,7 +1905,6 @@ crbug.com/694525 external/wpt/content-security-policy/connect-src/worker-from-gu
crbug.com/694525 external/wpt/content-security-policy/connect-src/worker-connect-src-blocked.sub.html [ Skip ]
crbug.com/694525 external/wpt/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html [ Skip ]
crbug.com/694525 external/wpt/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html [ Skip ]
crbug.com/694525 external/wpt/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html [ Skip ]
crbug.com/694525 external/wpt/content-security-policy/script-src/worker-importscripts-blocked.sub.html [ Skip ]
crbug.com/694525 external/wpt/content-security-policy/script-src/worker-set-timeout-blocked.sub.html [ Skip ]
crbug.com/694525 external/wpt/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html [ Skip ]
......