Worker: Stop setting the shadow page to CSP and referrer policy

Thanks to recent works that make network APIs (fetch, importScripts, WebSocket,
etc) off-the-main-thread, the shadow page is now used only for fetching the
top-level classic script. Therefore the shadow page no longer needs CSP and
referrer policy for subresource fetch.

This change is useful for deprecating the shadow page.

Bug: 538751
Change-Id: Id192a17068de0e3a20f08cbe9ba2463bc56ffb1f
Reviewed-on: https://chromium-review.googlesource.com/1098427
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Makoto Shimazu <shimazu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577151}

third_party/blink/renderer/core/exported/web_shared_worker_impl.cc

@@ -318,7 +318,7 @@ void WebSharedWorkerImpl::ContinueOnScriptLoaderFinished() {
                                     std::move(web_worker_fetch_context));
 
   ContentSecurityPolicy* content_security_policy =
-      main_script_loader_->ReleaseContentSecurityPolicy();
+      main_script_loader_->GetContentSecurityPolicy();
   ReferrerPolicy referrer_policy = kReferrerPolicyDefault;
   if (!main_script_loader_->GetReferrerPolicy().IsNull()) {
     SecurityPolicy::ReferrerPolicyFromHeaderValue(

third_party/blink/renderer/core/exported/worker_shadow_page.cc

@@ -8,7 +8,6 @@
 #include "third_party/blink/public/platform/platform.h"
 #include "third_party/blink/public/web/web_settings.h"
 #include "third_party/blink/renderer/core/exported/web_view_impl.h"
-#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 #include "third_party/blink/renderer/core/frame/settings.h"
 #include "third_party/blink/renderer/core/loader/frame_load_request.h"
 #include "third_party/blink/renderer/platform/loader/fetch/substitute_data.h"
@@ -66,16 +65,6 @@ void WorkerShadowPage::Initialize(const KURL& script_url) {
       nullptr, ResourceRequest(script_url), SubstituteData(buffer)));
 }
 
-void WorkerShadowPage::SetContentSecurityPolicyAndReferrerPolicy(
-    ContentSecurityPolicy* content_security_policy,
-    String referrer_policy) {
-  DCHECK(IsMainThread());
-  content_security_policy->SetOverrideURLForSelf(GetDocument()->Url());
-  GetDocument()->InitContentSecurityPolicy(content_security_policy);
-  if (!referrer_policy.IsNull())
-    GetDocument()->ParseAndSetReferrerPolicy(referrer_policy);
-}
-
 void WorkerShadowPage::DidFinishDocumentLoad() {
   DCHECK(IsMainThread());
   AdvanceState(State::kInitialized);

third_party/blink/renderer/core/exported/worker_shadow_page.h

@@ -18,7 +18,6 @@ class SharedURLLoaderFactory;
 
 namespace blink {
 
-class ContentSecurityPolicy;
 class WebApplicationCacheHost;
 class WebApplicationCacheHostClient;
 class WebSettings;
@@ -28,7 +27,7 @@ class WebSettings;
 // Loading components are strongly associated with frames, but out-of-process
 // workers (i.e., SharedWorker and ServiceWorker) don't have frames. To enable
 // loading on such workers, this class provides a virtual frame (a.k.a, shadow
-// page) to them.
+// page) to them. Note that this class is now only used for main script loading.
 //
 // WorkerShadowPage lives on the main thread.
 //
@@ -64,9 +63,6 @@ class CORE_EXPORT WorkerShadowPage : public WebLocalFrameClient {
   // complete.
   void Initialize(const KURL& script_url);
 
-  void SetContentSecurityPolicyAndReferrerPolicy(ContentSecurityPolicy*,
-                                                 String referrer_policy);
-
   // WebLocalFrameClient overrides.
   std::unique_ptr<WebApplicationCacheHost> CreateApplicationCacheHost(
       WebApplicationCacheHostClient*) override;

third_party/blink/renderer/core/workers/worker_classic_script_loader.h

@@ -96,9 +96,6 @@ class CORE_EXPORT WorkerClassicScriptLoader final
   ContentSecurityPolicy* GetContentSecurityPolicy() {
     return content_security_policy_.Get();
   }
-  ContentSecurityPolicy* ReleaseContentSecurityPolicy() {
-    return content_security_policy_.Release();
-  }
 
   const String& GetReferrerPolicy() const { return referrer_policy_; }
 

third_party/blink/renderer/core/workers/worker_reporting_proxy.h

@@ -37,7 +37,6 @@
 #include "third_party/blink/renderer/core/frame/web_feature_forward.h"
 #include "third_party/blink/renderer/core/inspector/console_types.h"
 #include "third_party/blink/renderer/platform/heap/handle.h"
-#include "third_party/blink/renderer/platform/network/content_security_policy_response_headers.h"
 #include "third_party/blink/renderer/platform/wtf/forward.h"
 
 namespace blink {
@@ -74,15 +73,8 @@ class CORE_EXPORT WorkerReportingProxy {
   // Invoked when the worker's main script is loaded on
   // WorkerThread::InitializeOnWorkerThread(). Only invoked when the script was
   // loaded on the worker thread, i.e., via InstalledScriptsManager rather than
-  // via ResourceLoader. ContentSecurityPolicy and ReferrerPolicy are read from
-  // the response header of the main script.
-  // This may block until CSP/ReferrerPolicy are set on the main thread
-  // since they are required for script evaluation, which happens soon after
-  // this function is called.
-  // Called before WillEvaluateClassicScript().
-  virtual void DidLoadInstalledScript(
-      const ContentSecurityPolicyResponseHeaders&,
-      const String& referrer_policy_on_worker_thread) {}
+  // via ResourceLoader. Called before WillEvaluateClassicScript().
+  virtual void DidLoadInstalledScript() {}
 
   // Invoked when the main classic script is about to be evaluated.
   virtual void WillEvaluateClassicScript(size_t script_size,

third_party/blink/renderer/modules/exported/web_embedded_worker_impl.cc

@@ -67,7 +67,9 @@
 #include "third_party/blink/renderer/platform/network/network_utils.h"
 #include "third_party/blink/renderer/platform/runtime_enabled_features.h"
 #include "third_party/blink/renderer/platform/shared_buffer.h"
+#include "third_party/blink/renderer/platform/weborigin/referrer_policy.h"
 #include "third_party/blink/renderer/platform/weborigin/security_origin.h"
+#include "third_party/blink/renderer/platform/weborigin/security_policy.h"
 #include "third_party/blink/renderer/platform/wtf/functional.h"
 
 namespace blink {
@@ -247,14 +249,6 @@ void WebEmbeddedWorkerImpl::PostMessageToPageInspector(int session_id,
   worker_inspector_proxy_->DispatchMessageFromWorker(session_id, message);
 }
 
-void WebEmbeddedWorkerImpl::SetContentSecurityPolicyAndReferrerPolicy(
-    ContentSecurityPolicy* content_security_policy,
-    String referrer_policy) {
-  DCHECK(IsMainThread());
-  shadow_page_->SetContentSecurityPolicyAndReferrerPolicy(
-      content_security_policy, std::move(referrer_policy));
-}
-
 std::unique_ptr<WebApplicationCacheHost>
 WebEmbeddedWorkerImpl::CreateApplicationCacheHost(
     WebApplicationCacheHostClient*) {
@@ -371,17 +365,21 @@ void WebEmbeddedWorkerImpl::StartWorkerThread() {
   // |main_script_loader_| isn't created if the InstalledScriptsManager had the
   // script.
   if (main_script_loader_) {
-    // We need to set the CSP to both the shadow page's document and the
-    // ServiceWorkerGlobalScope.
-    SetContentSecurityPolicyAndReferrerPolicy(
-        main_script_loader_->ReleaseContentSecurityPolicy(),
-        main_script_loader_->GetReferrerPolicy());
+    ContentSecurityPolicy* content_security_policy =
+        main_script_loader_->GetContentSecurityPolicy();
+    ReferrerPolicy referrer_policy = kReferrerPolicyDefault;
+    if (!main_script_loader_->GetReferrerPolicy().IsNull()) {
+      SecurityPolicy::ReferrerPolicyFromHeaderValue(
+          main_script_loader_->GetReferrerPolicy(),
+          kDoNotSupportReferrerPolicyLegacyKeywords, &referrer_policy);
+    }
     global_scope_creation_params = std::make_unique<GlobalScopeCreationParams>(
         worker_start_data_.script_url, script_type,
         worker_start_data_.user_agent,
-        document->GetContentSecurityPolicy()->Headers(),
-        document->GetReferrerPolicy(), starter_origin, starter_secure_context,
-        worker_clients, main_script_loader_->ResponseAddressSpace(),
+        content_security_policy ? content_security_policy->Headers()
+                                : Vector<CSPHeaderAndType>(),
+        referrer_policy, starter_origin, starter_secure_context, worker_clients,
+        main_script_loader_->ResponseAddressSpace(),
         main_script_loader_->OriginTrialTokens(), devtools_worker_token_,
         std::move(worker_settings),
         static_cast<V8CacheOptions>(worker_start_data_.v8_cache_options),
@@ -391,9 +389,8 @@ void WebEmbeddedWorkerImpl::StartWorkerThread() {
     cached_meta_data = main_script_loader_->ReleaseCachedMetadata();
     main_script_loader_ = nullptr;
   } else {
-    // ContentSecurityPolicy and ReferrerPolicy are applied to |document| at
-    // SetContentSecurityPolicyAndReferrerPolicy() before evaluating the main
-    // script.
+    // We don't have to set ContentSecurityPolicy and ReferrerPolicy. They're
+    // served by the installed scripts manager on the worker thread.
     global_scope_creation_params = std::make_unique<GlobalScopeCreationParams>(
         worker_start_data_.script_url, script_type,
         worker_start_data_.user_agent, Vector<CSPHeaderAndType>(),

third_party/blink/renderer/modules/exported/web_embedded_worker_impl.h

@@ -46,7 +46,6 @@
 
 namespace blink {
 
-class ContentSecurityPolicy;
 class ServiceWorkerInstalledScriptsManager;
 class WorkerClassicScriptLoader;
 class WorkerInspectorProxy;
@@ -76,13 +75,6 @@ class MODULES_EXPORT WebEmbeddedWorkerImpl final
 
   void PostMessageToPageInspector(int session_id, const WTF::String&);
 
-  // Applies the specified CSP and referrer policy to the worker, so that
-  // fetches initiated by the worker (other than for the main worker script
-  // itself) are affected by these policies. This must be called before starting
-  // script execution on the worker thread.
-  void SetContentSecurityPolicyAndReferrerPolicy(ContentSecurityPolicy*,
-                                                 String referrer_policy);
-
   // WorkerShadowPage::Client overrides.
   std::unique_ptr<WebApplicationCacheHost> CreateApplicationCacheHost(
       WebApplicationCacheHostClient*) override;

third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc

@@ -159,10 +159,7 @@ void ServiceWorkerGlobalScope::EvaluateClassicScript(
         script_data.CreateOriginTrialTokens();
     OriginTrialContext::AddTokens(this, origin_trial_tokens.get());
 
-    // This may block until CSP and referrer policy are set on the main
-    // thread.
-    ReportingProxy().DidLoadInstalledScript(
-        content_security_policy_raw_headers.value(), referrer_policy);
+    ReportingProxy().DidLoadInstalledScript();
   }
 
   WorkerGlobalScope::EvaluateClassicScript(script_url, source_code,

third_party/blink/renderer/modules/service_worker/service_worker_global_scope_proxy.cc

@@ -44,7 +44,6 @@
 #include "third_party/blink/renderer/bindings/core/v8/worker_or_worklet_script_controller.h"
 #include "third_party/blink/renderer/core/execution_context/execution_context.h"
 #include "third_party/blink/renderer/core/fetch/headers.h"
-#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 #include "third_party/blink/renderer/core/inspector/console_message.h"
 #include "third_party/blink/renderer/core/messaging/blink_transferable_message.h"
 #include "third_party/blink/renderer/core/messaging/message_port.h"
@@ -88,31 +87,11 @@
 #include "third_party/blink/renderer/modules/service_worker/wait_until_observer.h"
 #include "third_party/blink/renderer/platform/cross_thread_functional.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_response.h"
-#include "third_party/blink/renderer/platform/network/content_security_policy_response_headers.h"
-#include "third_party/blink/renderer/platform/waitable_event.h"
 #include "third_party/blink/renderer/platform/wtf/assertions.h"
 #include "third_party/blink/renderer/platform/wtf/functional.h"
 
 namespace blink {
 
-namespace {
-
-void SetContentSecurityPolicyAndReferrerPolicyOnMainThread(
-    WebEmbeddedWorkerImpl* embedded_worker,
-    ContentSecurityPolicyResponseHeaders csp_headers,
-    String referrer_policy,
-    WaitableEvent* waitable_event) {
-  DCHECK(IsMainThread());
-  ContentSecurityPolicy* content_security_policy =
-      ContentSecurityPolicy::Create();
-  content_security_policy->DidReceiveHeaders(csp_headers);
-  embedded_worker->SetContentSecurityPolicyAndReferrerPolicy(
-      content_security_policy, std::move(referrer_policy));
-  waitable_event->Signal();
-}
-
-}  // namespace
-
 ServiceWorkerGlobalScopeProxy* ServiceWorkerGlobalScopeProxy::Create(
     WebEmbeddedWorkerImpl& embedded_worker,
     WebServiceWorkerContextClient& client) {
@@ -599,27 +578,9 @@ void ServiceWorkerGlobalScopeProxy::DidInitializeWorkerContext() {
       WorkerGlobalScope()->ScriptController()->GetContext());
 }
 
-void ServiceWorkerGlobalScopeProxy::DidLoadInstalledScript(
-    const ContentSecurityPolicyResponseHeaders& csp_headers_on_worker_thread,
-    const String& referrer_policy_on_worker_thread) {
-  // Post a task to the main thread to set CSP and ReferrerPolicy on the shadow
-  // page.
-  DCHECK(embedded_worker_);
-  WaitableEvent waitable_event;
-  PostCrossThreadTask(
-      *parent_execution_context_task_runners_->Get(TaskType::kInternalWorker),
-      FROM_HERE,
-      CrossThreadBind(&SetContentSecurityPolicyAndReferrerPolicyOnMainThread,
-                      CrossThreadUnretained(embedded_worker_),
-                      csp_headers_on_worker_thread,
-                      referrer_policy_on_worker_thread,
-                      CrossThreadUnretained(&waitable_event)));
+void ServiceWorkerGlobalScopeProxy::DidLoadInstalledScript() {
+  DCHECK(WorkerGlobalScope()->IsContextThread());
   Client().WorkerScriptLoaded();
-
-  // Wait for the task to complete before returning. This ensures that worker
-  // script evaluation can't start and issue any fetches until CSP and
-  // ReferrerPolicy are set.
-  waitable_event.Wait();
 }
 
 void ServiceWorkerGlobalScopeProxy::WillEvaluateClassicScript(

third_party/blink/renderer/modules/service_worker/service_worker_global_scope_proxy.h

@@ -159,9 +159,7 @@ class ServiceWorkerGlobalScopeProxy final
   void PostMessageToPageInspector(int session_id, const String&) override;
   void DidCreateWorkerGlobalScope(WorkerOrWorkletGlobalScope*) override;
   void DidInitializeWorkerContext() override;
-  void DidLoadInstalledScript(
-      const ContentSecurityPolicyResponseHeaders&,
-      const String& referrer_policy_on_worker_thread) override;
+  void DidLoadInstalledScript() override;
   void WillEvaluateClassicScript(size_t script_size,
                                  size_t cached_metadata_size) override;
   void WillEvaluateImportedClassicScript(size_t script_size,