Enable Dedicated Workers to inherit Feature Policy

This change enables Dedicated Workers to inherit the Feature Policy of the context that created the worker. Bug: 843780 Change-Id: I2afaf7ee8547853a2f1c639961c78260efbd9633 Reviewed-on: https://chromium-review.googlesource.com/1091635 Commit-Queue: Ovidio Henriquez <odejesush@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Chong Zhang <chongz@chromium.org> Reviewed-by: Reilly Grant <reillyg@chromium.org> Cr-Commit-Position: refs/heads/master@{#568102}

Enable Dedicated Workers to inherit Feature Policy
This change enables Dedicated Workers to inherit the Feature Policy of the context that created the worker. Bug: 843780 Change-Id: I2afaf7ee8547853a2f1c639961c78260efbd9633 Reviewed-on: https://chromium-review.googlesource.com/1091635 Commit-Queue: Ovidio Henriquez <odejesush@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Chong Zhang <chongz@chromium.org> Reviewed-by: Reilly Grant <reillyg@chromium.org> Cr-Commit-Position: refs/heads/master@{#568102}
cdf20cb9 · Ovidio Henriquez · Commit Bot · 4308ace4 · cdf20cb9 · cdf20cb9
Commit cdf20cb9 authored Jun 18, 2018 by Ovidio Henriquez Committed by Commit Bot Jun 18, 2018
7 changed files
--- a/third_party/blink/renderer/core/execution_context/security_context.cc
+++ b/third_party/blink/renderer/core/execution_context/security_context.cc
@@ -105,6 +105,13 @@ String SecurityContext::addressSpaceForBindings() const {
  return "public";
 }

+void SecurityContext::SetFeaturePolicy(
+    std::unique_ptr<FeaturePolicy> feature_policy) {
+  // This method should be called before a FeaturePolicy has been created.
+  DCHECK(!feature_policy_);
+  feature_policy_ = std::move(feature_policy);
+}
+
 void SecurityContext::InitializeFeaturePolicy(
    const ParsedFeaturePolicy& parsed_header,
    const ParsedFeaturePolicy& container_policy,

--- a/third_party/blink/renderer/core/execution_context/security_context.h
+++ b/third_party/blink/renderer/core/execution_context/security_context.h
@@ -114,6 +114,7 @@ class CORE_EXPORT SecurityContext : public GarbageCollectedMixin {
  }

  FeaturePolicy* GetFeaturePolicy() const { return feature_policy_.get(); }
+  void SetFeaturePolicy(std::unique_ptr<FeaturePolicy> feature_policy);
  void InitializeFeaturePolicy(const ParsedFeaturePolicy& parsed_header,
                               const ParsedFeaturePolicy& container_policy,
                               const FeaturePolicy* parent_feature_policy);

--- a/third_party/blink/renderer/core/workers/dedicated_worker.cc
+++ b/third_party/blink/renderer/core/workers/dedicated_worker.cc
@@ -300,7 +300,8 @@ DedicatedWorker::CreateGlobalScopeCreationParams() {
      nullptr /* worklet_module_responses_map */,
      ConnectToWorkerInterfaceProvider(GetExecutionContext(),
                                       SecurityOrigin::Create(script_url_)),
-      CreateBeginFrameProviderParams());
+      CreateBeginFrameProviderParams(),
+      GetExecutionContext()->GetSecurityContext().GetFeaturePolicy());
 }

 const AtomicString& DedicatedWorker::InterfaceName() const {

--- a/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
+++ b/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
@@ -26,7 +26,8 @@ GlobalScopeCreationParams::GlobalScopeCreationParams(
    WorkletModuleResponsesMap* module_responses_map,
    service_manager::mojom::blink::InterfaceProviderPtrInfo
        interface_provider_info,
-    BeginFrameProviderParams begin_frame_provider_params)
+    BeginFrameProviderParams begin_frame_provider_params,
+    const FeaturePolicy* parent_feature_policy)
    : script_url(script_url.Copy()),
      script_type(script_type),
      user_agent(user_agent.IsolatedCopy()),
@@ -40,7 +41,13 @@ GlobalScopeCreationParams::GlobalScopeCreationParams(
      v8_cache_options(v8_cache_options),
      module_responses_map(module_responses_map),
      interface_provider(std::move(interface_provider_info)),
-      begin_frame_provider_params(std::move(begin_frame_provider_params)) {
+      begin_frame_provider_params(std::move(begin_frame_provider_params)),
+      // At the moment, workers do not support their container policy being set,
+      // so it will just be an empty ParsedFeaturePolicy for now.
+      worker_feature_policy(FeaturePolicy::CreateFromParentPolicy(
+          parent_feature_policy,
+          ParsedFeaturePolicy() /* container_policy */,
+          starter_origin->ToUrlOrigin())) {
  this->content_security_policy_parsed_headers.ReserveInitialCapacity(
      content_security_policy_parsed_headers.size());
  for (const auto& header : content_security_policy_parsed_headers) {

--- a/third_party/blink/renderer/core/workers/global_scope_creation_params.h
+++ b/third_party/blink/renderer/core/workers/global_scope_creation_params.h
@@ -10,6 +10,7 @@
 #include "base/optional.h"
 #include "base/unguessable_token.h"
 #include "services/service_manager/public/mojom/interface_provider.mojom-blink.h"
+#include "third_party/blink/public/common/feature_policy/feature_policy.h"
 #include "third_party/blink/public/mojom/net/ip_address_space.mojom-blink.h"
 #include "third_party/blink/renderer/bindings/core/v8/v8_cache_options.h"
 #include "third_party/blink/renderer/core/core_export.h"
@@ -51,7 +52,8 @@ struct CORE_EXPORT GlobalScopeCreationParams final {
      V8CacheOptions,
      WorkletModuleResponsesMap*,
      service_manager::mojom::blink::InterfaceProviderPtrInfo = {},
-      BeginFrameProviderParams begin_frame_provider_params = {});
+      BeginFrameProviderParams begin_frame_provider_params = {},
+      const FeaturePolicy* parent_feature_policy = nullptr);

  ~GlobalScopeCreationParams() = default;

@@ -118,6 +120,8 @@ struct CORE_EXPORT GlobalScopeCreationParams final {

  BeginFrameProviderParams begin_frame_provider_params;

+  std::unique_ptr<FeaturePolicy> worker_feature_policy;
+
  DISALLOW_COPY_AND_ASSIGN(GlobalScopeCreationParams);
 };


--- a/third_party/blink/renderer/core/workers/worker_global_scope.cc
+++ b/third_party/blink/renderer/core/workers/worker_global_scope.cc
@@ -374,6 +374,11 @@ WorkerGlobalScope::WorkerGlobalScope(
            creation_params->interface_provider.PassHandle(),
            service_manager::mojom::InterfaceProvider::Version_)));
  }
+
+  // A FeaturePolicy is created by FeaturePolicy::CreateFromParentPolicy, even
+  // if the parent policy is null.
+  DCHECK(creation_params->worker_feature_policy);
+  SetFeaturePolicy(std::move(creation_params->worker_feature_policy));
 }

 void WorkerGlobalScope::ApplyContentSecurityPolicyFromHeaders(

--- a/third_party/blink/renderer/modules/webusb/usb.cc
+++ b/third_party/blink/renderer/modules/webusb/usb.cc
@@ -288,19 +288,16 @@ bool USB::IsContextSupported() const {
 }

 bool USB::IsFeatureEnabled() const {
-  // At the moment, FeaturePolicy is not supported in workers, so we skip the
-  // check on workers.
-  // TODO(https://crbug.com/843780): Enable the FeaturePolicy check for the
-  // supported worker contexts once it is available for workers.
-  if (GetExecutionContext()->IsDocument()) {
-    FeaturePolicy* policy =
-        GetExecutionContext()->GetSecurityContext().GetFeaturePolicy();
+  ExecutionContext* context = GetExecutionContext();
+  FeaturePolicy* policy = context->GetSecurityContext().GetFeaturePolicy();
+  // Feature policy is not yet supported in all contexts.
+  if (policy)
    return policy->IsFeatureEnabled(mojom::FeaturePolicyFeature::kUsb);
-  }
-  if (GetExecutionContext()->IsDedicatedWorkerGlobalScope() ||
-      GetExecutionContext()->IsSharedWorkerGlobalScope()) {
+
+  // TODO(https://crbug.com/843780): Enable this check for shared workers.
+  if (context->IsSharedWorkerGlobalScope())
    return true;
-  }
+
  return false;
 }