Check CSPEE subsumption logic from AncestorThrottle

This CL uses the "Subsume" algorithm for Content-Security-Policy Embedded Enforcement https://w3c.github.io/webappsec-cspee implemented n the services/network CSP module from the AncestorThrottle for checking whether a frame should be allowed to embed or not. The same behaviour is currently enforced by blink. The new version is hidden behind a feature flag. Change-Id: I4f72782a209bda967843e290d180167151fca852 Bug: 1094909,1086857 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2270206 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#804240}

Check CSPEE subsumption logic from AncestorThrottle
This CL uses the "Subsume" algorithm for Content-Security-Policy Embedded Enforcement https://w3c.github.io/webappsec-cspee implemented n the services/network CSP module from the AncestorThrottle for checking whether a frame should be allowed to embed or not. The same behaviour is currently enforced by blink. The new version is hidden behind a feature flag. Change-Id: I4f72782a209bda967843e290d180167151fca852 Bug: 1094909,1086857 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2270206 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#804240}
f3389755 · Antonio Sartori · Commit Bot · e73aec24 · f3389755 · e73aec24
Commit f3389755 authored Sep 03, 2020 by Antonio Sartori Committed by Commit Bot Sep 03, 2020
16 changed files
--- a/content/browser/frame_host/ancestor_throttle.cc
+++ b/content/browser/frame_host/ancestor_throttle.cc
@@ -471,11 +471,10 @@ AncestorThrottle::EvaluateCSPEmbeddedEnforcement() {
                           sanitized_blocked_url.c_str(),
                           allow_csp_from->get_error_message().c_str()));
  }
+  if (network::Subsumes(
-  // TODO(antoniosartori): This is temporary, since the check in this function
+          *request->required_csp(),
-  // is incomplete and will require iterations in several CLs. For now, let's
+          request->response()->parsed_headers->content_security_policy,
-  // allow anything that has no "allow-csp-from" header.
+          url::Origin::Create(navigation_handle()->GetURL()))) {
-  if (!allow_csp_from) {
    return CheckResult::PROCEED;
  }

--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header-expected.txt
-This is a testharness.js-based test.
-PASS Same origin iframes are always allowed.
-PASS Same origin iframes are allowed even if the Allow-CSP-From is empty.
-PASS Same origin iframes are allowed even if the Allow-CSP-From is not present.
-PASS Same origin iframes are allowed even if Allow-CSP-From does not match origin.
-PASS Cross origin iframe with an empty Allow-CSP-From header gets blocked.
-FAIL Cross origin iframe without Allow-CSP-From header gets blocked. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Cross origin iframe with correct Allow-CSP-From header is allowed.
-PASS Iframe with improper Allow-CSP-From header gets blocked.
-PASS Allow-CSP-From header with a star value allows cross origin frame.
-PASS Star Allow-CSP-From header enforces EmbeddingCSP.
-PASS Allow-CSP-From header enforces EmbeddingCSP.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin-expected.txt
-This is a testharness.js-based test.
-PASS Document blocked by embedded enforcement and its parent are cross-origin
-FAIL Two same-origin iframes must appear as cross-origin when one is blocked assert_equals: expected (number) 18 but got (string) "Error: The error page appears same-origin"
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-general-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-general-expected.txt
-This is a testharness.js-based test.
-PASS If there is no required csp, iframe should load.
-FAIL Iframe with empty returned CSP should be blocked. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Iframe with matching CSP should load.
-PASS Iframe with more restricting CSP should load.
-FAIL Iframe with less restricting CSP should be blocked. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Iframe with a different CSP should be blocked. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Iframe with a matching and more restrictive ports should load.
-PASS Iframe should load even if the ports are different but are default for the protocols.
-FAIL Iframe should block if intersection allows sources which are not in required_csp. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Iframe should block if intersection allows sources which are not in required_csp (other ordering). assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS Iframe should load if intersection allows only sources which are in required_csp.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes-expected.txt
-This is a testharness.js-based test.
-PASS 'sha256-abc123' is properly subsumed.
-FAIL Returned should not include hashes not present in required csp. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS 'sha256-abc123' is properly subsumed with other sources.
-PASS Hashes do not have to be present in returned csp.
-FAIL Hashes do not have to be present in returned csp but must not allow all inline behavior. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Other expressions have to be subsumed. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Other expressions have to be subsumed but 'unsafe-inline' gets ignored.
-PASS Effective policy is properly found.
-FAIL Required csp must allow 'sha256-abc123'. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Effective policy is properly found where 'sha256-abc123' is not subsumed. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL 'sha256-abc123' is not subsumed by 'sha256-abc456'. assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS Effective policy now does not allow 'sha256-abc123'.
-PASS Effective policy is properly found where 'sha256-abc123' is not part of it.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts-expected.txt
-This is a testharness.js-based test.
-FAIL Host must match. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Hosts without wildcards must match. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL More specific subdomain should not match. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Specified host should not match a wildcard host. assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS A wildcard host should match a more specific host.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths-expected.txt
-This is a testharness.js-based test.
-FAIL Returned CSP must specify a path. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Returned CSP has a more specific path.
-PASS Matching paths.
-FAIL Empty path is not subsumed by specified paths. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS All specific paths match except the order.
-PASS Returned CSP allows only one path.
-PASS `/` path should be subsumed by an empty path.
-PASS Unspecified path should be subsumed by `/`.
-FAIL That should not be true when required csp specifies a specific page. assert_unreached: No message should be sent from the frame. Reached unreachable code
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports-expected.txt
-This is a testharness.js-based test.
-FAIL Specified ports must match. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Returned CSP should be subsumed even if the port is not specified but is a default port for a scheme.
-PASS Returned CSP should be subsumed even if the port is not specified but is a default port for a more secure scheme.
-PASS The same should hold for `ws` case.
-PASS Unspecified ports must match if schemes match.
-PASS Returned CSP should be subsumed if the port is specified.
-PASS Returned CSP should be subsumed if the port is specified but the scheme is more secure.
-FAIL Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Returned CSP should be subsumed if the ports match but schemes are not identical.
-PASS Returned CSP should be subsumed if the ports match but schemes are not identical for `ws`.
-PASS Wildcard port should match unspecified port.
-PASS Wildcard port should match any specific port.
-PASS Wildcard port should match a wildcard.
-FAIL Wildcard port should not be subsumed by a default port. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Wildcard port should not be subsumed by a spcified port. assert_unreached: No message should be sent from the frame. Reached unreachable code
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols-expected.txt
-This is a testharness.js-based test.
-FAIL `https` is more restrictive than `http`. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS The reverse allows iframe be to be loaded.
-PASS Matching `https` protocols.
-PASS `http:` should subsume all host source expressions with this protocol.
-PASS `http:` should subsume all host source expressions with `https:`.
-FAIL `http:` does not subsume other protocols. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL If scheme source is present in returned csp, it must be specified in required csp too. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS `http:` subsumes other `http:` source expression.
-PASS `http:` subsumes other `https:` source expression and expressions with `http:`.
-FAIL All scheme sources must be subsumed. assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS All scheme sources are subsumed by their stronger variants.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces-expected.txt
-This is a testharness.js-based test.
-PASS Exact nonce subsumes.
-PASS Any nonce subsumes.
-FAIL A nonce has to be returned if required by the embedder. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Multiples nonces returned subsume.
-PASS Nonce intersection is still done on exact match - non-matching nonces.
-FAIL Nonce intersection is still done on exact match - matching nonces. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Other expressions still have to be subsumed - positive test.
-FAIL Other expressions still have to be subsumed - negative test assert_unreached: No message should be sent from the frame. Reached unreachable code
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-none-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-none-expected.txt
-This is a testharness.js-based test.
-PASS Empty required csp subsumes empty list of returned policies.
-PASS Empty required csp subsumes any list of policies.
-PASS Empty required csp subsumes a policy with `none`.
-FAIL Required policy that allows `none` does not subsume empty list of policies. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Required csp with effective `none` does not subsume a host source expression. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Required csp with `none` does not subsume a host source expression. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Required csp with effective `none` does not subsume `none` of another directive. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Required csp with `none` does not subsume `none` of another directive. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Required csp with `none` does not subsume `none` of different directives. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Required csp with `none` subsumes effective list of `none`.
-PASS Required csp with `none` subsumes effective list of `none` despite other keywords.
-PASS Source list with exprssions other than `none` make `none` ineffective.
-PASS Returned csp with `none` is subsumed by any required csp.
-PASS Returned csp with effective `none` is subsumed by any required csp.
-PASS Both required and returned csp are `none`.
-FAIL Both required and returned csp are `none` for only one directive. assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS Both required and returned csp are empty.
-PASS Both required and returned csp are effectively 'none'.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-self-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-self-expected.txt
-This is a testharness.js-based test.
-PASS 'self' keywords should match.
-PASS Returned CSP does not have to specify 'self'.
-FAIL Returned CSP must not allow 'self' if required CSP does not. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Returned 'self' should match to an origin's url.
-PASS Required 'self' should match to a origin's url.
-PASS Required 'self' should subsume a more secure version of origin's url.
-FAIL Returned 'self' should not be subsumed by a more secure version of origin's url. assert_unreached: No message should be sent from the frame. Reached unreachable code
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic-expected.txt
-This is a testharness.js-based test.
-PASS 'strict-dynamic' is ineffective for `style-src`.
-PASS 'strict-dynamic' is ineffective for `img-src`.
-PASS 'strict-dynamic' is ineffective for `frame-src`.
-PASS 'strict-dynamic' is ineffective for `child-src`.
-FAIL 'strict-dynamic' is effective only for `script-src`. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL 'strict-dynamic' is properly handled for finding effective policy. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS 'strict-dynamic' makes host source expressions ineffective.
-PASS 'strict-dynamic' makes scheme source expressions ineffective.
-PASS 'strict-dynamic' makes 'self' ineffective.
-PASS 'strict-dynamic' makes 'unsafe-inline' ineffective.
-FAIL 'strict-dynamic' has to be allowed by required csp if it is present in returned csp. assert_unreached: No message should be sent from the frame. Reached unreachable code
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval-expected.txt
-This is a testharness.js-based test.
-PASS 'unsafe-eval' is properly subsumed.
-FAIL No other keyword has the same effect as 'unsafe-eval'. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Other expressions have to be subsumed. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Effective policy is properly found.
-FAIL Required csp must allow 'unsafe-eval'. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Effective policy is properly found where 'unsafe-eval' is not subsumed. assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS Effective policy is properly found where 'unsafe-eval' is not part of it.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes-expected.txt
-This is a testharness.js-based test.
-PASS 'unsafe-hashes' is properly subsumed.
-FAIL No other keyword has the same effect as 'unsafe-hashes'. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Other expressions have to be subsumed. assert_equals: expected (undefined) undefined but got (boolean) true
-PASS Effective policy is properly found.
-FAIL Required csp must allow 'unsafe-hashes'. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Effective policy is properly found where 'unsafe-hashes' is not subsumed. assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS Effective policy is properly found where 'unsafe-hashes' is not part of it.
-Harness: the test ran to completion.
--- a/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline-expected.txt
+++ b/third_party/blink/web_tests/virtual/out-of-blink-cspee/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline-expected.txt
-This is a testharness.js-based test.
-PASS 'strict-dynamic' is ineffective for `style-src`.
-PASS 'unsafe-inline' is properly subsumed in `style-src`.
-PASS 'unsafe-inline' is only ineffective if the effective returned csp has nonces in `style-src`.
-PASS 'unsafe-inline' is only ineffective if the effective returned csp has hashes in `style-src`.
-PASS Returned csp does not have to allow 'unsafe-inline' in `style-src` to be subsumed.
-PASS 'unsafe-inline' does not matter if returned csp is effectively `none`.
-PASS 'unsafe-inline' is properly subsumed in `script-src`.
-PASS Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'.
-PASS 'unsafe-inline' is ineffective when nonces are present.
-PASS 'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`.
-FAIL Required csp allows `strict-dynamic`, but retuned csp does. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Required csp does not allow `unsafe-inline`, but retuned csp does. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Returned csp allows a nonce. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Returned csp allows a hash. assert_equals: expected (undefined) undefined but got (boolean) true
-FAIL Effective returned csp allows 'unsafe-inline' assert_unreached: No message should be sent from the frame. Reached unreachable code
-PASS Effective returned csp does not allow 'sha512-321cba' hash.
-Harness: the test ran to completion.