Add missing directives to network CSP parser

I recently (https://crrev.com/c/2220053) extended the network CSP parser adding support for almost all missing directives so that it can be used for CSP: Embedded Enforcement (https://crbug.com/1094909). I did not add a few directives which are ignored for CSPEE at the moment. However, with https://crrev.com/c/2279976 they will generate a warning, which we do not want. This CL adds support for the missing directives in the network CSP parser. Although the values of the directives are not being parsed, they are recognized as being valid directives ad will not generate any warning. Bug: 1094909 Change-Id: I2c4b74ede0ca56b4b7582db9cc3eb809b36ce19d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2300300Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#790791}

Add missing directives to network CSP parser
I recently (https://crrev.com/c/2220053) extended the network CSP parser adding support for almost all missing directives so that it can be used for CSP: Embedded Enforcement (https://crbug.com/1094909). I did not add a few directives which are ignored for CSPEE at the moment. However, with https://crrev.com/c/2279976 they will generate a warning, which we do not want. This CL adds support for the missing directives in the network CSP parser. Although the values of the directives are not being parsed, they are recognized as being valid directives ad will not generate any warning. Bug: 1094909 Change-Id: I2c4b74ede0ca56b4b7582db9cc3eb809b36ce19d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2300300Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#790791}
f628e927 · Antonio Sartori · Commit Bot · 8116594e · f628e927 · f628e927
Commit f628e927 authored Jul 22, 2020 by Antonio Sartori Committed by Commit Bot Jul 22, 2020
3 changed files
--- a/content/public/browser/url_data_source.cc
+++ b/content/public/browser/url_data_source.cc
@@ -83,6 +83,7 @@ std::string URLDataSource::GetContentSecurityPolicy(
    case network::mojom::CSPDirectiveName::FrameAncestors:
      return "frame-ancestors 'none';";
    case network::mojom::CSPDirectiveName::BaseURI:
+    case network::mojom::CSPDirectiveName::BlockAllMixedContent:
    case network::mojom::CSPDirectiveName::ConnectSrc:
    case network::mojom::CSPDirectiveName::FrameSrc:
    case network::mojom::CSPDirectiveName::FontSrc:
@@ -92,6 +93,7 @@ std::string URLDataSource::GetContentSecurityPolicy(
    case network::mojom::CSPDirectiveName::MediaSrc:
    case network::mojom::CSPDirectiveName::PrefetchSrc:
    case network::mojom::CSPDirectiveName::ReportURI:
+    case network::mojom::CSPDirectiveName::RequireTrustedTypesFor:
    case network::mojom::CSPDirectiveName::Sandbox:
    case network::mojom::CSPDirectiveName::ScriptSrcAttr:
    case network::mojom::CSPDirectiveName::ScriptSrcElem:
@@ -100,6 +102,7 @@ std::string URLDataSource::GetContentSecurityPolicy(
    case network::mojom::CSPDirectiveName::StyleSrcElem:
    case network::mojom::CSPDirectiveName::UpgradeInsecureRequests:
    case network::mojom::CSPDirectiveName::TreatAsPublicAddress:
+    case network::mojom::CSPDirectiveName::TrustedTypes:
    case network::mojom::CSPDirectiveName::WorkerSrc:
    case network::mojom::CSPDirectiveName::ReportTo:
    case network::mojom::CSPDirectiveName::NavigateTo:

--- a/services/network/public/cpp/content_security_policy/content_security_policy.cc
+++ b/services/network/public/cpp/content_security_policy/content_security_policy.cc
@@ -87,14 +87,17 @@ static CSPDirectiveName CSPFallback(CSPDirectiveName directive,
      return CSPDirectiveName::DefaultSrc;
    case CSPDirectiveName::BaseURI:
+    case CSPDirectiveName::BlockAllMixedContent:
    case CSPDirectiveName::DefaultSrc:
    case CSPDirectiveName::FormAction:
    case CSPDirectiveName::FrameAncestors:
    case CSPDirectiveName::NavigateTo:
    case CSPDirectiveName::ReportTo:
    case CSPDirectiveName::ReportURI:
+    case CSPDirectiveName::RequireTrustedTypesFor:
    case CSPDirectiveName::Sandbox:
    case CSPDirectiveName::TreatAsPublicAddress:
+    case CSPDirectiveName::TrustedTypes:
    case CSPDirectiveName::UpgradeInsecureRequests:
      return CSPDirectiveName::Unknown;
    case CSPDirectiveName::Unknown:
@@ -128,6 +131,7 @@ const char* ErrorMessage(CSPDirectiveName directive) {
             "following Content Security Policy directive: \"$2\".";
    case CSPDirectiveName::BaseURI:
+    case CSPDirectiveName::BlockAllMixedContent:
    case CSPDirectiveName::ChildSrc:
    case CSPDirectiveName::ConnectSrc:
    case CSPDirectiveName::DefaultSrc:
@@ -139,6 +143,7 @@ const char* ErrorMessage(CSPDirectiveName directive) {
    case CSPDirectiveName::PrefetchSrc:
    case CSPDirectiveName::ReportTo:
    case CSPDirectiveName::ReportURI:
+    case CSPDirectiveName::RequireTrustedTypesFor:
    case CSPDirectiveName::Sandbox:
    case CSPDirectiveName::ScriptSrc:
    case CSPDirectiveName::ScriptSrcAttr:
@@ -147,6 +152,7 @@ const char* ErrorMessage(CSPDirectiveName directive) {
    case CSPDirectiveName::StyleSrcAttr:
    case CSPDirectiveName::StyleSrcElem:
    case CSPDirectiveName::TreatAsPublicAddress:
+    case CSPDirectiveName::TrustedTypes:
    case CSPDirectiveName::UpgradeInsecureRequests:
    case CSPDirectiveName::WorkerSrc:
    case CSPDirectiveName::Unknown:
@@ -765,6 +771,16 @@ void AddContentSecurityPolicyFromHeader(base::StringPiece header,
              directive.second.as_string().c_str()));
        }
        break;
+        // We check the following three directives so that we do not trigger a
+        // warning because of an unrecognized directive. However, we skip
+        // parsing them for now since we do not need these directives here (they
+        // are parsed and enforced in the blink CSP parser).
+      case CSPDirectiveName::BlockAllMixedContent:
+      case CSPDirectiveName::RequireTrustedTypesFor:
+      case CSPDirectiveName::TrustedTypes:
+        break;
      case CSPDirectiveName::ReportTo:
        out->use_reporting_api = true;
        out->report_endpoints.clear();
@@ -931,6 +947,8 @@ void UpgradeInsecureRequest(GURL* url) {
 CSPDirectiveName ToCSPDirectiveName(const std::string& name) {
  if (name == "base-uri")
    return CSPDirectiveName::BaseURI;
+  if (name == "block-all-mixed-content")
+    return CSPDirectiveName::BlockAllMixedContent;
  if (name == "child-src")
    return CSPDirectiveName::ChildSrc;
  if (name == "connect-src")
@@ -957,6 +975,8 @@ CSPDirectiveName ToCSPDirectiveName(const std::string& name) {
    return CSPDirectiveName::PrefetchSrc;
  if (name == "report-uri")
    return CSPDirectiveName::ReportURI;
+  if (name == "require-trusted-types-for")
+    return CSPDirectiveName::RequireTrustedTypesFor;
  if (name == "sandbox")
    return CSPDirectiveName::Sandbox;
  if (name == "script-src")
@@ -973,6 +993,8 @@ CSPDirectiveName ToCSPDirectiveName(const std::string& name) {
    return CSPDirectiveName::StyleSrcElem;
  if (name == "treat-as-public-address")
    return CSPDirectiveName::TreatAsPublicAddress;
+  if (name == "trusted-types")
+    return CSPDirectiveName::TrustedTypes;
  if (name == "upgrade-insecure-requests")
    return CSPDirectiveName::UpgradeInsecureRequests;
  if (name == "worker-src")
@@ -989,6 +1011,8 @@ std::string ToString(CSPDirectiveName name) {
  switch (name) {
    case CSPDirectiveName::BaseURI:
      return "base-uri";
+    case CSPDirectiveName::BlockAllMixedContent:
+      return "block-all-mixed-content";
    case CSPDirectiveName::ChildSrc:
      return "child-src";
    case CSPDirectiveName::ConnectSrc:
@@ -1015,6 +1039,8 @@ std::string ToString(CSPDirectiveName name) {
      return "prefetch-src";
    case CSPDirectiveName::ReportURI:
      return "report-uri";
+    case CSPDirectiveName::RequireTrustedTypesFor:
+      return "require-trusted-types-for";
    case CSPDirectiveName::Sandbox:
      return "sandbox";
    case CSPDirectiveName::ScriptSrc:
@@ -1033,6 +1059,8 @@ std::string ToString(CSPDirectiveName name) {
      return "upgrade-insecure-requests";
    case CSPDirectiveName::TreatAsPublicAddress:
      return "treat-as-public-address";
+    case CSPDirectiveName::TrustedTypes:
+      return "trusted-types";
    case CSPDirectiveName::WorkerSrc:
      return "worker-src";
    case CSPDirectiveName::ReportTo:

--- a/services/network/public/mojom/content_security_policy.mojom
+++ b/services/network/public/mojom/content_security_policy.mojom
@@ -96,6 +96,7 @@ enum CSPDirectiveName {
  Unknown,
  BaseURI,
+  BlockAllMixedContent,
  ChildSrc,
  ConnectSrc,
  DefaultSrc,
@@ -111,6 +112,7 @@ enum CSPDirectiveName {
  PrefetchSrc,
  ReportTo,
  ReportURI,
+  RequireTrustedTypesFor,
  Sandbox,
  ScriptSrc,
  ScriptSrcAttr,
@@ -119,6 +121,7 @@ enum CSPDirectiveName {
  StyleSrcAttr,
  StyleSrcElem,
  TreatAsPublicAddress,
+  TrustedTypes,
  UpgradeInsecureRequests,
  WorkerSrc,
 };