author | Michal Klocek <michal.klocek@qt.io> | 2017-05-23 16:28:51 +0200 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2017-05-29 10:22:28 +0000 |
commit | 7632de2b4cfc9570cb71dfcedd4088ae651b33eb (patch) | |
tree | 090a46ee14c82129f655e21f37a55f36f46f88f1 | |
parent | defc5379f040c1dee5680418233c74e95492d43e (diff) |
[Backport] CVE-2017-5033
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox. Let's match their
behavior and lock it in.
BUG=513860
R=jochen@chromium.org, dcheng@chromium.org
Review-Url: https://codereview.chromium.org/2472333003
Cr-Commit-Position: refs/heads/master@{#435165}
CSP: "local schemes" should inherit policy when window.opened.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their opening context when opened via
things like 'window.open'. We're not doing that, but we ought to.
BUG=669086
R=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2530343006
Cr-Commit-Position: refs/heads/master@{#435233}
Change-Id: I2d78d455eb6ff995438601f9f1cc785cc0da2288
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/dom/Document.cpp | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
index 19d546715c4..7c2a403f957 100644
--- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
@@ -4975,15 +4975,33 @@ void Document::initSecurityContext(const DocumentInit& initializer)
 void Document::initContentSecurityPolicy(PassRefPtrWillBeRawPtr<ContentSecurityPolicy> csp)
 {
 setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());
- if (m_frame && m_frame->tree().parent() && m_frame->tree().parent()->isLocalFrame()) {
- ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())->document()->contentSecurityPolicy();
- if (shouldInheritSecurityOriginFromOwner(m_url)) {
- contentSecurityPolicy()->copyStateFrom(parentCSP);
- } else if (isPluginDocument()) {
- // Per CSP2, plugin-types for plugin documents in nested browsing
- // contexts gets inherited from the parent.
- contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
- }
+ // We inherit the parent/opener's CSP for documents with "local" schemes:
+ // 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for
+ // documents with empty/invalid URLs because we treat those URLs as
+ // 'about:blank' in Blink.
+ //
+ // https://w3c.github.io/webappsec-csp/#initialize-document-csp
+ //
+ // TODO(dcheng): This is similar enough to work we're doing in
+ // 'DocumentLoader::ensureWriter' that it might make sense to combine them.
+ if (m_frame) {
+ Frame* inheritFrom = m_frame->tree().parent() ? m_frame->tree().parent()
+ : m_frame->client()->opener();
+ if (inheritFrom && m_frame != inheritFrom) {
+ ASSERT(inheritFrom->securityContext() &&
+ inheritFrom->securityContext()->contentSecurityPolicy());
+ ContentSecurityPolicy* policyToInherit =
+ inheritFrom->securityContext()->contentSecurityPolicy();
+ if (m_url.isEmpty() || m_url.protocolIsAbout() ||
+ m_url.protocolIsData() || m_url.protocolIs("blob") ||
+ m_url.protocolIs("filesystem")) {
+ contentSecurityPolicy()->copyStateFrom(policyToInherit);
+ }
+ // Plugin documents inherit their parent/opener's 'plugin-types' directive
+ // regardless of URL.
+ if (isPluginDocument())
+ contentSecurityPolicy()->copyPluginTypesFrom(policyToInherit);
+ }
 }
 contentSecurityPolicy()->bindToExecutionContext(this);
 }
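Review bot: The `ASSERT` on `inheritFrom->securityContext()` and its `contentSecurityPolicy()` compiles away in release builds, so a null security context or null policy reaches `copyStateFrom(policyToInherit)` and `copyPluginTypesFrom(policyToInherit)` as a null dereference; the removed code's `isLocalFrame()` guard no longer limits the lookup to local parents, and neither whether a remote parent or opener always carries a replicated policy at this point nor whether `m_frame->client()` can be null here is visible in the hunk. If that invariant is not guaranteed, a release-checked `RELEASE_ASSERT(inheritFrom->securityContext() && inheritFrom->securityContext()->contentSecurityPolicy());` turns the failure into an explicit crash rather than undefined behaviour. A short comment above the ternary, e.g. `// Nested frames inherit from their parent; top-level frames from their opener (window.open).`, would document the two inheritance paths the spec link above distinguishes. The whole of initContentSecurityPolicy lies inside the hunk.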