authorMichal Klocek <michal.klocek@qt.io>2017-05-23 16:28:51 +0200
committerMichal Klocek <michal.klocek@qt.io>2017-05-29 10:22:28 +0000
commit7632de2b4cfc9570cb71dfcedd4088ae651b33eb (patch)
tree090a46ee14c82129f655e21f37a55f36f46f88f1
parentdefc5379f040c1dee5680418233c74e95492d43e (diff)
[Backport] CVE-2017-5033
CSP: "local schemes" should inherit policy when embedded. https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates that resources with "local schemes" ('data:', 'blob:', 'filesystem:', 'about:') inherit the policy of their embedding context when pulled in via an '<iframe>'. I'm pretty sure this worked at some point in the past, but I apparently didn't put a test on it. It does work in Firefox. Let's match their behavior and lock it in. BUG=513860 R=jochen@chromium.org, dcheng@chromium.org Review-Url: https://codereview.chromium.org/2472333003 Cr-Commit-Position: refs/heads/master@{#435165} CSP: "local schemes" should inherit policy when window.opened. https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates that resources with "local schemes" ('data:', 'blob:', 'filesystem:', 'about:') inherit the policy of their opening context when opened via things like 'window.open'. We're not doing that, but we ought to. BUG=669086 R=jochen@chromium.org Review-Url: https://codereview.chromium.org/2530343006 Cr-Commit-Position: refs/heads/master@{#435233} Change-Id: I2d78d455eb6ff995438601f9f1cc785cc0da2288 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/dom/Document.cpp36
1 files changed, 27 insertions, 9 deletions
diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
index 19d546715c4..7c2a403f957 100644
--- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
@@ -4975,15 +4975,33 @@ void Document::initSecurityContext(const DocumentInit& initializer)
void Document::initContentSecurityPolicy(PassRefPtrWillBeRawPtr<ContentSecurityPolicy> csp)
{
setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());
- if (m_frame && m_frame->tree().parent() && m_frame->tree().parent()->isLocalFrame()) {
- ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())->document()->contentSecurityPolicy();
- if (shouldInheritSecurityOriginFromOwner(m_url)) {
- contentSecurityPolicy()->copyStateFrom(parentCSP);
- } else if (isPluginDocument()) {
- // Per CSP2, plugin-types for plugin documents in nested browsing
- // contexts gets inherited from the parent.
- contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
- }
+ // We inherit the parent/opener's CSP for documents with "local" schemes:
+ // 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for
+ // documents with empty/invalid URLs because we treat those URLs as
+ // 'about:blank' in Blink.
+ //
+ // https://w3c.github.io/webappsec-csp/#initialize-document-csp
+ //
+ // TODO(dcheng): This is similar enough to work we're doing in
+ // 'DocumentLoader::ensureWriter' that it might make sense to combine them.
+ if (m_frame) {
+ Frame* inheritFrom = m_frame->tree().parent() ? m_frame->tree().parent()
+ : m_frame->client()->opener();
+ if (inheritFrom && m_frame != inheritFrom) {
+ ASSERT(inheritFrom->securityContext() &&
+ inheritFrom->securityContext()->contentSecurityPolicy());
+ ContentSecurityPolicy* policyToInherit =
+ inheritFrom->securityContext()->contentSecurityPolicy();
+ if (m_url.isEmpty() || m_url.protocolIsAbout() ||
+ m_url.protocolIsData() || m_url.protocolIs("blob") ||
+ m_url.protocolIs("filesystem")) {
+ contentSecurityPolicy()->copyStateFrom(policyToInherit);
+ }
+ // Plugin documents inherit their parent/opener's 'plugin-types' directive
+ // regardless of URL.
+ if (isPluginDocument())
+ contentSecurityPolicy()->copyPluginTypesFrom(policyToInherit);
+ }
}
contentSecurityPolicy()->bindToExecutionContext(this);
}
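Review bot: The new condition at lines 44-48 drops the `isLocalFrame()` guard the removed code had on the parent and relies only on the `ASSERT` at lines 45-46 to guarantee that `inheritFrom->securityContext()->contentSecurityPolicy()` is non-null, but `ASSERT` compiles out in release builds, so if `inheritFrom` is a frame whose security context carries no policy (a remote/out-of-process frame, if this build ever has one as parent or opener) `copyStateFrom`/`copyPluginTypesFrom` would be handed a null pointer. Since this is a CSP inheritance path, a release-mode check is preferable to a debug-only one: `if (inheritFrom && m_frame != inheritFrom && inheritFrom->securityContext() && inheritFrom->securityContext()->contentSecurityPolicy()) {`, which keeps the behaviour the `ASSERT` documents while failing closed (no inheritance, rather than a crash) when the policy is absent. Line 43 also dereferences `m_frame->client()` unconditionally; whether the client can be null at document-init time is not visible from this hunk, so worth confirming against the callers in `Document::initSecurityContext`.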