[CP] Add a histogram for CSPEE same-origin blanket enforcement

This change adds a histogram to check the usage of same-origin blanket enforcement in CSPEE the the wild. See w3c/webappsec-cspee#26. (cherry picked from commit 8921662) Bug: 1263288 Change-Id: I4f7076f165431e159d4109e24c66d8992416a818 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4659780 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Commit-Queue: Jun Kokatsu <jkokatsu@google.com> Cr-Original-Commit-Position: refs/heads/main@{#1168120} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4679231 Auto-Submit: Jun Kokatsu <jkokatsu@google.com> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/branch-heads/5845@{#433} Cr-Branched-From: 5a5dff6-refs/heads/main@{#1160321}
chromium · Jul 12, 2023 · e22e317 · e22e317
1 parent a1e39e0
commit e22e317
Show file tree

Hide file tree

Showing 6 changed files with 123 additions and 12 deletions.
diff --git a/chrome/browser/chrome_web_platform_security_metrics_browsertest.cc b/chrome/browser/chrome_web_platform_security_metrics_browsertest.cc
@@ -2563,6 +2563,71 @@ IN_PROC_BROWSER_TEST_F(ChromeWebPlatformSecurityMetricsBrowserTest,
   )"));
 }
 
+IN_PROC_BROWSER_TEST_F(ChromeWebPlatformSecurityMetricsBrowserTest,
+                       CSPEESameOriginBlanketEnforcement) {
+  GURL url = https_server().GetURL("a.test", "/empty.html");
+
+  EXPECT_TRUE(content::NavigateToURL(web_contents(), url));
+  EXPECT_TRUE(content::ExecJs(web_contents(), R"(
+    const iframe = document.createElement("iframe");
+    iframe.csp = "script-src 'none'";
+    iframe.src = location.href;
+    document.body.appendChild(iframe);
+  )"));
+  CheckCounter(WebFeature::kCSPEESameOriginBlanketEnforcement, 1);
+}
+
+IN_PROC_BROWSER_TEST_F(ChromeWebPlatformSecurityMetricsBrowserTest,
+                       CSPEECrossOrigin) {
+  GURL url = https_server().GetURL("a.test", "/empty.html");
+  GURL cross_origin_url = https_server().GetURL("b.test", "/empty.html");
+
+  EXPECT_TRUE(content::NavigateToURL(web_contents(), url));
+  EXPECT_TRUE(
+      content::ExecJs(web_contents(), content::JsReplace(R"(
+    const iframe = document.createElement("iframe");
+    iframe.csp = "script-src 'none'";
+    iframe.src = $1;
+    document.body.appendChild(iframe);
+  )",
+                                                         cross_origin_url)));
+  CheckCounter(WebFeature::kCSPEESameOriginBlanketEnforcement, 0);
+}
+
+IN_PROC_BROWSER_TEST_F(ChromeWebPlatformSecurityMetricsBrowserTest,
+                       CSPEESameOriginWithAllowCSPHeader) {
+  GURL url = http_server().GetURL("a.test",
+                                  "/set-header?"
+                                  "Allow-CSP-From: *");
+
+  EXPECT_TRUE(content::NavigateToURL(web_contents(), url));
+  EXPECT_TRUE(content::ExecJs(web_contents(), content::JsReplace(R"(
+    const iframe = document.createElement("iframe");
+    iframe.csp = "script-src 'none'";
+    iframe.src = $1;
+    document.body.appendChild(iframe);
+  )",
+                                                                 url)));
+  CheckCounter(WebFeature::kCSPEESameOriginBlanketEnforcement, 0);
+}
+
+IN_PROC_BROWSER_TEST_F(ChromeWebPlatformSecurityMetricsBrowserTest,
+                       CSPEESameOriginWithSameCSPHeader) {
+  GURL url = http_server().GetURL("a.test",
+                                  "/set-header?"
+                                  "Content-Security-Policy: img-src 'none'");
+
+  EXPECT_TRUE(content::NavigateToURL(web_contents(), url));
+  EXPECT_TRUE(content::ExecJs(web_contents(), content::JsReplace(R"(
+    const iframe = document.createElement("iframe");
+    iframe.csp = "img-src 'none'";
+    iframe.src = $1;
+    document.body.appendChild(iframe);
+  )",
+                                                                 url)));
+  CheckCounter(WebFeature::kCSPEESameOriginBlanketEnforcement, 0);
+}
+
 // TODO(arthursonzogni): Add basic test(s) for the WebFeatures:
 // [ ] CrossOriginOpenerPolicySameOrigin
 // [ ] CrossOriginOpenerPolicySameOriginAllowPopups

diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc
@@ -6295,9 +6295,20 @@ NavigationRequest::CheckCSPEmbeddedEnforcement() {
   const network::mojom::AllowCSPFromHeaderValue* allow_csp_from =
       response() ? response()->parsed_headers->allow_csp_from.get() : nullptr;
 
+  const url::Origin& request_origin =
+      GetParentFrame()->GetLastCommittedOrigin();
+
   if (network::AllowsBlanketEnforcementOfRequiredCSP(
-          GetParentFrame()->GetLastCommittedOrigin(), GetURL(), allow_csp_from,
-          required_csp_)) {
+          request_origin, GetURL(), allow_csp_from, required_csp_)) {
+    if (request_origin.IsSameOriginWith(GetURL()) && response() &&
+        !network::AllowCspFromAllowOrigin(request_origin, allow_csp_from) &&
+        !network::Subsumes(
+            *required_csp_,
+            response()->parsed_headers->content_security_policy)) {
+      GetContentClient()->browser()->LogWebFeatureForCurrentPage(
+          GetParentFrame(),
+          blink::mojom::WebFeature::kCSPEESameOriginBlanketEnforcement);
+    }
     // Enforce the required CSPs on the frame by passing them down to blink.
     policy_container_builder_->AddContentSecurityPolicy(required_csp_->Clone());
     return CSPEmbeddedEnforcementResult::ALLOW_RESPONSE;

diff --git a/services/network/public/cpp/content_security_policy/content_security_policy.cc b/services/network/public/cpp/content_security_policy/content_security_policy.cc
@@ -1572,6 +1572,25 @@ std::string ToString(CSPDirectiveName name) {
   return "";
 }
 
+bool AllowCspFromAllowOrigin(
+    const url::Origin& request_origin,
+    const network::mojom::AllowCSPFromHeaderValue* allow_csp_from) {
+  if (!allow_csp_from) {
+    return false;
+  }
+
+  if (allow_csp_from->is_allow_star()) {
+    return true;
+  }
+
+  if (allow_csp_from->is_origin() &&
+      request_origin.IsSameOriginWith(allow_csp_from->get_origin())) {
+    return true;
+  }
+
+  return false;
+}
+
 bool AllowsBlanketEnforcementOfRequiredCSP(
     const url::Origin& request_origin,
     const GURL& response_url,
@@ -1589,16 +1608,7 @@ bool AllowsBlanketEnforcementOfRequiredCSP(
     return true;
   }
 
-  if (!allow_csp_from)
-    return false;
-
-  if (allow_csp_from->is_allow_star()) {
-    required_csp->self_origin = ComputeSelfOrigin(response_url);
-    return true;
-  }
-
-  if (allow_csp_from->is_origin() &&
-      request_origin.IsSameOriginWith(allow_csp_from->get_origin())) {
+  if (AllowCspFromAllowOrigin(request_origin, allow_csp_from)) {
     required_csp->self_origin = ComputeSelfOrigin(response_url);
     return true;
   }

diff --git a/services/network/public/cpp/content_security_policy/content_security_policy.h b/services/network/public/cpp/content_security_policy/content_security_policy.h
@@ -117,6 +117,13 @@ bool Subsumes(const mojom::ContentSecurityPolicy& policy_a,
 COMPONENT_EXPORT(NETWORK_CPP)
 std::string ToString(mojom::CSPDirectiveName name);
 
+// Return true if |request_origin| is allowed by Allow-CSP-From header. Note
+// that |allow_csp_from| can be a null pointer.
+COMPONENT_EXPORT(NETWORK_CPP)
+bool AllowCspFromAllowOrigin(
+    const url::Origin& request_origin,
+    const network::mojom::AllowCSPFromHeaderValue* allow_csp_from);
+
 // Return true if the response allows the embedder to enforce arbitrary policy
 // on its behalf. |required_csp| is modified so that its self_origin matches the
 // correct origin. Specification:

diff --git a/third_party/blink/public/mojom/use_counter/metrics/web_feature.mojom b/third_party/blink/public/mojom/use_counter/metrics/web_feature.mojom
@@ -3928,6 +3928,15 @@ enum WebFeature {
   kEditContext = 4588,
   kServiceWorkerStaticRouter_RegisterRouter = 4589,
   kServiceWorkerStaticRouter_Evaluate = 4590,
+  kClientHintsUAFormFactor = 4591,
+  kURLSearchParamsHasFnBehaviourDiverged = 4592,
+  kURLSearchParamsDeleteFnBehaviourDiverged = 4593,
+  kTextWrapPretty = 4594,
+  kTextWrapPrettyFail = 4595,
+  kContainerQueryEvalUnknown = 4596,
+  kEventTimingPresentationPromiseResolvedAfterReport = 4597,
+  kGetCoalescedEventsInInsecureContext = 4598,
+  kCSPEESameOriginBlanketEnforcement = 4599,
 
   // Add new features immediately above this line. Don't change assigned
   // numbers of any item, and don't reuse removed slots.

diff --git a/tools/metrics/histograms/enums.xml b/tools/metrics/histograms/enums.xml
@@ -43489,6 +43489,15 @@ Called by update_use_counter_feature_enum.py.-->
   <int value="4588" label="EditContext"/>
   <int value="4589" label="ServiceWorkerStaticRouter_RegisterRouter"/>
   <int value="4590" label="ServiceWorkerStaticRouter_Evaluate"/>
+  <int value="4591" label="ClientHintsUAFormFactor"/>
+  <int value="4592" label="URLSearchParamsHasFnBehaviourDiverged"/>
+  <int value="4593" label="URLSearchParamsDeleteFnBehaviourDiverged"/>
+  <int value="4594" label="TextWrapPretty"/>
+  <int value="4595" label="TextWrapPrettyFail"/>
+  <int value="4596" label="ContainerQueryEvalUnknown"/>
+  <int value="4597" label="EventTimingPresentationPromiseResolvedAfterReport"/>
+  <int value="4598" label="GetCoalescedEventsInInsecureContext"/>
+  <int value="4599" label="CSPEESameOriginBlanketEnforcement"/>
 </enum>
 
 <enum name="FeaturePolicyAllowlistType">