authorAntonio Sartori <antoniosartori@chromium.org>2020-05-19 15:59:40 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-09-21 07:16:34 +0000
commit607bff335b15ce98465fdf860e693b4dff1ac681 (patch)
treee0328de1ff699354e44c97bd1b3acae279117b5a
parentc223f4238085dc7018af0da28c9670f7f71971a7 (diff)
downloadqtwebengine-chromium-607bff335b15ce98465fdf860e693b4dff1ac681.tar.gz
[Backport] CVE-2020-6561: Inappropriate implementation in Content Security Policy
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2181363: Use original URL before redirects as blocked URL in CSP reporting When a resource was being blocked because of a Content Security Policy violation after a redirect happened, we were using the final URL (after the redirect) in the CSP reporting. This is a security issue, since it could expose confidential information such as a token contained in the redirect URL. As stated in https://w3c.github.io/webappsec-csp/#create-violation-for-request ("We use request's url, and not its current url, as the latter might contain information about redirect targets to which the page MUST NOT be given access."), we should instead report the request's original URL. Bug: 932892 Change-Id: I1864e6e9e4cc266615e49276012ba7f9d96672f7 Fixed: 932892 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/frame_host/mixed_content_navigation_throttle.cc2
-rw-r--r--chromium/content/common/frame_messages.h1
-rw-r--r--chromium/content/renderer/render_frame_impl.cc3
-rw-r--r--chromium/third_party/blink/public/web/web_local_frame.h1
-rw-r--r--chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc4
-rw-r--r--chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.cc63
-rw-r--r--chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.h20
-rw-r--r--chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc10
-rw-r--r--chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.h4
-rw-r--r--chromium/third_party/blink/renderer/core/frame/dom_window.cc2
-rw-r--r--chromium/third_party/blink/renderer/core/frame/local_dom_window.cc2
-rw-r--r--chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc3
-rw-r--r--chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h1
-rw-r--r--chromium/third_party/blink/renderer/core/html/html_plugin_element.cc2
-rw-r--r--chromium/third_party/blink/renderer/core/html/link_style.cc2
-rw-r--r--chromium/third_party/blink/renderer/core/html/media/html_media_element.cc1
-rw-r--r--chromium/third_party/blink/renderer/core/loader/base_fetch_context.cc49
-rw-r--r--chromium/third_party/blink/renderer/core/loader/base_fetch_context.h10
-rw-r--r--chromium/third_party/blink/renderer/core/loader/frame_fetch_context.cc21
-rw-r--r--chromium/third_party/blink/renderer/core/loader/frame_fetch_context.h7
-rw-r--r--chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc9
-rw-r--r--chromium/third_party/blink/renderer/core/loader/mixed_content_checker.h3
-rw-r--r--chromium/third_party/blink/renderer/core/loader/ping_loader.cc2
-rw-r--r--chromium/third_party/blink/renderer/core/loader/threadable_loader.cc1
-rw-r--r--chromium/third_party/blink/renderer/core/loader/worker_fetch_context.cc11
-rw-r--r--chromium/third_party/blink/renderer/core/loader/worker_fetch_context.h2
-rw-r--r--chromium/third_party/blink/renderer/core/workers/abstract_worker.cc2
-rw-r--r--chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc3
-rw-r--r--chromium/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc3
-rw-r--r--chromium/third_party/blink/renderer/modules/service_worker/service_worker_container.cc2
-rw-r--r--chromium/third_party/blink/renderer/modules/websockets/websocket_common.cc2
-rw-r--r--chromium/third_party/blink/renderer/modules/webtransport/quic_transport.cc2
-rw-r--r--chromium/third_party/blink/renderer/platform/loader/fetch/fetch_context.h4
-rw-r--r--chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc39
-rw-r--r--chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc13
-rw-r--r--chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.cc14
-rw-r--r--chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.h31
37 files changed, 194 insertions, 157 deletions
diff --git a/chromium/content/browser/frame_host/mixed_content_navigation_throttle.cc b/chromium/content/browser/frame_host/mixed_content_navigation_throttle.cc
index b401e4410c3..170440248e5 100644
--- a/chromium/content/browser/frame_host/mixed_content_navigation_throttle.cc
+++ b/chromium/content/browser/frame_host/mixed_content_navigation_throttle.cc
@@ -77,6 +77,8 @@ void UpdateRendererOnMixedContentFound(NavigationRequest* navigation_request,
params.request_context_type = navigation_request->request_context_type();
params.request_destination = navigation_request->request_destination();
params.was_allowed = was_allowed;
+ DCHECK(!navigation_request->GetRedirectChain().empty());
+ params.url_before_redirects = navigation_request->GetRedirectChain()[0];
params.had_redirect = for_redirect;
params.source_location =
*(navigation_request->common_params().source_location.get());
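Review bot: The `GetRedirectChain()[0]` read on the added line is guarded only by a `DCHECK`, which is compiled out of release builds, so an empty chain would be indexed out of bounds in the browser process there. If the chain is guaranteed to hold at least the initial URL for every NavigationRequest that reaches this point, a short comment saying so would make the assumption reviewable. Otherwise a release-mode guard such as `const auto& chain = navigation_request->GetRedirectChain();` followed by `if (!chain.empty()) params.url_before_redirects = chain[0];` leaves the IPC field at its default empty GURL. UpdateRendererOnMixedContentFound starts and ends outside the hunk.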
diff --git a/chromium/content/common/frame_messages.h b/chromium/content/common/frame_messages.h
index 7ab1cd4f86a..a3083440580 100644
--- a/chromium/content/common/frame_messages.h
+++ b/chromium/content/common/frame_messages.h
@@ -451,6 +451,7 @@ IPC_STRUCT_BEGIN(FrameMsg_MixedContentFound_Params)
IPC_STRUCT_MEMBER(blink::mojom::RequestContextType, request_context_type)
IPC_STRUCT_MEMBER(network::mojom::RequestDestination, request_destination)
IPC_STRUCT_MEMBER(bool, was_allowed)
+ IPC_STRUCT_MEMBER(GURL, url_before_redirects)
IPC_STRUCT_MEMBER(bool, had_redirect)
IPC_STRUCT_MEMBER(network::mojom::SourceLocation, source_location)
IPC_STRUCT_END()
diff --git a/chromium/content/renderer/render_frame_impl.cc b/chromium/content/renderer/render_frame_impl.cc
index d07c0512915..a25bc15671b 100644
--- a/chromium/content/renderer/render_frame_impl.cc
+++ b/chromium/content/renderer/render_frame_impl.cc
@@ -5944,7 +5944,8 @@ void RenderFrameImpl::OnMixedContentFound(
params.request_context_type);
frame_->MixedContentFound(params.main_resource_url, params.mixed_content_url,
request_context, params.was_allowed,
- params.had_redirect, source_location);
+ params.url_before_redirects, params.had_redirect,
+ source_location);
}
void RenderFrameImpl::RequestOverlayRoutingToken(
diff --git a/chromium/third_party/blink/public/web/web_local_frame.h b/chromium/third_party/blink/public/web/web_local_frame.h
index 05c9d26d587..814e173d4c0 100644
--- a/chromium/third_party/blink/public/web/web_local_frame.h
+++ b/chromium/third_party/blink/public/web/web_local_frame.h
@@ -258,6 +258,7 @@ class WebLocalFrame : public WebFrame {
const WebURL& mixed_content_url,
mojom::RequestContextType,
bool was_allowed,
+ const WebURL& url_before_redirects,
bool had_redirect,
const WebSourceLocation&) = 0;
diff --git a/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc b/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc
index 5c62a59abe1..50aefb07a3e 100644
--- a/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc
+++ b/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc
@@ -561,7 +561,9 @@ void FetchManager::Loader::Start(ExceptionState& exception_state) {
// "- should fetching |request| be blocked as content security returns
// blocked"
if (!execution_context_->GetContentSecurityPolicyForWorld()
- ->AllowConnectToSource(fetch_request_data_->Url())) {
+ ->AllowConnectToSource(fetch_request_data_->Url(),
+ fetch_request_data_->Url(),
+ RedirectStatus::kNoRedirect)) {
// "A network error."
PerformNetworkError(
"Refused to connect to '" + fetch_request_data_->Url().ElidedString() +
diff --git a/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.cc b/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
index f1d1de01b78..2872d10d7b9 100644
--- a/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
+++ b/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
@@ -650,6 +650,7 @@ bool ContentSecurityPolicy::AllowPluginTypeForDocument(
bool ContentSecurityPolicy::AllowRequestWithoutIntegrity(
mojom::RequestContextType context,
const KURL& url,
+ const KURL& url_before_redirect,
RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
CheckHeaderType check_header_type) const {
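Review bot: The new parameter is spelled `url_before_redirect` here, while every other signature in this patch uses `url_before_redirects`; the matching declaration in content_security_policy.h has the same singular spelling. No hunk on this page shows the parameter being used inside AllowRequestWithoutIntegrity, whose body lies outside the hunk. It is worth confirming that any violation report raised from this path receives the pre-redirect URL rather than `url`. If the parameter is intentionally unused in this backport, a comment saying so would avoid the impression that this path is covered by the fix.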
@@ -733,11 +734,12 @@ bool ContentSecurityPolicy::AllowRequest(
const String& nonce,
const IntegrityMetadataSet& integrity_metadata,
ParserDisposition parser_disposition,
+ const KURL& url_before_redirects,
RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
CheckHeaderType check_header_type) const {
if (integrity_metadata.IsEmpty() &&
- !AllowRequestWithoutIntegrity(context, url, redirect_status,
+ !AllowRequestWithoutIntegrity(context, url, url_before_redirects, redirect_status,
reporting_disposition, check_header_type)) {
return false;
}
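Review bot: The rewritten call line `!AllowRequestWithoutIntegrity(context, url, url_before_redirects, redirect_status,` runs past 80 columns even before indentation; breaking after `url_before_redirects,` would match the wrapping used by the other calls in this file. The same applies to the `request_context, url, options, reporting_disposition, url_before_redirects, redirect_status,` argument line added in BaseFetchContext::CanRequestInternal. AllowRequest starts outside this hunk.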
@@ -746,9 +748,9 @@ bool ContentSecurityPolicy::AllowRequest(
GetDirectiveTypeFromRequestContextType(context);
if (!type)
return true;
- return AllowFromSource(*type, url, redirect_status, reporting_disposition,
- check_header_type, nonce, integrity_metadata,
- parser_disposition);
+ return AllowFromSource(*type, url, url_before_redirects, redirect_status,
+ reporting_disposition, check_header_type, nonce,
+ integrity_metadata, parser_disposition);
}
void ContentSecurityPolicy::UsesScriptHashAlgorithms(uint8_t algorithms) {
@@ -762,6 +764,7 @@ void ContentSecurityPolicy::UsesStyleHashAlgorithms(uint8_t algorithms) {
bool ContentSecurityPolicy::AllowFromSource(
ContentSecurityPolicy::DirectiveType type,
const KURL& url,
+ const KURL& url_before_redirects,
RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
CheckHeaderType check_header_type,
@@ -802,9 +805,9 @@ bool ContentSecurityPolicy::AllowFromSource(
for (const auto& policy : policies_) {
if (!CheckHeaderTypeMatches(check_header_type, policy->HeaderType()))
continue;
- is_allowed &= policy->AllowFromSource(type, url, redirect_status,
- reporting_disposition, nonce, hashes,
- parser_disposition);
+ is_allowed &= policy->AllowFromSource(
+ type, url, url_before_redirects, redirect_status, reporting_disposition,
+ nonce, hashes, parser_disposition);
}
return is_allowed;
@@ -814,40 +817,45 @@ bool ContentSecurityPolicy::AllowBaseURI(const KURL& url) const {
// `base-uri` isn't affected by 'upgrade-insecure-requests', so we use
// CheckHeaderType::kCheckAll to check both report-only and enforce headers
// here.
- return AllowFromSource(ContentSecurityPolicy::DirectiveType::kBaseURI, url);
+ return AllowFromSource(ContentSecurityPolicy::DirectiveType::kBaseURI, url,
+ url, RedirectStatus::kNoRedirect);
}
bool ContentSecurityPolicy::AllowConnectToSource(
const KURL& url,
+ const KURL& url_before_redirects,
RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
CheckHeaderType check_header_type) const {
return AllowFromSource(ContentSecurityPolicy::DirectiveType::kConnectSrc, url,
- redirect_status, reporting_disposition,
- check_header_type);
+ url_before_redirects, redirect_status,
+ reporting_disposition, check_header_type);
}
bool ContentSecurityPolicy::AllowFormAction(const KURL& url) const {
- return AllowFromSource(ContentSecurityPolicy::DirectiveType::kFormAction,
- url);
+ return AllowFromSource(ContentSecurityPolicy::DirectiveType::kFormAction, url,
+ url, RedirectStatus::kNoRedirect);
}
bool ContentSecurityPolicy::AllowImageFromSource(
const KURL& url,
+ const KURL& url_before_redirects,
RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
CheckHeaderType check_header_type) const {
return AllowFromSource(ContentSecurityPolicy::DirectiveType::kImgSrc, url,
- redirect_status, reporting_disposition,
- check_header_type);
+ url_before_redirects, redirect_status,
+ reporting_disposition, check_header_type);
}
bool ContentSecurityPolicy::AllowMediaFromSource(const KURL& url) const {
- return AllowFromSource(ContentSecurityPolicy::DirectiveType::kMediaSrc, url);
+ return AllowFromSource(ContentSecurityPolicy::DirectiveType::kMediaSrc, url,
+ url, RedirectStatus::kNoRedirect);
}
bool ContentSecurityPolicy::AllowObjectFromSource(const KURL& url) const {
- return AllowFromSource(ContentSecurityPolicy::DirectiveType::kObjectSrc, url);
+ return AllowFromSource(ContentSecurityPolicy::DirectiveType::kObjectSrc, url,
+ url, RedirectStatus::kNoRedirect);
}
bool ContentSecurityPolicy::AllowScriptFromSource(
@@ -855,17 +863,20 @@ bool ContentSecurityPolicy::AllowScriptFromSource(
const String& nonce,
const IntegrityMetadataSet& hashes,
ParserDisposition parser_disposition,
+ const KURL& url_before_redirects,
RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
CheckHeaderType check_header_type) const {
return AllowFromSource(ContentSecurityPolicy::DirectiveType::kScriptSrcElem,
- url, redirect_status, reporting_disposition,
- check_header_type, nonce, hashes, parser_disposition);
+ url, url_before_redirects, redirect_status,
+ reporting_disposition, check_header_type, nonce,
+ hashes, parser_disposition);
}
bool ContentSecurityPolicy::AllowWorkerContextFromSource(
const KURL& url) const {
- return AllowFromSource(ContentSecurityPolicy::DirectiveType::kWorkerSrc, url);
+ return AllowFromSource(ContentSecurityPolicy::DirectiveType::kWorkerSrc, url,
+ url, RedirectStatus::kNoRedirect);
}
bool ContentSecurityPolicy::AllowTrustedTypePolicy(const String& policy_name,
@@ -1013,9 +1024,13 @@ static void GatherSecurityPolicyViolationEventData(
init->setBlockedURI("eval");
break;
case ContentSecurityPolicy::kURLViolation:
- init->setBlockedURI(
- StripURLForUseInReport(delegate->GetSecurityOrigin(), blocked_url,
- redirect_status, effective_type));
+ // We pass RedirectStatus::kNoRedirect so that StripURLForUseInReport
+ // does not strip path and query from the URL. This is safe since
+ // blocked_url at this point is always the original url (before
+ // redirects).
+ init->setBlockedURI(StripURLForUseInReport(
+ delegate->GetSecurityOrigin(), blocked_url,
+ RedirectStatus::kNoRedirect, effective_type));
break;
case ContentSecurityPolicy::kTrustedTypesSinkViolation:
init->setBlockedURI("trusted-types-sink");
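Review bot: Hard-coding `RedirectStatus::kNoRedirect` in the `kURLViolation` case makes the confidentiality of `blockedURI` depend entirely on every caller of the reporting path passing the pre-redirect URL as `blocked_url`. The redirect status no longer protects a caller that passes the final URL, whose path and query would then be reported unstripped. The new comment states the invariant but nothing in this hunk enforces it, and the single-URL wrappers earlier in this file (AllowMediaFromSource, AllowObjectFromSource, AllowWorkerContextFromSource and the like) forward whatever `url` they are given as the pre-redirect URL. I would document the requirement where `blocked_url` enters the reporting path, for example `// |blocked_url| must be the request's original URL (before redirects); it is reported with path and query intact.` GatherSecurityPolicyViolationEventData starts and ends outside the hunk.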
@@ -1237,10 +1252,10 @@ void ContentSecurityPolicy::PostViolationReport(
}
void ContentSecurityPolicy::ReportMixedContent(
- const KURL& mixed_url,
+ const KURL& blocked_url,
RedirectStatus redirect_status) const {
for (const auto& policy : policies_)
- policy->ReportMixedContent(mixed_url, redirect_status);
+ policy->ReportMixedContent(blocked_url, redirect_status);
}
void ContentSecurityPolicy::ReportReportOnlyInMeta(const String& header) {
diff --git a/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.h b/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.h
index 54d3b7c35e7..648fd7c10d5 100644
--- a/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.h
+++ b/chromium/third_party/blink/renderer/core/frame/csp/content_security_policy.h
@@ -275,13 +275,15 @@ class CORE_EXPORT ContentSecurityPolicy final
bool AllowBaseURI(const KURL&) const;
bool AllowConnectToSource(
const KURL&,
- RedirectStatus = RedirectStatus::kNoRedirect,
+ const KURL& url_before_redirects,
+ RedirectStatus,
ReportingDisposition = ReportingDisposition::kReport,
CheckHeaderType = CheckHeaderType::kCheckAll) const;
bool AllowFormAction(const KURL&) const;
bool AllowImageFromSource(
const KURL&,
- RedirectStatus = RedirectStatus::kNoRedirect,
+ const KURL& url_before_redirects,
+ RedirectStatus,
ReportingDisposition = ReportingDisposition::kReport,
CheckHeaderType = CheckHeaderType::kCheckAll) const;
bool AllowMediaFromSource(const KURL&) const;
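Review bot: AllowConnectToSource and AllowImageFromSource now take two adjacent `const KURL&` arguments and only the second is named, so a caller can swap them without any compile error. Judging by the csp_directive_list.cc hunks, the first URL is the one checked against the source list and the second is only handed to the violation report. A one-line comment on the declarations would pin that down, e.g. `// The first URL is matched against the policy; |url_before_redirects| is used only as the blocked URL in reports.` The same applies to AllowScriptFromSource, AllowRequestWithoutIntegrity, AllowRequest and AllowFromSource in the later hunks of this header.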
@@ -291,7 +293,8 @@ class CORE_EXPORT ContentSecurityPolicy final
const String& nonce,
const IntegrityMetadataSet&,
ParserDisposition,
- RedirectStatus = RedirectStatus::kNoRedirect,
+ const KURL& url_before_redirects,
+ RedirectStatus,
ReportingDisposition = ReportingDisposition::kReport,
CheckHeaderType = CheckHeaderType::kCheckAll) const;
bool AllowWorkerContextFromSource(const KURL&) const;
@@ -335,7 +338,8 @@ class CORE_EXPORT ContentSecurityPolicy final
bool AllowRequestWithoutIntegrity(
mojom::RequestContextType,
const KURL&,
- RedirectStatus = RedirectStatus::kNoRedirect,
+ const KURL& url_before_redirect,
+ RedirectStatus,
ReportingDisposition = ReportingDisposition::kReport,
CheckHeaderType = CheckHeaderType::kCheckAll) const;
@@ -344,7 +348,8 @@ class CORE_EXPORT ContentSecurityPolicy final
const String& nonce,
const IntegrityMetadataSet&,
ParserDisposition,
- RedirectStatus = RedirectStatus::kNoRedirect,
+ const KURL& url_before_redirects,
+ RedirectStatus,
ReportingDisposition = ReportingDisposition::kReport,
CheckHeaderType = CheckHeaderType::kCheckAll) const;
@@ -417,7 +422,7 @@ class CORE_EXPORT ContentSecurityPolicy final
// Called when mixed content is detected on a page; will trigger a violation
// report if the 'block-all-mixed-content' directive is specified for a
// policy.
- void ReportMixedContent(const KURL& mixed_url, RedirectStatus) const;
+ void ReportMixedContent(const KURL& blocked_url, RedirectStatus) const;
void ReportBlockedScriptExecutionToInspector(
const String& directive_text) const;
@@ -541,7 +546,8 @@ class CORE_EXPORT ContentSecurityPolicy final
bool AllowFromSource(ContentSecurityPolicy::DirectiveType,
const KURL&,
- RedirectStatus = RedirectStatus::kNoRedirect,
+ const KURL& url_before_redirects,
+ RedirectStatus,
ReportingDisposition = ReportingDisposition::kReport,
CheckHeaderType = CheckHeaderType::kCheckAll,
const String& = String(),
diff --git a/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc b/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
index faa75575624..88d53b70ab5 100644
--- a/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
+++ b/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
@@ -318,14 +318,14 @@ bool CSPDirectiveList::CheckDynamic(SourceListDirective* directive) const {
}
void CSPDirectiveList::ReportMixedContent(
- const KURL& mixed_url,
+ const KURL& blocked_url,
ResourceRequest::RedirectStatus redirect_status) const {
if (StrictMixedContentChecking()) {
policy_->ReportViolation(
ContentSecurityPolicy::GetDirectiveName(
ContentSecurityPolicy::DirectiveType::kBlockAllMixedContent),
ContentSecurityPolicy::DirectiveType::kBlockAllMixedContent, String(),
- mixed_url, report_endpoints_, use_reporting_api_, header_, header_type_,
+ blocked_url, report_endpoints_, use_reporting_api_, header_, header_type_,
ContentSecurityPolicy::kURLViolation, std::unique_ptr<SourceLocation>(),
nullptr, // contextFrame,
redirect_status);
@@ -592,6 +592,7 @@ bool CSPDirectiveList::CheckSourceAndReportViolation(
SourceListDirective* directive,
const KURL& url,
const ContentSecurityPolicy::DirectiveType effective_type,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus redirect_status) const {
if (!directive)
return true;
@@ -655,7 +656,7 @@ bool CSPDirectiveList::CheckSourceAndReportViolation(
"' because it violates the following Content Security "
"Policy directive: \"" +
directive->GetText() + "\"." + suffix + "\n",
- url, redirect_status);
+ url_before_redirects, redirect_status);
return DenyIfEnforcingPolicy();
}
@@ -814,6 +815,7 @@ bool CSPDirectiveList::AllowPluginType(
bool CSPDirectiveList::AllowFromSource(
ContentSecurityPolicy::DirectiveType type,
const KURL& url,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus redirect_status,
ReportingDisposition reporting_disposition,
const String& nonce,
@@ -859,7 +861,7 @@ bool CSPDirectiveList::AllowFromSource(
bool result =
reporting_disposition == ReportingDisposition::kReport
? CheckSourceAndReportViolation(OperativeDirective(type), url, type,
- redirect_status)
+ url_before_redirects, redirect_status)
: CheckSource(OperativeDirective(type), url, redirect_status);
if (type == ContentSecurityPolicy::DirectiveType::kBaseURI) {
diff --git a/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.h b/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.h
index 6bf18836d1d..a70208eecb8 100644
--- a/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.h
+++ b/chromium/third_party/blink/renderer/core/frame/csp/csp_directive_list.h
@@ -79,6 +79,7 @@ class CORE_EXPORT CSPDirectiveList final
bool AllowFromSource(ContentSecurityPolicy::DirectiveType,
const KURL&,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus,
ReportingDisposition,
const String& nonce = String(),
@@ -110,7 +111,7 @@ class CORE_EXPORT CSPDirectiveList final
bool StrictMixedContentChecking() const {
return strict_mixed_content_checking_enforced_;
}
- void ReportMixedContent(const KURL& mixed_url,
+ void ReportMixedContent(const KURL& blocked_url,
ResourceRequest::RedirectStatus) const;
bool ShouldDisableEval() const {
@@ -293,6 +294,7 @@ class CORE_EXPORT CSPDirectiveList final
bool CheckSourceAndReportViolation(SourceListDirective*,
const KURL&,
const ContentSecurityPolicy::DirectiveType,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus) const;
bool CheckMediaTypeAndReportViolation(MediaListDirective*,
const String& type,
diff --git a/chromium/third_party/blink/renderer/core/frame/dom_window.cc b/chromium/third_party/blink/renderer/core/frame/dom_window.cc
index 0bf6a7d15ad..8101ea54124 100644
--- a/chromium/third_party/blink/renderer/core/frame/dom_window.cc
+++ b/chromium/third_party/blink/renderer/core/frame/dom_window.cc
@@ -482,7 +482,7 @@ void DOMWindow::DoPostMessage(scoped_refptr<SerializedScriptValue> message,
}
if (!source_document->GetContentSecurityPolicy()->AllowConnectToSource(
- target_url, RedirectStatus::kNoRedirect,
+ target_url, target_url, RedirectStatus::kNoRedirect,
ReportingDisposition::kSuppressReporting)) {
UseCounter::Count(
source_document,
diff --git a/chromium/third_party/blink/renderer/core/frame/local_dom_window.cc b/chromium/third_party/blink/renderer/core/frame/local_dom_window.cc
index 558e2a8b2da..354b55290f6 100644
--- a/chromium/third_party/blink/renderer/core/frame/local_dom_window.cc
+++ b/chromium/third_party/blink/renderer/core/frame/local_dom_window.cc
@@ -840,7 +840,7 @@ void LocalDOMWindow::DispatchMessageEventWithOriginCheck(
KURL sender(event->origin());
if (!document()->GetContentSecurityPolicy()->AllowConnectToSource(
- sender, RedirectStatus::kNoRedirect,
+ sender, sender, RedirectStatus::kNoRedirect,
ReportingDisposition::kSuppressReporting)) {
UseCounter::Count(
document(), WebFeature::kPostMessageIncomingWouldBeBlockedByConnectSrc);
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
index 6fad53870d7..b2c357c984a 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.cc
@@ -2175,6 +2175,7 @@ void WebLocalFrameImpl::MixedContentFound(
const WebURL& mixed_content_url,
mojom::RequestContextType request_context,
bool was_allowed,
+ const WebURL& url_before_redirects,
bool had_redirect,
const WebSourceLocation& source_location) {
DCHECK(GetFrame());
@@ -2186,7 +2187,7 @@ void WebLocalFrameImpl::MixedContentFound(
}
MixedContentChecker::MixedContentFound(
GetFrame(), main_resource_url, mixed_content_url, request_context,
- was_allowed, had_redirect, std::move(source));
+ was_allowed, url_before_redirects, had_redirect, std::move(source));
}
void WebLocalFrameImpl::DidDropNavigation() {
diff --git a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
index cb69367487d..16935df04e7 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
+++ b/chromium/third_party/blink/renderer/core/frame/web_local_frame_impl.h
@@ -133,6 +133,7 @@ class CORE_EXPORT WebLocalFrameImpl final
const WebURL& mixed_content_url,
mojom::RequestContextType,
bool was_allowed,
+ const WebURL& url_before_redirects,
bool had_redirect,
const WebSourceLocation&) override;
void SendOrientationChangeEvent() override;
diff --git a/chromium/third_party/blink/renderer/core/html/html_plugin_element.cc b/chromium/third_party/blink/renderer/core/html/html_plugin_element.cc
index a1564b5d615..6b559ea5360 100644
--- a/chromium/third_party/blink/renderer/core/html/html_plugin_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/html_plugin_element.cc
@@ -726,7 +726,7 @@ bool HTMLPlugInElement::AllowedToLoadObject(const KURL& url,
// is specified.
return (!mime_type.IsEmpty() && url.IsEmpty()) ||
!MixedContentChecker::ShouldBlockFetch(
- frame, mojom::RequestContextType::OBJECT,
+ frame, mojom::RequestContextType::OBJECT, url,
ResourceRequest::RedirectStatus::kNoRedirect, url);
}
diff --git a/chromium/third_party/blink/renderer/core/html/link_style.cc b/chromium/third_party/blink/renderer/core/html/link_style.cc
index 7e88349611c..f082eb587a0 100644
--- a/chromium/third_party/blink/renderer/core/html/link_style.cc
+++ b/chromium/third_party/blink/renderer/core/html/link_style.cc
@@ -321,7 +321,7 @@ void LinkStyle::Process() {
if (!GetDocument().GetSecurityOrigin()->CanDisplay(params.href))
return;
if (!GetDocument().GetContentSecurityPolicy()->AllowImageFromSource(
- params.href))
+ params.href, params.href, RedirectStatus::kNoRedirect))
return;
if (GetDocument().GetFrame())
GetDocument().GetFrame()->UpdateFaviconURL();
diff --git a/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc b/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
index f14430417bc..8fa636145be 100644
--- a/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
@@ -1818,6 +1818,7 @@ void HTMLMediaElement::SetReadyState(ReadyState state) {
frame,
HasVideo() ? mojom::blink::RequestContextType::VIDEO
: mojom::blink::RequestContextType::AUDIO,
+ current_src_,
// Strictly speaking, this check is an approximation; a request could
// have have redirected back to its original URL, for example.
// However, the redirect status is only used to prevent leaking
diff --git a/chromium/third_party/blink/renderer/core/loader/base_fetch_context.cc b/chromium/third_party/blink/renderer/core/loader/base_fetch_context.cc
index 275794cdbd4..0e270cc1305 100644
--- a/chromium/third_party/blink/renderer/core/loader/base_fetch_context.cc
+++ b/chromium/third_party/blink/renderer/core/loader/base_fetch_context.cc
@@ -33,10 +33,10 @@ base::Optional<ResourceRequestBlockedReason> BaseFetchContext::CanRequest(
const KURL& url,
const ResourceLoaderOptions& options,
ReportingDisposition reporting_disposition,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info) const {
+ const Vector<KURL>& redirect_chain) const {
base::Optional<ResourceRequestBlockedReason> blocked_reason =
CanRequestInternal(type, resource_request, url, options,
- reporting_disposition, redirect_info);
+ reporting_disposition, redirect_chain);
if (blocked_reason &&
reporting_disposition == ReportingDisposition::kReport) {
DispatchDidBlockRequest(resource_request, options.initiator_info,
@@ -58,7 +58,7 @@ bool BaseFetchContext::CalculateIfAdSubresource(const ResourceRequest& request,
bool BaseFetchContext::SendConversionRequestInsteadOfRedirecting(
const KURL& url,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info,
+ const Vector<KURL>& redirect_chain,
ReportingDisposition reporting_disposition) const {
return false;
}
@@ -91,9 +91,11 @@ BaseFetchContext::CheckCSPForRequest(
const KURL& url,
const ResourceLoaderOptions& options,
ReportingDisposition reporting_disposition,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus redirect_status) const {
return CheckCSPForRequestInternal(
- request_context, url, options, reporting_disposition, redirect_status,
+ request_context, url, options, reporting_disposition,
+ url_before_redirects, redirect_status,
ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly);
}
@@ -103,6 +105,7 @@ BaseFetchContext::CheckCSPForRequestInternal(
const KURL& url,
const ResourceLoaderOptions& options,
ReportingDisposition reporting_disposition,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus redirect_status,
ContentSecurityPolicy::CheckHeaderType check_header_type) const {
if (ShouldBypassMainWorldCSP() ||
@@ -112,25 +115,26 @@ BaseFetchContext::CheckCSPForRequestInternal(
}
const ContentSecurityPolicy* csp = GetContentSecurityPolicy();
- if (csp && !csp->AllowRequest(
- request_context, url, options.content_security_policy_nonce,
+ if (csp &&
+ !csp->AllowRequest(request_context, url,
+ options.content_security_policy_nonce,
options.integrity_metadata, options.parser_disposition,
- redirect_status, reporting_disposition, check_header_type)) {
+ url_before_redirects, redirect_status,
+ reporting_disposition, check_header_type)) {
return ResourceRequestBlockedReason::kCSP;
}
return base::nullopt;
}
base::Optional<ResourceRequestBlockedReason>
-BaseFetchContext::CanRequestInternal(
- ResourceType type,
- const ResourceRequest& resource_request,
- const KURL& url,
- const ResourceLoaderOptions& options,
- ReportingDisposition reporting_disposition,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info) const {
+BaseFetchContext::CanRequestInternal(ResourceType type,
+ const ResourceRequest& resource_request,
+ const KURL& url,
+ const ResourceLoaderOptions& options,
+ ReportingDisposition reporting_disposition,
+ const Vector<KURL>& redirect_chain) const {
if (GetResourceFetcherProperties().IsDetached()) {
- if (!resource_request.GetKeepalive() || !redirect_info) {
+ if (!resource_request.GetKeepalive() || redirect_chain.IsEmpty()) {
return ResourceRequestBlockedReason::kOther;
}
}
@@ -179,14 +183,17 @@ BaseFetchContext::CanRequestInternal(
mojom::RequestContextType request_context =
resource_request.GetRequestContext();
- ResourceRequest::RedirectStatus redirect_status =
- redirect_info ? ResourceRequest::RedirectStatus::kFollowedRedirect
- : ResourceRequest::RedirectStatus::kNoRedirect;
+ const KURL& url_before_redirects =
+ redirect_chain.IsEmpty() ? url : redirect_chain.front();
+ const ResourceRequestHead::RedirectStatus redirect_status =
+ redirect_chain.IsEmpty()
+ ? ResourceRequestHead::RedirectStatus::kNoRedirect
+ : ResourceRequestHead::RedirectStatus::kFollowedRedirect;
// We check the 'report-only' headers before upgrading the request (in
// populateResourceRequest). We check the enforced headers here to ensure we
// block things we ought to block.
if (CheckCSPForRequestInternal(
- request_context, url, options, reporting_disposition, redirect_status,
+ request_context, url, options, reporting_disposition, url_before_redirects, redirect_status,
ContentSecurityPolicy::CheckHeaderType::kCheckEnforce) ==
ResourceRequestBlockedReason::kCSP) {
return ResourceRequestBlockedReason::kCSP;
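Review bot: The new local is typed `ResourceRequestHead::RedirectStatus`, while the signatures changed in this same file (CheckCSPForRequest, CheckCSPForRequestInternal) spell the type `ResourceRequest::RedirectStatus`; one spelling throughout would be easier to follow in a manual backport. The code also now treats an empty `redirect_chain` as "no redirect" and `redirect_chain.front()` as the original URL, which is a contract the callers have to honour and which is not written down here. A comment above the two locals would help, e.g. `// |redirect_chain| is empty for the initial request; otherwise front() is the URL before any redirect.` CanRequestInternal starts and ends outside the hunk.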
@@ -227,7 +234,7 @@ BaseFetchContext::CanRequestInternal(
// Check for mixed content. We do this second-to-last so that when folks block
// mixed content via CSP, they don't get a mixed content warning, but a CSP
// warning instead.
- if (ShouldBlockFetchByMixedContentCheck(request_context, redirect_status, url,
+ if (ShouldBlockFetchByMixedContentCheck(request_context, redirect_chain, url,
reporting_disposition)) {
return ResourceRequestBlockedReason::kMixedContent;
}
@@ -244,7 +251,7 @@ BaseFetchContext::CanRequestInternal(
return ResourceRequestBlockedReason::kOther;
}
- if (SendConversionRequestInsteadOfRedirecting(url, redirect_info,
+ if (SendConversionRequestInsteadOfRedirecting(url, redirect_chain,
reporting_disposition)) {
return ResourceRequestBlockedReason::kOther;
}
diff --git a/chromium/third_party/blink/renderer/core/loader/base_fetch_context.h b/chromium/third_party/blink/renderer/core/loader/base_fetch_context.h
index 9f55459b8a7..cd69e79dfdf 100644
--- a/chromium/third_party/blink/renderer/core/loader/base_fetch_context.h
+++ b/chromium/third_party/blink/renderer/core/loader/base_fetch_context.h
@@ -37,12 +37,13 @@ class CORE_EXPORT BaseFetchContext : public FetchContext {
const KURL&,
const ResourceLoaderOptions&,
ReportingDisposition,
- const base::Optional<ResourceRequest::RedirectInfo>&) const override;
+ const Vector<KURL>&) const override;
base::Optional<ResourceRequestBlockedReason> CheckCSPForRequest(
mojom::RequestContextType,
const KURL&,
const ResourceLoaderOptions&,
ReportingDisposition,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus) const override;
void Trace(Visitor*) override;
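Review bot: `CheckCSPForRequest` now takes two `const KURL&` parameters but only the new one is named, so the declaration does not tell a caller which is the URL being checked and which is the one used in reports. Swapping them still compiles and would put the post-redirect URL back into violation reports. Naming the first parameter, e.g. `const KURL& url,`, would make the order readable at the call site. The same applies to `CheckCSPForRequestInternal` further down this header, to `FetchContext::CheckCSPForRequest`, and to `ShouldBlockFetch` and `ShouldBlockFetchOnWorker` in mixed_content_checker.h.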
@@ -74,7 +75,7 @@ class CORE_EXPORT BaseFetchContext : public FetchContext {
// registration endpoint.
virtual bool SendConversionRequestInsteadOfRedirecting(
const KURL& url,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info,
+ const Vector<KURL>& redirect_chain,
ReportingDisposition reporting_disposition) const;
virtual const ContentSecurityPolicy* GetContentSecurityPolicy() const = 0;
@@ -99,7 +100,7 @@ class CORE_EXPORT BaseFetchContext : public FetchContext {
virtual bool IsSVGImageChromeClient() const = 0;
virtual bool ShouldBlockFetchByMixedContentCheck(
mojom::RequestContextType,
- ResourceRequest::RedirectStatus,
+ const Vector<KURL>& redirect_chain,
const KURL&,
ReportingDisposition) const = 0;
virtual bool ShouldBlockFetchAsCredentialedSubresource(const ResourceRequest&,
@@ -123,13 +124,14 @@ class CORE_EXPORT BaseFetchContext : public FetchContext {
const KURL&,
const ResourceLoaderOptions&,
ReportingDisposition,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info) const;
+ const Vector<KURL>& redirect_chain) const;
base::Optional<ResourceRequestBlockedReason> CheckCSPForRequestInternal(
mojom::RequestContextType,
const KURL&,
const ResourceLoaderOptions&,
ReportingDisposition,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus,
ContentSecurityPolicy::CheckHeaderType) const;
};
diff --git a/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.cc b/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.cc
index 6ff2d5cbada..ee7f7d6236b 100644
--- a/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.cc
+++ b/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.cc
@@ -421,7 +421,7 @@ void FrameFetchContext::PrepareRequest(
ResourceType resource_type) {
// TODO(yhirano): Clarify which statements are actually needed when
// this is called during redirect.
- const bool for_redirect = request.GetRedirectInfo().has_value();
+ const bool for_redirect = !request.GetRedirectChain().IsEmpty();
SetFirstPartyCookie(request);
if (request.GetRequestContext() ==
@@ -872,15 +872,20 @@ FrameFetchContext::CreateWebSocketHandshakeThrottle() {
bool FrameFetchContext::ShouldBlockFetchByMixedContentCheck(
mojom::RequestContextType request_context,
- ResourceRequest::RedirectStatus redirect_status,
+ const Vector<KURL>& redirect_chain,
const KURL& url,
ReportingDisposition reporting_disposition) const {
if (GetResourceFetcherProperties().IsDetached()) {
// TODO(yhirano): Implement the detached case.
return false;
}
+ RedirectStatus redirect_status = redirect_chain.IsEmpty()
+ ? RedirectStatus::kNoRedirect
+ : RedirectStatus::kFollowedRedirect;
+ const KURL& url_before_redirects =
+ redirect_chain.IsEmpty() ? url : redirect_chain.front();
return MixedContentChecker::ShouldBlockFetch(
- GetFrame(), request_context, redirect_status, url, reporting_disposition);
+ GetFrame(), request_context, url_before_redirects, redirect_status, url, reporting_disposition);
}
bool FrameFetchContext::ShouldBlockFetchAsCredentialedSubresource(
@@ -1060,7 +1065,7 @@ bool FrameFetchContext::CalculateIfAdSubresource(
bool FrameFetchContext::SendConversionRequestInsteadOfRedirecting(
const KURL& url,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info,
+ const Vector<KURL>& redirect_chain,
ReportingDisposition reporting_disposition) const {
if (!RuntimeEnabledFeatures::ConversionMeasurementEnabled())
return false;
@@ -1070,8 +1075,8 @@ bool FrameFetchContext::SendConversionRequestInsteadOfRedirecting(
// redirect is same origin to ensure that the reporting domain has consented
// to the registration event.
if (!frame_or_imported_document_ || !GetFrame() ||
- !GetFrame()->IsMainFrame()|| !redirect_info ||
- !SecurityOrigin::AreSameOrigin(url, redirect_info->previous_url)) {
+ !GetFrame()->IsMainFrame()|| redirect_chain.IsEmpty() ||
+ !SecurityOrigin::AreSameOrigin(url, redirect_chain.back())) {
return false;
}
@@ -1130,7 +1135,7 @@ base::Optional<ResourceRequestBlockedReason> FrameFetchContext::CanRequest(
const KURL& url,
const ResourceLoaderOptions& options,
ReportingDisposition reporting_disposition,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info) const {
+ const Vector<KURL>& redirect_chain) const {
if (!GetResourceFetcherProperties().IsDetached() &&
frame_or_imported_document_->GetDocument().IsFreezingInProgress() &&
!resource_request.GetKeepalive()) {
@@ -1141,7 +1146,7 @@ base::Optional<ResourceRequestBlockedReason> FrameFetchContext::CanRequest(
return ResourceRequestBlockedReason::kOther;
}
return BaseFetchContext::CanRequest(type, resource_request, url, options,
- reporting_disposition, redirect_info);
+ reporting_disposition, redirect_chain);
}
CoreProbeSink* FrameFetchContext::Probe() const {
diff --git a/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.h b/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.h
index e11cd30cb69..e2f68214742 100644
--- a/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.h
+++ b/chromium/third_party/blink/renderer/core/loader/frame_fetch_context.h
@@ -79,8 +79,7 @@ class CORE_EXPORT FrameFetchContext final : public BaseFetchContext {
const KURL& url,
const ResourceLoaderOptions& options,
ReportingDisposition reporting_disposition,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info)
- const override;
+ const Vector<KURL>& redirect_chain) const override;
mojom::FetchCacheMode ResourceRequestCachePolicy(
const ResourceRequest&,
ResourceType,
@@ -113,7 +112,7 @@ class CORE_EXPORT FrameFetchContext final : public BaseFetchContext {
bool SendConversionRequestInsteadOfRedirecting(
const KURL& url,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info,
+ const Vector<KURL>& redirect_chain,
ReportingDisposition reporting_disposition) const override;
mojo::PendingReceiver<mojom::blink::WorkerTimingContainer>
@@ -153,7 +152,7 @@ class CORE_EXPORT FrameFetchContext final : public BaseFetchContext {
std::unique_ptr<WebSocketHandshakeThrottle> CreateWebSocketHandshakeThrottle()
override;
bool ShouldBlockFetchByMixedContentCheck(mojom::RequestContextType,
- ResourceRequest::RedirectStatus,
+ const Vector<KURL>& redirect_chain,
const KURL&,
ReportingDisposition) const override;
bool ShouldBlockFetchAsCredentialedSubresource(const ResourceRequest&,
diff --git a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
index 76cf757241c..30439c216dc 100644
--- a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
+++ b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.cc
@@ -379,6 +379,7 @@ void MixedContentChecker::Count(Frame* frame,
bool MixedContentChecker::ShouldBlockFetch(
LocalFrame* frame,
mojom::RequestContextType request_context,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus redirect_status,
const KURL& url,
ReportingDisposition reporting_disposition) {
@@ -408,7 +409,7 @@ bool MixedContentChecker::ShouldBlockFetch(
MixedContentChecker::Count(mixed_frame, request_context, frame);
if (ContentSecurityPolicy* policy =
frame->GetSecurityContext()->GetContentSecurityPolicy())
- policy->ReportMixedContent(url, redirect_status);
+ policy->ReportMixedContent(url_before_redirects, redirect_status);
Settings* settings = mixed_frame->GetSettings();
// Use the current local frame's client; the embedder doesn't distinguish
@@ -503,6 +504,7 @@ bool MixedContentChecker::ShouldBlockFetch(
bool MixedContentChecker::ShouldBlockFetchOnWorker(
const WorkerFetchContext& worker_fetch_context,
mojom::RequestContextType request_context,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus redirect_status,
const KURL& url,
ReportingDisposition reporting_disposition,
@@ -517,7 +519,7 @@ bool MixedContentChecker::ShouldBlockFetchOnWorker(
worker_fetch_context.CountUsage(WebFeature::kMixedContentPresent);
worker_fetch_context.CountUsage(WebFeature::kMixedContentBlockable);
if (auto* policy = worker_fetch_context.GetContentSecurityPolicy())
- policy->ReportMixedContent(url, redirect_status);
+ policy->ReportMixedContent(url_before_redirects, redirect_status);
// Blocks all mixed content request from worklets.
// TODO(horo): Revise this when the spec is updated.
@@ -769,6 +771,7 @@ void MixedContentChecker::MixedContentFound(
const KURL& mixed_content_url,
mojom::RequestContextType request_context,
bool was_allowed,
+ const KURL& url_before_redirects,
bool had_redirect,
std::unique_ptr<SourceLocation> source_location) {
// Logs to the frame console.
@@ -780,7 +783,7 @@ void MixedContentChecker::MixedContentFound(
frame->GetSecurityContext()->GetContentSecurityPolicy();
if (policy) {
policy->ReportMixedContent(
- mixed_content_url,
+ url_before_redirects,
had_redirect ? ResourceRequest::RedirectStatus::kFollowedRedirect
: ResourceRequest::RedirectStatus::kNoRedirect);
}
diff --git a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.h b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.h
index 66b5f126416..f81e3e5e2e1 100644
--- a/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.h
+++ b/chromium/third_party/blink/renderer/core/loader/mixed_content_checker.h
@@ -72,12 +72,14 @@ class CORE_EXPORT MixedContentChecker final {
static bool ShouldBlockFetch(
LocalFrame*,
mojom::RequestContextType,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus,
const KURL&,
ReportingDisposition = ReportingDisposition::kReport);
static bool ShouldBlockFetchOnWorker(const WorkerFetchContext&,
mojom::RequestContextType,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus,
const KURL&,
ReportingDisposition,
@@ -117,6 +119,7 @@ class CORE_EXPORT MixedContentChecker final {
const KURL& mixed_content_url,
mojom::RequestContextType,
bool was_allowed,
+ const KURL& url_before_redirects,
bool had_redirect,
std::unique_ptr<SourceLocation>);
diff --git a/chromium/third_party/blink/renderer/core/loader/ping_loader.cc b/chromium/third_party/blink/renderer/core/loader/ping_loader.cc
index 181b50c9f92..0d80a63ad60 100644
--- a/chromium/third_party/blink/renderer/core/loader/ping_loader.cc
+++ b/chromium/third_party/blink/renderer/core/loader/ping_loader.cc
@@ -190,7 +190,7 @@ bool SendBeaconCommon(LocalFrame* frame,
if (!frame->GetDocument()
->GetContentSecurityPolicyForWorld()
- ->AllowConnectToSource(url)) {
+ ->AllowConnectToSource(url, url, RedirectStatus::kNoRedirect)) {
// We're simulating a network failure here, so we return 'true'.
return true;
}
diff --git a/chromium/third_party/blink/renderer/core/loader/threadable_loader.cc b/chromium/third_party/blink/renderer/core/loader/threadable_loader.cc
index 2eabb5f8cf7..8b7bd18d419 100644
--- a/chromium/third_party/blink/renderer/core/loader/threadable_loader.cc
+++ b/chromium/third_party/blink/renderer/core/loader/threadable_loader.cc
@@ -685,7 +685,6 @@ bool ThreadableLoader::RedirectReceived(
ResourceRequest cross_origin_request;
cross_origin_request.CopyFrom(new_request);
- cross_origin_request.SetInitialUrlForResourceTiming(initial_request_url_);
// Remove any headers that may have been added by the network layer that cause
// access control to fail.
diff --git a/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.cc b/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.cc
index afa9b00db12..14b983bde85 100644
--- a/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.cc
+++ b/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.cc
@@ -142,12 +142,17 @@ WorkerFetchContext::CreateWebSocketHandshakeThrottle() {
bool WorkerFetchContext::ShouldBlockFetchByMixedContentCheck(
mojom::RequestContextType request_context,
- ResourceRequest::RedirectStatus redirect_status,
+ const Vector<KURL>& redirect_chain,
const KURL& url,
ReportingDisposition reporting_disposition) const {
+ RedirectStatus redirect_status = redirect_chain.IsEmpty()
+ ? RedirectStatus::kNoRedirect
+ : RedirectStatus::kFollowedRedirect;
+ const KURL& url_before_redirects =
+ redirect_chain.IsEmpty() ? url : redirect_chain.front();
return MixedContentChecker::ShouldBlockFetchOnWorker(
- *this, request_context, redirect_status, url, reporting_disposition,
- global_scope_->IsWorkletGlobalScope());
+ *this, request_context, url_before_redirects, redirect_status, url,
+ reporting_disposition, global_scope_->IsWorkletGlobalScope());
}
bool WorkerFetchContext::ShouldBlockFetchAsCredentialedSubresource(
diff --git a/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.h b/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.h
index f7f18854f7c..83fa290194b 100644
--- a/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.h
+++ b/chromium/third_party/blink/renderer/core/loader/worker_fetch_context.h
@@ -60,7 +60,7 @@ class WorkerFetchContext final : public BaseFetchContext {
std::unique_ptr<WebSocketHandshakeThrottle> CreateWebSocketHandshakeThrottle()
override;
bool ShouldBlockFetchByMixedContentCheck(mojom::RequestContextType,
- ResourceRequest::RedirectStatus,
+ const Vector<KURL>& redirect_chain,
const KURL&,
ReportingDisposition) const override;
bool ShouldBlockFetchAsCredentialedSubresource(const ResourceRequest&,
diff --git a/chromium/third_party/blink/renderer/core/workers/abstract_worker.cc b/chromium/third_party/blink/renderer/core/workers/abstract_worker.cc
index eb5eef37994..e3d9a5b7b35 100644
--- a/chromium/third_party/blink/renderer/core/workers/abstract_worker.cc
+++ b/chromium/third_party/blink/renderer/core/workers/abstract_worker.cc
@@ -67,7 +67,7 @@ KURL AbstractWorker::ResolveURL(ExecutionContext* execution_context,
if (ContentSecurityPolicy* csp =
execution_context->GetContentSecurityPolicy()) {
- if (!csp->AllowRequestWithoutIntegrity(request_context, script_url) ||
+ if (!csp->AllowRequestWithoutIntegrity(request_context, script_url, script_url, RedirectStatus::kNoRedirect) ||
!csp->AllowWorkerContextFromSource(script_url)) {
exception_state.ThrowSecurityError(
"Access to the script at '" + script_url.ElidedString() +
diff --git a/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc b/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc
index fd13c1f4268..16453af0cfd 100644
--- a/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc
+++ b/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc
@@ -247,7 +247,8 @@ void WorkerGlobalScope::ImportScriptsInternal(const Vector<String>& urls,
return;
}
if (!GetContentSecurityPolicy()->AllowScriptFromSource(
- url, AtomicString(), IntegrityMetadataSet(), kNotParserInserted)) {
+ url, AtomicString(), IntegrityMetadataSet(), kNotParserInserted,
+ url, RedirectStatus::kNoRedirect)) {
exception_state.ThrowDOMException(
DOMExceptionCode::kNetworkError,
"The script at '" + url.ElidedString() + "' failed to load.");
diff --git a/chromium/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc b/chromium/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
index 474808db4cd..5a4a54a773f 100644
--- a/chromium/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
+++ b/chromium/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
@@ -68,7 +68,8 @@ ScriptPromise RejectWithTypeError(ScriptState* script_state,
bool ShouldBlockDueToCSP(ExecutionContext* execution_context,
const KURL& request_url) {
return !execution_context->GetContentSecurityPolicyForWorld()
- ->AllowConnectToSource(request_url);
+ ->AllowConnectToSource(request_url, request_url,
+ RedirectStatus::kNoRedirect);
}
bool ShouldBlockPort(const KURL& request_url) {
diff --git a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_container.cc b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_container.cc
index 4795fc804c7..7d0259b715f 100644
--- a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_container.cc
+++ b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_container.cc
@@ -333,7 +333,7 @@ ScriptPromise ServiceWorkerContainer::registerServiceWorker(
ContentSecurityPolicy* csp = execution_context->GetContentSecurityPolicy();
if (csp) {
if (!csp->AllowRequestWithoutIntegrity(
- mojom::RequestContextType::SERVICE_WORKER, script_url) ||
+ mojom::RequestContextType::SERVICE_WORKER, script_url, script_url, RedirectStatus::kNoRedirect) ||
!csp->AllowWorkerContextFromSource(script_url)) {
callbacks->OnError(WebServiceWorkerError(
mojom::blink::ServiceWorkerErrorType::kSecurity,
diff --git a/chromium/third_party/blink/renderer/modules/websockets/websocket_common.cc b/chromium/third_party/blink/renderer/modules/websockets/websocket_common.cc
index a416644e20d..4cd6d80b700 100644
--- a/chromium/third_party/blink/renderer/modules/websockets/websocket_common.cc
+++ b/chromium/third_party/blink/renderer/modules/websockets/websocket_common.cc
@@ -88,7 +88,7 @@ WebSocketCommon::ConnectResult WebSocketCommon::Connect(
}
if (!execution_context->GetContentSecurityPolicyForWorld()
- ->AllowConnectToSource(url_)) {
+ ->AllowConnectToSource(url_, url_, RedirectStatus::kNoRedirect)) {
state_ = kClosed;
return ConnectResult::kAsyncError;
diff --git a/chromium/third_party/blink/renderer/modules/webtransport/quic_transport.cc b/chromium/third_party/blink/renderer/modules/webtransport/quic_transport.cc
index bb5f950c836..6e284d55fb2 100644
--- a/chromium/third_party/blink/renderer/modules/webtransport/quic_transport.cc
+++ b/chromium/third_party/blink/renderer/modules/webtransport/quic_transport.cc
@@ -456,7 +456,7 @@ void QuicTransport::Init(const String& url, ExceptionState& exception_state) {
auto* execution_context = GetExecutionContext();
if (!execution_context->GetContentSecurityPolicyForWorld()
- ->AllowConnectToSource(url_)) {
+ ->AllowConnectToSource(url_, url_, RedirectStatus::kNoRedirect)) {
// TODO(ricea): This error should probably be asynchronous like it is for
// WebSockets and fetch.
exception_state.ThrowSecurityError(
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/fetch_context.h b/chromium/third_party/blink/renderer/platform/loader/fetch/fetch_context.h
index 58b63dae8d7..19ef24f1275 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/fetch_context.h
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/fetch_context.h
@@ -113,8 +113,7 @@ class PLATFORM_EXPORT FetchContext : public GarbageCollected<FetchContext> {
const KURL&,
const ResourceLoaderOptions&,
ReportingDisposition,
- const base::Optional<ResourceRequest::RedirectInfo>& redirect_info)
- const {
+ const Vector<KURL>& redirect_chain) const {
return ResourceRequestBlockedReason::kOther;
}
virtual base::Optional<ResourceRequestBlockedReason> CheckCSPForRequest(
@@ -122,6 +121,7 @@ class PLATFORM_EXPORT FetchContext : public GarbageCollected<FetchContext> {
const KURL&,
const ResourceLoaderOptions&,
ReportingDisposition,
+ const KURL& url_before_redirects,
ResourceRequest::RedirectStatus) const {
return ResourceRequestBlockedReason::kOther;
}
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
index cb0e4e76d6b..3984fe91d04 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
@@ -314,10 +314,7 @@ void PopulateAndAddResourceTimingInfo(Resource* resource,
scoped_refptr<ResourceTimingInfo> info,
base::TimeTicks response_end,
int64_t encoded_data_length) {
- info->SetInitialURL(
- resource->GetResourceRequest().GetInitialUrlForResourceTiming().IsNull()
- ? resource->GetResourceRequest().Url()
- : resource->GetResourceRequest().GetInitialUrlForResourceTiming());
+ info->SetInitialURL(resource->Url());
info->SetFinalResponse(resource->GetResponse());
info->SetLoadResponseEnd(response_end);
// encodedDataLength == -1 means "not available".
@@ -645,12 +642,9 @@ void ResourceFetcher::DidLoadResourceFromMemoryCache(
scoped_refptr<ResourceTimingInfo> info = ResourceTimingInfo::Create(
resource->Options().initiator_info.name, base::TimeTicks::Now(),
request.GetRequestContext(), request.GetRequestDestination());
- // TODO(yoav): GetInitialUrlForResourceTiming() is only needed until
+ // TODO(yoav): GetOriginalURLBeforeRedirects() is only needed until
// Out-of-Blink CORS lands: https://crbug.com/736308
- info->SetInitialURL(
- resource->GetResourceRequest().GetInitialUrlForResourceTiming().IsNull()
- ? resource->GetResourceRequest().Url()
- : resource->GetResourceRequest().GetInitialUrlForResourceTiming());
+ info->SetInitialURL(resource->Url());
ResourceResponse final_response = resource->GetResponse();
final_response.SetResourceLoadTiming(nullptr);
info->SetFinalResponse(final_response);
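Review bot: The rewritten TODO names `GetOriginalURLBeforeRedirects()`, but the statement under it is now `info->SetInitialURL(resource->Url());` and no such call appears in this hunk, so the comment describes code that is not there. Either drop the TODO or reword it to match what remains. Separately, `GetInitialUrlForResourceTiming()` is removed here and in PopulateAndAddResourceTimingInfo, and its removed comment said it covered ThreadableLoader splitting a redirect chain across Resources. It is worth confirming that `resource->Url()` is still the initial URL in that case. DidLoadResourceFromMemoryCache begins and ends outside this hunk.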
@@ -819,20 +813,27 @@ base::Optional<ResourceRequestBlockedReason> ResourceFetcher::PrepareRequest(
: ReportingDisposition::kReport;
- // Note that resource_request.GetRedirectInfo() may non-null here since e.g.
- // ThreadableLoader may create a new Resource from a ResourceRequest that
+ // Note that resource_request.GetRedirectChain() may be non-empty here since
+ // e.g. ThreadableLoader may create a new Resource from a ResourceRequest that
// originates from the ResourceRequest passed to the redirect handling
// callback.
// Before modifying the request for CSP, evaluate report-only headers. This
// allows site owners to learn about requests that are being modified
// (e.g. mixed content that is being upgraded by upgrade-insecure-requests).
- Context().CheckCSPForRequest(
- resource_request.GetRequestContext(),
- MemoryCache::RemoveFragmentIdentifierIfNeeded(params.Url()), options,
- reporting_disposition, resource_request.GetRedirectInfo()
- ? ResourceRequest::RedirectStatus::kFollowedRedirect
- : ResourceRequest::RedirectStatus::kNoRedirect);
+ const Vector<KURL>& redirect_chain = resource_request.GetRedirectChain();
+ const KURL& url_before_redirects =
+ redirect_chain.IsEmpty() ? params.Url() : redirect_chain.front();
+ const ResourceRequestHead::RedirectStatus redirect_status =
+ redirect_chain.IsEmpty()
+ ? ResourceRequestHead::RedirectStatus::kNoRedirect
+ : ResourceRequestHead::RedirectStatus::kFollowedRedirect;
+ Context().CheckCSPForRequest(
+ resource_request.GetRequestContext(),
+ MemoryCache::RemoveFragmentIdentifierIfNeeded(params.Url()), options,
+ reporting_disposition,
+ MemoryCache::RemoveFragmentIdentifierIfNeeded(url_before_redirects),
+ redirect_status);
// This may modify params.Url() (via the resource_request argument).
Context().PopulateResourceRequest(
@@ -893,7 +894,7 @@ base::Optional<ResourceRequestBlockedReason> ResourceFetcher::PrepareRequest(
base::Optional<ResourceRequestBlockedReason> blocked_reason =
Context().CanRequest(resource_type, resource_request, url, options,
reporting_disposition,
- resource_request.GetRedirectInfo());
+ resource_request.GetRedirectChain());
if (Context().CalculateIfAdSubresource(resource_request, resource_type))
resource_request.SetIsAdResource();
@@ -2059,7 +2060,7 @@ void ResourceFetcher::EmulateLoadStartedForInspector(
Context().CanRequest(resource->GetType(), last_resource_request,
last_resource_request.Url(), params.Options(),
ReportingDisposition::kReport,
- last_resource_request.GetRedirectInfo());
+ last_resource_request.GetRedirectChain());
DidLoadResourceFromMemoryCache(resource->InspectorId(), resource,
params.GetResourceRequest(),
false /* is_static_data */);
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc
index 84ae2e48c70..ae6167b2dce 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc
@@ -739,6 +739,8 @@ bool ResourceLoader::WillFollowRedirect(
const ResourceResponse& redirect_response(
passed_redirect_response.ToResourceResponse());
+ const KURL& url_before_redirects = initial_request.Url();
+
if (!IsManualRedirectFetchRequest(initial_request)) {
bool unused_preload = resource_->IsUnusedPreload();
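Review bot: `url_before_redirects` is taken from `initial_request.Url()`, whereas the other fetch paths in this commit take `redirect_chain.front()` whenever the chain is non-empty. The comment in ResourceFetcher::PrepareRequest says a request handed to a new Resource may already carry a redirect chain (the ThreadableLoader case). If `initial_request` can be such a request, its `Url()` is itself a redirect target and would be the URL passed to `CheckCSPForRequest` in the next hunk. Consider `const Vector<KURL>& chain = initial_request.GetRedirectChain();` followed by `const KURL& url_before_redirects = chain.IsEmpty() ? initial_request.Url() : chain.front();`. WillFollowRedirect begins and ends outside this hunk, so where `initial_request` comes from is not visible here.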
@@ -750,13 +752,13 @@ bool ResourceLoader::WillFollowRedirect(
// CanRequest() checks only enforced CSP, so check report-only here to
// ensure that violations are sent.
Context().CheckCSPForRequest(
- request_context, new_url, options, reporting_disposition,
+ request_context, new_url, options, reporting_disposition, url_before_redirects,
ResourceRequest::RedirectStatus::kFollowedRedirect);
base::Optional<ResourceRequestBlockedReason> blocked_reason =
Context().CanRequest(resource_type, *new_request, new_url, options,
reporting_disposition,
- new_request->GetRedirectInfo());
+ new_request->GetRedirectChain());
if (Context().CalculateIfAdSubresource(*new_request, resource_type))
new_request->SetIsAdResource();
@@ -1028,17 +1030,18 @@ void ResourceLoader::DidReceiveResponseInternal(
// pre-request checks, and consider running the checks regardless of service
// worker interception.
const KURL& response_url = response.ResponseUrl();
+ Vector<KURL> redirect_chain = request.GetRedirectChain();
+ redirect_chain.push_back(request.Url());
// CanRequest() below only checks enforced policies: check report-only
// here to ensure violations are sent.
Context().CheckCSPForRequest(
- request_context, response_url, options, ReportingDisposition::kReport,
+ request_context, response_url, options, ReportingDisposition::kReport, redirect_chain.front(),
ResourceRequest::RedirectStatus::kFollowedRedirect);
base::Optional<ResourceRequestBlockedReason> blocked_reason =
Context().CanRequest(resource_type, ResourceRequest(initial_request),
response_url, options,
- ReportingDisposition::kReport,
- ResourceRequest::RedirectInfo());
+ ReportingDisposition::kReport, redirect_chain);
if (blocked_reason) {
HandleError(ResourceError::CancelledDueToAccessCheckError(
response_url, blocked_reason.value()));
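Review bot: `CanRequest` used to receive a default-constructed `ResourceRequest::RedirectInfo()` here and now receives a chain whose last element is `request.Url()`, which changes more than reporting. FrameFetchContext::SendConversionRequestInsteadOfRedirecting compares `url` with `redirect_chain.back()`, so its same-origin test now runs against the real request URL instead of an empty one. It may therefore start passing on this path where it presumably failed before. If that is intended, a comment such as `// Chain ends with the request URL; |response_url| may differ after service worker interception.` would record it; otherwise the conversion check needs its own input. DidReceiveResponseInternal begins and ends outside this hunk.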
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.cc b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
index 0ee5c7db137..776e1950ffd 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
@@ -76,8 +76,7 @@ ResourceRequestHead::ResourceRequestHead(const KURL& url)
referrer_policy_(network::mojom::ReferrerPolicy::kDefault),
is_external_request_(false),
cors_preflight_policy_(
- network::mojom::CorsPreflightPolicy::kConsiderPreflight),
- redirect_info_(base::nullopt) {}
+ network::mojom::CorsPreflightPolicy::kConsiderPreflight) {}
ResourceRequestHead::ResourceRequestHead(const ResourceRequestHead&) = default;
@@ -155,7 +154,8 @@ std::unique_ptr<ResourceRequest> ResourceRequestHead::CreateRedirectRequest(
request->SetReferrerString(referrer);
request->SetReferrerPolicy(new_referrer_policy);
request->SetSkipServiceWorker(skip_service_worker);
- request->SetRedirectInfo(RedirectInfo(Url()));
+ request->redirect_chain_ = GetRedirectChain();
+ request->redirect_chain_.push_back(Url());
// Copy from parameters for |this|.
request->SetDownloadToBlob(DownloadToBlob());
@@ -197,14 +197,6 @@ void ResourceRequestHead::SetUrl(const KURL& url) {
url_ = url;
}
-const KURL& ResourceRequestHead::GetInitialUrlForResourceTiming() const {
- return initial_url_for_resource_timing_;
-}
-
-void ResourceRequestHead::SetInitialUrlForResourceTiming(const KURL& url) {
- initial_url_for_resource_timing_ = url;
-}
-
void ResourceRequestHead::RemoveUserAndPassFromURL() {
if (url_.User().IsEmpty() && url_.Pass().IsEmpty())
return;
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.h b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.h
index 2c5c8095622..ab8037c16cd 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.h
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_request.h
@@ -64,15 +64,10 @@ class PLATFORM_EXPORT ResourceRequestHead {
DISALLOW_NEW();
public:
- enum class RedirectStatus : uint8_t { kFollowedRedirect, kNoRedirect };
-
- struct RedirectInfo {
- // Previous url in the redirect chain.
- KURL previous_url;
- RedirectInfo() = default;
- explicit RedirectInfo(const KURL& previous_url)
- : previous_url(previous_url) {}
- };
+ enum class RedirectStatus : uint8_t {
+ kFollowedRedirect,
+ kNoRedirect
+ }; // TO REMOVE
ResourceRequestHead();
explicit ResourceRequestHead(const KURL&);
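Review bot: The `// TO REMOVE` marker on `RedirectStatus` does not say when or why the enum goes away, and the new code in this commit spells the type three ways. It is `ResourceRequestHead::RedirectStatus` in base_fetch_context.cc and resource_fetcher.cc, `ResourceRequest::RedirectStatus` in resource_loader.cc, and unqualified `RedirectStatus` in frame_fetch_context.cc and the CSP call sites. A TODO naming an owner or bug and the intended replacement, e.g. `// TODO(<owner>): remove once all callers use <replacement type>.`, would tell a later backporter which spelling to keep.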
@@ -100,14 +95,6 @@ class PLATFORM_EXPORT ResourceRequestHead {
const KURL& Url() const;
void SetUrl(const KURL&);
- // ThreadableLoader sometimes breaks redirect chains into separate Resource
- // and ResourceRequests. The ResourceTiming API needs the initial URL for the
- // name attribute of PerformanceResourceTiming entries. This property
- // remembers the initial URL for that purpose. Note that it can return a null
- // URL. In that case, use Url() instead.
- const KURL& GetInitialUrlForResourceTiming() const;
- void SetInitialUrlForResourceTiming(const KURL&);
-
void RemoveUserAndPassFromURL();
mojom::FetchCacheMode GetCacheMode() const;
@@ -343,10 +330,7 @@ class PLATFORM_EXPORT ResourceRequestHead {
cors_preflight_policy_ = policy;
}
- void SetRedirectInfo(const RedirectInfo& info) { redirect_info_ = info; }
- const base::Optional<RedirectInfo>& GetRedirectInfo() const {
- return redirect_info_;
- }
+ const Vector<KURL>& GetRedirectChain() const { return redirect_chain_; }
void SetSuggestedFilename(const base::Optional<String>& suggested_filename) {
suggested_filename_ = suggested_filename;
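Review bot: `GetRedirectChain()` has no comment describing what the vector holds, yet callers in this commit rely on two properties of it. `front()` is treated as the URL before any redirect, and `back()` as the URL immediately before the current one. From `CreateRedirectRequest` the chain is the previous request's chain plus its `Url()`, so the current URL is not included. A comment such as `// URLs this request was redirected from, oldest first; excludes Url(). Empty if no redirect was followed.` would state that contract next to the accessor.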
@@ -471,9 +455,6 @@ class PLATFORM_EXPORT ResourceRequestHead {
bool NeedsHTTPOrigin() const;
KURL url_;
- // TODO(yoav): initial_url_for_resource_timing_ is a stop-gap only needed
- // until Out-of-Blink CORS lands: https://crbug.com/736308
- KURL initial_url_for_resource_timing_;
// base::TimeDelta::Max() represents the default timeout on platforms that
// have one.
base::TimeDelta timeout_interval_;
@@ -514,7 +495,7 @@ class PLATFORM_EXPORT ResourceRequestHead {
network::mojom::ReferrerPolicy referrer_policy_;
bool is_external_request_;
network::mojom::CorsPreflightPolicy cors_preflight_policy_;
- base::Optional<RedirectInfo> redirect_info_;
+ Vector<KURL> redirect_chain_;
base::Optional<network::mojom::blink::TrustTokenParams> trust_token_params_;
base::Optional<String> suggested_filename_;