securitypolicyviolation events firing inconsistently for violations originating from extensions |
|||||
Issue descriptionWhen an a CSP violation occurs from within a chrome-extension frame, it gets logged to the console, like so: [22048:14020:0324/135309.127:INFO:CONSOLE(0)] "Refused to frame 'http://localhos t:55803/' because it violates the following Content Security Policy directive: " frame-src 'self' blob: filesystem: data: chrome-extension-resource:". ", source: chrome-extension://febckchdcnjnkfpnhdddkfajgoahbogk/main.html (0) However, the corresponding 'securitypolicyviolation' event only fires if PlzNavigate is enabled (--enable-browser-side-navigation), so the event cannot be caught by the document. The reason such CSP events don't fire is due to the following workaround code in ContentSecurityPolicy::reportViolation(): // TODO(mkwst): Obviously, we shouldn't hit this check, as extension-loaded // resources should be allowed regardless. We apparently do, however, so // we should at least stop spamming reporting endpoints. See // https://crbug.com/524356 for detail. if (!violationData.sourceFile().isEmpty() && shouldBypassContentSecurityPolicy( KURL(ParsedURLString, violationData.sourceFile()))) { return; } There are two potential issues here then: - In PlzNavigate, sourceFile() is currently empty (although it does appear in the console message), explaining the different event-firing behavior. - The workaround above was apparently intended to suppress CSP violations from content scripts that were being reported to the main document. However, it seems inappropriate to do this when the main document itself is a chrome-extension:// resource, since all extensions frames run with restrictive CSPs in place. https://codereview.chromium.org/2775953002 refurbishes and re-enables a CSP test (PlatformAppBrowserTest.Iframes) that currently passes only in PlzNavigate.
,
Mar 24 2017
,
Mar 24 2017
,
Mar 27 2017
I have made a patch that will bring the "sourceFile" in PlzNavigate mode: https://codereview.chromium.org/2761153003/ Seeing your bug, I realized that I will have to modify my patch a little bit before sending it to the CQ though... So, the first issue should be fixed soon.
,
Mar 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8bec3f2a2edf7217f83d10fe929816e698c64a35 commit 8bec3f2a2edf7217f83d10fe929816e698c64a35 Author: arthursonzogni <arthursonzogni@chromium.org> Date: Thu Mar 30 11:55:52 2017 PlzNavigate & CSP. Use the SourceLocation in violation reports. The SourceLocation struct is available during a navigation thanks to this CL: https://codereview.chromium.org/2720763002 This patch makes use of it for CSP. It fixes several test where the line number in console messages was missing. BUG= 690946 ,705098 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel Review-Url: https://codereview.chromium.org/2761153003 Cr-Commit-Position: refs/heads/master@{#460727} [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/browser/frame_host/ancestor_throttle.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/browser/frame_host/form_submission_throttle.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/browser/frame_host/render_frame_host_impl.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/browser/frame_host/render_frame_host_impl.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/content_security_policy/content_security_policy.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/content_security_policy/content_security_policy.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/content_security_policy/content_security_policy_unittest.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/content_security_policy/csp_context.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/content_security_policy/csp_context.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/content_security_policy/csp_context_unittest.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/common/frame_messages.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/content/renderer/content_security_policy_util.cc [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h [rename] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/public/platform/WebSourceLocation.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/public/web/WebConsoleMessage.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/public/web/WebDataSource.h [modify] https://crrev.com/8bec3f2a2edf7217f83d10fe929816e698c64a35/third_party/WebKit/public/web/WebFrameClient.h
,
Nov 10 2017
,
Feb 18 2018
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by nick@chromium.org
, Mar 24 2017