removing security labels and putting this in the security component instead

Thanks for the report.  Arthur, can you confirm if this is correct?

If so, we should decide if this is a PlzNavigate blocking issue.  It's important not to leak full URLs to other renderer processes anymore.

I'll let Arthur confirm, but it seems like this is a problem indeed. :(  Thanks for filing, Lukasz!  

Just to elaborate, I think the concern is the following.  Suppose a.com embeds b.com and restricts it with CSP frame-src to only navigate within b.com.  Next, B might navigate to b.com/secret.html?secret_data=bar, and then attempts to navigate to c.com.  We block that navigation and with PlzNav, we forward a source location for the violation report to a.com, which seems to include the full URL that b.com is currently on, i.e., b.com/secret.html?secret_data=bar [1].  So, if a.com and b.com are in separate renderers, we'd leak the location b.com was on when it violated frame-src to a.com.

Later, a.com filters that source URL to just the origin for use in the violation event [2], so a.com's JS never gets to learn the full b.com URL (see issue 633348).  So the disclosure is only a concern if the a.com renderer is compromised.

It seems that as one potential fix, we could detect whether the frame-src violation is cross-origin in the AncestorThrottle, and strip the source URL right there before sending it out to the renderer.

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/web/LocalFrameClientImpl.cpp?rcl=34718d4879fbba5182af5611438da97f17058142&l=526

[2] 
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp?rcl=34718d4879fbba5182af5611438da97f17058142&l=1079

Also, note that CSP violation reporting is broken with OOPIFs without PlzNavigate, and the tests that r460727 fixed are disabled with --site-per-process (see issue 611232).  We shipped --isolate-extensions without this support as we considered it to not be a blocker in practice for extensions.  Shipping PlzNavigate without a fix for this would mean that any affected extensions (or web pages embedding extensions) would start getting violation reports, and this info disclosure would become possible.

Thanks.  Given comment 3-4 (and the possible way forward), I think we should tentatively consider this a blocking issue.

Yes, indeed it is a problem when a renderer is compromised.
We have to strip the URL before it reaches the renderer.
Thanks for filling the bug lukasz and the explanation alexmos.

Assigning the bug to me.

This bug is about: CSPViolationParams.source_location.url
What about:        CSPViolationParams.blocked_url ?

It is probably the same thing here, isn't it? Only the origin of the urls should be transmitted to the renderer when they are cross-origin.

#7: yes, that seems like a similar problem.  The blocked_url is also stripped down to an origin in GatherSecurityPolicyViolationEventData (https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp?rcl=34718d4879fbba5182af5611438da97f17058142&l=1099), so we probably want to similarly strip it down to an origin in the browser process for cross-origin cases.

Note that we already reset the SourceLocation information we send to the renderer when the navigation commits cross-origin (https://cs.chromium.org/chromium/src/content/browser/frame_host/navigation_request.cc?dr=CSs&l=585).

The SourceLocation is also used when reporting mixed contents violations, so something should probably be done there as well.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/74a80d7c654a53bbb1ad714d8d86c60af1646573

commit 74a80d7c654a53bbb1ad714d8d86c60af1646573
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Wed May 17 12:47:42 2017

PlzNavigate: Do not disclose urls between cross-origin renderers.

The browser transmits Urls between potentially separate, cross-origin renderers
in RenderFrameHostImpl::ReportContentSecurityPolicyViolation.
It is bad from a security point of view when one of the renderer is
compromised.

This CL prevent the browser to send the full path of the urls when they
are cross-origin.

It regresses the quality of some console messages.

BUG= 718942 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel;master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2869423002
Cr-Commit-Position: refs/heads/master@{#472433}

[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/content/common/content_security_policy/content_security_policy.cc
[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/content/common/content_security_policy/csp_context.cc
[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/content/common/content_security_policy/csp_context.h
[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/content/common/content_security_policy/csp_context_unittest.cc
[modify] https://crrev.com/74a80d7c654a53bbb1ad714d8d86c60af1646573/third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation