Issue 878274

Starred by 2 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocked on:
issue 880027

Blocking:
issue 845285
issue 861564
issue 896041


Participants' hotlists:
Worker-OffTheMainThread



Decouple ContentSecurityPolicy from ExecutionContext

Project Member Reported by hirosh...@chromium.org, Aug 28

Issue description

In the spec, the fetch-related parts of CSP are associated with the request's client's global object.
Therefore, blink::ContentSecurityPolicy should be associated with FetchClientSettingsObject instead of ExecutionContext.

This issue tracks efforts to reduce the dependency of CSP on ExecutionContext and switch to FetchClientSettingsObject.

Design doc: https://docs.google.com/document/d/1M4JnILy67UvGAeucg3v-AyE5SgfZq1AfN2JbEvnaEyM/edit?usp=sharing
Blocking: 845285 861564
Blockedon: 880027
Cc: hirosh...@chromium.org
Owner: karandeepb@chromium.org
Summary: Decouple ContentSecurityPolicy from ExecutionContext (was: Associate ContentSecurityPolicy with FetchClientSettingsObject instead of ExecutionContext)
As Karan is starting an effort in the context of extensions, assigning this to Karan.

Also, the important thing is to decouple CSP from ExecutionContext, and probably in the first step we don't have to switch to FetchClientSettingsObject/FetchContext.
(In the context of worker-related issues, I'll anyway have to associate CSP with FetchContext, but this can/should be done once the CSP-ExecutionContext dependency is cleared.)
Comment 5 by bugdroid1@chromium.org (Project Member), Dec 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1c086040bdda4d0abe86770891aa61de499da645

commit 1c086040bdda4d0abe86770891aa61de499da645
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Fri Dec 07 18:39:46 2018

Stop counting kWorkerAllowedByChildBlockedByScript

To reduce GetDocument() usage.
As https://github.com/w3c/webappsec-csp/issues/146 has already been
closed and the Blink implementation has been changed,
this UseCounter is no longer needed.

Bug: 878274
Change-Id: Icb55058d369b29992436229a9b971bc6f0b8f2a6
Reviewed-on: https://chromium-review.googlesource.com/c/1192303
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#614762}
[modify] https://crrev.com/1c086040bdda4d0abe86770891aa61de499da645/third_party/blink/public/platform/web_feature.mojom
[modify] https://crrev.com/1c086040bdda4d0abe86770891aa61de499da645/third_party/blink/renderer/core/frame/csp/content_security_policy.cc

Blocking: 896041
Comment 7 by bugdroid1@chromium.org (Project Member), Dec 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5761847e925fc4ec4ec989b0b8659b44bbd71434

commit 5761847e925fc4ec4ec989b0b8659b44bbd71434
Author: Karan Bhatia <karandeepb@chromium.org>
Date: Wed Dec 19 07:41:52 2018

Blink: Introduce ContentSecurityPolicyDelegate.

This CL removes the dependence of blink::ContentSecurityPolicy on its member
ExecutionContext by introducing a Delegate interface which an ExecutionContext
wrapper (ExecutionContextCSPDelegate) implements. This is done because:

- We subsequently plan to apply CSP checks for isolated worlds. Code running in
  the context of an isolated world doesn't have its own execution context, and
  shares its execution context with the underlying Document. Having a delegate
  interface will allow us to customize the execution context dependent behavior
  for isolated world CSPs.
- This refactoring is also needed for off-the-main-thread fetch in workers,
  which requires there to be two settings objects: "insideSettings" for
  subresource requests from workers, and "outsideSettings" for worker top-level
  scripts.

BUG=896041, 878274

Change-Id: I8f52a559f6a650c5060dcecf7530a55219bb14cd
Reviewed-on: https://chromium-review.googlesource.com/c/1364298
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#617758}
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/dom/document.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/dom/scripted_idle_task_controller_test.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/execution_context/execution_context.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/execution_context/execution_context.h
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/BUILD.gn
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/content_security_policy.h
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/csp_source.cc
[add] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc
[add] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.h
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/script/script_loader.h
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/testing/null_execution_context.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/workers/worker_global_scope.cc
[modify] https://crrev.com/5761847e925fc4ec4ec989b0b8659b44bbd71434/third_party/blink/renderer/core/workers/worker_or_worklet_global_scope.cc

Created/added design doc link.
Comment 11 by bugdroid1@chromium.org (Project Member), Dec 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e303126011a2ed9933905c39f2e7f205f012aab

commit 9e303126011a2ed9933905c39f2e7f205f012aab
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Thu Dec 20 09:46:50 2018

Remove GlobalScopeCreationParams::content_security_policy_raw_headers

Simply not used.

Bug: 878274
Change-Id: I3e05e645027232ceba12df93104d897214432302
Reviewed-on: https://chromium-review.googlesource.com/c/1385890
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#618152}
[modify] https://crrev.com/9e303126011a2ed9933905c39f2e7f205f012aab/third_party/blink/renderer/core/workers/global_scope_creation_params.h

Comment 12 by bugdroid1@chromium.org (Project Member), Jan 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cdd159ca09d82ff0a3005f8318469dc210047c89

commit cdd159ca09d82ff0a3005f8318469dc210047c89
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Wed Jan 09 02:43:41 2019

[wpt/upgrade-insecure-requests] Fix generateRedirect()

|url| in generateRedirect() was string (not URL) and therefore
generateRedirect() returned the same URL (|url| as-is)
regardless of |host| or |protocol| parameters.

Bug: 906850, 878274
Change-Id: I7134726e916854a829eaf7d348776a2b7b547c70
Reviewed-on: https://chromium-review.googlesource.com/c/1389029
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621013}
[modify] https://crrev.com/cdd159ca09d82ff0a3005f8318469dc210047c89/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/testharness-helper.sub.js
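The defect described in the commit message above, as an added illustration rather than the WPT helper's own code: when |url| is a plain string, the host/protocol writes are lost and the input comes back as-is, whereas parsing into a URL object first makes the rewrite take effect. The function names, the regression-check helper and the sample URL are assumptions.

```javascript
// Added example modelling the generateRedirect() bug; names, signature and
// sample URL are assumptions, not the WPT testharness-helper code itself.

// Buggy shape: |url| is a string. Object(url) reproduces what a property
// write on a string primitive does in sloppy mode: the value lands on a
// throwaway wrapper object and the original string is returned untouched,
// so |host| and |protocol| are silently ignored.
function generateRedirectBuggy(url, host, protocol) {
  const target = Object(url);
  if (host) target.host = host;
  if (protocol) target.protocol = protocol;
  return target.toString();
}

// Fixed shape: parse into a URL object, whose host/protocol setters
// actually rewrite the target before it is serialized.
function generateRedirectFixed(url, host, protocol) {
  const target = new URL(url);
  if (host) target.host = host;
  if (protocol) target.protocol = protocol;
  return target.toString();
}

// Regression check a test author would want: a redirect helper asked to
// change host or protocol must not hand back its (normalized) input.
function redirectActuallyRewrites(helper, url, host, protocol) {
  return helper(url, host, protocol) !== new URL(url).toString();
}

// Constructed sample: a cross-host, http-to-https redirect target.
const SAMPLE = 'http://www1.example.test/resources/pass.png?x=1';
console.log(generateRedirectBuggy(SAMPLE, 'www2.example.test', 'https:'));
// -> http://www1.example.test/resources/pass.png?x=1  (unchanged: the bug)
console.log(generateRedirectFixed(SAMPLE, 'www2.example.test', 'https:'));
// -> https://www2.example.test/resources/pass.png?x=1
console.log(redirectActuallyRewrites(generateRedirectBuggy, SAMPLE, 'www2.example.test', 'https:')); // false
console.log(redirectActuallyRewrites(generateRedirectFixed, SAMPLE, 'www2.example.test', 'https:'));  // true
```

A test suite that relied on the buggy helper would have been exercising same-origin, non-upgraded requests while believing it covered the redirect cases, which is why the check on the helper itself matters.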

Comment 13 by bugdroid1@chromium.org (Project Member), Jan 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f347091b94fb55bd5218d3e426f119bbc8ba2d23

commit f347091b94fb55bd5218d3e426f119bbc8ba2d23
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Wed Jan 09 19:28:08 2019

[wpt/upgrade-insecure-requests] Add worker/worklet tests

This CL adds upgrade-insecure-requests test coverage for:
- (classic and module) dedicated worker top-level scripts,
- fetch API from dedicated workers, and
- animation/audio/layout/paint worklet top-level scripts,
possibly including redirects and/or static imports,
reusing /mixed-content/generic/common.js.

For this purpose, this CL creates a generator script
that generates the newly added tests
as well as some of the existing tests
(where this CL preserves the test behavior):
- iframe-upgrade.https.html
- iframe-redirect-upgrade.https.html
- image-upgrade.https.html
- image-redirect-upgrade.https.html

This CL also removes upgrade-insecure-requests tests under
/wpt/worklets/ as they are covered by the newly added tests.

Bug: 906850, 878274, 917532, 917554
Change-Id: I1e4f60b72d2b40c795c03b9f79c542c1a250c913
Reviewed-on: https://chromium-review.googlesource.com/c/1389635
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621265}
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/TestExpectations
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/animation-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/animation-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/animation-worklet-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/audio-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/audio-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/audio-worklet-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/iframe-redirect-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/iframe-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/image-redirect-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/image-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/layout-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/layout-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/layout-worklet-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-redirect-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/paint-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/paint-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/paint-worklet-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/generate.py
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/pass.png.headers
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/redirect-cors.py
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/testharness-helper.sub.js
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/worker.js
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/worker.js.headers
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-redirect-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-subresource-fetch-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-subresource-fetch-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/worklets/resources/csp-tests.js
