[CSP] Fix dedicated worker inheritance

Dedicated workers should populate their Content Security Policy from
parsing their response headers. In chrome, they instead used to inherit
CSP from the creator document. This CL fixes that.

Note that workers with local schemes (data, blob, filesystem) still
inherit CSP from the creator context.

Intent to ship:
https://groups.google.com/a/chromium.org/g/blink-dev/c/sH75Nkx_OZ0

Relevant algorithm in the specification:
https://html.spec.whatwg.org/#initialize-worker-policy-container

Bug: 1012640,1253267
Change-Id: I2630bf1ba9425114758d805d5e0b8a3664cbd906
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168339
Reviewed-by: Mike West <[email protected]>
Reviewed-by: Carlos IL <[email protected]>
Reviewed-by: Hiroshige Hayashizaki <[email protected]>
Commit-Queue: Carlos IL <[email protected]>
Cr-Commit-Position: refs/heads/main@{#931337}

common/security-features/tools/spec.src.json

@@ -328,26 +328,6 @@
       ],
       "subresourcePolicyDeliveries": []
     },
-    "worker-classic-inherit": {
-      // This is applicable to upgrade-insecure-requests and mixed-content tests.
-      // Use "worker-classic" for referrer-policy.
-      "description": "dedicated workers should inherit its parent's policy.",
-      "sourceContextList": [
-        {
-          "sourceContextType": "top",
-          "policyDeliveries": [
-            "policy"
-          ]
-        },
-        {
-          "sourceContextType": "worker-classic",
-          "policyDeliveries": [
-            "anotherPolicy"
-          ]
-        }
-      ],
-      "subresourcePolicyDeliveries": []
-    },
     "worker-classic-data": {
       "description": "data: dedicated workers should inherit its parent's policy.",
       "sourceContextList": [
@@ -366,7 +346,6 @@
     },
     "worker-module": {
       // This is applicable to referrer-policy tests.
-      // Use "worker-module-inherit" for CSP (mixed-content, etc.).
       "description": "dedicated workers shouldn't inherit its parent's policy.",
       "sourceContextList": [
         {
@@ -384,26 +363,6 @@
       ],
       "subresourcePolicyDeliveries": []
     },
-    "worker-module-inherit": {
-      // This is applicable to upgrade-insecure-requests and mixed-content tests.
-      // Use "worker-module" for referrer-policy.
-      "description": "dedicated workers should inherit its parent's policy.",
-      "sourceContextList": [
-        {
-          "sourceContextType": "top",
-          "policyDeliveries": [
-            "policy"
-          ]
-        },
-        {
-          "sourceContextType": "worker-module",
-          "policyDeliveries": [
-            "anotherPolicy"
-          ]
-        }
-      ],
-      "subresourcePolicyDeliveries": []
-    },
     "worker-module-data": {
       "description": "data: dedicated workers should inherit its parent's policy.",
       "sourceContextList": [
@@ -506,10 +465,8 @@
       "iframe",
       "iframe-blank-inherit",
       "worker-classic",
-      "worker-classic-inherit",
       "worker-classic-data",
       "worker-module",
-      "worker-module-inherit",
       "worker-module-data",
       "sharedworker-classic",
       "sharedworker-classic-data",

content-security-policy/inside-worker/dedicatedworker-connect-src.html

@@ -10,6 +10,10 @@
       .split('=')[1].trim();
 
   promise_test(async t => {
+    // Dedicated workers do not inherit CSP.
+    await fetch_tests_from_worker(
+      new Worker("./support/connect-src-allow.sub.js"));
+
     // Dedicated workers honor CSP received in their response headers.
     await fetch_tests_from_worker(
       new Worker(
@@ -49,12 +53,5 @@
 
       await new Promise(resolve => fs_entry.remove(resolve));
     }
-
-    // Dedicated workers do not inherit CSP in general.
-    // We put this at the end since chrome is failing this at the moment, and
-    // this sends reports which would make the report checks in the other tests
-    // fail.
-    await fetch_tests_from_worker(
-      new Worker("./support/connect-src-allow.sub.js"));
   });
 </script>

content-security-policy/inside-worker/dedicatedworker-script-src.html

@@ -10,6 +10,10 @@
       .split('=')[1].trim();
 
   promise_test(async t => {
+    // Dedicated workers do not inherit CSP in general.
+    await fetch_tests_from_worker(
+      new Worker("./support/script-src-allow.sub.js"));
+
     // Dedicated workers honor CSP received in their response headers.
     await fetch_tests_from_worker(
       new Worker(
@@ -49,12 +53,5 @@
 
       await new Promise(resolve => fs_entry.remove(resolve));
     }
-
-    // Dedicated workers do not inherit CSP in general.
-    // We put this at the end since chrome is failing this at the moment, and
-    // this sends reports which would make the report checks in the other tests
-    // fail.
-    await fetch_tests_from_worker(
-      new Worker("./support/script-src-allow.sub.js"));
   });
 </script>

content-security-policy/script-src/worker-importscripts.sub.html

@@ -13,8 +13,8 @@
     <script>
       assert_worker_is_loaded(
         "./support/worker-with-script-src-none-importscripts.js",
-        "Dedicated worker inherits CSP from main document",
-        "importScripts allowed");
+        "Dedicated worker delivers its own CSP",
+        "importScripts blocked");
 
       assert_shared_worker_is_loaded(
         "./support/worker-with-script-src-none-importscripts.js",

content-security-policy/script-src/worker-set-timeout.sub.html

@@ -13,8 +13,8 @@
     <script>
       assert_worker_is_loaded(
         "./support/worker-with-script-src-none-set-timeout.js",
-        "Dedicated worker inherits CSP from main document",
-        "setTimeout allowed");
+        "Dedicated worker delivers its own CSP",
+        "setTimeout blocked");
 
       assert_shared_worker_is_loaded(
         "./support/worker-with-script-src-none-set-timeout.js",

content-security-policy/spec.src.json

@@ -294,21 +294,6 @@
       "subresource": "*",
       "expectation": "*"
     },
-    {
-      // source_context_list values not for content security policy tests
-      "expansion": "*",
-      "source_scheme": "*",
-      "source_context_list": [
-        "worker-classic",
-        "worker-module"
-      ],
-      "delivery_type": "*",
-      "delivery_value": "*",
-      "redirection": "*",
-      "subresource": "*",
-      "origin": "*",
-      "expectation": "*"
-    },
     {
       // source_context_list values to be blocked by CSP (i.e. the source
       // context itself should be blocked by CSP before sending subresource
@@ -348,10 +333,8 @@
         "iframe",
         "iframe-blank-inherit",
         "worker-classic",
-        "worker-classic-inherit",
         "worker-classic-data",
         "worker-module",
-        "worker-module-inherit",
         "worker-module-data",
         "sharedworker-classic",
         "sharedworker-classic-data",
@@ -417,6 +400,7 @@
         "link-prefetch-tag",
         "object-tag",
         "picture-tag",
+        "script-tag-dynamic-import",
         "video-tag",
         "websocket",
         "xhr"
@@ -448,6 +432,7 @@
         "link-prefetch-tag",
         "object-tag",
         "picture-tag",
+        "script-tag-dynamic-import",
         "video-tag",
         "websocket",
         "xhr"
@@ -523,6 +508,7 @@
       "object-tag": [],
       "picture-tag": [],
       "script-tag": [],
+      "script-tag-dynamic-import": [],
       "sharedworker-classic": [],
       "sharedworker-import": [],
       "sharedworker-import-data": [],

mixed-content/gen/worker-module-inherit.meta/opt-in/worker-module.https.html → mixed-content/gen/top.http-rp/opt-in/script-tag-dynamic-import.https.html

@@ -4,7 +4,6 @@
   <head>
     <meta charset="utf-8">
     <meta name="timeout" content="long">
-    <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script src="/common/security-features/resources/common.sub.js"></script>
@@ -17,32 +16,22 @@
           {
             "expectation": "allowed",
             "origin": "same-https",
-            "redirection": "no-redirect",
-            "source_context_list": [
-              {
-                "policyDeliveries": [],
-                "sourceContextType": "worker-module"
-              }
-            ],
+            "redirection": "keep-scheme",
+            "source_context_list": [],
             "source_scheme": "https",
-            "subresource": "worker-module",
+            "subresource": "script-tag-dynamic-import",
             "subresource_policy_deliveries": [],
-            "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+            "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and keep-scheme redirection from https context."
           },
           {
-            "expectation": "blocked",
-            "origin": "same-http",
+            "expectation": "allowed",
+            "origin": "same-https",
             "redirection": "no-redirect",
-            "source_context_list": [
-              {
-                "policyDeliveries": [],
-                "sourceContextType": "worker-module"
-              }
-            ],
+            "source_context_list": [],
             "source_scheme": "https",
-            "subresource": "worker-module",
+            "subresource": "script-tag-dynamic-import",
             "subresource_policy_deliveries": [],
-            "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+            "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and no-redirect redirection from https context."
           }
         ],
         new SanityChecker()

mixed-content/gen/worker-module-inherit.meta/opt-in/worker-classic.https.html → mixed-content/gen/top.meta/opt-in/script-tag-dynamic-import.https.html

@@ -18,31 +18,11 @@
             "expectation": "allowed",
             "origin": "same-https",
             "redirection": "no-redirect",
-            "source_context_list": [
-              {
-                "policyDeliveries": [],
-                "sourceContextType": "worker-module"
-              }
-            ],
+            "source_context_list": [],
             "source_scheme": "https",
-            "subresource": "worker-classic",
+            "subresource": "script-tag-dynamic-import",
             "subresource_policy_deliveries": [],
-            "test_description": "Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context."
-          },
-          {
-            "expectation": "blocked",
-            "origin": "same-http",
-            "redirection": "no-redirect",
-            "source_context_list": [
-              {
-                "policyDeliveries": [],
-                "sourceContextType": "worker-module"
-              }
-            ],
-            "source_scheme": "https",
-            "subresource": "worker-classic",
-            "subresource_policy_deliveries": [],
-            "test_description": "Mixed-Content: Expects blocked for worker-classic to same-http origin and no-redirect redirection from https context."
+            "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and no-redirect redirection from https context."
           }
         ],
         new SanityChecker()

mixed-content/gen/worker-classic-inherit.meta/opt-in/worker-module.https.html → mixed-content/gen/top.meta/unset/script-tag-dynamic-import.https.html

@@ -4,7 +4,6 @@
   <head>
     <meta charset="utf-8">
     <meta name="timeout" content="long">
-    <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script src="/common/security-features/resources/common.sub.js"></script>
@@ -17,32 +16,22 @@
           {
             "expectation": "allowed",
             "origin": "same-https",
-            "redirection": "no-redirect",
-            "source_context_list": [
-              {
-                "policyDeliveries": [],
-                "sourceContextType": "worker-classic"
-              }
-            ],
+            "redirection": "keep-scheme",
+            "source_context_list": [],
             "source_scheme": "https",
-            "subresource": "worker-module",
+            "subresource": "script-tag-dynamic-import",
             "subresource_policy_deliveries": [],
-            "test_description": "Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context."
+            "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and keep-scheme redirection from https context."
           },
           {
-            "expectation": "blocked",
-            "origin": "same-http",
+            "expectation": "allowed",
+            "origin": "same-https",
             "redirection": "no-redirect",
-            "source_context_list": [
-              {
-                "policyDeliveries": [],
-                "sourceContextType": "worker-classic"
-              }
-            ],
+            "source_context_list": [],
             "source_scheme": "https",
-            "subresource": "worker-module",
+            "subresource": "script-tag-dynamic-import",
             "subresource_policy_deliveries": [],
-            "test_description": "Mixed-Content: Expects blocked for worker-module to same-http origin and no-redirect redirection from https context."
+            "test_description": "Mixed-Content: Expects allowed for script-tag-dynamic-import to same-https origin and no-redirect redirection from https context."
           }
         ],
         new SanityChecker()