Deprecate CSPEE same-origin blanket enforcement

Remove same-origin blanket enforcement from CSPEE. See intent thread[1] for more details. [1] https://groups.google.com/a/chromium.org/g/blink-dev/c/VtKJHVgQRzE/m/bTZeRD77AAAJ Bug: 1263288 Change-Id: I18d46b33ea52fbe60dc000e6d9ed2623d01f9bb2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4850620 Reviewed-by: Camille Lamy <[email protected]> Reviewed-by: Reilly Grant <[email protected]> Commit-Queue: Jun Kokatsu <[email protected]> Cr-Commit-Position: refs/heads/main@{#1209684}
Tobias710219 · Oct 16, 2023 · ca644fc · ca644fc
1 parent 4d91410
commit ca644fc
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 38 deletions.
diff --git a/content-security-policy/embedded-enforcement/allow_csp_from-header.html b/content-security-policy/embedded-enforcement/allow_csp_from-header.html
@@ -9,29 +9,29 @@
 <body>
   <script>
     var tests = [
-      { "name": "Same origin iframes are always allowed.",
+      { "name": "Same origin iframes with correct Allow-CSP-From header are allowed.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
-        "allow_csp_from": "¢¥§",
+        "allow_csp_from": getOrigin(),
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
-      { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
+      { "name": "Same origin iframes with an empty Allow-CSP-From header get blocked.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": "",
-        "expected": IframeLoad.EXPECT_LOAD,
+        "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
-      { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
+      { "name": "Same origin iframes without Allow-CSP-From header gets blocked.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": null,
-        "expected": IframeLoad.EXPECT_LOAD,
+        "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
-      { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
+      { "name": "Same origin iframes are blocked if Allow-CSP-From does not match origin.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": "http://example.com:888",
-        "expected": IframeLoad.EXPECT_LOAD,
+        "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
       { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
         "origin": Host.CROSS_ORIGIN,

diff --git a/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html.headers b/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html.headers
@@ -0,0 +1 @@
+Allow-CSP-From: *
diff --git a/content-security-policy/inheritance/support/message-top-and-navigate-back.html.headers b/content-security-policy/inheritance/support/message-top-and-navigate-back.html.headers
@@ -0,0 +1 @@
+Allow-CSP-From: *
diff --git a/fenced-frame/cspee.https.html b/fenced-frame/cspee.https.html
@@ -9,39 +9,55 @@
 <body>
 <script>
 promise_test(async(t) => {
-  const iframe = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+  const iframe = attachIFrameContext({
+    attributes: [["csp", "frame-src *"]],
+    headers: [["Allow-CSP-From", "*"]]
+  });
   t.step_timeout(() => t.done(), 1000);
   await iframe.execute(async (t) => {
-    const fencedframe = attachFencedFrameContext();
+    const fencedframe = attachFencedFrameContext({
+      headers: [["Allow-CSP-From", "*"]]
+    });
     await fencedframe.execute(() => {});
   });
   assert_unreached("fenced frame should not be loaded.");
 }, 'fenced frame should not be loaded in CSPEE');
 
 promise_test(async(t) => {
-  const iframe_a = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+  const iframe_a = attachIFrameContext({
+    attributes: [["csp", "frame-src *"]],
+    headers: [["Allow-CSP-From", "*"]]
+  });
   t.step_timeout(() => t.done(), 1000);
   await iframe_a.execute(async (t) => {
-    const iframe_b = attachIFrameContext();
+    const iframe_b = attachIFrameContext({headers: [["Allow-CSP-From", "*"]]});
     await iframe_b.execute(async (t) => {
-      const fencedframe = attachFencedFrameContext();
+      const fencedframe = attachFencedFrameContext({
+        headers: [["Allow-CSP-From", "*"]]
+      });
       await fencedframe.execute(() => {});
     });
   });
   assert_unreached("fenced frame should not be loaded.");
 }, 'fenced frame should not be loaded if any ancestor has CSPEE');
 
 promise_test(async(t) => {
-  const iframe = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+  const iframe = attachIFrameContext({
+    attributes: [["csp", "frame-src *"]],
+    headers: [["Allow-CSP-From", "*"]]
+  });
   await iframe.execute(async (t) => {
     assert_false(navigator.canLoadAdAuctionFencedFrame());
   });
 }, 'canLoadOpaqueURL considers CSPEE headers');
 
 promise_test(async(t) => {
-  const iframe_a = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+  const iframe_a = attachIFrameContext({
+    attributes: [["csp", "frame-src *"]],
+    headers: [["Allow-CSP-From", "*"]]
+  });
   await iframe_a.execute(async (t) => {
-    const iframe_b = attachIFrameContext();
+    const iframe_b = attachIFrameContext({headers: [["Allow-CSP-From", "*"]]});
     await iframe_b.execute(async (t) => {
       assert_false(navigator.canLoadAdAuctionFencedFrame());
     });

diff --git a/resource-timing/iframe-failed-commit.html b/resource-timing/iframe-failed-commit.html
@@ -50,15 +50,6 @@
     invariants.assert_tao_failure_resource, label);
 };
 
-// Runs a test (labeled by the given label) to verify that loading an iframe
-// with the given URL, an empty response body and under a "default-src 'none'
-// Content-Security-Policy generates a PerformanceResourceTiming entry and that
-// the entry does expose sensitive timing attributes.
-const empty_unmasked_entry_with_csp_test = (url, label) => {
-  return attribute_test(load_iframe_with_csp, url,
-    invariants.assert_tao_pass_no_redirect_http_empty, label);
-};
-
 // Runs a test (labeled by the given label) to verify that loading an iframe
 // with the given URL under a "default-src 'none' Content-Security-Policy
 // generates a PerformanceResourceTiming entry and that the entry does not
@@ -68,15 +59,6 @@
     invariants.assert_tao_failure_resource, label);
 };
 
-// Runs a test (labeled by the given label) to verify that loading an iframe
-// with the given URL, an empty response body and under a "default-src 'none'
-// Content-Security-Policy generates a PerformanceResourceTiming entry and that
-// the entry does expose sensitive timing attributes.
-const non_navigating_empty_unmasked_entry_with_csp_test = (url, label) => {
-  return attribute_test(load_iframe_with_csp_no_navigation, url,
-    invariants.assert_tao_pass_no_redirect_http_empty, label);
-};
-
 const {REMOTE_ORIGIN, ORIGINAL_HOST, HTTPS_PORT} = get_host_info();
 const unhosted_url = `https://nonexistent.${ORIGINAL_HOST}:${HTTPS_PORT}/`;
 
@@ -91,7 +73,8 @@
 unmasked_entry_with_csp_test("/resource-timing/resources/csp-default-none.html",
   "Same-origin iframe that complies with CSP attribute gets reported");
 
-unmasked_entry_with_csp_test("/resource-timing/resources/green-frame.html",
+// masked because this will load an error page which is cross-origin.
+masked_entry_with_csp_test("/resource-timing/resources/green-frame.html",
   "Same-origin iframe that doesn't comply with CSP attribute gets reported");
 
 masked_entry_with_csp_test(
@@ -102,19 +85,19 @@
   new URL("/resource-timing/resources/green-frame.html", REMOTE_ORIGIN),
   "Cross-origin iframe that doesn't comply with CSP attribute gets reported");
 
-empty_unmasked_entry_with_csp_test(
+masked_entry_with_csp_test(
   "/resource-timing/resources/200_empty.asis",
   "Same-origin empty iframe with a 200 status gets reported");
 
 masked_entry_with_csp_test(
   new URL("/resource-timing/resources/200_empty.asis", REMOTE_ORIGIN),
   "Cross-origin empty iframe with a 200 status gets reported");
 
-non_navigating_empty_unmasked_entry_with_csp_test(
+non_navigating_masked_entry_with_csp_test(
     new URL("/resource-timing/resources/204_empty.asis", location.origin),
     "Same-origin empty iframe with a 204 status gets reported");
 
-non_navigating_empty_unmasked_entry_with_csp_test(
+non_navigating_masked_entry_with_csp_test(
     new URL("/resource-timing/resources/205_empty.asis", location.origin),
     "Same-origin empty iframe with a 205 status gets reported");