Propagate parent policy container to local iframes (#36710)

This follows the rules as defined in https://w3c.github.io/webappsec-csp/#security-inherit-csp where local iframes (about:blank and about:srcdoc) should initially start with the CSP rules of the parent. After that, all new CSP headers should only be set on the policy container of the iframe. Part of #36437 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-07-30 10:40:27 +01:00 · 2025-05-03 10:47:40 +02:00 · 2025-05-03 10:47:40 +02:00 · 539ca27284
commit 539ca27284
parent 4164f76769
11 changed files with 45 additions and 47 deletions
--- a/components/script/dom/htmliframeelement.rs
+++ b/components/script/dom/htmliframeelement.rs
@ -279,6 +279,7 @@ impl HTMLIFrameElement {
                Some(document.insecure_requests_policy()),
                document.has_trustworthy_ancestor_or_current_origin(),
            );
+            load_data.policy_container = Some(window.as_global_scope().policy_container());
            let element = self.upcast::<Element>();
            load_data.srcdoc = String::from(element.get_string_attribute(&local_name!("srcdoc")));
            self.navigate_or_reload_child_browsing_context(
@ -361,7 +362,7 @@ impl HTMLIFrameElement {
            None
        };

-        let load_data = LoadData::new(
+        let mut load_data = LoadData::new(
            LoadOrigin::Script(document.origin().immutable().clone()),
            url,
            creator_pipeline_id,
@ -378,6 +379,10 @@ impl HTMLIFrameElement {
        let is_about_blank =
            pipeline_id.is_some() && pipeline_id == self.about_blank_pipeline_id.get();

+        if is_about_blank {
+            load_data.policy_container = Some(window.as_global_scope().policy_container());
+        }
+
        let history_handling = if is_about_blank {
            NavigationHistoryBehavior::Replace
        } else {
@ -407,7 +412,7 @@ impl HTMLIFrameElement {
        let document = self.owner_document();
        let window = self.owner_window();
        let pipeline_id = Some(window.pipeline_id());
-        let load_data = LoadData::new(
+        let mut load_data = LoadData::new(
            LoadOrigin::Script(document.origin().immutable().clone()),
            url,
            pipeline_id,
@ -417,6 +422,7 @@ impl HTMLIFrameElement {
            Some(document.insecure_requests_policy()),
            document.has_trustworthy_ancestor_or_current_origin(),
        );
+        load_data.policy_container = Some(window.as_global_scope().policy_container());
        let browsing_context_id = BrowsingContextId::new();
        let webview_id = window.window_proxy().webview_id();
        self.pipeline_id.set(None);
--- a/components/script/dom/servoparser/mod.rs
+++ b/components/script/dom/servoparser/mod.rs
@ -21,6 +21,7 @@ use html5ever::{Attribute, ExpandedName, LocalName, QualName, local_name, ns};
 use hyper_serde::Serde;
 use markup5ever::TokenizerResult;
 use mime::{self, Mime};
+use net_traits::policy_container::PolicyContainer;
 use net_traits::request::RequestId;
 use net_traits::{
    FetchMetadata, FetchResponseListener, Metadata, NetworkError, ResourceFetchTiming,
@ -813,6 +814,27 @@ impl ParserContext {
            pushed_entry_index: None,
        }
    }
+
+    pub(crate) fn append_parent_to_csp_list(&self, policy_container: Option<&PolicyContainer>) {
+        let Some(policy_container) = policy_container else {
+            return;
+        };
+        let Some(parent_csp_list) = &policy_container.csp_list else {
+            return;
+        };
+        let Some(parser) = self.parser.as_ref().map(|p| p.root()) else {
+            return;
+        };
+        let new_csp_list = match parser.document.get_csp_list() {
+            None => parent_csp_list.clone(),
+            Some(original_csp_list) => {
+                let mut appended_csp_list = original_csp_list.clone();
+                appended_csp_list.append(parent_csp_list.clone());
+                appended_csp_list.to_owned()
+            },
+        };
+        parser.document.set_csp_list(Some(new_csp_list));
+    }
 }

 impl FetchResponseListener for ParserContext {
--- a/components/script/script_thread.rs
+++ b/components/script/script_thread.rs
@ -3674,10 +3674,12 @@ impl ScriptThread {
            None => vec![],
        };

+        let policy_container = incomplete.load_data.policy_container.clone();
        self.incomplete_loads.borrow_mut().push(incomplete);

        let dummy_request_id = RequestId::default();
        context.process_response(dummy_request_id, Ok(FetchMetadata::Unfiltered(meta)));
+        context.append_parent_to_csp_list(policy_container.as_ref());
        context.process_response_chunk(dummy_request_id, chunk);
        context.process_response_eof(
            dummy_request_id,
@ -3697,12 +3699,14 @@ impl ScriptThread {
        let srcdoc = std::mem::take(&mut incomplete.load_data.srcdoc);
        let chunk = srcdoc.into_bytes();

+        let policy_container = incomplete.load_data.policy_container.clone();
        self.incomplete_loads.borrow_mut().push(incomplete);

        let mut context = ParserContext::new(id, url);
        let dummy_request_id = RequestId::default();

        context.process_response(dummy_request_id, Ok(FetchMetadata::Unfiltered(meta)));
+        context.append_parent_to_csp_list(policy_container.as_ref());
        context.process_response_chunk(dummy_request_id, chunk);
        context.process_response_eof(
            dummy_request_id,