Add simple implementation of content-security-policy on scripts / styles

This needs a lot more hooks before it'll actually be a good
implementation, but for a start it can help get some feedback on if this
is the right way to go about it.

Part of servo#4577

Author: notriddle

Cargo.lock

@@ -13,6 +13,7 @@ test = false
 doctest = false
 
 [dependencies]
+content-security-policy = {git = "https://github.com/rust-ammonia/rust-content-security-policy"}
 cookie = "0.11"
 embedder_traits = { path = "../embedder_traits" }
 headers-core = "0.1"

components/net_traits/Cargo.toml

@@ -4,6 +4,7 @@
 
 use crate::ReferrerPolicy;
 use crate::ResourceTimingType;
+use content_security_policy as csp;
 use http::HeaderMap;
 use hyper::Method;
 use msg::constellation_msg::PipelineId;
@@ -50,6 +51,27 @@ impl Destination {
             *self == Destination::SharedWorker ||
             *self == Destination::Worker
     }
+    pub fn to_csp_destination(&self) -> csp::Destination {
+        match *self {
+            Destination::None => csp::Destination::None,
+            Destination::Audio => csp::Destination::Audio,
+            Destination::Document => csp::Destination::Document,
+            Destination::Embed => csp::Destination::Embed,
+            Destination::Font => csp::Destination::Font,
+            Destination::Image => csp::Destination::Image,
+            Destination::Manifest => csp::Destination::Manifest,
+            Destination::Object => csp::Destination::Object,
+            Destination::Report => csp::Destination::Report,
+            Destination::Script => csp::Destination::Script,
+            Destination::ServiceWorker => csp::Destination::ServiceWorker,
+            Destination::SharedWorker => csp::Destination::SharedWorker,
+            Destination::Style => csp::Destination::Style,
+            Destination::Track => csp::Destination::Track,
+            Destination::Video => csp::Destination::Video,
+            Destination::Worker => csp::Destination::Worker,
+            Destination::Xslt => csp::Destination::Xslt,
+        }
+    }
 }
 
 /// A request [origin](https://fetch.spec.whatwg.org/#concept-request-origin)

components/net_traits/request.rs

@@ -40,6 +40,7 @@ bluetooth_traits = {path = "../bluetooth_traits"}
 byteorder = "1.0"
 canvas_traits = {path = "../canvas_traits"}
 caseless = "0.2"
+content-security-policy = {git = "https://github.com/rust-ammonia/rust-content-security-policy"}
 cookie = "0.11"
 chrono = "0.4"
 crossbeam-channel = "0.3"

components/script/Cargo.toml

@@ -51,6 +51,7 @@ use canvas_traits::webgl::{WebGLBufferId, WebGLChan, WebGLContextShareMode, WebG
 use canvas_traits::webgl::{WebGLFramebufferId, WebGLMsgSender, WebGLPipeline, WebGLProgramId};
 use canvas_traits::webgl::{WebGLReceiver, WebGLRenderbufferId, WebGLSLVersion, WebGLSender};
 use canvas_traits::webgl::{WebGLShaderId, WebGLTextureId, WebGLVersion, WebGLVertexArrayId};
+use content_security_policy::CspList;
 use crossbeam_channel::{Receiver, Sender};
 use cssparser::RGBA;
 use devtools_traits::{CSSError, TimelineMarkerType, WorkerId};
@@ -166,6 +167,8 @@ unsafe_no_jsmanaged_fields!(*mut JobQueue);
 
 unsafe_no_jsmanaged_fields!(Cow<'static, str>);
 
+unsafe_no_jsmanaged_fields!(CspList);
+
 /// Trace a `JSVal`.
 pub fn trace_jsval(tracer: *mut JSTracer, description: &str, val: &Heap<JSVal>) {
     unsafe {

components/script/dom/bindings/trace.rs

@@ -109,6 +109,7 @@ use crate::stylesheet_set::StylesheetSetRef;
 use crate::task::TaskBox;
 use crate::task_source::{TaskSource, TaskSourceName};
 use crate::timers::OneshotTimerCallback;
+use content_security_policy::{self as csp, CspList};
 use cookie::Cookie;
 use devtools_traits::ScriptToDevtoolsControlMsg;
 use dom_struct::dom_struct;
@@ -129,6 +130,7 @@ use msg::constellation_msg::BrowsingContextId;
 use net_traits::pub_domains::is_pub_domain;
 use net_traits::request::RequestBuilder;
 use net_traits::response::HttpsState;
+use net_traits::NetworkError;
 use net_traits::CookieSource::NonHTTP;
 use net_traits::CoreResourceMsg::{GetCookiesForUrl, SetCookiesForUrl};
 use net_traits::{FetchResponseMsg, IpcSend, ReferrerPolicy};
@@ -147,7 +149,7 @@ use servo_atoms::Atom;
 use servo_config::pref;
 use servo_media::{ClientContextId, ServoMedia};
 use servo_url::{ImmutableOrigin, MutableOrigin, ServoUrl};
-use std::borrow::ToOwned;
+use std::borrow::{Cow, ToOwned};
 use std::cell::{Cell, Ref, RefMut};
 use std::collections::hash_map::Entry::{Occupied, Vacant};
 use std::collections::{HashMap, HashSet, VecDeque};
@@ -395,6 +397,9 @@ pub struct Document {
     /// where `id` needs to match any of the registered ShadowRoots
     /// hosting the media controls UI.
     media_controls: DomRefCell<HashMap<String, Dom<ShadowRoot>>>,
+    /// https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list
+    #[ignore_malloc_size_of = "Defined in rust-content-security-policy"]
+    csp_list: DomRefCell<Option<CspList>>,
 }
 
 #[derive(JSTraceable, MallocSizeOf)]
@@ -1734,6 +1739,10 @@ impl Document {
         request: RequestBuilder,
         fetch_target: IpcSender<FetchResponseMsg>,
     ) {
+        if self.should_request_be_blocked_by_csp(&request) == csp::CheckResult::Blocked {
+            fetch_target.send(FetchResponseMsg::ProcessResponse(Err(NetworkError::LoadCancelled))).unwrap();
+            return;
+        }
         let mut loader = self.loader.borrow_mut();
         loader.fetch_async(load, request, fetch_target);
     }
@@ -2784,9 +2793,51 @@ impl Document {
             shadow_roots: DomRefCell::new(HashSet::new()),
             shadow_roots_styles_changed: Cell::new(false),
             media_controls: DomRefCell::new(HashMap::new()),
+            csp_list: DomRefCell::new(None),
         }
     }
 
+    pub fn set_csp_list(&self, csp_list: Option<CspList>) {
+        *self.csp_list.borrow_mut() = csp_list;
+    }
+
+    pub fn get_csp_list(&self) -> Option<Ref<CspList>> {
+        let b = self.csp_list.borrow();
+        if b.is_none() { None } else { Some(Ref::map(b, |o| o.as_ref().unwrap())) }
+    }
+
+    pub fn should_request_be_blocked_by_csp(&self, request: &RequestBuilder) -> csp::CheckResult {
+        let request = csp::Request {
+            url: request.url.clone().into_url(),
+            origin: request.origin.clone().into_url_origin(),
+            redirect_count: 0,
+            destination: request.destination.to_csp_destination(),
+            initiator: csp::Initiator::Fetch,
+            nonce: String::new(),
+            integrity_metadata: String::new(),
+            parser_metadata: csp::ParserMetadata::None,
+        };
+        // TODO: Instead of ignoring violations, report them.
+        self.get_csp_list().map(|c| c.should_request_be_blocked(&request).0).unwrap_or(csp::CheckResult::Allowed)
+    }
+
+    pub fn should_elements_inline_type_behavior_be_blocked(
+        &self,
+        el: &Element,
+        type_: csp::InlineCheckType,
+        source: &str) -> csp::CheckResult {
+        let element = csp::Element {
+            nonce: el.get_attribute(&ns!(), &local_name!("nonce"))
+                .map(|attr| Cow::Owned(attr.value().to_string())),
+        };
+        // TODO: Instead of ignoring violations, report them.
+        self.get_csp_list().map(|c| c.should_elements_inline_type_behavior_be_blocked(
+            &element,
+            type_,
+            source,
+        ).0).unwrap_or(csp::CheckResult::Allowed)
+    }
+
     /// Prevent any JS or layout from running until the corresponding call to
     /// `remove_script_and_layout_blocker`. Used to isolate periods in which
     /// the DOM is in an unstable state and should not be exposed to arbitrary

components/script/dom/document.rs

@@ -38,6 +38,7 @@ use crate::task_source::websocket::WebsocketTaskSource;
 use crate::task_source::TaskSourceName;
 use crate::timers::{IsInterval, OneshotTimerCallback, OneshotTimerHandle};
 use crate::timers::{OneshotTimers, TimerCallback};
+use content_security_policy::CspList;
 use devtools_traits::{ScriptToDevtoolsControlMsg, WorkerId};
 use dom_struct::dom_struct;
 use ipc_channel::ipc::IpcSender;
@@ -59,7 +60,7 @@ use script_traits::{MsDuration, ScriptToConstellationChan, TimerEvent};
 use script_traits::{TimerEventId, TimerSchedulerMsg, TimerSource};
 use servo_url::{MutableOrigin, ServoUrl};
 use std::borrow::Cow;
-use std::cell::Cell;
+use std::cell::{Cell, Ref};
 use std::collections::hash_map::Entry;
 use std::collections::HashMap;
 use std::ffi::CString;
@@ -812,6 +813,13 @@ impl GlobalScope {
     pub fn get_user_agent(&self) -> Cow<'static, str> {
         self.user_agent.clone()
     }
+
+    pub fn get_csp_list(&self) -> Option<CspList> {
+        if let Some(window) = self.downcast::<Window>() {
+            return window.Document().get_csp_list().map(|c| c.clone());
+        }
+        None
+    }
 }
 
 fn timestamp_in_ms(time: Timespec) -> u64 {

components/script/dom/globalscope.rs

@@ -26,6 +26,7 @@ use crate::dom::node::{BindContext, ChildrenMutation, CloneChildrenFlag, Node};
 use crate::dom::performanceresourcetiming::InitiatorType;
 use crate::dom::virtualmethods::VirtualMethods;
 use crate::network_listener::{self, NetworkListener, PreInvoke, ResourceTimingListener};
+use content_security_policy::{self as csp, CspList};
 use dom_struct::dom_struct;
 use encoding_rs::Encoding;
 use html5ever::{LocalName, Prefix};
@@ -442,7 +443,13 @@ impl HTMLScriptElement {
 
         // TODO: Step 12: nomodule content attribute
 
-        // TODO(#4577): Step 13: CSP.
+        if !element.has_attribute(&local_name!("src")) &&
+            doc.should_elements_inline_type_behavior_be_blocked(
+                &element,
+                csp::InlineCheckType::Script,
+                &text) == csp::CheckResult::Blocked {
+            return;
+        }
 
         // Step 14.
         let for_attribute = element.get_attribute(&ns!(), &local_name!("for"));

components/script/dom/htmlscriptelement.rs

@@ -35,6 +35,7 @@ use crate::dom::text::Text;
 use crate::dom::virtualmethods::vtable_for;
 use crate::network_listener::PreInvoke;
 use crate::script_thread::ScriptThread;
+use content_security_policy::{self as csp, CspList};
 use dom_struct::dom_struct;
 use embedder_traits::resources::{self, Resource};
 use encoding_rs::Encoding;
@@ -736,6 +737,24 @@ impl FetchResponseListener for ParserContext {
             .and_then(|meta| meta.content_type)
             .map(Serde::into_inner)
             .map(Into::into);
+
+        // https://www.w3.org/TR/CSP/#initialize-document-csp
+        // XXX TODO: DO NOT MERGE INTO MASTER YET
+        // This only implements the non-local behavior stuff; I need to figure out how to check if a URL is local.
+        let csp_list = metadata.as_ref().and_then(|m| {
+            let h = if let Some(h) = m.headers.as_ref() { h } else { return None };
+            let mut csp = h.get_all("content-security-policy").iter();
+            // This silently ignores the CSP if it contains invalid Unicode.
+            // We should probably report an error somewhere.
+            let c = if let Some(c) = csp.next().and_then(|c| c.to_str().ok()) { c } else { return None };
+            let mut csp_list = CspList::parse(c, csp::PolicySource::Header, csp::PolicyDisposition::Enforce);
+            for c in csp {
+                let c = if let Ok(c) = c.to_str() { c } else { return None };
+                csp_list.append(CspList::parse(c, csp::PolicySource::Header, csp::PolicyDisposition::Enforce));
+            }
+            Some(csp_list)
+        });
+
         let parser = match ScriptThread::page_headers_available(&self.id, metadata) {
             Some(parser) => parser,
             None => return,
@@ -744,6 +763,8 @@ impl FetchResponseListener for ParserContext {
             return;
         }
 
+        parser.document.set_csp_list(csp_list);
+
         self.parser = Some(Trusted::new(&*parser));
 
         match content_type {