Add simple implementation of content-security-policy on scripts / styles

This needs a lot more hooks before it'll actually be a good
implementation, but for a start it can help get some feedback on if this
is the right way to go about it.

Part of servo#4577

Author: notriddle

Cargo.lock

@@ -13,6 +13,7 @@ test = false
 doctest = false
 
 [dependencies]
+content-security-policy = {git = "https://github.com/rust-ammonia/rust-content-security-policy"}
 cookie = "0.11"
 embedder_traits = { path = "../embedder_traits" }
 headers = "0.2"

components/net_traits/Cargo.toml

@@ -4,6 +4,7 @@
 
 use crate::ReferrerPolicy;
 use crate::ResourceTimingType;
+use content_security_policy as csp;
 use http::HeaderMap;
 use hyper::Method;
 use msg::constellation_msg::PipelineId;
@@ -50,6 +51,27 @@ impl Destination {
             *self == Destination::SharedWorker ||
             *self == Destination::Worker
     }
+    pub fn to_csp_destination(&self) -> csp::Destination {
+        match *self {
+            Destination::None => csp::Destination::None,
+            Destination::Audio => csp::Destination::Audio,
+            Destination::Document => csp::Destination::Document,
+            Destination::Embed => csp::Destination::Embed,
+            Destination::Font => csp::Destination::Font,
+            Destination::Image => csp::Destination::Image,
+            Destination::Manifest => csp::Destination::Manifest,
+            Destination::Object => csp::Destination::Object,
+            Destination::Report => csp::Destination::Report,
+            Destination::Script => csp::Destination::Script,
+            Destination::ServiceWorker => csp::Destination::ServiceWorker,
+            Destination::SharedWorker => csp::Destination::SharedWorker,
+            Destination::Style => csp::Destination::Style,
+            Destination::Track => csp::Destination::Track,
+            Destination::Video => csp::Destination::Video,
+            Destination::Worker => csp::Destination::Worker,
+            Destination::Xslt => csp::Destination::Xslt,
+        }
+    }
 }
 
 /// A request [origin](https://fetch.spec.whatwg.org/#concept-request-origin)

components/net_traits/request.rs

@@ -37,6 +37,7 @@ bitflags = "1.0"
 bluetooth_traits = {path = "../bluetooth_traits"}
 canvas_traits = {path = "../canvas_traits"}
 caseless = "0.2"
+content-security-policy = {git = "https://github.com/rust-ammonia/rust-content-security-policy"}
 cookie = "0.11"
 chrono = "0.4"
 crossbeam-channel = "0.3"

components/script/Cargo.toml

@@ -51,7 +51,8 @@ use canvas_traits::webgl::{GLFormats, GLLimits, WebGLQueryId};
 use canvas_traits::webgl::{WebGLBufferId, WebGLChan, WebGLContextShareMode, WebGLError};
 use canvas_traits::webgl::{WebGLFramebufferId, WebGLMsgSender, WebGLPipeline, WebGLProgramId};
 use canvas_traits::webgl::{WebGLReceiver, WebGLRenderbufferId, WebGLSLVersion, WebGLSender};
-use canvas_traits::webgl::{WebGLShaderId, WebGLSyncId, WebGLTextureId, WebGLVersion};
+use canvas_traits::webgl::{WebGLShaderId, WebGLTextureId, WebGLVersion, WebGLVertexArrayId};
+use content_security_policy::CspList;
 use crossbeam_channel::{Receiver, Sender};
 use cssparser::RGBA;
 use devtools_traits::{CSSError, TimelineMarkerType, WorkerId};
@@ -167,6 +168,8 @@ unsafe_no_jsmanaged_fields!(*mut JobQueue);
 
 unsafe_no_jsmanaged_fields!(Cow<'static, str>);
 
+unsafe_no_jsmanaged_fields!(CspList);
+
 /// Trace a `JSVal`.
 pub fn trace_jsval(tracer: *mut JSTracer, description: &str, val: &Heap<JSVal>) {
     unsafe {

components/script/dom/bindings/trace.rs

@@ -109,6 +109,7 @@ use crate::stylesheet_set::StylesheetSetRef;
 use crate::task::TaskBox;
 use crate::task_source::{TaskSource, TaskSourceName};
 use crate::timers::OneshotTimerCallback;
+use content_security_policy::{self as csp, CspList};
 use cookie::Cookie;
 use devtools_traits::ScriptToDevtoolsControlMsg;
 use dom_struct::dom_struct;
@@ -131,6 +132,7 @@ use net_traits::request::RequestBuilder;
 use net_traits::response::HttpsState;
 use net_traits::CookieSource::NonHTTP;
 use net_traits::CoreResourceMsg::{GetCookiesForUrl, SetCookiesForUrl};
+use net_traits::NetworkError;
 use net_traits::{FetchResponseMsg, IpcSend, ReferrerPolicy};
 use num_traits::ToPrimitive;
 use percent_encoding::percent_decode;
@@ -147,7 +149,7 @@ use servo_atoms::Atom;
 use servo_config::pref;
 use servo_media::{ClientContextId, ServoMedia};
 use servo_url::{ImmutableOrigin, MutableOrigin, ServoUrl};
-use std::borrow::ToOwned;
+use std::borrow::{Cow, ToOwned};
 use std::cell::{Cell, Ref, RefMut};
 use std::collections::hash_map::Entry::{Occupied, Vacant};
 use std::collections::{HashMap, HashSet, VecDeque};
@@ -395,6 +397,9 @@ pub struct Document {
     /// where `id` needs to match any of the registered ShadowRoots
     /// hosting the media controls UI.
     media_controls: DomRefCell<HashMap<String, Dom<ShadowRoot>>>,
+    /// https://html.spec.whatwg.org/multipage/#concept-document-csp-list
+    #[ignore_malloc_size_of = "Defined in rust-content-security-policy"]
+    csp_list: DomRefCell<Option<CspList>>,
 }
 
 #[derive(JSTraceable, MallocSizeOf)]
@@ -1734,6 +1739,14 @@ impl Document {
         request: RequestBuilder,
         fetch_target: IpcSender<FetchResponseMsg>,
     ) {
+        if self.should_request_be_blocked_by_csp(&request) == csp::CheckResult::Blocked {
+            fetch_target
+                .send(FetchResponseMsg::ProcessResponse(Err(
+                    NetworkError::LoadCancelled,
+                )))
+                .unwrap();
+            return;
+        }
         let mut loader = self.loader.borrow_mut();
         loader.fetch_async(load, request, fetch_target);
     }
@@ -2784,9 +2797,60 @@ impl Document {
             shadow_roots: DomRefCell::new(HashSet::new()),
             shadow_roots_styles_changed: Cell::new(false),
             media_controls: DomRefCell::new(HashMap::new()),
+            csp_list: DomRefCell::new(None),
+        }
+    }
+
+    pub fn set_csp_list(&self, csp_list: Option<CspList>) {
+        *self.csp_list.borrow_mut() = csp_list;
+    }
+
+    pub fn get_csp_list(&self) -> Option<Ref<CspList>> {
+        let b = self.csp_list.borrow();
+        if b.is_none() {
+            None
+        } else {
+            Some(Ref::map(b, |o| o.as_ref().unwrap()))
         }
     }
 
+    pub fn should_request_be_blocked_by_csp(&self, request: &RequestBuilder) -> csp::CheckResult {
+        let request = csp::Request {
+            url: request.url.clone().into_url(),
+            origin: request.origin.clone().into_url_origin(),
+            redirect_count: 0,
+            destination: request.destination.to_csp_destination(),
+            initiator: csp::Initiator::Fetch,
+            nonce: String::new(),
+            integrity_metadata: String::new(),
+            parser_metadata: csp::ParserMetadata::None,
+        };
+        // TODO: Instead of ignoring violations, report them.
+        self.get_csp_list()
+            .map(|c| c.should_request_be_blocked(&request).0)
+            .unwrap_or(csp::CheckResult::Allowed)
+    }
+
+    pub fn should_elements_inline_type_behavior_be_blocked(
+        &self,
+        el: &Element,
+        type_: csp::InlineCheckType,
+        source: &str,
+    ) -> csp::CheckResult {
+        let element = csp::Element {
+            nonce: el
+                .get_attribute(&ns!(), &local_name!("nonce"))
+                .map(|attr| Cow::Owned(attr.value().to_string())),
+        };
+        // TODO: Instead of ignoring violations, report them.
+        self.get_csp_list()
+            .map(|c| {
+                c.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
+                    .0
+            })
+            .unwrap_or(csp::CheckResult::Allowed)
+    }
+
     /// Prevent any JS or layout from running until the corresponding call to
     /// `remove_script_and_layout_blocker`. Used to isolate periods in which
     /// the DOM is in an unstable state and should not be exposed to arbitrary

components/script/dom/document.rs

@@ -38,6 +38,7 @@ use crate::task_source::websocket::WebsocketTaskSource;
 use crate::task_source::TaskSourceName;
 use crate::timers::{IsInterval, OneshotTimerCallback, OneshotTimerHandle};
 use crate::timers::{OneshotTimers, TimerCallback};
+use content_security_policy::CspList;
 use devtools_traits::{ScriptToDevtoolsControlMsg, WorkerId};
 use dom_struct::dom_struct;
 use ipc_channel::ipc::IpcSender;
@@ -812,6 +813,13 @@ impl GlobalScope {
     pub fn get_user_agent(&self) -> Cow<'static, str> {
         self.user_agent.clone()
     }
+
+    pub fn get_csp_list(&self) -> Option<CspList> {
+        if let Some(window) = self.downcast::<Window>() {
+            return window.Document().get_csp_list().map(|c| c.clone());
+        }
+        None
+    }
 }
 
 fn timestamp_in_ms(time: Timespec) -> u64 {

components/script/dom/globalscope.rs

@@ -26,6 +26,7 @@ use crate::dom::node::{BindContext, ChildrenMutation, CloneChildrenFlag, Node};
 use crate::dom::performanceresourcetiming::InitiatorType;
 use crate::dom::virtualmethods::VirtualMethods;
 use crate::network_listener::{self, NetworkListener, PreInvoke, ResourceTimingListener};
+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use encoding_rs::Encoding;
 use html5ever::{LocalName, Prefix};
@@ -442,7 +443,15 @@ impl HTMLScriptElement {
 
         // TODO: Step 12: nomodule content attribute
 
-        // TODO(#4577): Step 13: CSP.
+        if !element.has_attribute(&local_name!("src")) &&
+            doc.should_elements_inline_type_behavior_be_blocked(
+                &element,
+                csp::InlineCheckType::Script,
+                &text,
+            ) == csp::CheckResult::Blocked
+        {
+            return;
+        }
 
         // Step 14.
         let for_attribute = element.get_attribute(&ns!(), &local_name!("for"));

components/script/dom/htmlscriptelement.rs

@@ -35,6 +35,7 @@ use crate::dom::text::Text;
 use crate::dom::virtualmethods::vtable_for;
 use crate::network_listener::PreInvoke;
 use crate::script_thread::ScriptThread;
+use content_security_policy::{self as csp, CspList};
 use dom_struct::dom_struct;
 use embedder_traits::resources::{self, Resource};
 use encoding_rs::Encoding;
@@ -736,6 +737,44 @@ impl FetchResponseListener for ParserContext {
             .and_then(|meta| meta.content_type)
             .map(Serde::into_inner)
             .map(Into::into);
+
+        // https://www.w3.org/TR/CSP/#initialize-document-csp
+        // XXX TODO: DO NOT MERGE INTO MASTER YET
+        // This only implements the non-local behavior stuff; I need to figure out how to check if a URL is local.
+        let csp_list = metadata.as_ref().and_then(|m| {
+            let h = if let Some(h) = m.headers.as_ref() {
+                h
+            } else {
+                return None;
+            };
+            let mut csp = h.get_all("content-security-policy").iter();
+            // This silently ignores the CSP if it contains invalid Unicode.
+            // We should probably report an error somewhere.
+            let c = if let Some(c) = csp.next().and_then(|c| c.to_str().ok()) {
+                c
+            } else {
+                return None;
+            };
+            let mut csp_list = CspList::parse(
+                c,
+                csp::PolicySource::Header,
+                csp::PolicyDisposition::Enforce,
+            );
+            for c in csp {
+                let c = if let Ok(c) = c.to_str() {
+                    c
+                } else {
+                    return None;
+                };
+                csp_list.append(CspList::parse(
+                    c,
+                    csp::PolicySource::Header,
+                    csp::PolicyDisposition::Enforce,
+                ));
+            }
+            Some(csp_list)
+        });
+
         let parser = match ScriptThread::page_headers_available(&self.id, metadata) {
             Some(parser) => parser,
             None => return,
@@ -744,6 +783,8 @@ impl FetchResponseListener for ParserContext {
             return;
         }
 
+        parser.document.set_csp_list(csp_list);
+
         self.parser = Some(Trusted::new(&*parser));
 
         match content_type {