OOPIF support for 'plugin-types' Content Security Policy.

OOPIF support for 'plugin-types' Content Security Policy.

The CL makes 'plugin-types' Content Security Policy compatible with
OOPIFs by avoiding isLocalFrame check and toLocalFrame cast inside
ContentSecurityPolicy::allowPluginTypeForDocument method.  The method
was tweaked to get a ContentSecurityPolicy object for the parent frame
in a way that works both for local and remote frames.

Additionally, it turned out that before this CL, the error message about
the blocked plugin would incorrectly report the declared MIME type of
the plugin if the parent frame is local (i.e. without
--site-per-process), but would report actual, correct MIME type if the
parent frame was remote (i.e. with --site-per-process, after fixing
allowPluginTypeForDocument method).  This would result in non-sensical
error messages where the blocked plugin seems to match the list of
allowed MIME types:
    Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
    (MIME type 'text/plain') because it violates the following Content
    Security Policy Directive: 'plugin-types text/plain'.
The expected error message is obviously:
    Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
    (MIME type 'application/x-blink-test-plugin') because it violates the
    following Content Security Policy Directive: 'plugin-types text/plain'.
This is fixed by tweaking HTMLPlugInElement::allowedToLoadObject to
always pass the value of type attribute declared in the plugin document,
rather than passing the value of the type attribute declared in the
parent document.

BUG=633749
Committed: https://crrev.com/6e2cf9768a02d4ff281dc47d9a1fb07ddb1e27a0
Cr-Commit-Position: refs/heads/master@{#412855}

[Łukasz Anforowicz, 2016-08-04 00:05:24]

lukasza@chromium.org changed reviewers:
+ mkwst@chromium.org

[Łukasz Anforowicz, 2016-08-04 00:05:25]

Mike, can you take a look please?

[Mike West, 2016-08-04 11:27:07]

LGTM!

[Łukasz Anforowicz, 2016-08-15 23:47:34]

Mike, can you double-check if this still looks good to you?  

I am no longer sure if in the near future I can support proper reporting of CSP
violations via https://codereview.chromium.org/2190183002 (more details in an
email thread between estark@, creis@, alexmos@, me and you).  Therefore, I tried
to drop the dependency on this other CL in patchset #4.  The end result is that
we still properly block plugins disallowed by plugin-types directives (just like
in patchset #1 that you've already approved), but in case of OOPIFs we won't
properly report the CSP violation (unlike in patchset #1 that you've already
approved).  Note that frame-src directive is already in a similar situation
(proper enforcement, but no reporting in case of remote parent frame).

[Łukasz Anforowicz, 2016-08-18 14:33:08]

The CQ bit was checked by lukasza@chromium.org

[Łukasz Anforowicz, 2016-08-18 14:33:09]

The patchset sent to the CQ was uploaded after l-g-t-m from mkwst@chromium.org
Link to the patchset: https://codereview.chromium.org/2213593002/#ps60001
(title: "Accounting for lack of https://crrev.com/2190183002 (i.e. no CSP
reports from remote frames).")

[commit-bot: I haz the power, 2016-08-18 14:33:26]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-08-18 16:43:51]

Committed patchset #4 (id:60001)

[commit-bot: I haz the power, 2016-08-18 16:46:33]

Description was changed from

==========
OOPIF support for 'plugin-types' Content Security Policy.

The CL makes 'plugin-types' Content Security Policy compatible with
OOPIFs by avoiding isLocalFrame check and toLocalFrame cast inside
ContentSecurityPolicy::allowPluginTypeForDocument method.  The method
was tweaked to get a ContentSecurityPolicy object for the parent frame
in a way that works both for local and remote frames.

Additionally, it turned out that before this CL, the error message about
the blocked plugin would incorrectly report the declared MIME type of
the plugin if the parent frame is local (i.e. without
--site-per-process), but would report actual, correct MIME type if the
parent frame was remote (i.e. with --site-per-process, after fixing
allowPluginTypeForDocument method).  This would result in non-sensical
error messages where the blocked plugin seems to match the list of
allowed MIME types:
    Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
    (MIME type 'text/plain') because it violates the following Content
    Security Policy Directive: 'plugin-types text/plain'.
The expected error message is obviously:
    Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
    (MIME type 'application/x-blink-test-plugin') because it violates the
    following Content Security Policy Directive: 'plugin-types text/plain'.
This is fixed by tweaking HTMLPlugInElement::allowedToLoadObject to
always pass the value of type attribute declared in the plugin document,
rather than passing the value of the type attribute declared in the
parent document.

BUG=633749
==========

to

==========
OOPIF support for 'plugin-types' Content Security Policy.

The CL makes 'plugin-types' Content Security Policy compatible with
OOPIFs by avoiding isLocalFrame check and toLocalFrame cast inside
ContentSecurityPolicy::allowPluginTypeForDocument method.  The method
was tweaked to get a ContentSecurityPolicy object for the parent frame
in a way that works both for local and remote frames.

Additionally, it turned out that before this CL, the error message about
the blocked plugin would incorrectly report the declared MIME type of
the plugin if the parent frame is local (i.e. without
--site-per-process), but would report actual, correct MIME type if the
parent frame was remote (i.e. with --site-per-process, after fixing
allowPluginTypeForDocument method).  This would result in non-sensical
error messages where the blocked plugin seems to match the list of
allowed MIME types:
    Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
    (MIME type 'text/plain') because it violates the following Content
    Security Policy Directive: 'plugin-types text/plain'.
The expected error message is obviously:
    Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
    (MIME type 'application/x-blink-test-plugin') because it violates the
    following Content Security Policy Directive: 'plugin-types text/plain'.
This is fixed by tweaking HTMLPlugInElement::allowedToLoadObject to
always pass the value of type attribute declared in the plugin document,
rather than passing the value of the type attribute declared in the
parent document.

BUG=633749

Committed: https://crrev.com/6e2cf9768a02d4ff281dc47d9a1fb07ddb1e27a0
Cr-Commit-Position: refs/heads/master@{#412855}
==========

[commit-bot: I haz the power, 2016-08-18 16:46:34]

Patchset 4 (id:??) landed as
https://crrev.com/6e2cf9768a02d4ff281dc47d9a1fb07ddb1e27a0
Cr-Commit-Position: refs/heads/master@{#412855}