Disable Trusted Types mitigation on Brave's Welcome & Rewards pages
JS code in Brave's Welcome and Rewards WebUI pages is not ready yet
to be migrated to a world where Trusted Types are enforced, so we need
to disable the Content Security Policy for Trusted Types in those
pages for now and return to a pre-Chromium 87 point in order to keep
them working.

As mentioned above, this affects mainly Brave Rewards, but also
Brave's welcome page. Search for 'dangerouslySetInnerHTML' in *.tsx
files to find where exactly this is a problem.

Chromium change:

https://chromium.googlesource.com/chromium/src/+/5cb72d5f4fe919cfff22f3f51a6fc5e690588836

commit 5cb72d5f4fe919cfff22f3f51a6fc5e690588836
Author: Jun Kokatsu <Jun.Kokatsu@microsoft.com>
Date:   Fri Aug 21 21:27:19 2020 +0000

    Enable Trusted Types mitigation on WebUI by default

    This change enables Trusted Types mitigation on WebUI by default.
    It enforces use of safe API by default, and any use of unsafe API
    (e.g. innerHTML, document.write, etc) has to overwrite Trusted Types
    directives in the CSP header. Therefore this change makes security
    review or audit of JavaScript code on WebUI a lot easier. Because
    JavaScript could introduce XSS only by using
    `trustedTypes.createPolicy` to generate untrusted html or script as
    Trusted Types, or removing Trusted Types mitigation. And all of
    those have to be carefully reviewed going forward.

    Bug: 41905
mariospr authored and mkarolin committed Oct 28, 2020
1 parent edb584e commit e218200
Showing 4 changed files with 25 additions and 8 deletions.
19 changes: 16 additions & 3 deletions browser/ui/webui/basic_ui.cc
Expand Up @@ -19,9 +19,20 @@ content::WebUIDataSource* CreateBasicUIHTMLSource(
const std::string& name,
const GritResourceMap* resource_map,
size_t resource_map_size,
int html_resource_id) {
int html_resource_id,
bool disable_trusted_types_csp) {
content::WebUIDataSource* source =
content::WebUIDataSource::Create(name);
// Some parts of Brave's UI pages are not yet migrated to work without doing
// assignments of strings directly into |innerHTML| elements (i.e. see usage
// of |dangerouslySetInnerHTML| in .tsx files). This will break Brave due to
// committing a Trusted Types related violation now that Trusted Types are
// enforced on WebUI pages (see crrev.com/c/2234238 and crrev.com/c/2353547).
// We should migrate those pages not to require using |innerHTML|, but for now
// we just restore pre-Cromium 87 behaviour for pages that are not ready yet.
if (disable_trusted_types_csp)
source->DisableTrustedTypesCSP();

source->UseStringsJs();
source->SetDefaultResource(html_resource_id);
// Add generated resource paths
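Review bot: The new comment in CreateBasicUIHTMLSource says the opt-out is "for now" but carries no TODO or issue reference, so nothing ties the removal of `disable_trusted_types_csp` to the migration away from |dangerouslySetInnerHTML|; add a `TODO(...)` with the tracking issue so the flag can be found and deleted once the .tsx files are migrated. Also, "pre-Cromium 87" in the same comment should read "pre-Chromium 87".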
Expand Down Expand Up @@ -60,13 +71,15 @@ BasicUI::BasicUI(content::WebUI* web_ui,
const std::string& name,
const GritResourceMap* resource_map,
size_t resource_map_size,
int html_resource_id)
int html_resource_id,
bool disable_trusted_types_csp)
: WebUIController(web_ui) {
observer_.reset(
new BasicUIWebContentsObserver(this, web_ui->GetWebContents()));
Profile* profile = Profile::FromWebUI(web_ui);
content::WebUIDataSource* source = CreateBasicUIHTMLSource(profile, name,
resource_map, resource_map_size, html_resource_id);
resource_map, resource_map_size, html_resource_id,
disable_trusted_types_csp);
content::WebUIDataSource::Add(profile, source);
}
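Review bot: The BasicUI constructor takes `disable_trusted_types_csp` as a trailing positional bool after `html_resource_id`, which is easy to misread at a call site that omits the `/*...=*/` comment; a two-value enum would make every call site state its choice explicitly. The commit touches four files and none of them is a test, so a check that a data source built with the default still gets the Trusted Types CSP would be worth adding.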

6 changes: 4 additions & 2 deletions browser/ui/webui/basic_ui.h
Expand Up @@ -29,15 +29,17 @@ content::WebUIDataSource* CreateBasicUIHTMLSource(
const std::string& name,
const GritResourceMap* resource_map,
size_t resouece_map_size,
int html_resource_id);
int html_resource_id,
bool disable_trusted_types_csp = false);

class BasicUI : public content::WebUIController {
public:
BasicUI(content::WebUI* web_ui,
const std::string& host,
const GritResourceMap* resource_map,
size_t resouece_map_size,
int html_resource_id);
int html_resource_id,
bool disable_trusted_types_csp = false);
~BasicUI() override;

// Called when subclass can set its webui properties.
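Review bot: Both declarations gain `bool disable_trusted_types_csp = false` with no comment in the header, so a caller reading basic_ui.h cannot tell that passing true removes a security mitigation from the whole page; add a short comment on the parameter saying so and noting that the default keeps Trusted Types enforced. While here, the neighbouring parameter is spelled `resouece_map_size` in both declarations.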
5 changes: 3 additions & 2 deletions browser/ui/webui/brave_rewards_page_ui.cc
Expand Up @@ -1936,10 +1936,11 @@ BraveRewardsPageUI::BraveRewardsPageUI(content::WebUI* web_ui,
kBraveRewardsSettingsGeneratedSize,
#endif
#if defined(OS_ANDROID)
IDR_BRAVE_REWARDS_ANDROID_PAGE_HTML) {
IDR_BRAVE_REWARDS_ANDROID_PAGE_HTML,
#else
IDR_BRAVE_REWARDS_PAGE_HTML) {
IDR_BRAVE_REWARDS_PAGE_HTML,
#endif
/*disable_trusted_types_csp=*/true) {
auto handler_owner = std::make_unique<RewardsDOMHandler>();
RewardsDOMHandler * handler = handler_owner.get();
web_ui->AddMessageHandler(std::move(handler_owner));
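Review bot: `/*disable_trusted_types_csp=*/true` sits after the `#endif`, so it applies to both IDR_BRAVE_REWARDS_ANDROID_PAGE_HTML and IDR_BRAVE_REWARDS_PAGE_HTML; if only one of those pages still relies on |dangerouslySetInnerHTML|, pass the flag per platform inside the `#if` so the other keeps the mitigation. A one-line comment at this call site pointing to the rationale in basic_ui.cc would also help the next reader.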
3 changes: 2 additions & 1 deletion browser/ui/webui/brave_welcome_ui.cc
Expand Up @@ -104,7 +104,8 @@ void WelcomeDOMHandler::HandleRecordP3A(const base::ListValue* args) {

BraveWelcomeUI::BraveWelcomeUI(content::WebUI* web_ui, const std::string& name)
: BasicUI(web_ui, name, kBraveWelcomeGenerated,
kBraveWelcomeGeneratedSize, IDR_BRAVE_WELCOME_HTML) {
kBraveWelcomeGeneratedSize, IDR_BRAVE_WELCOME_HTML,
/*disable_trusted_types_csp=*/true) {
web_ui->AddMessageHandler(std::make_unique<WelcomeDOMHandler>());
web_ui->AddMessageHandler(
std::make_unique<settings::BraveImportDataHandler>());
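Review bot: BraveWelcomeUI passes `/*disable_trusted_types_csp=*/true` and then registers WelcomeDOMHandler and settings::BraveImportDataHandler, so the page that loses Trusted Types enforcement is one whose script can reach those message handlers; that makes it a good candidate to migrate first. A TODO here naming the .tsx usage that still needs |dangerouslySetInnerHTML| would let the flag be dropped as soon as that usage is gone.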