From e21820079e095eb8592977f73f5ce246db32c1e5 Mon Sep 17 00:00:00 2001 From: Mario Sanchez Prada Date: Wed, 9 Sep 2020 10:14:57 +0200 Subject: [PATCH] Disable Trusted Types mitigation on Brave's Welcome & Rewards pages JS code in Brave's Welcome and Rewards WebUI pages is not ready yet to migrated to a world where Trusted Types are enforced, so we need to disable the Content Security Policy for Trusted types in those pages for now and return to a pre-Chromium 87 point in order to keep them working. As mentioned above, this affects mainly Brave Rewards, but also Brave's welcome page. Search for 'dangerouslySetInnerHTML' in *.tsx files to find where exactly this is a problem. Chromium change: https://chromium.googlesource.com/chromium/src/+/5cb72d5f4fe919cfff22f3f51a6fc5e690588836 commit 5cb72d5f4fe919cfff22f3f51a6fc5e690588836 Author: Jun Kokatsu Date: Fri Aug 21 21:27:19 2020 +0000 Enable Trusted Types mitigation on WebUI by default This change enables Trusted Types mitigation on WebUI by default. It enforces use of safe API by default, and any use of unsafe API (e.g. innerHTML, document.write, etc) has to overwrite Trusted Types directives in the CSP header. Therefore this change makes security review or audit of JavaScript code on WebUI a lot easier. Because JavaScript could introduce XSS only by using `trustedTypes.createPolicy` to generate untrusted html or script as Trusted Types, or removing Trusted Types mitigation. And all of those has to be carefully reviewed going forward. Bug: 41905 --- browser/ui/webui/basic_ui.cc | 19 ++++++++++++++++--- browser/ui/webui/basic_ui.h | 6 ++++-- browser/ui/webui/brave_rewards_page_ui.cc | 5 +++-- browser/ui/webui/brave_welcome_ui.cc | 3 ++- 4 files changed, 25 insertions(+), 8 deletions(-) diff --git a/browser/ui/webui/basic_ui.cc b/browser/ui/webui/basic_ui.cc index 4aadca755c44..78531015ddcf 100644 --- a/browser/ui/webui/basic_ui.cc +++ b/browser/ui/webui/basic_ui.cc @@ -19,9 +19,20 @@ content::WebUIDataSource* CreateBasicUIHTMLSource( const std::string& name, const GritResourceMap* resource_map, size_t resource_map_size, - int html_resource_id) { + int html_resource_id, + bool disable_trusted_types_csp) { content::WebUIDataSource* source = content::WebUIDataSource::Create(name); + // Some parts of Brave's UI pages are not yet migrated to work without doing + // assignments of strings directly into |innerHTML| elements (i.e. see usage + // of |dangerouslySetInnerHTML| in .tsx files). This will break Brave due to + // committing a Trusted Types related violation now that Trusted Types are + // enforced on WebUI pages (see crrev.com/c/2234238 and crrev.com/c/2353547). + // We should migrate those pages not to require using |innerHTML|, but for now + // we just restore pre-Cromium 87 behaviour for pages that are not ready yet. + if (disable_trusted_types_csp) + source->DisableTrustedTypesCSP(); + source->UseStringsJs(); source->SetDefaultResource(html_resource_id); // Add generated resource paths @@ -60,13 +71,15 @@ BasicUI::BasicUI(content::WebUI* web_ui, const std::string& name, const GritResourceMap* resource_map, size_t resource_map_size, - int html_resource_id) + int html_resource_id, + bool disable_trusted_types_csp) : WebUIController(web_ui) { observer_.reset( new BasicUIWebContentsObserver(this, web_ui->GetWebContents())); Profile* profile = Profile::FromWebUI(web_ui); content::WebUIDataSource* source = CreateBasicUIHTMLSource(profile, name, - resource_map, resource_map_size, html_resource_id); + resource_map, resource_map_size, html_resource_id, + disable_trusted_types_csp); content::WebUIDataSource::Add(profile, source); } diff --git a/browser/ui/webui/basic_ui.h b/browser/ui/webui/basic_ui.h index a84ecaf7a137..7a75a443ba79 100644 --- a/browser/ui/webui/basic_ui.h +++ b/browser/ui/webui/basic_ui.h @@ -29,7 +29,8 @@ content::WebUIDataSource* CreateBasicUIHTMLSource( const std::string& name, const GritResourceMap* resource_map, size_t resouece_map_size, - int html_resource_id); + int html_resource_id, + bool disable_trusted_types_csp = false); class BasicUI : public content::WebUIController { public: @@ -37,7 +38,8 @@ class BasicUI : public content::WebUIController { const std::string& host, const GritResourceMap* resource_map, size_t resouece_map_size, - int html_resource_id); + int html_resource_id, + bool disable_trusted_types_csp = false); ~BasicUI() override; // Called when subclass can set its webui properties. diff --git a/browser/ui/webui/brave_rewards_page_ui.cc b/browser/ui/webui/brave_rewards_page_ui.cc index e9b4922243c2..9d3619d1c2b6 100644 --- a/browser/ui/webui/brave_rewards_page_ui.cc +++ b/browser/ui/webui/brave_rewards_page_ui.cc @@ -1936,10 +1936,11 @@ BraveRewardsPageUI::BraveRewardsPageUI(content::WebUI* web_ui, kBraveRewardsSettingsGeneratedSize, #endif #if defined(OS_ANDROID) - IDR_BRAVE_REWARDS_ANDROID_PAGE_HTML) { + IDR_BRAVE_REWARDS_ANDROID_PAGE_HTML, #else - IDR_BRAVE_REWARDS_PAGE_HTML) { + IDR_BRAVE_REWARDS_PAGE_HTML, #endif + /*disable_trusted_types_csp=*/true) { auto handler_owner = std::make_unique(); RewardsDOMHandler * handler = handler_owner.get(); web_ui->AddMessageHandler(std::move(handler_owner)); diff --git a/browser/ui/webui/brave_welcome_ui.cc b/browser/ui/webui/brave_welcome_ui.cc index d2e67ea04ec0..4bca00a3555a 100644 --- a/browser/ui/webui/brave_welcome_ui.cc +++ b/browser/ui/webui/brave_welcome_ui.cc @@ -104,7 +104,8 @@ void WelcomeDOMHandler::HandleRecordP3A(const base::ListValue* args) { BraveWelcomeUI::BraveWelcomeUI(content::WebUI* web_ui, const std::string& name) : BasicUI(web_ui, name, kBraveWelcomeGenerated, - kBraveWelcomeGeneratedSize, IDR_BRAVE_WELCOME_HTML) { + kBraveWelcomeGeneratedSize, IDR_BRAVE_WELCOME_HTML, + /*disable_trusted_types_csp=*/true) { web_ui->AddMessageHandler(std::make_unique()); web_ui->AddMessageHandler( std::make_unique());