authorAntonio Sartori <antoniosartori@chromium.org>2021-11-04 15:16:26 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-12-01 13:53:32 +0000
commitdf07ad645cfeb51dbfdde7644a60ce0f11dbebf8 (patch)
tree1eced1c3b87f816dcec3a8c002352c762646e163 /chromium/third_party/blink/renderer
parent4797e6e848b926e9ec2b579678e20f223ccc1422 (diff)
downloadqtwebengine-chromium-df07ad645cfeb51dbfdde7644a60ce0f11dbebf8.tar.gz
[Backport] CVE-2021-37989 : Inappropriate implementation in Blink
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3240285: [M90-LTS] Limit length of 'csp' attribute Most servers limit the length of request headers anywhere. 4Kb seems like a reasonable limit, which some popular http servers have by default, and which we already enforce for Referer (https://crrev.com/c/1595872). I would have liked the constant 4096 to be shared between //content and blink. This would have required putting it somewhere like in //services/network or in //third_party/blink/common, creating a new file for it. I thought it would be easier to avoid that for this change. It would be safer to not load the iframe document, or to impose some very strict CSP like "default-src 'none'", rather than just ignoring the 'csp' attribute if that's too long. However, ignoring is what we already do if the attribute contains illegal characters or does not match the CSP grammar or is not subsumed by the parent iframe's csp attribute. For this change, I believe it's better to stay consistent with that, and later change the CSPEE code to block loading in all those cases. M90 merge issues: content/browser/content_security_policy_browsertest.cc is not present on M90 (cherry picked from commit 8af66de55aad1b8230a6ec4f14fef8ba0f19a498) Bug: 1233067 Change-Id: Ie9cd3db82287a76892cca76a0bf0d4a1613a3055 Fixed: 1233067 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#914730} Reviewed-by: Artem Sumaneev <asumaneev@google.com> Owners-Override: Artem Sumaneev <asumaneev@google.com> Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Cr-Commit-Position: refs/branch-heads/4430@{#1658} Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer')
-rw-r--r--chromium/third_party/blink/renderer/core/html/html_iframe_element.cc17
1 files changed, 14 insertions, 3 deletions
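diff --git a/chromium/third_party/blink/renderer/core/html/html_iframe_element.cc b/chromium/third_party/blink/renderer/core/html/html_iframe_element.cc
index 8c8455006dd..8cf9d0387c5 100644
--- a/chromium/third_party/blink/renderer/core/html/html_iframe_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/html_iframe_element.cc
@@ -234,16 +234,27 @@ void HTMLIFrameElement::ParseAttribute(
 }
 } else if (name == html_names::kCspAttr) {
 if (base::FeatureList::IsEnabled(network::features::kOutOfBlinkCSPEE)) {
+ static const size_t kMaxLengthCSPAttribute = 4096;
 if (value.Contains('\n') || value.Contains('\r') ||
 !MatchesTheSerializedCSPGrammar(value.GetString())) {
+ // TODO(antoniosartori): It would be safer to block loading iframes with
+ // invalid 'csp' attribute.
 required_csp_ = g_null_atom;
 GetDocument().AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
 mojom::blink::ConsoleMessageSource::kOther,
 mojom::blink::ConsoleMessageLevel::kError,
 "'csp' attribute is invalid: " + value));
- return;
- }
- if (required_csp_ != value) {
+ } else if (value && value.length() > kMaxLengthCSPAttribute) {
+ // TODO(antoniosartori): It would be safer to block loading iframes with
+ // invalid 'csp' attribute.
+ required_csp_ = g_null_atom;
+ GetDocument().AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
+ mojom::blink::ConsoleMessageSource::kOther,
+ mojom::blink::ConsoleMessageLevel::kError,
+ String::Format("'csp' attribute too long. The max length for the "
+ "'csp' attribute is %zu bytes.",
+ kMaxLengthCSPAttribute)));
+ } else if (required_csp_ != value) {
 required_csp_ = value;
 CSPAttributeChanged();
 UseCounter::Count(GetDocument(), WebFeature::kIFrameCSPAttribute);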
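Review bot: The new length guard at `} else if (value && value.length() > kMaxLengthCSPAttribute) {` is evaluated only after MatchesTheSerializedCSPGrammar has already parsed the whole, possibly oversized, value in the first condition; putting the length comparison first keeps the grammar parser off input the chain is about to discard anyway, and the observable result (required_csp_ cleared, a console error) is the same for a value that fails both. Note also that length() counts characters (UTF-16 code units) while the console message promises a limit in bytes; if the serialized-CSP grammar admits only ASCII the two coincide once that check has passed, but they no longer do once the length check moves ahead of it, so either word the message in characters or document the assumption on the constant, e.g. `// UTF-16 code units, not bytes; equals the header length only for ASCII values.` The `value &&` test looks redundant, since a null string presumably reports length 0. The two reject branches are identical apart from the message and could share a single path. ParseAttribute begins and ends outside this hunk.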