Add Chromium CSPs

chromium_src/ios/chrome/browser/shared/model/profile/profile_ios.mm

@@ -0,0 +1,31 @@
+// Copyright (c) 2024 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// URLRequestJobFactory::CreateJob checks the protocol_handler_map_
+// to see what requests can be handled
+// The FactoryForMain contains the ProtocolHandlerMap
+// This is initialized via ProfileIOSIOData::Init(ProtocolHandlerMap*
+// protocol_handlers) Which is called via ProfileIOS::GetRequestContext
+
+#include "ios/chrome/browser/shared/model/profile/profile_ios.h"
+
+#include "ios/components/webui/web_ui_url_constants.h"
+#include "ios/web/webui/url_data_manager_ios_backend.h"
+
+// Add the chrome-untrusted scheme
+auto CreateRequestContext_Brave(ProfileIOS* profile) {
+  return [profile](ProtocolHandlerMap* protocol_handlers) {
+    protocol_handlers->insert(
+        {kChromeUIUntrustedScheme,
+         web::URLDataManagerIOSBackend::CreateProtocolHandler(profile)});
+    return profile->CreateRequestContext(protocol_handlers);
+  };
+}
+
+#define CreateRequestContext CreateRequestContext_Brave(this)
+
+#include "src/ios/chrome/browser/shared/model/profile/profile_ios.mm"
+
+#undef CreateRequestContext

chromium_src/ios/components/webui/web_ui_url_constants.cc

@@ -0,0 +1,8 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "src/ios/components/webui/web_ui_url_constants.cc"
+
+const char kChromeUIUntrustedScheme[] = "chrome-untrusted";

chromium_src/ios/components/webui/web_ui_url_constants.h

@@ -0,0 +1,13 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_CHROMIUM_SRC_IOS_COMPONENTS_WEBUI_WEB_UI_URL_CONSTANTS_H_
+#define BRAVE_CHROMIUM_SRC_IOS_COMPONENTS_WEBUI_WEB_UI_URL_CONSTANTS_H_
+
+extern const char kChromeUIUntrustedScheme[];
+
+#include "src/ios/components/webui/web_ui_url_constants.h"  // IWYU pragma: export
+
+#endif  // BRAVE_CHROMIUM_SRC_IOS_COMPONENTS_WEBUI_WEB_UI_URL_CONSTANTS_H_

chromium_src/ios/web/public/webui/url_data_source_ios.h

@@ -0,0 +1,17 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_CHROMIUM_SRC_IOS_WEB_PUBLIC_WEBUI_URL_DATA_SOURCE_IOS_H_
+#define BRAVE_CHROMIUM_SRC_IOS_WEB_PUBLIC_WEBUI_URL_DATA_SOURCE_IOS_H_
+
+#define GetContentSecurityPolicyObjectSrc    \
+  GetContentSecurityPolicyObjectSrc() const; \
+  virtual std::string GetContentSecurityPolicyFrameSrc
+
+#import "src/ios/web/public/webui/url_data_source_ios.h"  // IWYU pragma: export
+
+#undef GetContentSecurityPolicyObjectSrc
+
+#endif  // BRAVE_CHROMIUM_SRC_IOS_WEB_PUBLIC_WEBUI_URL_DATA_SOURCE_IOS_H_

chromium_src/ios/web/webui/BUILD.gn

@@ -0,0 +1,8 @@
+# Copyright (c) 2024 The Brave Authors. All rights reserved.
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this file,
+# You can obtain one at https://mozilla.org/MPL/2.0/.
+
+source_set("webui") {
+  deps = [ "//ios/components/webui:web_ui_url_constants" ]
+}

chromium_src/ios/web/webui/DEPS

@@ -0,0 +1,5 @@
+include_rules = [
+  "+ios/components/webui/web_ui_url_constants.h",
+  "+ios/chrome/browser/shared/model/url/chrome_url_constants.h",
+  "+brave/ios/browser/ui/webui/brave_url_data_source_ios.h",
+]

chromium_src/ios/web/webui/crw_web_ui_scheme_handler.mm

@@ -0,0 +1,78 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#import "ios/web/webui/crw_web_ui_scheme_handler.h"
+
+#include <map>
+
+#import "base/files/file_path.h"
+#import "base/ranges/algorithm.h"
+#import "base/strings/sys_string_conversions.h"
+#import "ios/web/webui/url_fetcher_block_adapter.h"
+#import "ios/web/webui/web_ui_ios_controller_factory_registry.h"
+#import "net/base/apple/url_conversions.h"
+#import "url/gurl.h"
+
+@interface CRWWebUISchemeHandler (Override)
+- (void)dummy:(NSHTTPURLResponse*)response;
+- (NSHTTPURLResponse*)processResponse:(NSHTTPURLResponse*)response
+                              fetcher:(web::URLFetcherBlockAdapter*)fetcher;
+@end
+
+// Override
+
+#define didReceiveResponse                                                   \
+  didReceiveResponse:[strongSelf processResponse:response fetcher:fetcher]]; \
+        [strongSelf dummy
+
+#include "src/ios/web/webui/crw_web_ui_scheme_handler.mm"
+
+#undef didReceiveResponse
+
+@implementation CRWWebUISchemeHandler (Override)
+- (void)dummy:(NSHTTPURLResponse*)response {
+}
+
+- (NSHTTPURLResponse*)processResponse:(NSHTTPURLResponse*)response
+                              fetcher:(web::URLFetcherBlockAdapter*)fetcher {
+  const network::mojom::URLResponseHeadPtr responseHead =
+      fetcher->getResponse();
+  if (responseHead) {
+    const scoped_refptr<net::HttpResponseHeaders> headers =
+        responseHead->headers;
+    if (headers) {
+      NSMutableDictionary* responseHeaders = [self parseHeaders:headers];
+
+      if (![responseHeaders objectForKey:@"Content-Type"]) {
+        [responseHeaders setObject:[response MIMEType] forKey:@"Content-Type"];
+      }
+
+      if (![responseHeaders objectForKey:@"Access-Control-Allow-Origin"]) {
+        [responseHeaders setObject:@"*" forKey:@"Access-Control-Allow-Origin"];
+      }
+
+      return [[NSHTTPURLResponse alloc] initWithURL:[response URL]
+                                         statusCode:[response statusCode]
+                                        HTTPVersion:@"HTTP/1.1"
+                                       headerFields:responseHeaders];
+    }
+  }
+  return response;
+}
+
+- (NSMutableDictionary*)parseHeaders:
+    (const scoped_refptr<net::HttpResponseHeaders>&)headers {
+  NSMutableDictionary* result = [[NSMutableDictionary alloc] init];
+
+  std::size_t iterator = 0;
+  std::string name, value;
+  while (headers->EnumerateHeaderLines(&iterator, &name, &value)) {
+    [result setObject:base::SysUTF8ToNSString(value)
+               forKey:base::SysUTF8ToNSString(name)];
+  }
+
+  return result;
+}
+@end

chromium_src/ios/web/webui/url_data_manager_ios_backend.mm

@@ -0,0 +1,15 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ios/web/webui/url_data_manager_ios_backend.h"
+
+#define ShouldDenyXFrameOptions ShouldDenyXFrameOptions());  \
+  job->set_content_security_policy_frame_source(             \
+      source->source()->GetContentSecurityPolicyFrameSrc()); \
+        void(void
+
+#include "src/ios/web/webui/url_data_manager_ios_backend.mm"
+
+#undef ShouldDenyXFrameOptions

chromium_src/ios/web/webui/url_data_source_ios.mm

@@ -0,0 +1,18 @@
+// Copyright (c) 2024 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+#include "ios/web/public/webui/url_data_source_ios.h"
+
+namespace web {
+
+std::string URLDataSourceIOS::GetContentSecurityPolicyFrameSrc() const {
+  // Default for iOS:
+  // https://source.chromium.org/chromium/chromium/src/+/main:ios/web/webui/url_data_manager_ios_backend.mm;l=511?q=set_content_security_policy_frame_source&ss=chromium%2Fchromium%2Fsrc
+  return "frame-src 'none';";
+}
+
+}  // namespace web
+
+#include "src/ios/web/webui/url_data_source_ios.mm"

chromium_src/ios/web/webui/url_fetcher_block_adapter.h

@@ -0,0 +1,27 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_CHROMIUM_SRC_IOS_WEB_WEBUI_URL_FETCHER_BLOCK_ADAPTER_H_
+#define BRAVE_CHROMIUM_SRC_IOS_WEB_WEBUI_URL_FETCHER_BLOCK_ADAPTER_H_
+
+#include "base/memory/raw_ptr.h"
+#include "services/network/public/mojom/url_response_head.mojom.h"
+
+#define completion_handler_                                \
+  completion_handler_;                                     \
+                                                           \
+ public:                                                   \
+  const network::mojom::URLResponseHeadPtr getResponse() { \
+    return response_.Clone();                              \
+  }                                                        \
+                                                           \
+ private:                                                  \
+  network::mojom::URLResponseHeadPtr response_
+
+#include "src/ios/web/webui/url_fetcher_block_adapter.h"  // IWYU pragma: export
+
+#undef completion_handler_
+
+#endif  // BRAVE_CHROMIUM_SRC_IOS_WEB_WEBUI_URL_FETCHER_BLOCK_ADAPTER_H_

chromium_src/ios/web/webui/url_fetcher_block_adapter.mm

@@ -0,0 +1,21 @@
+/* Copyright (c) 2024 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ios/web/webui/url_fetcher_block_adapter.h"
+
+#include "services/network/public/cpp/simple_url_loader.h"
+
+#define GetFinalURL                            \
+  GetFinalURL();                               \
+  }                                            \
+                                               \
+  response_ = url_loader_->TakeResponseInfo(); \
+                                               \
+  if (!response_body) {                        \
+  void
+
+#include "src/ios/web/webui/url_fetcher_block_adapter.mm"
+
+#undef GetFinalURL

chromium_src/ios/web/webui/web_ui_ios_data_source_impl.h

@@ -0,0 +1,51 @@
+// Copyright (c) 2024 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+#ifndef BRAVE_CHROMIUM_SRC_IOS_WEB_WEBUI_WEB_UI_IOS_DATA_SOURCE_IMPL_H_
+#define BRAVE_CHROMIUM_SRC_IOS_WEB_WEBUI_WEB_UI_IOS_DATA_SOURCE_IMPL_H_
+
+#include <map>
+#include <set>
+#include <string>
+
+#include "base/containers/flat_map.h"
+#include "ios/web/public/webui/web_ui_ios_data_source.h"
+#include "services/network/public/mojom/content_security_policy.mojom.h"
+
+class BraveWebUIIOSDataSource;
+
+#define should_replace_i18n_in_js_ \
+  should_replace_i18n_in_js_;      \
+  friend BraveWebUIIOSDataSource
+#include "src/ios/web/webui/web_ui_ios_data_source_impl.h"  // IWYU pragma: export
+#undef should_replace_i18n_in_js_
+
+class BraveWebUIIOSDataSource : public web::WebUIIOSDataSourceImpl {
+ public:
+  static web::WebUIIOSDataSource* Create(const std::string& source_name);
+
+  // Brave CSP's & Security implementation:
+  virtual void OverrideContentSecurityPolicy(
+      network::mojom::CSPDirectiveName directive,
+      const std::string& value);
+
+  virtual void AddFrameAncestor(const GURL& frame_ancestor);
+  virtual void DisableTrustedTypesCSP();
+
+ protected:
+  ~BraveWebUIIOSDataSource() override;
+
+ private:
+  class InternalDataSource;
+  friend class InternalDataSource;
+  friend class WebUIIOSDataSourceImpl;
+  explicit BraveWebUIIOSDataSource(const std::string& source_name);
+
+  // Brave CSP's & Security variables:
+  base::flat_map<network::mojom::CSPDirectiveName, std::string> csp_overrides_;
+  std::set<GURL> frame_ancestors_;
+};
+
+#endif  // BRAVE_CHROMIUM_SRC_IOS_WEB_WEBUI_WEB_UI_IOS_DATA_SOURCE_IMPL_H_