[iOS] - Add CSPs support in Chromium WebUI

[Brandon-T]

Security Review

• https://github.com/brave/reviews/issues/1792

Summary

• Adds support for Content-Security-Policy and other headers to be set on WebUI responses so that WebKit can enforce such policies. See screenshots below.

Resolves brave/brave-browser#42138

Submitter Checklist:

• I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally:
  • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
  • npm run presubmit wiki, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Screenshots:

Testing Overrides by adding script-src with a nonce:

WebKit sees the abovenonce:

Testing Default CSPs (no overrides):

Without this PR (Current AppStore Build - Same as Chrome-iOS):

The above matches Desktop:

[github-actions]

The security team is monitoring all repositories for certain keywords. This PR includes the word(s) "csp" and so security team members have been added as reviewers to take a look.

No need to request a full security review at this stage, the security team will take a look shortly and either clear the label or request more information/changes.

Notifications have already been sent, but if this is blocking your merge feel free to reach out directly to the security team on Slack so that we can expedite this check.

[stoletheminerals]

@Brandon-T do we expose any mojo interfaces to chrome-untrusted? For example, does MojoJS get injected in these contexts? I believe @bridiver mentioned that the last time we tried to implement it, page permissions weren't too much different from chrome:// urls

[Brandon-T]

@Brandon-T do we expose any mojo interfaces to chrome-untrusted? For example, does MojoJS get injected in these contexts? I believe @bridiver mentioned that the last time we tried to implement it, page permissions weren't too much different from chrome:// urls

chromium-untrusted must have access to mojom APIs.

It's not injected by default but if we created an untrusted html page that loads the mojom script, it will work.

If an untrusted page programmatically loads the script, it'll work.

mojom bindings are available to chromium-untrusted as they're supposed to be afaik. I can probably block them, but how would it communicate with native code?

We would have to disable it via: https://source.chromium.org/chromium/chromium/src/+/main:ios/web/web_state/ui/crw_wk_ui_handler.mm;l=256;drc=a2ed1bfa50bdef7869f102cb1436f0c95cca812f;bpv=0;bpt=1

But https://chromium.googlesource.com/chromium/src/+/main/docs/chrome_untrusted.md states:

We recommend using Mojo to expose APIs to chrome-untrusted://. Mojo for chrome-untrusted:// works similarly to how it works for chrome:// with a few key differences:

Unlike chrome:// pages, chrome-untrusted:// pages don't get access to all renderer exposed Mojo interfaces by default. Use PopulateChromeWebUIFrameInterfaceBrokers to expose WebUI specific interfaces to your WebUI. See this CL for example.
The exposed interface has a different threat model: a compromised chrome-untrusted:// page could try to exploit the interface (e.g. sending malformed messages, closing the Mojo pipe).

Desktop has: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/renderer_host/render_frame_host_impl.cc;l=16777;drc=a2ed1bfa50bdef7869f102cb1436f0c95cca812f

But iOS doesn't have a RenderFrameHost or any sort of Render Processes.

[stoletheminerals]

mojom bindings are available to chromium-untrusted as they're supposed to be afaik. I can probably block them, but how would it communicate with native code?

This document
https://docs.google.com/document/d/1Kw4aTuISF7csHnjOpDJGc7JYIjlvOAKRprCTBVWw_E4/edit?tab=t.0#heading=h.eh1u1uo66itu states:

Unlike trustworthy WebUI pages, which may request any renderer-exposed interface through Mojo.bindInterface(), an untrustworthy WebUIs is restricted to requesting its single bespoke Mojo interface registered in PopulateChromeWebUIFrameInterfaceBrokers(). Often, this interface is used as a top-level broker interface to expose additional interfaces to the untrustworthy WebUI.

So I guess the question is, can chrome-untrusted on iOS bind to any interface or is it limited in the same way as on desktop.

[Brandon-T]

mojom bindings are available to chromium-untrusted as they're supposed to be afaik. I can probably block them, but how would it communicate with native code?

This document https://docs.google.com/document/d/1Kw4aTuISF7csHnjOpDJGc7JYIjlvOAKRprCTBVWw_E4/edit?tab=t.0#heading=h.eh1u1uo66itu states:

Unlike trustworthy WebUI pages, which may request any renderer-exposed interface through Mojo.bindInterface(), an untrustworthy WebUIs is restricted to requesting its single bespoke Mojo interface registered in PopulateChromeWebUIFrameInterfaceBrokers(). Often, this interface is used as a top-level broker interface to expose additional interfaces to the untrustworthy WebUI.

So I guess the question is, can chrome-untrusted on iOS bind to any interface or is it limited in the same way as on desktop.

I believe an untrusted frame would be able to access whatever interfaces are bound to the main-frame.
https://source.chromium.org/chromium/chromium/src/+/main:ios/web/webui/mojo_facade.mm;l=101;drc=a2ed1bfa50bdef7869f102cb1436f0c95cca812f?q=GetInterfaceBinderForMainFrame&ss=chromium%2Fchromium%2Fsrc

is called no matter which frame or scheme calls it. So:

var pHandle = Mojo.createMessagePipe();
Mojo.bindInterface('optimization_guide_internals.mojom.PageHandlerFactory', pHandle.handle0);

From the skus-internals page in a separate iFrame, will call it. In WebUI on iOS, all interfaces are registered through that function, so I'm pretty sure the untrusted would be able to access it the same way.

We don't have: https://source.chromium.org/chromium/chromium/src/+/main:content/public/browser/per_web_ui_browser_interface_broker.h;l=23;drc=a2ed1bfa50bdef7869f102cb1436f0c95cca812f;bpv=0;bpt=1

or https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/chrome_browser_interface_binders.cc;l=1188;drc=7fb345a0da63049b102e1c0bcdc8d7831110e324;bpv=0;bpt=1

or https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/chrome_content_browser_client_receiver_bindings.cc;l=367;drc=a2ed1bfa50bdef7869f102cb1436f0c95cca812f;bpv=0;bpt=1

or a RenderHost frame. Chrome iOS doesn't have a registry to register any WebUI, whereas Desktop registers every WebUI regardless of if it's trusted or not.

Chrome's regular ones are registered here: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/chrome_browser_interface_binders.cc;l=768;drc=7fb345a0da63049b102e1c0bcdc8d7831110e324;bpv=0;bpt=1

I'm not sure if it's even possible to replicate that behaviour and fix it on iOS.

Interfaces for trustworthy WebUIs should be bound in [PopulateChromeWebUIFrameBinders].

Already doesn't apply to iOS. We would have to figure out a way to do all of that for both trusted and untrusted if we want this to follow Desktop or this doc.

[stoletheminerals]

I believe an untrusted frame would be able to access whatever interfaces are bound to the main-frame

This unfortunately defeats the purpose of chrome-untrusted. I think we should decouple CSP logic (which lgtm) from this PR and figure out how to make chrome-untrusted secure.

[github-actions]

The security team is monitoring all repositories for certain keywords. This PR includes the word(s) "policy, csp" and so security team members have been added as reviewers to take a look.

No need to request a full security review at this stage, the security team will take a look shortly and either clear the label or request more information/changes.

Notifications have already been sent, but if this is blocking your merge feel free to reach out directly to the security team on Slack so that we can expedite this check.

[Brandon-T]

chrome-untrusted support has now been removed from this PR via the revert commit: c8f38a6

Only Content-Security-Policy additions/overrides remain.

[bridiver]

what is this for?

[Brandon-T]

Chromium has: https://source.chromium.org/chromium/chromium/src/+/main:ios/web/webui/crw_web_ui_scheme_handler.mm;l=89?q=CRWWebUISchemeHandler&ss=chromium%2Fchromium%2Fsrc

they completely ignore the headers from the response (and they use * for the Access-Control-Allow-Origin header. They hardcode headers). So to add the actual response headers, I need to retrieve it, and add it here (in this PR):

brave-core/chromium_src/ios/web/webui/crw_web_ui_scheme_handler.mm

Lines 64 to 77 in c8f38a6

	const network::mojom::URLResponseHeadPtr responseHead =
	fetcher->getResponse();
	if (responseHead) {
	const scoped_refptr<net::HttpResponseHeaders> headers =
	responseHead->headers;
	if (headers) {
	// const std::string& raw_headers = headers->raw_headers();
	NSMutableDictionary* responseHeaders =
	[strongSelf parseHeaders:headers];
	if (![responseHeaders objectForKey:@"Content-Type"]) {
	[responseHeaders setObject:mimeType forKey:@"Content-Type"];
	}

[bridiver]

can you please add comments explaining?

[bridiver]

same as above, what is this for?

[Brandon-T]

It's an override for: https://source.chromium.org/chromium/chromium/src/+/main:ios/web/webui/url_fetcher_block_adapter.mm;l=43;bpv=0;bpt=1

So that I can retrieve the response that contains the headers, so that I can give them to WebKit's WKURLSchemeHandler here:

brave-core/chromium_src/ios/web/webui/crw_web_ui_scheme_handler.mm

Line 65 in c8f38a6

fetcher->getResponse();

and pass them to WebKit. It's used in the files linked above, as part of this PR.

[bridiver]

same as above, please add comments

[bridiver]

don't forward declare enums

[bridiver]

what is the purpose of this?

[bridiver]

doesn't this also need to include kChromeUIUntrustedScheme?

[bridiver]

if it doesn't then overriding this is pointless

[bridiver]

adding this seems pointless if it's always going to return true

[bridiver]

this is already called in URLDataManagerIOSBackend::StartRequest, why are we calling it again?

[bridiver]

public doesn't make sense inside ios/browser, this is more equivalent to URLDataSourceIOSImpl because it's a brave specific implementation.

[bridiver]

why aren't we subclassing WebUIIOSDataSourceImpl to get this stuff? We don't want to duplicate it

[bridiver]

I guess it isn't public, but per dm I think we can have BraveWebUIIOSDataSource own an instance of WebUIIOSDataSourceImpl that is created through WebUIIOSDataSource::Create and then proxy these methods to it

[github-actions]

[puLL-Merge] - brave/brave-core@26402

Description

This PR introduces significant changes to the Brave iOS browser, primarily focusing on enhancing WebUI functionality and security. It adds support for the chrome-untrusted scheme, implements Content Security Policy (CSP) controls, and modifies the behavior of WebUI data sources.

Possible Issues

1. The implementation of IsWebUIMessageAllowedForFrame in brave_web_client.mm always returns true, which might be overly permissive.
2. The chrome-untrusted scheme is added, but the logic for handling untrusted interfaces is commented out, potentially leaving a security gap.

Security Hotspots

1. The addition of the chrome-untrusted scheme in profile_ios.mm could introduce new attack vectors if not properly secured.
2. The modification of Content Security Policy settings in brave_url_data_source_ios.mm might affect the security of WebUI pages if not carefully implemented.
3. The IsWebUIMessageAllowedForFrame method in brave_web_client.mm always returns true, which could potentially allow unauthorized messages.

Changes

Changes

1. ios/chrome/browser/shared/model/profile/profile_ios.mm:

   • Added support for the chrome-untrusted scheme.

2. ios/components/webui/web_ui_url_constants.cc and .h:

   • Defined the kChromeUIUntrustedScheme constant.

3. ios/web/public/web_client.h and ios/web/web_client.mm:

   • Added IsWebUIMessageAllowedForFrame method.

4. ios/web/public/web_state.h and ios/web/web_state/web_state.mm:

   • Implemented AddUntrustedInterface and BindUntrustedInterface methods.

5. ios/web/webui/crw_web_ui_scheme_handler.mm:

   • Modified response processing to add default headers.

6. ios/web/webui/mojo_facade.mm:

   • Implemented IsWebUIMessageAllowedForFrame method.

7. ios/browser/brave_web_client.h and .mm:

   • Added support for untrusted interfaces and WebUI message handling.

8. ios/browser/ui/webui/public/brave_url_data_source_ios.h and .mm:

   • Implemented custom Content Security Policy controls.

9. ios/browser/ui/webui/public/brave_web_ui_ios_data_source.h and .mm:

   • Created a new WebUI data source with enhanced security features.

sequenceDiagram
    participant WebUI
    participant BraveWebUIIOSDataSource
    participant BraveURLDataSourceIOS
    participant WebClient
    WebUI->>BraveWebUIIOSDataSource: Request data
    BraveWebUIIOSDataSource->>BraveURLDataSourceIOS: Get content
    BraveURLDataSourceIOS->>WebClient: Get resource
    WebClient-->>BraveURLDataSourceIOS: Return resource
    BraveURLDataSourceIOS->>BraveURLDataSourceIOS: Apply CSP
    BraveURLDataSourceIOS-->>BraveWebUIIOSDataSource: Return content
    BraveWebUIIOSDataSource-->>WebUI: Serve content

Loading