Change declarative Shadow DOM fragment parsing to be opt-in

This CL implements most of the suggestions from [1], which effectively
block declarative Shadow DOM from being used by any fragment parser
entry point, unless an explicit opt-in is toggled.

The opt-ins include:
 - DOMParser.allowDeclarativeShadowDom = true;
 - HTMLTemplateElement.allowDeclarativeShadowDom = true;
 - XMLHttpRequest.allowDeclarativeShadowDom = true;
 - DocumentFragment.allowDeclarativeShadowDom = true;
 - Document.allowDeclarativeShadowDom = true; // For innerHTML
 - A new <iframe> sandbox flag: allow-declarative-shadow-dom

This mitigates the potential client-side XSS sanitizer bypass detailed
in the explainer and at [1]. Assuming these changes are functional,
and mitigate the issue, this new behavior will be folded into the
spec PRs at [2] and [3]. But given the security implications of the
existing code, I'd like to get this landed first.

[1] whatwg/dom#912 (comment)
[2] whatwg/html#5465
[3] whatwg/dom#892

Bug: 1042130
Change-Id: I088f28f63078a0d26e354a4442494c0132b47ffc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2513525
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#824591}
GitOrigin-RevId: 83080e44d00b0a9321b54bcca7bbe0eb2f9d5e43

blink/common/feature_policy/feature_policy.cc

@@ -363,6 +363,7 @@ mojom::FeaturePolicyFeature FeaturePolicy::FeatureForSandboxFlag(
         kPropagatesToAuxiliaryBrowsingContexts:
     case network::mojom::WebSandboxFlags::kTopNavigationByUserActivation:
     case network::mojom::WebSandboxFlags::kStorageAccessByUserActivation:
+    case network::mojom::WebSandboxFlags::kDeclarativeShadowDom:
       break;
   }
   return mojom::FeaturePolicyFeature::kNotFound;

blink/renderer/core/dom/document.cc

@@ -6960,6 +6960,20 @@ void Document::MarkFirstPaint() {
   MaybeExecuteDelayedAsyncScripts();
 }
 
+using AllowState = blink::Document::DeclarativeShadowDomAllowState;
+AllowState Document::GetDeclarativeShadowDomAllowState() const {
+  return declarative_shadow_dom_allow_state_;
+}
+
+void Document::setAllowDeclarativeShadowDom(bool val) {
+  declarative_shadow_dom_allow_state_ =
+      val ? AllowState::kAllow : AllowState::kDeny;
+}
+
+bool Document::allowDeclarativeShadowDom() const {
+  return declarative_shadow_dom_allow_state_ == AllowState::kAllow;
+}
+
 void Document::FinishedParsing() {
   DCHECK(!GetScriptableDocumentParser() || !parser_->IsParsing());
   DCHECK(!GetScriptableDocumentParser() || ready_state_ != kLoading);

blink/renderer/core/dom/document.h

@@ -1662,6 +1662,11 @@ class CORE_EXPORT Document : public ContainerNode,
   void MarkFirstPaint();
   void MaybeExecuteDelayedAsyncScripts();
 
+  enum class DeclarativeShadowDomAllowState { kNotSet, kAllow, kDeny };
+  DeclarativeShadowDomAllowState GetDeclarativeShadowDomAllowState() const;
+  void setAllowDeclarativeShadowDom(bool val);
+  bool allowDeclarativeShadowDom() const;
+
   void SetFindInPageActiveMatchNode(Node*);
   const Node* GetFindInPageActiveMatchNode() const;
 
@@ -2201,6 +2206,9 @@ class CORE_EXPORT Document : public ContainerNode,
   int async_script_count_ = 0;
   bool first_paint_recorded_ = false;
 
+  DeclarativeShadowDomAllowState declarative_shadow_dom_allow_state_ =
+      DeclarativeShadowDomAllowState::kNotSet;
+
   WeakMember<Node> find_in_page_active_match_node_;
 
   Member<DocumentData> data_;

blink/renderer/core/dom/document.idl

@@ -199,6 +199,9 @@ typedef (HTMLScriptElement or SVGScriptElement) HTMLOrSVGScriptElement;
     // https://w3c.github.io/webappsec-feature-policy/#the-policy-object
     readonly attribute FeaturePolicy featurePolicy;
 
+    // Declarative Shadow DOM API
+    [RuntimeEnabled=DeclarativeShadowDOM] attribute boolean allowDeclarativeShadowDom;
+
     // Deprecated prefixed page visibility API.
     // TODO(davidben): This is a property so attaching a deprecation warning results in false positives when outputting
     // document in the console. It's possible https://crbug.com/43394 will resolve this.

blink/renderer/core/dom/document_fragment.h

@@ -26,6 +26,7 @@
 
 #include "third_party/blink/renderer/core/core_export.h"
 #include "third_party/blink/renderer/core/dom/container_node.h"
+#include "third_party/blink/renderer/core/dom/document.h"
 #include "third_party/blink/renderer/core/dom/parser_content_policy.h"
 #include "third_party/blink/renderer/platform/wtf/casting.h"
 
@@ -49,6 +50,16 @@ class CORE_EXPORT DocumentFragment : public ContainerNode {
   bool CanContainRangeEndPoint() const final { return true; }
   virtual bool IsTemplateContent() const { return false; }
 
+  bool allowDeclarativeShadowDom() const {
+    return allow_declarative_shadow_dom_;
+  }
+  void setAllowDeclarativeShadowDom(bool value) {
+    allow_declarative_shadow_dom_ = value;
+  }
+
+  // This will catch anyone doing an unnecessary check.
+  bool IsDocumentFragment() const = delete;
+
  protected:
   String nodeName() const final;
 
@@ -57,8 +68,7 @@ class CORE_EXPORT DocumentFragment : public ContainerNode {
   Node* Clone(Document&, CloneChildrenFlag) const override;
   bool ChildTypeAllowed(NodeType) const override;
 
-  bool IsDocumentFragment() const =
-      delete;  // This will catch anyone doing an unnecessary check.
+  bool allow_declarative_shadow_dom_{false};
 };
 
 template <>

blink/renderer/core/dom/document_fragment.idl

@@ -23,6 +23,8 @@
     Exposed=Window
 ] interface DocumentFragment : Node {
   [CallWith=Document] constructor();
+
+  [RuntimeEnabled=DeclarativeShadowDOM] attribute boolean allowDeclarativeShadowDom;
 };
 
 DocumentFragment includes ParentNode;

blink/renderer/core/dom/slot_assignment_test.cc

@@ -64,6 +64,7 @@ class SlotAssignmentTest : public testing::Test {
 void SlotAssignmentTest::SetUp() {
   dummy_page_holder_ = std::make_unique<DummyPageHolder>(IntSize(800, 600));
   document_ = &dummy_page_holder_->GetDocument();
+  document_->setAllowDeclarativeShadowDom(true);
   DCHECK(document_);
 }
 

blink/renderer/core/editing/serializers/serialization.cc

@@ -62,6 +62,7 @@
 #include "third_party/blink/renderer/core/html/html_span_element.h"
 #include "third_party/blink/renderer/core/html/html_table_cell_element.h"
 #include "third_party/blink/renderer/core/html/html_table_element.h"
+#include "third_party/blink/renderer/core/html/html_template_element.h"
 #include "third_party/blink/renderer/core/html_names.h"
 #include "third_party/blink/renderer/core/layout/layout_object.h"
 #include "third_party/blink/renderer/core/loader/empty_clients.h"
@@ -610,8 +611,9 @@ DocumentFragment* CreateFragmentForInnerOuterHTML(
     const char* method,
     ExceptionState& exception_state) {
   DCHECK(context_element);
-  if (IsA<HTMLTemplateElement>(*context_element) &&
-      !context_element->GetExecutionContext()) {
+  const HTMLTemplateElement* template_element =
+      DynamicTo<HTMLTemplateElement>(*context_element);
+  if (template_element && !template_element->GetExecutionContext()) {
     return nullptr;
   }
 
@@ -620,6 +622,10 @@ DocumentFragment* CreateFragmentForInnerOuterHTML(
           ? context_element->GetDocument().EnsureTemplateDocument()
           : context_element->GetDocument();
   DocumentFragment* fragment = DocumentFragment::Create(document);
+  fragment->setAllowDeclarativeShadowDom(
+      context_element->GetDocument().allowDeclarativeShadowDom() ||
+      (template_element && template_element->content() &&
+       template_element->content()->allowDeclarativeShadowDom()));
 
   if (IsA<HTMLDocument>(document)) {
     fragment->ParseHTML(markup, context_element, parser_content_policy);

blink/renderer/core/html/html_iframe_element.cc

@@ -161,10 +161,12 @@ void HTMLIFrameElement::ParseAttribute(
         network::mojom::blink::WebSandboxFlags::kNone;
     if (!value.IsNull()) {
       using network::mojom::blink::WebSandboxFlags;
-      WebSandboxFlags ignored_flags =
-          !RuntimeEnabledFeatures::StorageAccessAPIEnabled()
-              ? WebSandboxFlags::kStorageAccessByUserActivation
-              : WebSandboxFlags::kNone;
+      WebSandboxFlags ignored_flags = WebSandboxFlags::kNone;
+      if (!RuntimeEnabledFeatures::StorageAccessAPIEnabled())
+        ignored_flags |= WebSandboxFlags::kStorageAccessByUserActivation;
+      if (!RuntimeEnabledFeatures::DeclarativeShadowDOMEnabled(
+              GetExecutionContext()))
+        ignored_flags |= WebSandboxFlags::kDeclarativeShadowDom;
 
       auto parsed = network::ParseWebSandboxPolicy(sandbox_->value().Utf8(),
                                                    ignored_flags);

blink/renderer/core/html/html_iframe_element_sandbox.cc

@@ -33,6 +33,10 @@ const char* const kSupportedSandboxTokens[] = {
 constexpr char kStorageAccessAPISandboxToken[] =
     "allow-storage-access-by-user-activation";
 
+// TODO(crbug.com/1042130): move this into |kSupportedSandboxTokens| when the
+// feature flag is enabled by default.
+constexpr char kDeclarativeShadowDom[] = "allow-declarative-shadow-dom";
+
 bool IsTokenSupported(const AtomicString& token) {
   for (const char* supported_token : kSupportedSandboxTokens) {
     if (token == supported_token)
@@ -46,6 +50,15 @@ bool IsTokenSupported(const AtomicString& token) {
       (token == kStorageAccessAPISandboxToken)) {
     return true;
   }
+
+  // If Declarative Shadow DOM is enabled, allow the sandbox flag.
+  // TODO(crbug.com/1145605): This won't work for origin trial enabled iframe
+  // documents, because there's no ExecutionContext here.
+  if (RuntimeEnabledFeatures::DeclarativeShadowDOMEnabledByRuntimeFlag() &&
+      (token == kDeclarativeShadowDom)) {
+    return true;
+  }
+
   return false;
 }
 

blink/renderer/core/html/parser/html_construction_site.cc

@@ -713,10 +713,15 @@ void HTMLConstructionSite::InsertHTMLFormElement(AtomicHTMLToken* token,
 
 void HTMLConstructionSite::InsertHTMLTemplateElement(
     AtomicHTMLToken* token,
-    DeclarativeShadowRootType declarative_shadow_root_type) {
+    DeclarativeShadowRootType declarative_shadow_root_type,
+    bool allow_declarative_shadow_dom) {
   auto* template_element = To<HTMLTemplateElement>(
       CreateElement(token, html_names::xhtmlNamespaceURI));
   template_element->SetDeclarativeShadowRootType(declarative_shadow_root_type);
+  if (DocumentFragment* content =
+          template_element->TemplateContentForHTMLConstructionSite()) {
+    content->setAllowDeclarativeShadowDom(allow_declarative_shadow_dom);
+  }
   AttachLater(CurrentNode(), template_element);
   open_elements_.Push(
       MakeGarbageCollected<HTMLStackItem>(template_element, token));

blink/renderer/core/html/parser/html_construction_site.h

@@ -149,9 +149,9 @@ class HTMLConstructionSite final {
   void InsertCommentOnDocument(AtomicHTMLToken*);
   void InsertCommentOnHTMLHtmlElement(AtomicHTMLToken*);
   void InsertHTMLElement(AtomicHTMLToken*);
-  void InsertHTMLTemplateElement(
-      AtomicHTMLToken*,
-      DeclarativeShadowRootType declarative_shadow_root_type);
+  void InsertHTMLTemplateElement(AtomicHTMLToken*,
+                                 DeclarativeShadowRootType,
+                                 bool allow_declarative_shadow_dom);
   void InsertSelfClosingHTMLElementDestroyingToken(AtomicHTMLToken*);
   void InsertFormattingElement(AtomicHTMLToken*);
   void InsertHTMLHeadElement(AtomicHTMLToken*);

blink/renderer/core/html/parser/html_document_parser.cc

@@ -287,8 +287,30 @@ HTMLDocumentParser::HTMLDocumentParser(HTMLDocument& document,
     : HTMLDocumentParser(document, kAllowScriptingContent, sync_policy) {
   script_runner_ =
       HTMLParserScriptRunner::Create(ReentryPermit(), &document, this);
+
+  // Deny declarative Shadow DOM if explicitly denied.
+  // Allow declarative shadow DOM:
+  //  1. For the main frame (non-fragment) document, or
+  //  2. When explicitly enabled by the allowDeclarativeShadowDom flag, or
+  //  3. For sub-frames that do not have this feature sandboxed.
+  bool allow_declarative_shadow_dom = false;
+  if (document.GetDeclarativeShadowDomAllowState() !=
+      Document::DeclarativeShadowDomAllowState::kDeny) {
+    bool is_main_frame =
+        document.GetFrame() && document.GetFrame()->IsMainFrame();
+    const auto* context = document.GetExecutionContext();
+    allow_declarative_shadow_dom =
+        is_main_frame ||
+        (document.GetDeclarativeShadowDomAllowState() ==
+         Document::DeclarativeShadowDomAllowState::kAllow) ||
+        (!is_main_frame && context &&
+         !context->IsSandboxed(
+             network::mojom::blink::WebSandboxFlags::kDeclarativeShadowDom));
+  }
+
   tree_builder_ = MakeGarbageCollected<HTMLTreeBuilder>(
-      this, document, kAllowScriptingContent, options_);
+      this, document, kAllowScriptingContent, options_,
+      allow_declarative_shadow_dom);
 }
 
 HTMLDocumentParser::HTMLDocumentParser(
@@ -300,7 +322,8 @@ HTMLDocumentParser::HTMLDocumentParser(
                          kForceSynchronousParsing) {
   // No script_runner_ in fragment parser.
   tree_builder_ = MakeGarbageCollected<HTMLTreeBuilder>(
-      this, fragment, context_element, parser_content_policy, options_);
+      this, fragment, context_element, parser_content_policy, options_,
+      fragment->allowDeclarativeShadowDom());
 
   // For now document fragment parsing never reports errors.
   bool report_errors = false;

blink/renderer/core/html/parser/html_tree_builder.cc

@@ -232,12 +232,14 @@ class HTMLTreeBuilder::CharacterTokenBuffer {
 HTMLTreeBuilder::HTMLTreeBuilder(HTMLDocumentParser* parser,
                                  Document& document,
                                  ParserContentPolicy parser_content_policy,
-                                 const HTMLParserOptions& options)
+                                 const HTMLParserOptions& options,
+                                 bool allow_declarative_shadow_dom)
     : frameset_ok_(true),
       tree_(parser->ReentryPermit(), document, parser_content_policy),
       insertion_mode_(kInitialMode),
       original_insertion_mode_(kInitialMode),
       should_skip_leading_newline_(false),
+      allow_declarative_shadow_dom_(allow_declarative_shadow_dom),
       parser_(parser),
       script_to_process_start_position_(UninitializedPositionValue1()),
       options_(options) {}
@@ -246,11 +248,13 @@ HTMLTreeBuilder::HTMLTreeBuilder(HTMLDocumentParser* parser,
                                  DocumentFragment* fragment,
                                  Element* context_element,
                                  ParserContentPolicy parser_content_policy,
-                                 const HTMLParserOptions& options)
+                                 const HTMLParserOptions& options,
+                                 bool allow_declarative_shadow_dom)
     : HTMLTreeBuilder(parser,
                       fragment->GetDocument(),
                       parser_content_policy,
-                      options) {
+                      options,
+                      allow_declarative_shadow_dom) {
   DCHECK(IsMainThread());
   DCHECK(context_element);
   tree_.InitFragmentParsing(fragment, context_element);
@@ -900,7 +904,8 @@ void HTMLTreeBuilder::ProcessTemplateStartTag(AtomicHTMLToken* token) {
   DeclarativeShadowRootType declarative_shadow_root_type(
       DeclarativeShadowRootType::kNone);
   if (RuntimeEnabledFeatures::DeclarativeShadowDOMEnabled(
-          tree_.CurrentNode()->GetExecutionContext())) {
+          tree_.CurrentNode()->GetExecutionContext()) &&
+      allow_declarative_shadow_dom_) {
     if (Attribute* type_attribute =
             token->GetAttributeItem(html_names::kShadowrootAttr)) {
       String shadow_mode = type_attribute->Value();
@@ -919,7 +924,8 @@ void HTMLTreeBuilder::ProcessTemplateStartTag(AtomicHTMLToken* token) {
       }
     }
   }
-  tree_.InsertHTMLTemplateElement(token, declarative_shadow_root_type);
+  tree_.InsertHTMLTemplateElement(token, declarative_shadow_root_type,
+                                  allow_declarative_shadow_dom_);
   frameset_ok_ = false;
   template_insertion_modes_.push_back(kTemplateContentsMode);
   SetInsertionMode(kTemplateContentsMode);

blink/renderer/core/html/parser/html_tree_builder.h

@@ -54,12 +54,14 @@ class HTMLTreeBuilder final : public GarbageCollected<HTMLTreeBuilder> {
   HTMLTreeBuilder(HTMLDocumentParser*,
                   Document&,
                   ParserContentPolicy,
-                  const HTMLParserOptions&);
+                  const HTMLParserOptions&,
+                  bool allow_declarative_shadow_dom);
   HTMLTreeBuilder(HTMLDocumentParser*,
                   DocumentFragment*,
                   Element* context_element,
                   ParserContentPolicy,
-                  const HTMLParserOptions&);
+                  const HTMLParserOptions&,
+                  bool allow_declarative_shadow_dom);
   ~HTMLTreeBuilder();
   void Trace(Visitor*) const;
 
@@ -246,6 +248,8 @@ class HTMLTreeBuilder final : public GarbageCollected<HTMLTreeBuilder> {
 
   bool should_skip_leading_newline_;
 
+  const bool allow_declarative_shadow_dom_;
+
   // We access parser because HTML5 spec requires that we be able to change the
   // state of the tokenizer from within parser actions. We also need it to track
   // the current position.

blink/renderer/core/xml/dom_parser.cc

@@ -33,6 +33,7 @@ Document* DOMParser::parseFromString(const String& str, const String& type) {
                       .WithTypeFrom(type)
                       .WithExecutionContext(window_)
                       .CreateDocument();
+  doc->setAllowDeclarativeShadowDom(allow_declarative_shadow_dom_);
   doc->SetContent(str);
   doc->SetMimeType(AtomicString(type));
   return doc;

blink/renderer/core/xml/dom_parser.h

@@ -42,11 +42,19 @@ class DOMParser final : public ScriptWrappable {
 
   Document* parseFromString(const String&, const String& type);
 
+  bool allowDeclarativeShadowDom() const {
+    return allow_declarative_shadow_dom_;
+  }
+  void setAllowDeclarativeShadowDom(bool value) {
+    allow_declarative_shadow_dom_ = value;
+  }
+
   void Trace(Visitor*) const override;
 
   LocalDOMWindow* GetWindow() const { return window_.Get(); }
 
  private:
+  bool allow_declarative_shadow_dom_{false};
   WeakMember<LocalDOMWindow> window_;
 };
 

blink/renderer/core/xml/dom_parser.idl

@@ -32,4 +32,5 @@ enum SupportedType {
 ] interface DOMParser {
     [CallWith=ScriptState] constructor();
     [NewObject] Document parseFromString(HTMLString str, SupportedType type);
+    [RuntimeEnabled=DeclarativeShadowDOM] attribute boolean allowDeclarativeShadowDom;
 };

blink/renderer/core/xmlhttprequest/xml_http_request.cc

@@ -355,6 +355,8 @@ void XMLHttpRequest::InitResponseDocument() {
   // FIXME: Set Last-Modified.
   response_document_->SetContextFeatures(document->GetContextFeatures());
   response_document_->SetMimeType(FinalResponseMIMETypeWithFallback());
+  response_document_->setAllowDeclarativeShadowDom(
+      allow_declarative_shadow_dom_);
 }
 
 Document* XMLHttpRequest::responseXML(ExceptionState& exception_state) {