Diff
Modified: trunk/Source/WebCore/ChangeLog (256074 => 256075)
--- trunk/Source/WebCore/ChangeLog 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/ChangeLog 2020-02-07 23:39:01 UTC (rev 256075)
@@ -1,3 +1,46 @@
+2020-02-07 Chris Dumez <[email protected]>
+
+ [Hardening] Validate Geolocation access permission on UIProcess side
+ https://bugs.webkit.org/show_bug.cgi?id=207393
+ <rdar://problem/56816051>
+
+ Reviewed by Brent Fulgham.
+
+ Validate Geolocation access permission on UIProcess side, instead of only relying solely on the WebProcess for this.
+
+ The workflow is as follows:
+ - The Geolocation objects request for permission to access location data
+ - The UIProcess shows a prompt
+ - If the user accepts, the UIProcess sends an authorization token (a UUID
+ string) to the Geolocation object.
+ - When the Geolocation object later asks for location updates from the UIProcess, the UIProcess validates
+ that this is a valid authorization token (one that it previously issued for this page)
+ - When the Geolocation objects gets destroyed (or resets its permission), the authorization token gets
+ revoked so that it is no longer valid.
+
+ No new tests, no Web-facing behavior change, merely hardening.
+
+ * Modules/geolocation/Geolocation.cpp:
+ (WebCore::Geolocation::~Geolocation):
+ (WebCore::Geolocation::resumeTimerFired):
+ (WebCore::Geolocation::resetAllGeolocationPermission):
+ (WebCore::Geolocation::stop):
+ (WebCore::Geolocation::setIsAllowed):
+ (WebCore::Geolocation::revokeAuthorizationTokenIfNecessary):
+ (WebCore::Geolocation::resetIsAllowed):
+ * Modules/geolocation/Geolocation.h:
+ * Modules/geolocation/GeolocationClient.h:
+ (WebCore::GeolocationClient::revokeAuthorizationToken):
+ * Modules/geolocation/GeolocationController.cpp:
+ (WebCore::GeolocationController::addObserver):
+ (WebCore::GeolocationController::revokeAuthorizationToken):
+ (WebCore::GeolocationController::activityStateDidChange):
+ * Modules/geolocation/GeolocationController.h:
+ * platform/mock/GeolocationClientMock.cpp:
+ (WebCore::GeolocationClientMock::permissionTimerFired):
+ (WebCore::GeolocationClientMock::startUpdating):
+ * platform/mock/GeolocationClientMock.h:
+
2020-02-07 Alex Christensen <[email protected]>
Remember if we used legacy TLS in the back/forward cache like we remember if we have only secure content
Modified: trunk/Source/WebCore/Modules/geolocation/Geolocation.cpp (256074 => 256075)
--- trunk/Source/WebCore/Modules/geolocation/Geolocation.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/Modules/geolocation/Geolocation.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -146,6 +146,7 @@
Geolocation::~Geolocation()
{
ASSERT(m_allowGeolocation != InProgress);
+ revokeAuthorizationTokenIfNecessary();
}
SecurityOrigin* Geolocation::securityOrigin() const
@@ -206,7 +207,7 @@
if ((isAllowed() || isDenied()) && !m_pendingForPermissionNotifiers.isEmpty()) {
// The pending permission was granted while the object was suspended.
- setIsAllowed(isAllowed());
+ setIsAllowed(isAllowed(), authorizationToken());
ASSERT(!m_hasChangedPosition);
ASSERT(!m_errorWaitingForResume);
return;
@@ -214,7 +215,7 @@
if (isDenied() && hasListeners()) {
// The permission was revoked while the object was suspended.
- setIsAllowed(false);
+ setIsAllowed(false, { });
return;
}
@@ -248,7 +249,7 @@
// 1) Reset our own state.
stopUpdating();
- m_allowGeolocation = Unknown;
+ resetIsAllowed();
m_hasChangedPosition = false;
m_errorWaitingForResume = nullptr;
@@ -271,7 +272,7 @@
if (page && m_allowGeolocation == InProgress)
GeolocationController::from(page)->cancelPermissionRequest(*this);
// The frame may be moving to a new page and we want to get the permissions from the new page's client.
- m_allowGeolocation = Unknown;
+ resetIsAllowed();
cancelAllRequests();
stopUpdating();
m_hasChangedPosition = false;
@@ -480,7 +481,7 @@
stopUpdating();
}
-void Geolocation::setIsAllowed(bool allowed)
+void Geolocation::setIsAllowed(bool allowed, const String& authorizationToken)
{
// Protect the Geolocation object from garbage collection during a callback.
Ref<Geolocation> protectedThis(*this);
@@ -488,6 +489,7 @@
// This may be due to either a new position from the service, or a cached
// position.
m_allowGeolocation = allowed ? Yes : No;
+ m_authorizationToken = authorizationToken;
if (m_isSuspended)
return;
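Review bot: `m_authorizationToken = authorizationToken;` stores the token independently of `allowed`, so nothing stops a caller from recording a token together with a denial. Every call site visible in this commit passes `{ }` when denying, so the invariant can be pinned with `ASSERT(allowed || authorizationToken.isNull());` next to the assignment. A one-line comment should also say that a null token with `allowed == true` is expected for clients that do not issue tokens (the WebKitLegacy `allow` callers pass `{ }`). The body of `setIsAllowed` starts and ends outside this hunk.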
@@ -637,6 +639,24 @@
GeolocationController::from(page)->requestPermission(*this);
}
+void Geolocation::revokeAuthorizationTokenIfNecessary()
+{
+ if (m_authorizationToken.isNull())
+ return;
+
+ Page* page = this->page();
+ if (!page)
+ return;
+
+ GeolocationController::from(page)->revokeAuthorizationToken(std::exchange(m_authorizationToken, String()));
+}
+
+void Geolocation::resetIsAllowed()
+{
+ m_allowGeolocation = Unknown;
+ revokeAuthorizationTokenIfNecessary();
+}
+
void Geolocation::makeSuccessCallbacks(GeolocationPosition& position)
{
ASSERT(lastPosition());
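Review bot: In `revokeAuthorizationTokenIfNecessary()` the `if (!page) return;` path keeps `m_authorizationToken` and sends no revocation, so a Geolocation that is destroyed or reset after losing its page leaves a token the UIProcess will still accept. `resetIsAllowed()` can then end with `m_allowGeolocation == Unknown` but a non-null token, which `authorizationToken()` keeps handing out. Taking the token first, `auto token = std::exchange(m_authorizationToken, String());` before the page check, keeps the local state consistent. The UIProcess-side entry still needs another cleanup path, which this commit does not show. A comment on the early return saying that revocation is best-effort would document the gap.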
Modified: trunk/Source/WebCore/Modules/geolocation/Geolocation.h (256074 => 256075)
--- trunk/Source/WebCore/Modules/geolocation/Geolocation.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/Modules/geolocation/Geolocation.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -65,8 +65,9 @@
int watchPosition(Ref<PositionCallback>&&, RefPtr<PositionErrorCallback>&&, PositionOptions&&);
void clearWatch(int watchID);
- WEBCORE_EXPORT void setIsAllowed(bool);
- void resetIsAllowed() { m_allowGeolocation = Unknown; }
+ WEBCORE_EXPORT void setIsAllowed(bool, const String& authorizationToken);
+ const String& authorizationToken() const { return m_authorizationToken; }
+ WEBCORE_EXPORT void resetIsAllowed();
bool isAllowed() const { return m_allowGeolocation == Yes; }
void positionChanged();
@@ -132,6 +133,7 @@
void handleError(GeolocationPositionError&);
void requestPermission();
+ void revokeAuthorizationTokenIfNecessary();
bool startUpdating(GeoNotifier*);
void stopUpdating();
@@ -155,6 +157,7 @@
RefPtr<GeolocationPosition> m_lastPosition;
enum { Unknown, InProgress, Yes, No } m_allowGeolocation { Unknown };
+ String m_authorizationToken;
bool m_isSuspended { false };
bool m_resetOnResume { false };
bool m_hasChangedPosition { false };
Modified: trunk/Source/WebCore/Modules/geolocation/GeolocationClient.h (256074 => 256075)
--- trunk/Source/WebCore/Modules/geolocation/GeolocationClient.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/Modules/geolocation/GeolocationClient.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -25,6 +25,7 @@
#pragma once
+#include <wtf/Forward.h>
#include <wtf/Optional.h>
namespace WebCore {
@@ -37,8 +38,10 @@
public:
virtual void geolocationDestroyed() = 0;
- virtual void startUpdating() = 0;
+ virtual void startUpdating(const String& authorizationToken) = 0;
virtual void stopUpdating() = 0;
+ virtual void revokeAuthorizationToken(const String&) { }
+
// FIXME: The V2 Geolocation specification proposes that this property is
// renamed. See http://www.w3.org/2008/geolocation/track/issues/6
// We should update WebKit to reflect this if and when the V2 specification
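Review bot: The two token-related virtuals are undocumented and asymmetric: `startUpdating(const String& authorizationToken)` is pure, while `revokeAuthorizationToken(const String&)` has an empty default. A client that validates tokens but forgets to override the latter never revokes anything, and the compiler stays silent. A comment on each would make the contract explicit, for example `// authorizationToken is null for clients that do not validate permission out of process.` on `startUpdating` and `// Default no-op; override when tokens are tracked outside this process.` on `revokeAuthorizationToken`. The class definition starts and ends outside the hunk.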
Modified: trunk/Source/WebCore/Modules/geolocation/GeolocationController.cpp (256074 => 256075)
--- trunk/Source/WebCore/Modules/geolocation/GeolocationController.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/Modules/geolocation/GeolocationController.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -64,7 +64,7 @@
if (enableHighAccuracy)
m_client.setEnableHighAccuracy(true);
if (wasEmpty && m_page.isVisible())
- m_client.startUpdating();
+ m_client.startUpdating(observer.authorizationToken());
}
void GeolocationController::removeObserver(Geolocation& observer)
@@ -81,6 +81,11 @@
m_client.setEnableHighAccuracy(false);
}
+void GeolocationController::revokeAuthorizationToken(const String& authorizationToken)
+{
+ m_client.revokeAuthorizationToken(authorizationToken);
+}
+
void GeolocationController::requestPermission(Geolocation& geolocation)
{
if (!m_page.isVisible()) {
@@ -134,7 +139,7 @@
auto changed = oldActivityState ^ newActivityState;
if (changed & ActivityState::IsVisible && !m_observers.isEmpty()) {
if (newActivityState & ActivityState::IsVisible)
- m_client.startUpdating();
+ m_client.startUpdating((*m_observers.random())->authorizationToken());
else
m_client.stopUpdating();
}
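Review bot: `(*m_observers.random())->authorizationToken()` makes the token presented on a visibility change depend on which observer the set happens to return. If observers can differ in their tokens, or one can hold a null token, the UIProcess check on `StartUpdating` would pass or fail unpredictably; whether that can happen is not visible from this hunk. If any observer's token is meant to be equivalent, say so in a comment such as `// Every observer was granted access for this page, so any of their tokens is acceptable.`; otherwise select an observer whose token is non-null. The enclosing function starts outside the hunk.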
Modified: trunk/Source/WebCore/Modules/geolocation/GeolocationController.h (256074 => 256075)
--- trunk/Source/WebCore/Modules/geolocation/GeolocationController.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/Modules/geolocation/GeolocationController.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -63,6 +63,8 @@
WEBCORE_EXPORT static const char* supplementName();
static GeolocationController* from(Page* page) { return static_cast<GeolocationController*>(Supplement<Page>::from(page, supplementName())); }
+ void revokeAuthorizationToken(const String&);
+
private:
Page& m_page;
GeolocationClient& m_client;
Modified: trunk/Source/WebCore/platform/mock/GeolocationClientMock.cpp (256074 => 256075)
--- trunk/Source/WebCore/platform/mock/GeolocationClientMock.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/platform/mock/GeolocationClientMock.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -120,7 +120,7 @@
// which fire synchronously from Geolocation::setIsAllowed() cannot reentrantly modify
// m_pendingPermission.
for (GeolocationSet::iterator it = m_pendingPermission.begin(); it != end; ++it)
- (*it)->setIsAllowed(allowed);
+ (*it)->setIsAllowed(allowed, { });
m_pendingPermission.clear();
}
@@ -136,9 +136,10 @@
ASSERT(!m_isActive);
}
-void GeolocationClientMock::startUpdating()
+void GeolocationClientMock::startUpdating(const String& authorizationToken)
{
ASSERT(!m_isActive);
+ UNUSED_PARAM(authorizationToken);
m_isActive = true;
asyncUpdateController();
}
Modified: trunk/Source/WebCore/platform/mock/GeolocationClientMock.h (256074 => 256075)
--- trunk/Source/WebCore/platform/mock/GeolocationClientMock.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebCore/platform/mock/GeolocationClientMock.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -59,7 +59,7 @@
// GeolocationClient
void geolocationDestroyed() override;
- void startUpdating() override;
+ void startUpdating(const String& authorizationToken) override;
void stopUpdating() override;
void setEnableHighAccuracy(bool) override;
Optional<GeolocationPositionData> lastPosition() override;
Modified: trunk/Source/WebKit/ChangeLog (256074 => 256075)
--- trunk/Source/WebKit/ChangeLog 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/ChangeLog 2020-02-07 23:39:01 UTC (rev 256075)
@@ -1,3 +1,41 @@
+2020-02-07 Chris Dumez <[email protected]>
+
+ [Hardening] Validate Geolocation access permission on UIProcess side
+ https://bugs.webkit.org/show_bug.cgi?id=207393
+ <rdar://problem/56816051>
+
+ Reviewed by Brent Fulgham.
+
+ * UIProcess/GeolocationPermissionRequestManagerProxy.cpp:
+ (WebKit::GeolocationPermissionRequestManagerProxy::didReceiveGeolocationPermissionDecision):
+ (WebKit::GeolocationPermissionRequestManagerProxy::isValidAuthorizationToken const):
+ (WebKit::GeolocationPermissionRequestManagerProxy::revokeAuthorizationToken):
+ * UIProcess/GeolocationPermissionRequestManagerProxy.h:
+ * UIProcess/WebGeolocationManagerProxy.cpp:
+ (WebKit::WebGeolocationManagerProxy::startUpdating):
+ * UIProcess/WebGeolocationManagerProxy.h:
+ * UIProcess/WebGeolocationManagerProxy.messages.in:
+ * UIProcess/WebPageProxy.cpp:
+ * UIProcess/WebPageProxy.h:
+ (WebKit::WebPageProxy::geolocationPermissionRequestManager):
+ * UIProcess/WebPageProxy.messages.in:
+ * WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp:
+ (WebKit::GeolocationPermissionRequestManager::startRequestForGeolocation):
+ (WebKit::GeolocationPermissionRequestManager::revokeAuthorizationToken):
+ (WebKit::GeolocationPermissionRequestManager::didReceiveGeolocationPermissionDecision):
+ * WebProcess/Geolocation/GeolocationPermissionRequestManager.h:
+ * WebProcess/Geolocation/WebGeolocationManager.cpp:
+ (WebKit::WebGeolocationManager::registerWebPage):
+ * WebProcess/Geolocation/WebGeolocationManager.h:
+ * WebProcess/WebCoreSupport/WebGeolocationClient.cpp:
+ (WebKit::WebGeolocationClient::startUpdating):
+ (WebKit::WebGeolocationClient::revokeAuthorizationToken):
+ * WebProcess/WebCoreSupport/WebGeolocationClient.h:
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::didReceiveGeolocationPermissionDecision):
+ * WebProcess/WebPage/WebPage.h:
+ * WebProcess/WebPage/WebPage.messages.in:
+
2020-02-07 Alex Christensen <[email protected]>
Remember if we used legacy TLS in the back/forward cache like we remember if we have only secure content
Modified: trunk/Source/WebKit/UIProcess/GeolocationPermissionRequestManagerProxy.cpp (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/GeolocationPermissionRequestManagerProxy.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/GeolocationPermissionRequestManagerProxy.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -29,6 +29,7 @@
#include "WebPageMessages.h"
#include "WebPageProxy.h"
#include "WebProcessProxy.h"
+#include <wtf/UUID.h>
namespace WebKit {
@@ -62,7 +63,10 @@
return;
#if ENABLE(GEOLOCATION)
- m_page.process().send(Messages::WebPage::DidReceiveGeolocationPermissionDecision(geolocationID, allowed), m_page.webPageID());
+ String authorizationToken = allowed ? createCanonicalUUIDString() : String();
+ if (!authorizationToken.isNull())
+ m_validAuthorizationTokens.add(authorizationToken);
+ m_page.process().send(Messages::WebPage::DidReceiveGeolocationPermissionDecision(geolocationID, authorizationToken), m_page.webPageID());
#else
UNUSED_PARAM(allowed);
#endif
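Review bot: Tokens added to `m_validAuthorizationTokens` here are only ever removed by `revokeAuthorizationToken()`, which in this commit is reached solely from a message the WebProcess chooses to send. A WebProcess that crashes, or is compromised, never sends it, so previously issued tokens appear to stay valid for as long as this proxy lives. Consider clearing the set wherever this manager's pending requests are invalidated (that code is outside the hunk), and add a comment on the member stating which events end a token's validity. The function body starts outside the hunk.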
@@ -70,4 +74,17 @@
m_pendingRequests.remove(it);
}
+bool GeolocationPermissionRequestManagerProxy::isValidAuthorizationToken(const String& authorizationToken) const
+{
+ return !authorizationToken.isNull() && m_validAuthorizationTokens.contains(authorizationToken);
+}
+
+void GeolocationPermissionRequestManagerProxy::revokeAuthorizationToken(const String& authorizationToken)
+{
+ ASSERT(isValidAuthorizationToken(authorizationToken));
+ if (!isValidAuthorizationToken(authorizationToken))
+ return;
+ m_validAuthorizationTokens.remove(authorizationToken);
+}
+
} // namespace WebKit
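Review bot: `ASSERT(isValidAuthorizationToken(authorizationToken))` in `revokeAuthorizationToken()` fires on a string that arrives from the WebProcess through `RevokeGeolocationAuthorizationToken`, so a debug UIProcess can be brought down by a bad message while release builds silently ignore it. Input that crosses the process boundary is better rejected with the IPC message check used in `WebGeolocationManagerProxy::startUpdating`, applied in `WebPageProxy::revokeGeolocationAuthorizationToken`, leaving this function free of the assertion. The lookup is also done twice; `m_validAuthorizationTokens.remove(authorizationToken);` alone is enough once the null case is excluded with `if (authorizationToken.isNull()) return;`.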
Modified: trunk/Source/WebKit/UIProcess/GeolocationPermissionRequestManagerProxy.h (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/GeolocationPermissionRequestManagerProxy.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/GeolocationPermissionRequestManagerProxy.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -45,8 +45,12 @@
// Called by GeolocationPermissionRequestProxy when a decision is made by the user.
void didReceiveGeolocationPermissionDecision(uint64_t, bool allow);
+ bool isValidAuthorizationToken(const String&) const;
+ void revokeAuthorizationToken(const String&);
+
private:
HashMap<uint64_t, RefPtr<GeolocationPermissionRequestProxy>> m_pendingRequests;
+ HashSet<String> m_validAuthorizationTokens;
WebPageProxy& m_page;
};
Modified: trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.cpp (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -27,11 +27,14 @@
#include "WebGeolocationManagerProxy.h"
#include "APIGeolocationProvider.h"
+#include "Logging.h"
#include "WebGeolocationManagerMessages.h"
#include "WebGeolocationManagerProxyMessages.h"
#include "WebGeolocationPosition.h"
#include "WebProcessPool.h"
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, (&connection))
+
namespace WebKit {
const char* WebGeolocationManagerProxy::supplementName()
@@ -111,8 +114,14 @@
}
#endif
-void WebGeolocationManagerProxy::startUpdating(IPC::Connection& connection)
+void WebGeolocationManagerProxy::startUpdating(IPC::Connection& connection, WebPageProxyIdentifier pageProxyID, const String& authorizationToken)
{
+ auto* page = WebProcessProxy::webPage(pageProxyID);
+ MESSAGE_CHECK(page);
+
+ auto isValidAuthorizationToken = page->geolocationPermissionRequestManager().isValidAuthorizationToken(authorizationToken);
+ MESSAGE_CHECK(isValidAuthorizationToken);
+
bool wasUpdating = isUpdating();
m_updateRequesters.add(&connection.client());
if (!wasUpdating) {
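Review bot: `WebProcessProxy::webPage(pageProxyID)` resolves the page from the identifier in the message alone, and nothing in `startUpdating` checks that the page belongs to the process behind `connection`. The token is therefore validated against whichever page the sender names rather than against the sender's own pages, so the protection rests on tokens being unguessable. Binding the two, for example `MESSAGE_CHECK(page->process().connection() == &connection);` after the null check (accessor names to be confirmed against `WebPageProxy`/`WebProcessProxy`), would close that. The function body continues outside the hunk.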
@@ -159,3 +168,5 @@
}
} // namespace WebKit
+
+#undef MESSAGE_CHECK
Modified: trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.h (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -29,6 +29,7 @@
#include "Connection.h"
#include "MessageReceiver.h"
#include "WebContextSupplement.h"
+#include "WebPageProxyIdentifier.h"
#include <WebCore/GeolocationPositionData.h>
#include <wtf/HashSet.h>
#include <wtf/text/WTFString.h>
@@ -75,7 +76,7 @@
bool isUpdating() const { return !m_updateRequesters.isEmpty(); }
bool isHighAccuracyEnabled() const { return !m_highAccuracyRequesters.isEmpty(); }
- void startUpdating(IPC::Connection&);
+ void startUpdating(IPC::Connection&, WebPageProxyIdentifier, const String& authorizationToken);
void stopUpdating(IPC::Connection&);
void removeRequester(const IPC::Connection::Client*);
void setEnableHighAccuracy(IPC::Connection&, bool);
Modified: trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.messages.in (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.messages.in 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/WebGeolocationManagerProxy.messages.in 2020-02-07 23:39:01 UTC (rev 256075)
@@ -21,7 +21,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
messages -> WebGeolocationManagerProxy {
- StartUpdating() WantsConnection
+ StartUpdating(WebKit::WebPageProxyIdentifier pageProxyID, String authorizationToken) WantsConnection
StopUpdating() WantsConnection
SetEnableHighAccuracy(bool enabled) WantsConnection
}
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -7837,6 +7837,11 @@
completionHandler(false);
}
+void WebPageProxy::revokeGeolocationAuthorizationToken(const String& authorizationToken)
+{
+ m_geolocationPermissionRequestManager.revokeAuthorizationToken(authorizationToken);
+}
+
#if ENABLE(MEDIA_STREAM)
UserMediaPermissionRequestManagerProxy& WebPageProxy::userMediaPermissionRequestManager()
{
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -474,6 +474,7 @@
void didExitFullscreen();
WebInspectorProxy* inspector() const;
+ GeolocationPermissionRequestManagerProxy& geolocationPermissionRequestManager() { return m_geolocationPermissionRequestManager; }
void resourceLoadDidSendRequest(ResourceLoadInfo&&, WebCore::ResourceRequest&&);
void resourceLoadDidPerformHTTPRedirection(ResourceLoadInfo&&, WebCore::ResourceResponse&&, WebCore::ResourceRequest&&);
@@ -1828,7 +1829,9 @@
void printFrame(WebCore::FrameIdentifier, CompletionHandler<void()>&&);
void exceededDatabaseQuota(WebCore::FrameIdentifier, const String& originIdentifier, const String& databaseName, const String& displayName, uint64_t currentQuota, uint64_t currentOriginUsage, uint64_t currentDatabaseUsage, uint64_t expectedUsage, Messages::WebPageProxy::ExceededDatabaseQuotaDelayedReply&&);
void reachedApplicationCacheOriginQuota(const String& originIdentifier, uint64_t currentQuota, uint64_t totalBytesNeeded, Messages::WebPageProxy::ReachedApplicationCacheOriginQuotaDelayedReply&&);
+
void requestGeolocationPermissionForFrame(uint64_t geolocationID, WebCore::FrameIdentifier, String originIdentifier);
+ void revokeGeolocationAuthorizationToken(const String& authorizationToken);
#if PLATFORM(GTK) || PLATFORM(WPE)
void sendMessageToWebView(UserMessage&&);
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.messages.in (256074 => 256075)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.messages.in 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.messages.in 2020-02-07 23:39:01 UTC (rev 256075)
@@ -284,6 +284,7 @@
# Geolocation messages
RequestGeolocationPermissionForFrame(uint64_t geolocationID, WebCore::FrameIdentifier frameID, String originIdentifier)
+ RevokeGeolocationAuthorizationToken(String authorizationToken);
#if ENABLE(MEDIA_STREAM)
# MediaSteam messages
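Review bot: The new line `RevokeGeolocationAuthorizationToken(String authorizationToken);` ends with a semicolon, unlike the neighbouring `RequestGeolocationPermissionForFrame(...)` entry. Dropping it keeps the message list consistent: `RevokeGeolocationAuthorizationToken(String authorizationToken)`.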
Modified: trunk/Source/WebKit/WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -59,7 +59,7 @@
ASSERT_WITH_MESSAGE(frame, "It is not well understood in which cases the Geolocation is alive after its frame goes away. If you hit this assertion, please add a test covering this case.");
if (!frame) {
- geolocation.setIsAllowed(false);
+ geolocation.setIsAllowed(false, { });
return;
}
@@ -76,6 +76,11 @@
m_page.send(Messages::WebPageProxy::RequestGeolocationPermissionForFrame(geolocationID, webFrame->frameID(), origin.data().databaseIdentifier()));
}
+void GeolocationPermissionRequestManager::revokeAuthorizationToken(const String& authorizationToken)
+{
+ m_page.send(Messages::WebPageProxy::RevokeGeolocationAuthorizationToken(authorizationToken));
+}
+
void GeolocationPermissionRequestManager::cancelRequestForGeolocation(Geolocation& geolocation)
{
uint64_t geolocationID = m_geolocationToIDMap.take(&geolocation);
@@ -84,7 +89,7 @@
m_idToGeolocationMap.remove(geolocationID);
}
-void GeolocationPermissionRequestManager::didReceiveGeolocationPermissionDecision(uint64_t geolocationID, bool allowed)
+void GeolocationPermissionRequestManager::didReceiveGeolocationPermissionDecision(uint64_t geolocationID, const String& authorizationToken)
{
Geolocation* geolocation = m_idToGeolocationMap.take(geolocationID);
if (!geolocation)
@@ -91,7 +96,7 @@
return;
m_geolocationToIDMap.remove(geolocation);
- geolocation->setIsAllowed(allowed);
+ geolocation->setIsAllowed(!authorizationToken.isNull(), authorizationToken);
}
} // namespace WebKit
Modified: trunk/Source/WebKit/WebProcess/Geolocation/GeolocationPermissionRequestManager.h (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/Geolocation/GeolocationPermissionRequestManager.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/Geolocation/GeolocationPermissionRequestManager.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -43,8 +43,9 @@
void startRequestForGeolocation(WebCore::Geolocation&);
void cancelRequestForGeolocation(WebCore::Geolocation&);
+ void revokeAuthorizationToken(const String&);
- void didReceiveGeolocationPermissionDecision(uint64_t geolocationID, bool allowed);
+ void didReceiveGeolocationPermissionDecision(uint64_t geolocationID, const String& authorizationToken);
private:
typedef HashMap<uint64_t, WebCore::Geolocation*> IDToGeolocationMap;
Modified: trunk/Source/WebKit/WebProcess/Geolocation/WebGeolocationManager.cpp (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/Geolocation/WebGeolocationManager.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/Geolocation/WebGeolocationManager.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -50,7 +50,7 @@
m_process.addMessageReceiver(Messages::WebGeolocationManager::messageReceiverName(), *this);
}
-void WebGeolocationManager::registerWebPage(WebPage& page)
+void WebGeolocationManager::registerWebPage(WebPage& page, const String& authorizationToken)
{
bool wasUpdating = isUpdating();
@@ -57,7 +57,7 @@
m_pageSet.add(&page);
if (!wasUpdating)
- m_process.parentProcessConnection()->send(Messages::WebGeolocationManagerProxy::StartUpdating(), 0);
+ m_process.parentProcessConnection()->send(Messages::WebGeolocationManagerProxy::StartUpdating(page.webPageProxyIdentifier(), authorizationToken), 0);
}
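Review bot: `StartUpdating` carries a token only when `!wasUpdating`, so only the first page registered in this WebProcess is ever validated by the UIProcess. Pages registered afterwards are added to `m_pageSet` without their `authorizationToken` being used at all. The check is thus per process rather than per page, which the ChangeLog's description does not make obvious. If that is the intended scope, document it above the send, e.g. `// Only the first page's token is validated; later pages in this process share the update stream.`; otherwise each registration needs its own validated message.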
void WebGeolocationManager::unregisterWebPage(WebPage& page)
Modified: trunk/Source/WebKit/WebProcess/Geolocation/WebGeolocationManager.h (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/Geolocation/WebGeolocationManager.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/Geolocation/WebGeolocationManager.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -51,7 +51,7 @@
static const char* supplementName();
- void registerWebPage(WebPage&);
+ void registerWebPage(WebPage&, const String& authorizationToken);
void unregisterWebPage(WebPage&);
void setEnableHighAccuracyForPage(WebPage&, bool);
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.cpp (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -48,9 +48,9 @@
delete this;
}
-void WebGeolocationClient::startUpdating()
+void WebGeolocationClient::startUpdating(const String& authorizationToken)
{
- WebProcess::singleton().supplement<WebGeolocationManager>()->registerWebPage(m_page);
+ WebProcess::singleton().supplement<WebGeolocationManager>()->registerWebPage(m_page, authorizationToken);
}
void WebGeolocationClient::stopUpdating()
@@ -73,6 +73,11 @@
m_page.geolocationPermissionRequestManager().startRequestForGeolocation(geolocation);
}
+void WebGeolocationClient::revokeAuthorizationToken(const String& authorizationToken)
+{
+ m_page.geolocationPermissionRequestManager().revokeAuthorizationToken(authorizationToken);
+}
+
void WebGeolocationClient::cancelPermissionRequest(Geolocation& geolocation)
{
m_page.geolocationPermissionRequestManager().cancelRequestForGeolocation(geolocation);
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.h (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -44,8 +44,9 @@
private:
void geolocationDestroyed() override;
- void startUpdating() override;
+ void startUpdating(const String& authorizationToken) override;
void stopUpdating() override;
+ void revokeAuthorizationToken(const String&) override;
void setEnableHighAccuracy(bool) override;
Optional<WebCore::GeolocationPositionData> lastPosition() override;
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -4231,9 +4231,9 @@
#endif
#if ENABLE(GEOLOCATION)
-void WebPage::didReceiveGeolocationPermissionDecision(uint64_t geolocationID, bool allowed)
+void WebPage::didReceiveGeolocationPermissionDecision(uint64_t geolocationID, const String& authorizationToken)
{
- geolocationPermissionRequestManager().didReceiveGeolocationPermissionDecision(geolocationID, allowed);
+ geolocationPermissionRequestManager().didReceiveGeolocationPermissionDecision(geolocationID, authorizationToken);
}
#endif
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.h (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -1543,7 +1543,7 @@
void extendSandboxForFilesFromOpenPanel(SandboxExtension::HandleArray&&);
#endif
- void didReceiveGeolocationPermissionDecision(uint64_t geolocationID, bool allowed);
+ void didReceiveGeolocationPermissionDecision(uint64_t geolocationID, const String& authorizationToken);
void didReceiveNotificationPermissionDecision(uint64_t notificationID, bool allowed);
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in (256074 => 256075)
--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.messages.in 2020-02-07 23:39:01 UTC (rev 256075)
@@ -358,7 +358,7 @@
#if ENABLE(GEOLOCATION)
# Geolocation
- DidReceiveGeolocationPermissionDecision(uint64_t geolocationID, bool allowed)
+ DidReceiveGeolocationPermissionDecision(uint64_t geolocationID, String authorizationToken)
#endif
#if ENABLE(MEDIA_STREAM)
Modified: trunk/Source/WebKitLegacy/ios/WebCoreSupport/WebGeolocation.mm (256074 => 256075)
--- trunk/Source/WebKitLegacy/ios/WebCoreSupport/WebGeolocation.mm 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/ios/WebCoreSupport/WebGeolocation.mm 2020-02-07 23:39:01 UTC (rev 256075)
@@ -50,7 +50,7 @@
- (void)setIsAllowed:(BOOL)allowed
{
- reinterpret_cast<Geolocation*>(_private)->setIsAllowed(allowed);
+ reinterpret_cast<Geolocation*>(_private)->setIsAllowed(allowed, { });
}
- (void)dealloc
Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (256074 => 256075)
--- trunk/Source/WebKitLegacy/mac/ChangeLog 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog 2020-02-07 23:39:01 UTC (rev 256075)
@@ -1,3 +1,18 @@
+2020-02-07 Chris Dumez <[email protected]>
+
+ [Hardening] Validate Geolocation access permission on UIProcess side
+ https://bugs.webkit.org/show_bug.cgi?id=207393
+ <rdar://problem/56816051>
+
+ Reviewed by Brent Fulgham.
+
+ * WebCoreSupport/WebGeolocationClient.h:
+ * WebCoreSupport/WebGeolocationClient.mm:
+ (WebGeolocationClient::startUpdating):
+ (WebGeolocationClient::requestPermission):
+ (-[WebGeolocationPolicyListener allow]):
+ (-[WebGeolocationPolicyListener deny]):
+
2020-02-07 Alex Christensen <[email protected]>
Remember if we used legacy TLS in the back/forward cache like we remember if we have only secure content
Modified: trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebGeolocationClient.h (256074 => 256075)
--- trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebGeolocationClient.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebGeolocationClient.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -39,7 +39,7 @@
WebView *webView() { return m_webView; }
void geolocationDestroyed() override;
- void startUpdating() override;
+ void startUpdating(const String& authorizationToken) override;
void stopUpdating() override;
#if PLATFORM(IOS_FAMILY)
// FIXME: unify this with Mac on OpenSource.
Modified: trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebGeolocationClient.mm (256074 => 256075)
--- trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebGeolocationClient.mm 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebGeolocationClient.mm 2020-02-07 23:39:01 UTC (rev 256075)
@@ -83,8 +83,9 @@
delete this;
}
-void WebGeolocationClient::startUpdating()
+void WebGeolocationClient::startUpdating(const String& authorizationToken)
{
+ UNUSED_PARAM(authorizationToken);
[[m_webView _geolocationProvider] registerWebView:m_webView];
}
@@ -108,7 +109,7 @@
SEL selector = @selector(webView:decidePolicyForGeolocationRequestFromOrigin:frame:listener:);
if (![[m_webView UIDelegate] respondsToSelector:selector]) {
- geolocation.setIsAllowed(false);
+ geolocation.setIsAllowed(false, { });
return;
}
@@ -116,7 +117,7 @@
Frame *frame = geolocation.frame();
if (!frame) {
- geolocation.setIsAllowed(false);
+ geolocation.setIsAllowed(false, { });
return;
}
@@ -152,12 +153,12 @@
- (void)allow
{
- _geolocation->setIsAllowed(true);
+ _geolocation->setIsAllowed(true, { });
}
- (void)deny
{
- _geolocation->setIsAllowed(false);
+ _geolocation->setIsAllowed(false, { });
}
@end
@@ -177,7 +178,7 @@
- (void)allow
{
WebThreadRun(^{
- _geolocation->setIsAllowed(true);
+ _geolocation->setIsAllowed(true, { });
});
}
@@ -184,7 +185,7 @@
- (void)deny
{
WebThreadRun(^{
- _geolocation->setIsAllowed(false);
+ _geolocation->setIsAllowed(false, { });
});
}
@@ -235,7 +236,7 @@
- (void)initializationDeniedWebView:(WebView *)webView
{
- m_geolocation->setIsAllowed(false);
+ m_geolocation->setIsAllowed(false, { });
}
@end
#endif // PLATFORM(IOS_FAMILY)
Modified: trunk/Source/WebKitLegacy/win/ChangeLog (256074 => 256075)
--- trunk/Source/WebKitLegacy/win/ChangeLog 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/win/ChangeLog 2020-02-07 23:39:01 UTC (rev 256075)
@@ -1,3 +1,15 @@
+2020-02-07 Chris Dumez <[email protected]>
+
+ [Hardening] Validate Geolocation access permission on UIProcess side
+ https://bugs.webkit.org/show_bug.cgi?id=207393
+ <rdar://problem/56816051>
+
+ Reviewed by Brent Fulgham.
+
+ * WebCoreSupport/WebGeolocationClient.cpp:
+ (WebGeolocationClient::startUpdating):
+ * WebCoreSupport/WebGeolocationClient.h:
+
2020-02-07 Alex Christensen <[email protected]>
Remember if we used legacy TLS in the back/forward cache like we remember if we have only secure content
Modified: trunk/Source/WebKitLegacy/win/WebCoreSupport/WebGeolocationClient.cpp (256074 => 256075)
--- trunk/Source/WebKitLegacy/win/WebCoreSupport/WebGeolocationClient.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/win/WebCoreSupport/WebGeolocationClient.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -48,8 +48,9 @@
delete this;
}
-void WebGeolocationClient::startUpdating()
+void WebGeolocationClient::startUpdating(const String& authorizationToken)
{
+ UNUSED_PARAM(authorizationToken);
COMPtr<IWebGeolocationProvider> provider;
if (FAILED(m_webView->geolocationProvider(&provider)))
return;
@@ -79,13 +80,13 @@
{
COMPtr<IWebUIDelegate> uiDelegate;
if (FAILED(m_webView->uiDelegate(&uiDelegate))) {
- geolocation.setIsAllowed(false);
+ geolocation.setIsAllowed(false, { });
return;
}
COMPtr<IWebUIDelegatePrivate2> uiDelegatePrivate2(Query, uiDelegate);
if (!uiDelegatePrivate2) {
- geolocation.setIsAllowed(false);
+ geolocation.setIsAllowed(false, { });
return;
}
@@ -96,5 +97,5 @@
if (hr != E_NOTIMPL)
return;
- geolocation.setIsAllowed(false);
+ geolocation.setIsAllowed(false, { });
}
Modified: trunk/Source/WebKitLegacy/win/WebCoreSupport/WebGeolocationClient.h (256074 => 256075)
--- trunk/Source/WebKitLegacy/win/WebCoreSupport/WebGeolocationClient.h 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/win/WebCoreSupport/WebGeolocationClient.h 2020-02-07 23:39:01 UTC (rev 256075)
@@ -41,7 +41,7 @@
WebGeolocationClient(WebView*);
void geolocationDestroyed() final;
- void startUpdating() final;
+ void startUpdating(const String& authorizationToken) final;
void stopUpdating() final;
void setEnableHighAccuracy(bool) final { }
Optional<WebCore::GeolocationPositionData> lastPosition() final;
Modified: trunk/Source/WebKitLegacy/win/WebGeolocationPolicyListener.cpp (256074 => 256075)
--- trunk/Source/WebKitLegacy/win/WebGeolocationPolicyListener.cpp 2020-02-07 23:38:17 UTC (rev 256074)
+++ trunk/Source/WebKitLegacy/win/WebGeolocationPolicyListener.cpp 2020-02-07 23:39:01 UTC (rev 256075)
@@ -87,12 +87,12 @@
HRESULT WebGeolocationPolicyListener::allow()
{
- m_geolocation->setIsAllowed(true);
+ m_geolocation->setIsAllowed(true, { });
return S_OK;
}
HRESULT WebGeolocationPolicyListener::deny()
{
- m_geolocation->setIsAllowed(false);
+ m_geolocation->setIsAllowed(false, { });
return S_OK;
}