Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b0305b173106ba984cbc0475b3681daea137390c
      
https://github.com/WebKit/WebKit/commit/b0305b173106ba984cbc0475b3681daea137390c
  Author: Wenson Hsieh <[email protected]>
  Date:   2022-10-21 (Fri, 21 Oct 2022)

  Changed paths:
    M Source/WebCore/platform/network/DNS.cpp
    M Source/WebCore/platform/network/DNS.h
    M Source/WebKit/NetworkProcess/NetworkSession.cpp
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebCore/IPAddressTests.cpp

  Log Message:
  -----------
  Cap cookie lifetimes to 7 days for responses from third party IP addresses
https://bugs.webkit.org/show_bug.cgi?id=246477
rdar://100831206

Reviewed by John Wilander.

Safari currently caps the lifetime of cookies to 7 days, if third-party CNAME cloaking is detected. This helps to mitigate many instances where CNAME cloaking is used to store cookies on device (in the first party context) for far longer than a third party cookie would normally be allowed to; however, in the case where the resolved CNAME is empty, we end up skipping this mitigation altogether.

This means that websites can use direct A/AAAA records (instead of CNAME mapping) to cloak third party requests as first party and subsequently store cookies in the first party context, bypassing the aforementioned defense.

To strengthen our existing protections, we implement a heuristic to fall back on comparing resolved IP addresses only in the case where the resolved CNAME of the incoming response is empty. If the IP address of the response is _mostly_ different than the IP address of the main resource response (i.e. by comparing the matching subnet mask length of the two addresses), then we apply the same level of mitigation as we otherwise would for third party CNAMEs.

For now, the minimum matching subnet mask length to consider as "third party" or not is arbitrarily chosen to be half the IP address length (i.e. 16 for IPv4, and 64 for IPv6). This could be enhanced in the future, given facilities to query for the IP network block that contains the main resource's IP address and checking whether the incoming response address falls within that range.

* Source/WebCore/platform/network/DNS.cpp:
(WebCore::IPAddress::isolatedCopy const):

Add an `isolatedCopy` method, so that we're able to perform a cross-thread copy of `IPAddress`.

(WebCore::IPAddress::matchingNetMaskLength const):

Add a helper method to compute the length of the matching subnet mask between the current IP address and the given address. If the two IP addresses are of different families (i.e. v4 and v6), this method returns 0.

* Source/WebCore/platform/network/DNS.h:
(WebCore::IPAddress::fromSockAddrIn6):

Minor style fix - add a missing space after the initializer.

* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::shouldApplyCookiePolicyForThirdPartyCloaking const):

Adjust this to check for third party IP addresses, in the case where the incoming response's CNAME is empty.

(WebKit::NetworkDataTaskCocoa::updateFirstPartyInfoForSession):
(WebKit::shouldCapCookieExpiryForThirdPartyIPAddress):
(WebKit::NetworkDataTaskCocoa::applyCookiePolicyForThirdPartyCloaking):
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
(WebKit::NetworkDataTaskCocoa::shouldApplyCookiePolicyForThirdPartyCNAMECloaking const): Deleted.
(WebKit::NetworkDataTaskCocoa::applyCookiePolicyForThirdPartyCNAMECloaking): Deleted.

Rename these to reference "ThirdPartyCloaking" instead of "ThirdPartyCNAMECloaking", since this now applies to both.

* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/IPAddressTests.cpp: Added.
(TestWebKitAPI::TEST):

Add a couple of API tests to exercise the new functionality in `WebCore::IPAddress`.

Canonical link: https://commits.webkit.org/255849@main
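The heuristic the commit message describes (compare the main resource's resolved IP address with the response's resolved IP address, treat the response as third party when fewer than half the address bits match, and return a match length of 0 for mixed v4/v6 families) can be reproduced in a few dozen lines. The following is an added, self-contained illustration written for this page; it is not WebKit's `WebCore::IPAddress` or `NetworkDataTaskCocoa` code. The `IPAddress::parse` helper built on `inet_pton`, the free function `shouldCapCookieExpiry`, and the sample addresses are assumptions made here so the example runs stand-alone; only the method name `matchingNetMaskLength`, the "different families yield 0" rule, and the 16/64-bit thresholds come from the commit message.

```cpp
// Added example, not WebKit code: a stand-alone model of the "matching net mask
// length" heuristic from commit 255849@main, using plain POSIX socket types.
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

struct IPAddress {
    int family = AF_UNSPEC;   // AF_INET or AF_INET6 once parsed
    uint8_t bytes[16] = {};   // 4 bytes used for IPv4, 16 for IPv6

    // Assumed helper: parse dotted-quad or colon-hex text via inet_pton.
    static std::optional<IPAddress> parse(const std::string& text)
    {
        IPAddress address;
        if (inet_pton(AF_INET, text.c_str(), address.bytes) == 1) {
            address.family = AF_INET;
            return address;
        }
        if (inet_pton(AF_INET6, text.c_str(), address.bytes) == 1) {
            address.family = AF_INET6;
            return address;
        }
        return std::nullopt;
    }

    unsigned lengthInBytes() const { return family == AF_INET ? 4 : 16; }

    // Number of leading bits this address shares with `other`.
    // As in the commit message, addresses of different families match 0 bits.
    unsigned matchingNetMaskLength(const IPAddress& other) const
    {
        if (family != other.family)
            return 0;
        unsigned matched = 0;
        for (unsigned i = 0; i < lengthInBytes(); ++i) {
            uint8_t diff = bytes[i] ^ other.bytes[i];
            if (!diff) {
                matched += 8;
                continue;
            }
            // First differing byte: count its leading zero bits, then stop.
            for (int bit = 7; bit >= 0 && !(diff & (1u << bit)); --bit)
                ++matched;
            break;
        }
        return matched;
    }
};

// Threshold from the commit message: half the address length,
// i.e. 16 bits for IPv4 and 64 bits for IPv6.
unsigned minimumMatchingNetMaskLength(const IPAddress& address)
{
    return address.lengthInBytes() * 8 / 2;
}

// The empty-CNAME fallback decision: cap cookie lifetime when the response
// address is "mostly" different from the main resource address.
bool shouldCapCookieExpiryForThirdPartyIPAddress(const IPAddress& mainResourceAddress,
                                                 const IPAddress& responseAddress)
{
    return responseAddress.matchingNetMaskLength(mainResourceAddress)
        < minimumMatchingNetMaskLength(mainResourceAddress);
}

// Assumed string-level convenience wrapper; nullopt when either address is unparseable.
std::optional<bool> shouldCapCookieExpiry(const std::string& mainResource, const std::string& response)
{
    auto a = IPAddress::parse(mainResource);
    auto b = IPAddress::parse(response);
    if (!a || !b)
        return std::nullopt;
    return shouldCapCookieExpiryForThirdPartyIPAddress(*a, *b);
}

int main()
{
    // Constructed sample pairs (documentation/private ranges, not real sites).
    const char* pairs[][2] = {
        { "192.168.1.10", "192.168.1.20" },  // same /24: 27 matching bits, not capped
        { "192.168.1.10", "192.200.1.10" },  // only 9 matching bits: capped
        { "2001:db8::1", "2001:db8::2" },    // 126 matching bits: not capped
        { "2001:db8::1", "2001:db9::1" },    // 31 matching bits: capped
        { "10.0.0.1", "::1" },               // mixed families: 0 bits, capped
    };
    for (auto& pair : pairs) {
        auto capped = shouldCapCookieExpiry(pair[0], pair[1]);
        std::printf("%-14s vs %-14s -> %s\n", pair[0], pair[1],
                    capped ? (*capped ? "cap to 7 days" : "no cap") : "parse error");
    }
    return 0;
}
```

The whole-byte loop plus a leading-zero count on the first differing byte is equivalent to comparing the two addresses bit by bit, and it also makes the commit's caveat visible: a /16 threshold lets two unrelated hosts in one large provider block pass as "first party", which is why the message suggests replacing the fixed threshold with a real network-block lookup later.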


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes