Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 273d78edc0aec695b593b815edf1527eed076d42
https://github.com/WebKit/WebKit/commit/273d78edc0aec695b593b815edf1527eed076d42
Author: Alex Christensen <[email protected]>
Date: 2023-05-03 (Wed, 03 May 2023)
Changed paths:
M Source/WebCore/Headers.cmake
M Source/WebCore/Modules/fetch/FetchRequest.cpp
M Source/WebCore/Modules/webaudio/BaseAudioContext.cpp
M Source/WebCore/Sources.txt
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
M Source/WebCore/css/CSSStyleSheet.cpp
M Source/WebCore/css/StyleSheetContents.cpp
M Source/WebCore/css/parser/CSSParserContext.cpp
M Source/WebCore/dom/ScriptExecutionContext.cpp
M Source/WebCore/html/HTMLAnchorElement.cpp
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext.cpp
M Source/WebCore/loader/CrossOriginAccessControl.cpp
M Source/WebCore/loader/CrossOriginAccessControl.h
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentThreadableLoader.cpp
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/NavigationAction.cpp
M Source/WebCore/loader/PingLoader.cpp
M Source/WebCore/loader/ResourceLoader.cpp
M Source/WebCore/loader/ResourceTiming.cpp
M Source/WebCore/loader/SubframeLoader.cpp
M Source/WebCore/loader/SubresourceLoader.cpp
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/loader/cache/CachedResourceRequest.cpp
M Source/WebCore/page/DragController.cpp
M Source/WebCore/page/History.cpp
M Source/WebCore/page/LocalDOMWindow.cpp
A Source/WebCore/page/OriginAccessPatterns.cpp
A Source/WebCore/page/OriginAccessPatterns.h
M Source/WebCore/page/SecurityOrigin.cpp
M Source/WebCore/page/SecurityOrigin.h
M Source/WebCore/page/SecurityPolicy.cpp
M Source/WebCore/page/SecurityPolicy.h
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/platform/graphics/MediaPlayer.cpp
M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
M Source/WebCore/platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.mm
M Source/WebCore/workers/AbstractWorker.cpp
M Source/WebCore/workers/shared/SharedWorker.cpp
M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
M Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp
M Source/WebKit/NetworkProcess/NetworkLoadChecker.h
A Source/WebKit/NetworkProcess/NetworkOriginAccessPatterns.cpp
A Source/WebKit/NetworkProcess/NetworkOriginAccessPatterns.h
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
M Source/WebKit/NetworkProcess/NetworkProcess.h
M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
M Source/WebKit/NetworkProcess/ServiceWorker/ServiceWorkerFetchTask.cpp
M Source/WebKit/NetworkProcess/cache/CacheStorageEngineCache.cpp
M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
M Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp
M Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp
M Source/WebKit/NetworkProcess/storage/CacheStorageCache.cpp
M Source/WebKit/Sources.txt
M Source/WebKit/WebKit.xcodeproj/project.pbxproj
M Source/WebKit/WebProcess/Plugins/PluginView.cpp
M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKitLegacy/mac/Plugins/WebPluginContainerCheck.mm
M Source/WebKitLegacy/mac/WebView/WebFrame.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm
Log Message:
-----------
SecurityPolicy::isAccessAllowed shouldn't use global UserContentURLPattern collection in network process
https://bugs.webkit.org/show_bug.cgi?id=256232
rdar://108273770

Reviewed by Tim Hatcher.

259976@main introduced a call to SecurityPolicy::allowAccessTo in the network process which allows CORS access to URLs matching a pattern. The problem was it allows CORS access for requests from all web content processes, not just the one from which the pattern came. This made users of WKWebViewConfiguration._corsDisablingPatterns have effects for all WKWebViews in the network process, even ones without CORS disabling patterns. This caused some HTTP Origin header fields to be missing, which caused subtle loading issues.

To fix the problem, I introduce an abstraction called OriginAccessPatterns. To keep the change minimal and straightforward, I introduce OriginAccessPatternsForWebProcess for use in the web process, which keeps the status quo for now. In the network process, however, I introduce NetworkOriginAccessPatterns which has the same scope as OriginAccessPatternsForWebProcess by being owned by the NetworkConnectionToWebProcess, but importantly it no longer has global scope in the network process. For a few uses of SecurityPolicy::isAccessAllowed outside of the web content process that don't have a clear mapping to a Page, I introduce EmptyOriginAccessPatterns which maintain the behavior we had before 259976@main.

Covered by a new unit test and the unit test added by 259976@main.

* Source/WebCore/Headers.cmake:
* Source/WebCore/Modules/fetch/FetchRequest.cpp:
(WebCore::computeReferrer):
* Source/WebCore/Modules/webaudio/BaseAudioContext.cpp:
(WebCore::BaseAudioContext::wouldTaintOrigin const):
* Source/WebCore/Sources.txt:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::canAccessRules const):
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::parseAuthorStyleSheet):
* Source/WebCore/css/parser/CSSParserContext.cpp:
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::canIncludeErrorDetails):
* Source/WebCore/html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::handleClick):
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::isSafeToLoadURL):
(WebCore::HTMLMediaElement::mediaPlayerReferrer const):
* Source/WebCore/html/canvas/CanvasRenderingContext.cpp:
(WebCore::CanvasRenderingContext::taintsOrigin):
* Source/WebCore/loader/CrossOriginAccessControl.cpp:
(WebCore::updateRequestReferrer):
(WebCore::createPotentialAccessControlRequest):
(WebCore::shouldCrossOriginResourcePolicyCancelLoad):
(WebCore::validateCrossOriginResourcePolicy):
* Source/WebCore/loader/CrossOriginAccessControl.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
(WebCore::DocumentThreadableLoader::redirectReceived):
(WebCore::DocumentThreadableLoader::isAllowedRedirect):
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::submitForm):
(WebCore::FrameLoader::loadFrameRequest):
(WebCore::FrameLoader::commitProvisionalLoad):
(WebCore::FrameLoader::loadResourceSynchronously):
(WebCore::createWindow):
* Source/WebCore/loader/NavigationAction.cpp:
(WebCore::shouldTreatAsSameOriginNavigation):
* Source/WebCore/loader/PingLoader.cpp:
(WebCore::PingLoader::loadImage):
(WebCore::PingLoader::sendPing):
(WebCore::PingLoader::sendViolationReport):
* Source/WebCore/loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::init):
(WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const):
(WebCore::ResourceLoader::isAllowedToAskUserForCredentials const):
* Source/WebCore/loader/ResourceTiming.cpp:
(WebCore::ResourceTiming::updateExposure):
* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
(WebCore::FrameLoader::SubframeLoader::loadSubframe):
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):
(WebCore::CachedResourceLoader::canRequestAfterRedirection const):
(WebCore::CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox const):
(WebCore::CachedResourceLoader::requestResource):
* Source/WebCore/loader/cache/CachedResourceRequest.cpp:
(WebCore::CachedResourceRequest::updateReferrerAndOriginHeaders):
(WebCore::isRequestCrossOrigin):
* Source/WebCore/page/DragController.cpp:
(WebCore::DragController::prepareForDragStart const):
(WebCore::DragController::startDrag):
* Source/WebCore/page/History.cpp:
(WebCore::History::stateObjectAdded):
* Source/WebCore/page/LocalDOMWindow.cpp:
(WebCore::LocalDOMWindow::createWindow):
* Source/WebCore/page/OriginAccessPatterns.cpp: Added.
(WebCore::OriginAccessPatternsForWebProcess::singleton):
(WebCore::WTF_REQUIRES_LOCK):
(WebCore::OriginAccessPatternsForWebProcess::allowAccessTo):
(WebCore::OriginAccessPatternsForWebProcess::anyPatternMatches const):
(WebCore::EmptyOriginAccessPatterns::singleton):
(WebCore::EmptyOriginAccessPatterns::anyPatternMatches const):
* Source/WebCore/page/OriginAccessPatterns.h: Added.
(WebCore::OriginAccessPatterns::~OriginAccessPatterns):
* Source/WebCore/page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::canRequest const):
(WebCore::SecurityOrigin::canDisplay const):
* Source/WebCore/page/SecurityOrigin.h:
* Source/WebCore/page/SecurityPolicy.cpp:
(WebCore::SecurityPolicy::generateReferrerHeader):
(WebCore::SecurityPolicy::generateOriginHeader):
(WebCore::SecurityPolicy::isAccessAllowed):
(WebCore::SecurityPolicy::allowAccessTo): Deleted.
* Source/WebCore/page/SecurityPolicy.h:
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::createURLForReporting const):
* Source/WebCore/platform/graphics/MediaPlayer.cpp:
(WebCore::MediaPlayer::isCrossOrigin const):
* Source/WebCore/platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.mm:
(-[WebCoreResourceHandleAsOperationQueueDelegate connection:willSendRequest:redirectResponse:]):
* Source/WebCore/workers/AbstractWorker.cpp:
(WebCore::AbstractWorker::resolveURL):
* Source/WebCore/workers/shared/SharedWorker.cpp:
(WebCore::SharedWorker::create):
* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::docLoaderFunc):
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::shouldAllowExternalLoad):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::setCORSDisablingPatterns):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
(WebKit::NetworkConnectionToWebProcess::originAccessPatterns):
* Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::isSameOrigin const):
(WebKit::NetworkLoadChecker::originAccessPatterns const):
(WebKit::performCORPCheck):
(WebKit::NetworkLoadChecker::validateResponse):
(WebKit::NetworkLoadChecker::continueCheckingRequest):
(WebKit::NetworkLoadChecker::checkCORSRedirectedRequest):
(WebKit::isSameOrigin): Deleted.
* Source/WebKit/NetworkProcess/NetworkLoadChecker.h:
* Source/WebKit/NetworkProcess/NetworkOriginAccessPatterns.cpp: Added.
(WebKit::NetworkOriginAccessPatterns::allowAccessTo):
(WebKit::NetworkOriginAccessPatterns::anyPatternMatches const):
* Source/WebKit/NetworkProcess/NetworkOriginAccessPatterns.h: Added.
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::setCORSDisablingPatterns):
* Source/WebKit/NetworkProcess/NetworkProcess.h:
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::isCrossOriginPrefetch const):
* Source/WebKit/NetworkProcess/ServiceWorker/ServiceWorkerFetchTask.cpp:
(WebKit::ServiceWorkerFetchTask::processResponse):
* Source/WebKit/NetworkProcess/cache/CacheStorageEngineCache.cpp:
(WebKit::CacheStorage::Cache::retrieveRecords):
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
* Source/WebKit/NetworkProcess/storage/CacheStorageCache.cpp:
(WebKit::CacheStorageCache::retrieveRecords):
* Source/WebKit/Sources.txt:
* Source/WebKit/WebKit.xcodeproj/project.pbxproj:
* Source/WebKit/WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::loadMainResource):
* Source/WebKit/WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::allowsFollowingLink const):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::parseAndAllowAccessToCORSDisablingPatterns):
* Source/WebKitLegacy/mac/Plugins/WebPluginContainerCheck.mm:
(-[WebPluginContainerCheck _isForbiddenFileLoad]):
* Source/WebKitLegacy/mac/WebView/WebFrame.mm:
(-[WebFrame _allowsFollowingLink:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SiteIsolation.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/263652@main
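
The scoping problem the log message describes, as an added illustration (a simplified model, not WebKit source and not part of this commit). Assumptions: URL-prefix matching stands in for UserContentURLPattern, the anyPatternMatches signature is simplified, and PrefixPatterns, Connection, globalPatterns and leaksToOtherConnection are hypothetical names.

```cpp
#include <string>
#include <vector>

static bool startsWith(const std::string& s, const std::string& p) {
    return s.compare(0, p.size(), p) == 0;
}

// Interface named in the log message; this signature is an assumption.
struct OriginAccessPatterns {
    virtual ~OriginAccessPatterns() = default;
    virtual bool anyPatternMatches(const std::string& url) const = 0;
};

// Hypothetical pattern set: prefix match stands in for UserContentURLPattern.
struct PrefixPatterns : OriginAccessPatterns {
    std::vector<std::string> prefixes;
    void allowAccessTo(const std::string& prefix) { prefixes.push_back(prefix); }
    bool anyPatternMatches(const std::string& url) const override {
        for (const auto& p : prefixes)
            if (startsWith(url, p)) return true;
        return false;
    }
};

// "Before": one collection shared by the whole (modelled) network process.
PrefixPatterns& globalPatterns() { static PrefixPatterns shared; return shared; }
// "After": each web content process connection owns its own collection.
struct Connection { PrefixPatterns patterns; };

// Simplified decision: same origin, or a CORS-disabling pattern matches.
bool isAccessAllowed(const std::string& origin, const std::string& url,
                     const OriginAccessPatterns& patterns) {
    return url == origin || startsWith(url, origin + "/") || patterns.anyPatternMatches(url);
}

// Constructed sample values: connection A opts in, connection B never does.
const std::string kPattern = "https://api.example/";
const std::string kOriginB = "https://b.example", kTarget = "https://api.example/data";

// Returns true when B, which registered nothing, is allowed to reach kTarget.
bool leaksToOtherConnection(bool globalScope) {
    Connection a, b;
    PrefixPatterns& forA = globalScope ? globalPatterns() : a.patterns;
    PrefixPatterns& forB = globalScope ? globalPatterns() : b.patterns;
    forA.allowAccessTo(kPattern); // A disables CORS checks for kPattern
    return isAccessAllowed(kOriginB, kTarget, forB);
}
int main() {
    return (leaksToOtherConnection(true) && !leaksToOtherConnection(false)) ? 0 : 1;
}
```

With the shared collection, A's pattern changes the decision for B; with a collection owned per connection, only A's own requests are affected.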