Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9e08e9d30f556cdfafa2962be997b4911f5f1b97
https://github.com/WebKit/WebKit/commit/9e08e9d30f556cdfafa2962be997b4911f5f1b97
Author: J Pascoe
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm
Log Message:
-----------
Cookies from AppSSO extension are getting stored in iframe even when CSP restricts page to be loaded in iframe
https://bugs.webkit.org/show_bug.cgi?id=264447
rdar://118121639
Reviewed by Brent Fulgham.
In https://bugs.webkit.org/show_bug.cgi?id=260100, we added CSP validation when setting cookies
in the response of an AppSSO request. However, in that patch, we consider CSP options that are
only relevant for i-frames in the redirect case. In NetworkResourceLoader::shouldInterruptLoadForXFrameOptions,
we do an early return in non-main frame cases, but do not in the check for AppSSO.
In SOAuthorizationCoordinator::tryAuthorize, it can be gleaned that a non-mainframe navigation implies
a SubFrameSOAuthorizationSession will be created. Therefore we only need to perform these i-frame specific
CSP checks whenever we have a SubFrameSOAuthorizationSession.
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForXFrameOptions): Deleted.
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): Deleted.
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h:
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm:
(WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForXFrameOptions):
(WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
Canonical link: https://commits.webkit.org/270422@main
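
The rule the log message arrives at (framing restrictions are evaluated only by the subframe session, and a blocked response must not have its cookies stored), as an added C++ sketch that is not WebKit's code. The type names, the shortened `shouldInterruptLoad` and `mayStoreCookies` methods, string origins and pre-parsed header fields are assumptions made for illustration.

```cpp
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

// Simplified model, not WebKit code. Header values are assumed parsed and lower-cased.
struct Response {
    std::string origin;                      // origin of the AppSSO response URL
    std::string xFrameOptions;               // "", "deny" or "sameorigin"
    bool hasFrameAncestors;                  // CSP frame-ancestors directive present
    std::vector<std::string> frameAncestors; // allowed origins or "'self'"; empty = 'none'
};

struct Session {
    virtual ~Session() = default;
    // Top-level navigation: nothing embeds the response, so no framing check applies.
    virtual bool shouldInterruptLoad(const Response&) const { return false; }
    bool mayStoreCookies(const Response& r) const { return !shouldInterruptLoad(r); }
};

struct SubFrameSession : Session {
    std::vector<std::string> ancestors; // parent first, top-level document last
    explicit SubFrameSession(std::vector<std::string> a) : ancestors(std::move(a)) {}

    bool shouldInterruptLoad(const Response& r) const override {
        if (r.hasFrameAncestors) {
            // When frame-ancestors is present it takes precedence over X-Frame-Options.
            for (const auto& a : ancestors) {
                bool ok = false;
                for (const auto& src : r.frameAncestors)
                    ok = ok || src == a || (src == "'self'" && a == r.origin);
                if (!ok) return true; // every ancestor must match some source
            }
            return false;
        }
        if (r.xFrameOptions == "deny") return true;
        if (r.xFrameOptions == "sameorigin")
            return !std::all_of(ancestors.begin(), ancestors.end(),
                                [&](const std::string& a) { return a == r.origin; });
        return false;
    }
};

int main() {
    Response r{"https://idp.example", "deny", false, {}}; // constructed sample response
    SubFrameSession sub(std::vector<std::string>{"https://app.example"});
    return (Session().mayStoreCookies(r) && !sub.mayStoreCookies(r)) ? 0 : 1;
}
```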
_______________________________________________
webkit-changes mailing list
https://lists.webkit.org/mailman/listinfo/webkit-changes