Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: abf0e2141d8fcb4c03002d0f8a2f51820c905b5c
      https://github.com/WebKit/WebKit/commit/abf0e2141d8fcb4c03002d0f8a2f51820c905b5c
  Author: Charlie Wolfe <[email protected]>
  Date:   2025-01-10 (Fri, 10 Jan 2025)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkProcess.h
    M Source/WebKit/NetworkProcess/NetworkSession.cpp
    M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp
    M Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm

  Log Message:
  -----------
  Data Isolation bypass via attacker controlled firstPartyForCookies
https://bugs.webkit.org/show_bug.cgi?id=283095
rdar://139818629

Reviewed by Matthew Finkel and Alex Christensen.

`NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or
empty firstPartyForCookies URLs. We tried to remove this in rdar://105733798 and rdar://107270673, but
we needed to revert both because there were rare and subtle bugs where certain requests would incorrectly
have about:blank set as their firstPartyForCookies, causing us to kill the WCP.

This patch is a lower risk change that removes the unconditional cookie access for requests that have an
empty firstPartyForCookies, but will not kill the WCP that is incorrectly sending an empty
firstPartyForCookies.

* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::createSocketChannel):
(WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookiesEnabled):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
(WebKit::NetworkConnectionToWebProcess::domCookiesForHost):
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::allowsFirstPartyForCookies):
* Source/WebKit/NetworkProcess/NetworkProcess.h:
* Source/WebKit/NetworkProcess/NetworkSession.cpp:
(WebKit::NetworkSession::addAllowedFirstPartyForCookies):
* Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
(WebKit::WebSWServerConnection::scheduleJobInServer):
* Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp:
(WebKit::WebSharedWorkerServerConnection::requestSharedWorker):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(EmptyFirstPartyForCookiesCookieRequestHeaderFieldValue)):

Originally-landed-as: 2815b4e29829. rdar://141317330
Canonical link: https://commits.webkit.org/288740@main
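
Added example (not part of the commit and not WebKit source): a simplified C++ model of the check the log message describes, showing the empty-firstPartyForCookies case moving from "always allowed" to "refused without killing the sender". The names CookieAccess, WebProcessPolicy, hostOf, checkBefore and checkAfter are hypothetical; that a non-allowlisted first party terminates the sender and that about:blank handling is unchanged are assumptions drawn from the log message.

```cpp
// Added illustration: simplified model, not WebKit source. All names are hypothetical.
#include <cstdio>
#include <string>
#include <unordered_set>

enum class CookieAccess { Allow, Deny, DenyAndTerminate };

// Hosts the privileged side has registered as valid first parties for one web content process.
struct WebProcessPolicy {
    std::unordered_set<std::string> allowedFirstParties;
};

// Crude host extraction for the model; a production check would need proper URL parsing.
static std::string hostOf(const std::string& url)
{
    auto start = url.find("://");
    if (start == std::string::npos)
        return {};
    start += 3;
    auto end = url.find_first_of("/:?#", start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Behaviour the log message describes before the change: empty and about:blank always pass.
CookieAccess checkBefore(const WebProcessPolicy& policy, const std::string& firstParty)
{
    if (firstParty.empty() || firstParty == "about:blank")
        return CookieAccess::Allow;
    return policy.allowedFirstParties.count(hostOf(firstParty)) ? CookieAccess::Allow : CookieAccess::DenyAndTerminate;
}

// After the change: an empty first party is refused, but the sender is not killed.
CookieAccess checkAfter(const WebProcessPolicy& policy, const std::string& firstParty)
{
    if (firstParty.empty())
        return CookieAccess::Deny;
    if (firstParty == "about:blank") // assumed unchanged; the log message only mentions the empty case
        return CookieAccess::Allow;
    return policy.allowedFirstParties.count(hostOf(firstParty)) ? CookieAccess::Allow : CookieAccess::DenyAndTerminate;
}

int main()
{
    WebProcessPolicy policy { { "example.com" } }; // constructed sample allowlist
    const char* inputs[] = { "", "about:blank", "https://example.com/a", "https://other.example/" };
    for (const char* url : inputs)
        std::printf("%-24s before=%d after=%d\n", url, static_cast<int>(checkBefore(policy, url)), static_cast<int>(checkAfter(policy, url)));
}
```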


