Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 647e80ac22b36756d0b194b3f0526fae8f62447a
      https://github.com/WebKit/WebKit/commit/647e80ac22b36756d0b194b3f0526fae8f62447a
  Author: Kiet Ho <kiet...@apple.com>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    A LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document-expected.txt
    A LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document.html
    A LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document-expected.txt
    A LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document.html
    M LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt
    M Source/WebCore/css/CSSImportRule.cpp
    M Source/WebCore/css/CSSStyleSheet.cpp
    M Source/WebCore/css/CSSStyleSheet.h
    M Source/WebCore/dom/ProcessingInstruction.cpp
    M Source/WebCore/html/HTMLLinkElement.cpp

  Log Message:
  -----------
  Tighten up cross-site access to CSSStyleSheet
rdar://148513087
https://bugs.webkit.org/show_bug.cgi?id=290992

Reviewed by Youenn Fablet.

CSSStyleSheet::canAccessRules() gates access to rules within
CSSStyleSheet, depending on whether the JS code and stylesheet come
from the same origin.

bool CSSStyleSheet::canAccessRules() const
{
    if (m_isOriginClean)                      // (1)
        return m_isOriginClean.value();

    URL baseURL = m_contents->baseURL();      // (2)
    if (baseURL.isEmpty())
        return true;
    Document* document = ownerDocument();     // (3)
    if (!document)
        return true;                          // (4)
    return document->protectedSecurityOrigin()->canRequest(baseURL, OriginAccessPatternsForWebProcess::singleton()); // (5)
}

If CSSStyleSheet is constructed with an explicit same-origin flag, (which
indicates the origin status of the JS code and stylesheet), that flag is
used (1). Otherwise, it manually checks the origin:

* get the base URL of the stylesheet (2)
* get the document owner of the CSSStyleSheet
  (also the document that the JS code is in) (3)
* check whether the JS code and the stylesheet are same-origin (5)

There's a bug at (4) - it grants access if the CSSStyleSheet doesn't
belong to a Document. Malicious JS code can manipulate a cross-origin
CSSStyleSheet into this state:

* If the CSSStyleSheet comes from HTMLLinkElement.sheet (<link rel="stylesheet">)
  or HTMLStyleElement.sheet (<style>), remove the <link> or <style> element
  from the document, e.g. using Node.removeChild
* If it comes from CSSImportRule.styleSheet (@import), remove the
  stylesheet containing the @import rule from the document

Following the removal, ownerDocument() returns nullptr, and access is
granted. Fix this by changing (4) to return false instead.

Unfortunately, many places in the codebase construct CSSStyleSheet
without supplying the same-origin flag, instead relying on the
fallback check. For those cases, this change introduces a regression
where if a same-origin stylesheet is created without the same-origin
flag, then is removed from the document, the fallback check will
incorrectly deny access. Fix this by hunting down places that
construct CSSStyleSheet and supply the flag if possible.

Also fix CSSStyleSheet.{insert,delete}Rule to always check with
canAccessRules() before allowing insertion/deletion.

* LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document-expected.txt: Added.
* LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document.html: Added.
* LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document-expected.txt: Added.
* LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document.html: Added.
* LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt:
    - Adjust expectation. This now matches Chrome's output.

* LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt:
* Source/WebCore/css/CSSImportRule.cpp:
(WebCore::CSSImportRule::styleSheet const):
    - Supply same-origin flag when creating CSSStyleSheet if possible.

* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::create):
    - Make ::create for @import rules take an optional same-origin flag.

(WebCore::CSSStyleSheet::createInline):
    - Take an optional same-origin flag.

(WebCore::CSSStyleSheet::canAccessRules const):
    - Deny access if the CSSStyleSheet does not belong to a Document.

(WebCore::CSSStyleSheet::insertRule):
    - Deny access if not allowed (using canAccessRules())

(WebCore::CSSStyleSheet::deleteRule):
    - Deny access if not allowed (using canAccessRules())

* Source/WebCore/css/CSSStyleSheet.h:
* Source/WebCore/dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::setCSSStyleSheet):
    - Supply same-origin flag when creating CSSStyleSheet.

* Source/WebCore/html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::initializeStyleSheet):
    - Always set the origin clean flag, regardless of whether the fetch
      request is CORS or not.

Originally-landed-as: be53cebfe0d9. rdar://151714711
Canonical link: https://commits.webkit.org/295342@main
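An added regression-test page, written in the style of WebKit's http layout tests, for the behaviour the commit message above describes. It is not one of the tests the commit adds and is not WebKit code. It assumes the page is served from http://127.0.0.1:8000/, that http://localhost:8000/ is treated as a distinct origin serving a stylesheet at security/resources/cross-origin.css, and that a same-origin stylesheet exists at /security/resources/same-origin.css; all three paths are placeholders chosen for this example. With the fix applied, the cross-origin sheet's cssRules must throw SecurityError both while the <link> is in the document and after it has been removed, while the same-origin sheet must stay readable in both states (the regression the commit's same-origin-flag changes guard against).

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Added example (not from the WebKit commit). Exercises the "removed from
// document" state of CSSStyleSheet::canAccessRules() from the page's side.
// Assumed, constructed URLs: this page is served from http://127.0.0.1:8000/,
// and http://localhost:8000/ is a distinct origin in WebKit's http test setup.
const SAME_ORIGIN_CSS = "/security/resources/same-origin.css";
const CROSS_ORIGIN_CSS = "http://localhost:8000/security/resources/cross-origin.css";

if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

const results = [];
function log(message) { results.push(message); }

// Read sheet.cssRules and report either "readable" or the thrown error name.
function probeRules(sheet, label) {
    try {
        const count = sheet.cssRules.length;
        log(label + ": readable (" + count + " rules)");
        return "readable";
    } catch (e) {
        log(label + ": " + e.name);
        return e.name;
    }
}

// Insert a <link rel="stylesheet"> and resolve once the sheet has loaded.
function loadSheet(href) {
    return new Promise((resolve, reject) => {
        const link = document.createElement("link");
        link.rel = "stylesheet";
        link.href = href;
        link.onload = () => resolve(link);
        link.onerror = () => reject(new Error("failed to load " + href));
        document.head.appendChild(link);
    });
}

// Check access while the owner element is in the document and again after
// it is removed; both probes must agree with the expected outcome.
async function checkSheet(href, expectReadable) {
    const link = await loadSheet(href);
    const sheet = link.sheet;
    const before = probeRules(sheet, href + " (in document)");
    link.remove();   // ownerDocument() is now null on the engine side
    const after = probeRules(sheet, href + " (removed from document)");
    const expected = expectReadable ? "readable" : "SecurityError";
    const pass = before === expected && after === expected;
    log((pass ? "PASS" : "FAIL") + ": " + href +
        " should be " + expected + " before and after removal");
}

async function run() {
    try {
        await checkSheet(SAME_ORIGIN_CSS, true);    // must not regress
        await checkSheet(CROSS_ORIGIN_CSS, false);  // must be denied in both states
    } catch (e) {
        log("ERROR: " + e.message);
    }
    document.getElementById("result").textContent = results.join("\n");
    if (window.testRunner)
        testRunner.notifyDone();
}

window.addEventListener("load", run);
</script>
</head>
<body>
<p>Access to CSSStyleSheet.cssRules before and after removing the owning link element.</p>
<pre id="result"></pre>
</body>
</html>
```

Run it from the http test server so the two hosts are genuinely different origins; loading it from a file URL would not reproduce the cross-origin case. The same-origin check is there deliberately: the commit message notes that callers which omit the same-origin flag would otherwise be denied after removal, so a test that only covers the cross-origin sheet would miss that regression.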


  Commit: 1d88cd372a58384f14f98fb95b5d5c83a4fd4c22
      https://github.com/WebKit/WebKit/commit/1d88cd372a58384f14f98fb95b5d5c83a4fd4c22
  Author: Sihui Liu <sihui_...@apple.com>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    M Source/WebCore/platform/network/ResourceResponseBase.cpp
    M Source/WebCore/platform/network/ResourceResponseBase.h

  Log Message:
  -----------
  ResourceResponseData::proxyName is not properly isolated copied
https://bugs.webkit.org/show_bug.cgi?id=291646
rdar://148182167

Reviewed by Chris Dumez.

In the existing implementation, ResourceResponseData::proxyName is not isolated
copied or moved correctly at the places it is supposed to be, and this can be
the cause of the increasing crashes we saw in recent builds. Credits to Chris,
who found the issue.

* Source/WebCore/platform/network/ResourceResponseBase.cpp:
(WebCore::ResourceResponseData::isolatedCopy const):
(WebCore::ResourceResponseBase::crossThreadData const):
(WebCore::ResourceResponseBase::fromCrossThreadData):
* Source/WebCore/platform/network/ResourceResponseBase.h:
(WebCore::ResourceResponseBase::setProxyName):
(WebCore::ResourceResponseBase::proxyName const):

Originally-landed-as: cdd407b46a54. rdar://151714620
Canonical link: https://commits.webkit.org/295343@main


Compare: https://github.com/WebKit/WebKit/compare/150fa103a89e...1d88cd372a58
