[webkit-changes] [WebKit/WebKit] b0305b: Cap cookie lifetimes to 7 days for responses from ...

Wenson Hsieh noreply at github.com
Fri Oct 21 14:37:36 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b0305b173106ba984cbc0475b3681daea137390c
      https://github.com/WebKit/WebKit/commit/b0305b173106ba984cbc0475b3681daea137390c
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2022-10-21 (Fri, 21 Oct 2022)

  Changed paths:
    M Source/WebCore/platform/network/DNS.cpp
    M Source/WebCore/platform/network/DNS.h
    M Source/WebKit/NetworkProcess/NetworkSession.cpp
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebCore/IPAddressTests.cpp

  Log Message:
  -----------
  Cap cookie lifetimes to 7 days for responses from third party IP addresses
https://bugs.webkit.org/show_bug.cgi?id=246477
rdar://100831206

Reviewed by John Wilander.

Safari currently caps the lifetime of cookies to 7 days, if third-party CNAME cloaking is detected.
This helps to mitigate many instances where CNAME cloaking is used to store cookies on device (in
the first party context) for far longer than a third party cookie would normally be allowed to;
however, in the case where the resolved CNAME is empty, we end up skipping this mitigation
altogether.

This means that websites can use direct A/AAAA records (instead of CNAME mapping) to cloak third
party requests as first party and subsequently store cookies in the first party context, bypassing
the aforementioned defense.

To strengthen our existing protections, we implement a heuristic to fall back on comparing resolved
IP addresses only in the case where the resolved CNAME of the incoming response is empty. If the IP
address of the response is _mostly_ different than the IP address of the main resource response
(i.e. by comparing the matching subnet mask length of the two addresses), then we apply the same
level of mitigation as we otherwise would for third party CNAMEs.

For now, the minimum matching subnet mask length to consider as "third party" or not is arbitrarily
chosen to be half the IP address length (i.e. 16 for IPv4, and 64 for IPv6). This could be enhanced
in the future, given facilities to query for the IP network block that contains the main resource's
IP address and checking whether the incoming response address falls within that range.

* Source/WebCore/platform/network/DNS.cpp:
(WebCore::IPAddress::isolatedCopy const):

Add an `isolatedCopy` method, so that we're able to perform a cross-thread copy of `IPAddress`.

(WebCore::IPAddress::matchingNetMaskLength const):

Add a helper method to compute the length of the matching subnet mask between the current IP address
and the given address. If the two IP addresses are of different families (i.e. v4 and v6), this
method returns 0.

* Source/WebCore/platform/network/DNS.h:
(WebCore::IPAddress::fromSockAddrIn6):

Minor style fix - add a missing space after the initializer.

* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::shouldApplyCookiePolicyForThirdPartyCloaking const):

Adjust this to check for third party IP addresses, in the case where the incoming response's CNAME
is empty.

(WebKit::NetworkDataTaskCocoa::updateFirstPartyInfoForSession):
(WebKit::shouldCapCookieExpiryForThirdPartyIPAddress):
(WebKit::NetworkDataTaskCocoa::applyCookiePolicyForThirdPartyCloaking):
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
(WebKit::NetworkDataTaskCocoa::shouldApplyCookiePolicyForThirdPartyCNAMECloaking const): Deleted.
(WebKit::NetworkDataTaskCocoa::applyCookiePolicyForThirdPartyCNAMECloaking): Deleted.

Rename these to reference "ThirdPartyCloaking" instead of "ThirdPartyCNAMECloaking", since this now
applies to both.

* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/IPAddressTests.cpp: Added.
(TestWebKitAPI::TEST):

Add a couple of API tests to exercise the new functionality in `WebCore::IPAddress`.

Canonical link: https://commits.webkit.org/255849@main



