[webkit-changes] [WebKit/WebKit] 556e13: Prevent duplication of WASM throw and rethrow patc...

Ryan Reno noreply at github.com
Mon Aug 7 11:09:37 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 556e13530a1c87ce76b7710ec8c2198251466e56
      https://github.com/WebKit/WebKit/commit/556e13530a1c87ce76b7710ec8c2198251466e56
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-08-07 (Mon, 07 Aug 2023)

  Changed paths:
    A JSTests/wasm/stress/phi-live-across-rethrow.js
    A JSTests/wasm/stress/phi-live-across-throw.js
    M Source/JavaScriptCore/b3/B3DuplicateTails.cpp
    M Source/JavaScriptCore/b3/B3Kind.cpp
    M Source/JavaScriptCore/b3/B3Kind.h
    M Source/JavaScriptCore/b3/B3PatchpointValue.cpp
    M Source/JavaScriptCore/b3/B3PatchpointValue.h
    M Source/JavaScriptCore/b3/B3ValueInlines.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

  Log Message:
  -----------
  Prevent duplication of WASM throw and rethrow patchpoints in B3
https://bugs.webkit.org/show_bug.cgi?id=258408
rdar://110634913

Reviewed by Yusuke Suzuki.

Adds a cloningForbidden property to B3Kind, used to prevent a B3 value
from being cloned during optimizations, and applies it to the patchpoints
generated for the WASM throw and rethrow opcodes in WasmB3IRGenerator.
This prevents a problem where these patchpoints could be duplicated, still
share a stackmap/callsite index, but have conflicting live value
locations.

* JSTests/wasm/stress/phi-live-across-rethrow.js: Added.
(async test):
* JSTests/wasm/stress/phi-live-across-throw.js: Added.
(async test):
* Source/JavaScriptCore/b3/B3DuplicateTails.cpp:
* Source/JavaScriptCore/b3/B3Kind.cpp:
(JSC::B3::Kind::dump const):
* Source/JavaScriptCore/b3/B3Kind.h:
(JSC::B3::Kind::hasCloningForbidden):
(JSC::B3::Kind::hasCloningForbidden const):
(JSC::B3::Kind::isCloningForbidden const):
(JSC::B3::Kind::setIsCloningForbidden):
(JSC::B3::Kind::operator== const):
(JSC::B3::Kind::hash const):
(JSC::B3::cloningForbidden):
* Source/JavaScriptCore/b3/B3PatchpointValue.cpp:
(JSC::B3::PatchpointValue::PatchpointValue):
* Source/JavaScriptCore/b3/B3PatchpointValue.h:
* Source/JavaScriptCore/b3/B3ValueInlines.h:
(JSC::B3::Value::cloneImpl const):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addThrow):
(JSC::Wasm::B3IRGenerator::addRethrow):

Originally-landed-as: 259548.844 at safari-7615-branch (2e29306082ae). rdar://113286251
Canonical link: https://commits.webkit.org/266643@main


  Commit: 04bd941e62cbadecdc889fb575315ffd142756e4
      https://github.com/WebKit/WebKit/commit/04bd941e62cbadecdc889fb575315ffd142756e4
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-08-07 (Mon, 07 Aug 2023)

  Changed paths:
    M LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt
    M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe.html
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe.html
    M LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag-emptyString.html
    M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag.html
    M LayoutTests/http/tests/security/referrer-policy-header-multipart.html
    M LayoutTests/http/tests/security/referrer-policy-header-test.js
    M LayoutTests/http/tests/security/referrer-policy-header.html
    M LayoutTests/http/tests/security/referrer-policy-https-always-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-always.html
    M LayoutTests/http/tests/security/referrer-policy-https-default-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-default.html
    M LayoutTests/http/tests/security/referrer-policy-https-never-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-never.html
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade.html
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer.html
    M LayoutTests/http/tests/security/referrer-policy-https-origin-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-origin.html
    M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url.html
    M LayoutTests/http/tests/security/resources/postReferrer.py
    M LayoutTests/http/tests/security/resources/referrer-policy-log.py
    M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-getCurrentPosition.html
    M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-watchPosition.html
    M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-meta-tag.py
    M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-test.py
    R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt
    R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html
    M LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-https-with-embedded-http-with-embedded-https.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt
    A LayoutTests/platform/glib/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-referrer-policy.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-mixed-content-to-outscope.https-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/nested-documents-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/unlock-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt
    R LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/html/HTMLFormElement.cpp
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentThreadableLoader.cpp
    M Source/WebCore/loader/MixedContentChecker.cpp
    M Source/WebCore/loader/MixedContentChecker.h
    M Source/WebCore/loader/SubframeLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Framed pages have ability to bypass Mixed Content restrictions
https://bugs.webkit.org/show_bug.cgi?id=257331
rdar://109100886

Reviewed by Brent Fulgham.

It is possible to bypass mixed content restrictions in pages which are
framed. There are actually two issues here: secure frames embedded in
insecure frames can bypass and frames which are sandboxed can bypass.

In the former case we are only checking for mixed content in the
frame making the request as well as the top frame. So if an insecure frame
embeds a secure frame, that secure frame could then embed an insecure frame and
make mixed content requests without being blocked since the middle frame
is not checked against the URL for mixed content.

For the latter case we check whether or not the security origin
of the requestor has an "https" protocol. The problem is sandboxed iframes
are given an opaque origin which does not have the "https" protocol (or
any protocol for that matter) and so we were skipping the mixed content check.

This patch cleans up the MixedContentChecker implementation and fixes
these two methods of bypass. This is accomplished by 1) checking the entire
ancestor frame path from the requestor up to the top frame and 2) considering
what the protocol of the security origin for the frame making the
request would have been if it were not opaque. We special case a main resource
load in the DocumentLoader by checking for mixed content starting from the parent frame.
Otherwise we would block an insecure main frame from navigating a secure
iframe to an insecure URL which is allowed by other browser engines.

LayoutTests/http/tests/security:
    Rewrote some tests to no longer use HTTP iframes in HTTPS frames
    which is now blocked. These changes also include new console output
    for mixed content blocking messages.

* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt: Removed.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html: Removed.
    This test is no longer needed. We now block loading an HTTP iframe
    in a middle HTTPS frame so the innermost frame would never have a
    chance to load a worker anyway.

* LayoutTests/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt:

LayoutTests/platform:
    Updated platform-specific expectations.

* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::connect):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::parseAttribute):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest):

Source/WebCore/loader/MixedContentChecker:
    Refactor the MixedContentChecker to expose a more clear API.
    isMixedContent was never called by client code and canDisplay and
    canShow functions should be more clear that they will be checking
    the entire frame ancestor hierarchy so clients don't try to do that
    themselves. Move helpers to be static functions in the .cpp file.

* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::isMixedContent):
(WebCore::foundMixedContentInFrameTree):
(WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent):
(WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
(WebCore::MixedContentChecker::checkFormForMixedContent):
(WebCore::MixedContentChecker::checkForMixedContentInFrameTree): Deleted.
(WebCore::MixedContentChecker::isMixedContent): Deleted.
(WebCore::MixedContentChecker::canDisplayInsecureContent): Deleted.
(WebCore::MixedContentChecker::canRunInsecureContent): Deleted.
* Source/WebCore/loader/MixedContentChecker.h:

* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):

Originally-landed-as: 259548.802 at safari-7615-branch (bc09b6fca325). rdar://113286343
Canonical link: https://commits.webkit.org/266644@main

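The two bypasses and the fix described in the commit message above, as an added example. This is not WebKit's code: the frame model, URLs and function names are constructed for illustration, and the "naive" check is a simplified stand-in for the pre-fix behaviour (consulting only the requestor's own security origin), not the actual old MixedContentChecker logic. The fixed check walks the whole ancestor chain from the requestor to the top frame and judges a sandboxed (opaque-origin) frame by the protocol its origin would otherwise have had; subframe navigations start the walk at the parent so an insecure top frame can still navigate a secure iframe to an insecure URL.

```javascript
// Added example (not WebKit code): a model of the ancestor-walking mixed content
// check described in the commit message above. Frame shapes, URLs and function
// names are constructed for illustration.

// A frame records the URL of the document it hosts, its parent frame (null for
// the top frame) and whether it is sandboxed. A sandboxed frame's security
// origin is opaque, so the document URL is kept to recover the protocol the
// origin would have had if it were not opaque.
function makeFrame(url, { parent = null, sandboxed = false } = {}) {
  return { url: new URL(url), parent, sandboxed };
}

// Protocol of the frame's security origin: null when the origin is opaque.
function securityOriginProtocol(frame) {
  return frame.sandboxed ? null : frame.url.protocol;
}

// Protocol the origin "would have been" without sandboxing.
function effectiveProtocol(frame) {
  return frame.url.protocol;
}

function isInsecureUrl(url) {
  return url.protocol === "http:" || url.protocol === "ws:";
}

// Simplified pre-fix behaviour (a constructed stand-in, not WebKit's old code):
// only the security origin of the requesting frame is consulted, so an
// insecure or opaque-origin requestor is never considered mixed.
function isMixedContentNaive(requestor, requestUrl) {
  return isInsecureUrl(requestUrl) && securityOriginProtocol(requestor) === "https:";
}

// Fixed behaviour: walk from the requestor up to the top frame and treat the
// request as mixed content if any frame on that path is secure, judging
// sandboxed frames by the protocol their origin would otherwise have had.
function isMixedContentInFrameTree(requestor, requestUrl) {
  if (!isInsecureUrl(requestUrl)) return false;
  for (let frame = requestor; frame !== null; frame = frame.parent) {
    if (effectiveProtocol(frame) === "https:") return true;
  }
  return false;
}

// Main-resource loads are special-cased: the walk starts at the parent of the
// frame being navigated, so an insecure top frame may still navigate a secure
// iframe to an insecure URL, while an HTTPS frame may not embed an HTTP one.
function subframeNavigationIsBlocked(targetFrame, destinationUrl) {
  if (targetFrame.parent === null) return false; // top-level navigation
  return isMixedContentInFrameTree(targetFrame.parent, destinationUrl);
}

// Scenario 1 (constructed): http top -> https middle -> http inner, and the
// inner frame fetches an http script. Only the middle frame is secure.
function scenarioSecureFrameInsideInsecureFrame() {
  const top = makeFrame("http://outer.example/");
  const middle = makeFrame("https://secure.example/embed", { parent: top });
  const inner = makeFrame("http://outer.example/inner", { parent: middle });
  const script = new URL("http://outer.example/payload.js");
  return {
    naive: isMixedContentNaive(inner, script),
    fixed: isMixedContentInFrameTree(inner, script),
    innerFrameLoadBlocked: subframeNavigationIsBlocked(inner, inner.url),
  };
}

// Scenario 2 (constructed): https top -> sandboxed https iframe, which fetches
// an http image. The sandboxed frame's origin is opaque.
function scenarioSandboxedSecureFrame() {
  const top = makeFrame("https://secure.example/");
  const sandboxed = makeFrame("https://secure.example/widget", { parent: top, sandboxed: true });
  const image = new URL("http://tracker.example/pixel.png");
  return {
    naive: isMixedContentNaive(sandboxed, image),
    fixed: isMixedContentInFrameTree(sandboxed, image),
  };
}

// Scenario 3 (constructed): an http top frame navigates its https iframe to an
// http URL, which the special case for main resource loads still permits.
function scenarioInsecureTopNavigatesSecureIframe() {
  const top = makeFrame("http://outer.example/");
  const iframe = makeFrame("https://secure.example/embed", { parent: top });
  return subframeNavigationIsBlocked(iframe, new URL("http://outer.example/next"));
}
```

In scenario 1 the naive check lets the insecure script through because the requesting frame is itself HTTP, while the ancestor walk finds the secure middle frame and flags it; the same walk also blocks the HTTP inner iframe from being embedded in the HTTPS middle frame at all. In scenario 2 the opaque origin of the sandboxed frame defeats the naive check, but the effective protocol still reads as HTTPS. Scenario 3 shows the parent-first special case leaving the insecure-top navigation permitted.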

Compare: https://github.com/WebKit/WebKit/compare/fe792fdab477...04bd941e62cb


More information about the webkit-changes mailing list