[webkit-changes] [WebKit/WebKit] 7f2ea8: Partition Blob Registry by the top-level main docu...

Matthew Finkel noreply at github.com
Tue Aug 22 19:20:59 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7f2ea8fcf41a68add90efab89609218407e1a824
      https://github.com/WebKit/WebKit/commit/7f2ea8fcf41a68add90efab89609218407e1a824
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-08-22 (Tue, 22 Aug 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/http/tests/local/blob/download-blob-from-iframe-expected.txt
    A LayoutTests/http/tests/local/blob/download-blob-from-iframe.html
    A LayoutTests/http/tests/local/blob/navigate-blob-expected.txt
    A LayoutTests/http/tests/local/blob/navigate-blob.html
    A LayoutTests/http/tests/local/blob/resources/broadcast-channel-proxy.html
    A LayoutTests/http/tests/local/blob/resources/iframe-creating-or-downloading-blob.html
    A LayoutTests/http/tests/local/blob/resources/iframe-for-creating-and-navigating-to-blob.html
    A LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-creating-or-navigating-to-blob.html
    A LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-downloading-blob.html
    M LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt
    M LayoutTests/http/tests/security/blob-null-url-location-origin.html
    A LayoutTests/http/tests/security/cross-origin-blob-transfer-expected.txt
    A LayoutTests/http/tests/security/cross-origin-blob-transfer.html
    A LayoutTests/http/tests/security/resources/iframe-cross-origin-blob-transfer.html
    M LayoutTests/http/tests/security/top-level-unique-origin2.https.html
    A LayoutTests/platform/gtk/http/tests/local/blob/download-blob-from-iframe-expected.txt
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WebCore/fileapi/BlobURL.cpp
    M Source/WebCore/fileapi/BlobURL.h
    M Source/WebCore/fileapi/ThreadableBlobRegistry.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/platform/network/BlobRegistryImpl.cpp
    M Source/WebCore/platform/network/BlobRegistryImpl.h

  Log Message:
  -----------
  Partition Blob Registry by the top-level main document origin
https://bugs.webkit.org/show_bug.cgi?id=260035
rdar://problem/113705298

Reviewed by Alex Christensen and Sihui Liu.

Public blob URLs are only accessible from same-origin documents, but access is
not restricted by the top-level origin. This means that Blob URLs can be used
as a cross-origin tracking mechanism within iframes. In this patch we partition
public blob URLs within the Blob Registry by top-level origin. This
partitioning is controlled by a feature flag that is disabled by default.

I took a few approaches at solving this. The most difficult challenge was
finding a solution that allowed retrieving BlobData using a public blob URL
from WKWebView APIs. In that case, the relevant top document may not be
obvious, or may not exist. As a result, the design of this partitioning is more
like access control rather than adding another key into the hashmap.

Two alternative designs I considered include creating a second hashmap that is
keyed by <URL, SecurityOriginData> and we lookup the BlobData in that map if we
have a SecurityOriginData, otherwise we use the unpartitioned map. Or, we
create a new map from URL -> SecurityOriginData where we can lookup the
associated top origin SecurityOriginData if we don't already know it. However,
both of these options are more complex than the chosen implementation, and
neither of them seemed safer.

This change also enforces a noopener policy on new windows when the top origin
of the opener is cross-origin with the blob's security origin. This is a
mitigation that was discussed in the blob URL storage partitioning issue [0]
with cross-engine support, and that seemed reasonable to me.

[0] https://github.com/w3c/FileAPI/issues/153

* LayoutTests/TestExpectations:
* LayoutTests/http/tests/local/blob/download-blob-from-iframe-expected.txt: Added.
* LayoutTests/http/tests/local/blob/download-blob-from-iframe.html: Added.
* LayoutTests/http/tests/local/blob/navigate-blob-expected.txt: Added.
* LayoutTests/http/tests/local/blob/navigate-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/broadcast-channel-proxy.html: Added.
* LayoutTests/http/tests/local/blob/resources/iframe-creating-or-downloading-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/iframe-for-creating-and-navigating-to-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-creating-or-navigating-to-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-downloading-blob.html: Added.
* LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt:
* LayoutTests/http/tests/security/blob-null-url-location-origin.html:
* LayoutTests/http/tests/security/cross-origin-blob-transfer-expected.txt: Added.
* LayoutTests/http/tests/security/cross-origin-blob-transfer.html: Added.
* LayoutTests/http/tests/security/resources/iframe-cross-origin-blob-transfer.html: Added.
* LayoutTests/http/tests/security/top-level-unique-origin2.https.html:
* LayoutTests/platform/gtk-wk2/http/tests/local/blob/download-blob-from-iframe-expected.txt: Added.
* LayoutTests/platform/mac-wk1/TestExpectations:
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebCore/fileapi/BlobURL.cpp:
(WebCore::BlobURL::isInternalURL):
* Source/WebCore/fileapi/BlobURL.h:
* Source/WebCore/fileapi/ThreadableBlobRegistry.cpp:
(WebCore::ThreadableBlobRegistry::registerInternalFileBlobURL):
(WebCore::ThreadableBlobRegistry::registerInternalBlobURL):
(WebCore::ThreadableBlobRegistry::registerInternalBlobURLOptionallyFileBacked):
(WebCore::ThreadableBlobRegistry::registerInternalBlobURLForSlice):
(WebCore::isInternalBlobURL): Deleted.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::loadPostRequest):
(WebCore::createWindow):
* Source/WebCore/platform/network/BlobRegistryImpl.cpp:
(WebCore::BlobRegistryImpl::registerBlobURLOptionallyFileBacked):
(WebCore::BlobRegistryImpl::unregisterBlobURL):
(WebCore::BlobRegistryImpl::getBlobDataFromURL const):
(WebCore::BlobRegistryImpl::addBlobData):
(WebCore::BlobRegistryImpl::registerBlobURLHandle):
(WebCore::BlobRegistryImpl::unregisterBlobURLHandle):
* Source/WebCore/platform/network/BlobRegistryImpl.h:

Canonical link: https://commits.webkit.org/267172@main
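The commit message describes the chosen design in words: keep the single URL-keyed map, store the creating top-level origin alongside each blob, and enforce the partition as an access-control check at lookup time so that an embedder lookup with no known top document still works. The following is an added example that models that design; it is not WebKit's code and not a transcription of BlobRegistryImpl. The names (PartitionedBlobRegistry, BlobEntry, blobURLOrigin, shouldForceNoopener), the unregister behaviour and the sample URLs are assumptions of this model.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <optional>
#include <string>

// Illustrative model only; assumed names, not WebKit's actual types.
struct BlobData {
    std::string contentType;
    std::string bytes;
};

// Each registered public blob URL remembers the top-level origin under which it was
// created. The partition is enforced on lookup, not by adding a key to the map.
struct BlobEntry {
    BlobData data;
    std::string topOrigin;
};

// Origin embedded in a public blob URL: "blob:https://a.example/<uuid>" -> "https://a.example".
// Returns an empty string for anything that is not a blob URL.
inline std::string blobURLOrigin(const std::string& url)
{
    static const std::string prefix = "blob:";
    if (url.compare(0, prefix.size(), prefix) != 0)
        return "";
    std::string inner = url.substr(prefix.size());
    auto schemeEnd = inner.find("://");
    if (schemeEnd == std::string::npos)
        return "";
    auto pathStart = inner.find('/', schemeEnd + 3);
    return pathStart == std::string::npos ? inner : inner.substr(0, pathStart);
}

class PartitionedBlobRegistry {
public:
    void registerBlobURL(const std::string& url, const std::string& topOrigin, BlobData data)
    {
        m_blobs[url] = BlobEntry { std::move(data), topOrigin };
    }

    // Assumption of this model: unregistering is only honoured from the partition
    // that created the URL.
    bool unregisterBlobURL(const std::string& url, const std::string& topOrigin)
    {
        auto it = m_blobs.find(url);
        if (it == m_blobs.end() || it->second.topOrigin != topOrigin)
            return false;
        m_blobs.erase(it);
        return true;
    }

    // requestingOrigin: origin of the document using the URL (the pre-existing same-origin rule).
    // topOrigin: origin of that document's top-level frame; std::nullopt models the embedder
    // API case from the commit message, where no top document is known and the check is skipped.
    std::optional<BlobData> getBlobDataFromURL(const std::string& url,
                                               const std::string& requestingOrigin,
                                               const std::optional<std::string>& topOrigin) const
    {
        auto it = m_blobs.find(url);
        if (it == m_blobs.end())
            return std::nullopt;
        if (blobURLOrigin(url) != requestingOrigin)
            return std::nullopt; // cross-origin document: denied, as before this change
        if (topOrigin && *topOrigin != it->second.topOrigin)
            return std::nullopt; // same origin, different top-level site: partitioned away
        return it->second.data;
    }

    std::size_t size() const { return m_blobs.size(); }

private:
    std::map<std::string, BlobEntry> m_blobs;
};

// Second rule from the commit message: a window opened on a blob URL gets no opener
// reference when the opener's top-level origin is cross-origin with the blob's origin.
inline bool shouldForceNoopener(const std::string& openerTopOrigin, const std::string& blobURL)
{
    return blobURLOrigin(blobURL) != openerTopOrigin;
}

int main()
{
    PartitionedBlobRegistry registry;
    // Constructed sample: a widget origin creates a blob while embedded under site-a.
    const std::string url = "blob:https://widget.example/0000-1111";
    registry.registerBlobURL(url, "https://site-a.example", BlobData { "text/plain", "hello" });
    std::cout << "same top site: "
              << registry.getBlobDataFromURL(url, "https://widget.example", std::string("https://site-a.example")).has_value() << '\n';
    std::cout << "other top site: "
              << registry.getBlobDataFromURL(url, "https://widget.example", std::string("https://site-b.example")).has_value() << '\n';
    std::cout << "force noopener from site-a: " << shouldForceNoopener("https://site-a.example", url) << '\n';
    return 0;
}
```

The tracking case the commit message is concerned with is the second lookup: the same widget origin, embedded under a different top-level site, can no longer resolve the blob URL it created under the first site. The `std::nullopt` lookup is the embedder path where no top document exists, which is why the design is an access check rather than a second map key.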