[webkit-changes] [WebKit/WebKit] ec3e1e: non-CORS Redirects to a cross-origin URI should ca...

mattwoodrow noreply at github.com
Thu Jan 19 13:20:01 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ec3e1edcb9e53c722dbac3fc483161d659ea1b1e
      https://github.com/WebKit/WebKit/commit/ec3e1edcb9e53c722dbac3fc483161d659ea1b1e
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-01-19 (Thu, 19 Jan 2023)

  Changed paths:
    A LayoutTests/http/tests/security/canvas-remote-read-remote-video-allowed-redirect-expected.txt
    A LayoutTests/http/tests/security/canvas-remote-read-remote-video-allowed-redirect.html
    M LayoutTests/http/tests/security/resources/canvas-video-crossorigin.js
    M LayoutTests/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-origin.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/canvas/resources/canvas-tests.js
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-canvas-element/security.pattern.fillStyle.sub-expected.txt
    M LayoutTests/platform/ios-wk2/TestExpectations
    M LayoutTests/platform/mac/TestExpectations
    M LayoutTests/platform/win/TestExpectations
    M LayoutTests/platform/wk2/TestExpectations
    M Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.cpp
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Source/WebCore/html/HTMLMediaElement.h
    M Source/WebCore/html/ImageBitmap.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext.cpp
    M Source/WebCore/platform/graphics/MediaPlayer.cpp
    M Source/WebCore/platform/graphics/MediaPlayer.h
    M Source/WebCore/platform/graphics/MediaPlayerPrivate.h
    M Source/WebCore/platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp
    M Source/WebCore/platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.h
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.h
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h
    M Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h
    M Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h
    M Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.h
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.messages.in
    M Source/WebKit/WebProcess/GPU/media/MediaPlayerPrivateRemote.cpp
    M Source/WebKit/WebProcess/GPU/media/MediaPlayerPrivateRemote.h
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerState.h
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerState.serialization.in

  Log Message:
  -----------
  non-CORS Redirects to a cross-origin URI should cause video to taint <canvas>, even if the final response is same-origin.
https://bugs.webkit.org/show_bug.cgi?id=248462
<rdar://102754474>

Reviewed by Jean-Yves Avenard.

This is true even if we start with a same-origin URI, redirect to a cross-origin URI and then back again to a same-origin URI.

hasSingleSecurityOrigin currently tries to track this, but it only compares the initial request URI against the response URI, not
any intermediate redirects.

This adds tracking of all redirect origins to the media player implementations of wouldTaintOrigin (and renames it to isCrossOrigin), so that
they fail if we redirected to a cross-origin URI at any point. It also ensures that we only do this if we haven't passed a CORS access check.

Moves the code for doing these checks from 3 separate callsites (CanvasRenderingContext, ImageBitmap, MediaElementAudioSourceNode) into
a single shared location (HTMLMediaElement).

Removes all the hasSingleSecurityOrigin media code, since it's no longer in use.

* LayoutTests/http/tests/security/canvas-remote-read-remote-video-allowed-redirect-expected.txt: Added.
* LayoutTests/http/tests/security/canvas-remote-read-remote-video-allowed-redirect.html: Added.

This adds a test for the change in bug 242889, which stopped us tainting for cross-origin redirects.
That's still desired, but only if CORS was requested and successful.

* LayoutTests/http/tests/security/resources/canvas-video-crossorigin.js:
(testDataRetrievalAllowed):

Fixes a test bug, where the 'allowed' test was expecting an exception to be thrown.

* LayoutTests/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-origin.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/canvas/resources/canvas-tests.js:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-canvas-element/security.pattern.fillStyle.sub-expected.txt:

Add new subtest for the same-origin -> cross-origin -> same-origin redirect chain case.

* LayoutTests/platform/ios-wk2/TestExpectations:
* LayoutTests/platform/mac/TestExpectations:
* LayoutTests/platform/win/TestExpectations:
* LayoutTests/platform/wk2/TestExpectations:

Enables tests that now pass.

* Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.cpp:
(WebCore::MediaElementAudioSourceNode::wouldTaintOrigin):
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::wouldTaintOrigin const):
* Source/WebCore/html/HTMLMediaElement.h:
(WebCore::HTMLMediaElement::hasSingleSecurityOrigin const): Deleted.
(WebCore::HTMLMediaElement::wouldTaintOrigin const): Deleted.
* Source/WebCore/html/ImageBitmap.cpp:
(WebCore::taintsOrigin):
* Source/WebCore/html/canvas/CanvasRenderingContext.cpp:
(WebCore::CanvasRenderingContext::wouldTaintOrigin):
* Source/WebCore/platform/graphics/MediaPlayer.cpp:
(WebCore::MediaPlayer::isCrossOrigin const):
(WebCore::MediaPlayer::hasSingleSecurityOrigin const): Deleted.
(WebCore::MediaPlayer::wouldTaintOrigin const): Deleted.
* Source/WebCore/platform/graphics/MediaPlayer.h:
* Source/WebCore/platform/graphics/MediaPlayerPrivate.h:
(WebCore::MediaPlayerPrivateInterface::isCrossOrigin const):
(WebCore::MediaPlayerPrivateInterface::hasSingleSecurityOrigin const): Deleted.
(WebCore::MediaPlayerPrivateInterface::wouldTaintOrigin const): Deleted.
* Source/WebCore/platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp:
(WebCore::MediaPlayerPrivateAVFoundation::hasSingleSecurityOrigin const): Deleted.
* Source/WebCore/platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
(WebCore::MediaPlayerPrivateAVFoundationObjC::isCrossOrigin const):
(WebCore::MediaPlayerPrivateAVFoundationObjC::wouldTaintOrigin const): Deleted.
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.h:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.h:
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::isCrossOrigin const):
(WebCore::MediaPlayerPrivateGStreamer::loadNextLocation):
(WebCore::MediaPlayerPrivateGStreamer::hasSingleSecurityOrigin const): Deleted.
(WebCore::MediaPlayerPrivateGStreamer::wouldTaintOrigin const): Deleted.
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
* Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(CachedResourceStreamingClient::redirectReceived):
(webKitSrcIsCrossOrigin):
(webKitSrcWouldTaintOrigin): Deleted.
* Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h:
* Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:
* Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:
(-[WebCoreNSURLSession task:addSecurityOrigin:]):
(-[WebCoreNSURLSession isCrossOrigin:]):
(-[WebCoreNSURLSessionDataTask resource:receivedResponse:completionHandler:]):
(-[WebCoreNSURLSessionDataTask resource:receivedRedirect:request:completionHandler:]):
(-[WebCoreNSURLSession task:didReceiveResponseFromOrigin:]): Deleted.
(-[WebCoreNSURLSession wouldTaintOrigin:]): Deleted.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp:
(WebKit::RemoteMediaPlayerProxy::mediaPlayerReadyStateChanged):
(WebKit::RemoteMediaPlayerProxy::isCrossOrigin):
(WebKit::RemoteMediaPlayerProxy::wouldTaintOrigin): Deleted.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.messages.in:
* Source/WebKit/WebProcess/GPU/media/MediaPlayerPrivateRemote.cpp:
(WebKit::MediaPlayerPrivateRemote::updateCachedState):
(WebKit::MediaPlayerPrivateRemote::isCrossOrigin const):
(WebKit::MediaPlayerPrivateRemote::hasSingleSecurityOrigin const): Deleted.
(WebKit::MediaPlayerPrivateRemote::wouldTaintOrigin const): Deleted.
* Source/WebKit/WebProcess/GPU/media/MediaPlayerPrivateRemote.h:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerState.h:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerState.serialization.in:

Canonical link: https://commits.webkit.org/259108@main
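The following is an added illustration, not WebKit code, modelling the check the commit message describes: the old logic compared only the initial request origin with the final response origin, while the new logic taints the canvas if any hop in the redirect chain left the document's origin, unless CORS was requested and the access check passed. The URL parsing, the `MediaLoad` struct and the function names are simplifications assumed for the example.

```cpp
// Added example (not WebKit's implementation). Models the redirect-chain
// origin check from the commit. Origin parsing is deliberately simplified:
// "scheme://host[:port]/..." with default ports normalised; no IPv6 literals.
#include <string>
#include <vector>

struct Origin {
    std::string scheme, host, port;
    bool operator==(const Origin& o) const { return scheme == o.scheme && host == o.host && port == o.port; }
};

Origin originOf(const std::string& url) {
    Origin o;
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return o;
    o.scheme = url.substr(0, schemeEnd);
    auto authStart = schemeEnd + 3;
    auto authEnd = url.find('/', authStart);
    std::string authority = url.substr(authStart, authEnd == std::string::npos ? std::string::npos : authEnd - authStart);
    auto colon = authority.rfind(':');
    if (colon != std::string::npos) { o.host = authority.substr(0, colon); o.port = authority.substr(colon + 1); }
    else o.host = authority;
    if (o.port.empty()) o.port = (o.scheme == "https") ? "443" : "80";  // normalise default ports
    return o;
}

struct MediaLoad {                       // constructed model of one media fetch (hypothetical)
    std::string documentUrl;             // origin of the page that owns the <video> and <canvas>
    std::vector<std::string> chain;      // initial request URL, each redirect target, final response URL
    bool corsRequested;                  // crossorigin attribute present on the element
    bool corsCheckPassed;                // every response in the chain passed the CORS access check
};

// Pre-fix behaviour (hasSingleSecurityOrigin): only first vs last URL of the chain
// is compared, plus the final response against the document origin. A chain that
// goes same-origin -> cross-origin -> same-origin is wrongly treated as clean.
bool taintsCanvasOld(const MediaLoad& load) {
    const Origin doc = originOf(load.documentUrl);
    return !(originOf(load.chain.front()) == originOf(load.chain.back()))
        || !(originOf(load.chain.back()) == doc);
}

// Post-fix behaviour (isCrossOrigin): any hop outside the document origin taints,
// unless CORS was requested and the access check succeeded for the whole chain.
bool taintsCanvasNew(const MediaLoad& load) {
    if (load.corsRequested && load.corsCheckPassed) return false;
    const Origin doc = originOf(load.documentUrl);
    for (const auto& url : load.chain)
        if (!(originOf(url) == doc)) return true;
    return false;
}
```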

More information about the webkit-changes mailing list