[webkit-changes] [WebKit/WebKit] 9e08e9: Cookies from AppSSO extension are getting stored i...

Pascoe noreply at github.com
Wed Nov 8 23:07:47 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9e08e9d30f556cdfafa2962be997b4911f5f1b97
      https://github.com/WebKit/WebKit/commit/9e08e9d30f556cdfafa2962be997b4911f5f1b97
  Author: J Pascoe <j_pascoe at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm

  Log Message:
  -----------
  Cookies from AppSSO extension are getting stored in iframe even when CSP restricts page to be loaded in iframe
https://bugs.webkit.org/show_bug.cgi?id=264447
rdar://118121639

Reviewed by Brent Fulgham.

In https://bugs.webkit.org/show_bug.cgi?id=260100, we added CSP validation when setting cookies
in the response of an AppSSO request. However, in that patch, we consider CSP options that are
only relevant for i-frames in the redirect case. In NetworkResourceLoader::shouldInterruptLoadForXFrameOptions,
we do an early return in non-main frame cases, but do not in the check for AppSSO.

In SOAuthorizationCoordinator::tryAuthorize, it can be gleaned that a non-mainframe navigation implies
a SubFrameSOAuthorizationSession will be created. Therefore we only need to perform these i-frame specific
CSP checks whenever we have a SubFrameSOAuthorizationSession.

* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForXFrameOptions): Deleted.
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): Deleted.
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h:
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm:
(WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForXFrameOptions):
(WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):

Canonical link: https://commits.webkit.org/270422@main



