[webkit-changes] [WebKit/WebKit] 359413: CVE-2022-31736 - Leaking size of cross-origin reso...

youennf noreply at github.com
Wed Dec 18 10:37:42 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 359413eb3ac5500866994b125692f968b7a08923
      https://github.com/WebKit/WebKit/commit/359413eb3ac5500866994b125692f968b7a08923
  Author: Youenn Fablet <youenn at apple.com>
  Date:   2024-12-18 (Wed, 18 Dec 2024)

  Changed paths:
    A LayoutTests/http/tests/media/hls/range-request-cross-origin-expected.txt
    A LayoutTests/http/tests/media/hls/range-request-cross-origin-worker.js
    A LayoutTests/http/tests/media/hls/range-request-cross-origin.html
    A LayoutTests/http/tests/media/resources/hls/range-request-playlist-cross-origin.m3u8
    A LayoutTests/http/tests/media/resources/hls/range-request-playlists/stream-cross-origin.m3u8
    A LayoutTests/http/wpt/resources/test.mp4
    A LayoutTests/http/wpt/service-workers/media-range-request-expected.txt
    A LayoutTests/http/wpt/service-workers/media-range-request-worker.js
    A LayoutTests/http/wpt/service-workers/media-range-request.html
    M Source/WebCore/loader/MediaResourceLoader.cpp
    M Source/WebCore/loader/MediaResourceLoader.h

  Log Message:
  -----------
  CVE-2022-31736 - Leaking size of cross-origin resources by using Range Requests and Service Workers
rdar://135680688
https://bugs.webkit.org/show_bug.cgi?id=276861

Reviewed by Jer Noble.

We want to restrict byte range responses of a single URL served from multiple origins.
While https://html.spec.whatwg.org/multipage/media.html#verify-a-media-response fixes this, it is not adapted for HLS content which can load different range requests from different origins for the same media element.

Instead, we implement a check dedicated to checking successive range request media loads to the same URL.
We store, per URL, whether these loads are served with service worker content or opaque response content.
We restrict the checks so that validation can only fail if at least one of the loads is served by a service worker, which should reduce any potential compat issue.

If they are served with both service worker and opaque response content, they need to all be same origin.
This allows the following cases to load properly:
- All loads are served with content that is visible to the service worker (same-origin, synthetic or CORS enabled).
- All loads are coming from the same origin.
This does not allow mixing content that is visible to the service worker and loads that are opaque.

We add a test exercising the failing case.
We also add an HLS test doing range requests from different origins as part of the same media element streaming, all served by service worker.

* LayoutTests/http/tests/media/hls/range-request-cross-origin-expected.txt: Added.
* LayoutTests/http/tests/media/hls/range-request-cross-origin-worker.js: Added.
* LayoutTests/http/tests/media/hls/range-request-cross-origin.html: Added.
* LayoutTests/http/tests/media/resources/hls/range-request-playlist-cross-origin.m3u8: Added.
* LayoutTests/http/tests/media/resources/hls/range-request-playlists/stream-cross-origin.m3u8: Added.
* LayoutTests/http/wpt/resources/test.mp4: Added.
* LayoutTests/http/wpt/service-workers/media-range-request-expected.txt: Added.
* LayoutTests/http/wpt/service-workers/media-range-request-worker.js: Added.
(self.onfetch.event.event.request.url.includes):
(self.onfetch.event.videoRequestCount.shouldUseSyntheticResponse.event.respondWith.new.Response.new.Uint8Array):
* LayoutTests/http/wpt/service-workers/media-range-request.html: Added.
* Source/WebCore/loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::verifyMediaResponse):
(WebCore::MediaResource::responseReceived):
* Source/WebCore/loader/MediaResourceLoader.h:

Originally-landed-as: 283286.128 at safari-7620-branch (24ac271f7d48). rdar://141323563
Canonical link: https://commits.webkit.org/288024@main
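The per-URL check the commit message describes, as an added example that is not WebKit's code and not the change itself (the real check lives in WebCore::MediaResourceLoader::verifyMediaResponse, in C++). The class name, the record fields, and the convention that a synthetic Response is attributed to the service worker's own origin are assumptions made for illustration; the three scenarios are constructed, not taken from the added layout tests.

```javascript
// Added example, not WebKit code: a model of "successive range-request media loads
// to the same URL" tracking, with the decision rule from the commit message.
class MediaRangeResponseTracker {
  constructor() {
    // url -> array of { viaServiceWorker, opaque, origin } (record shape is assumed)
    this.loadsByUrl = new Map();
  }

  // Record one byte-range response for `url` and return true if it passes the check.
  // `origin` is the origin the bytes are attributed to: the responding server for a
  // network response, or (assumption) the service worker's own origin for a
  // synthetic Response built by the worker.
  verifyMediaResponse(url, { viaServiceWorker, opaque, origin }) {
    const loads = this.loadsByUrl.get(url) ?? [];
    loads.push({ viaServiceWorker, opaque, origin });
    this.loadsByUrl.set(url, loads);

    // Compat limiter: validation can only fail if a service worker served a load.
    if (!loads.some(l => l.viaServiceWorker)) return true;

    const sawVisible = loads.some(l => !l.opaque); // same-origin, synthetic or CORS
    const sawOpaque = loads.some(l => l.opaque);
    if (!(sawVisible && sawOpaque)) return true;   // all visible, or all opaque

    // Mixed visible and opaque bytes for one URL: only allowed if every load
    // came from the same origin.
    const origins = new Set(loads.map(l => l.origin));
    return origins.size === 1;
  }
}

// Scenario A (the failing case the fix targets): the attacker's worker answers the
// first range with synthetic bytes, then lets a later range for the same URL fall
// through to the cross-origin server as an opaque response.
function leakScenario() {
  const t = new MediaRangeResponseTracker();
  const url = "https://victim.example/secret.mp4";          // constructed
  const r1 = t.verifyMediaResponse(url, { viaServiceWorker: true, opaque: false, origin: "https://attacker.example" });
  const r2 = t.verifyMediaResponse(url, { viaServiceWorker: true, opaque: true,  origin: "https://victim.example" });
  return [r1, r2]; // second load is rejected
}

// Scenario B: every load is visible to the worker (synthetic, then a CORS-enabled
// response from another origin). Different origins, but nothing opaque: allowed.
function allVisibleScenario() {
  const t = new MediaRangeResponseTracker();
  const url = "https://cdn.example/clip.mp4";                // constructed
  const r1 = t.verifyMediaResponse(url, { viaServiceWorker: true, opaque: false, origin: "https://app.example" });
  const r2 = t.verifyMediaResponse(url, { viaServiceWorker: true, opaque: false, origin: "https://cdn.example" });
  return [r1, r2];
}

// Scenario C: no service worker involved at all, so the check never fails even
// for opaque loads attributed to different origins.
function noServiceWorkerScenario() {
  const t = new MediaRangeResponseTracker();
  const url = "https://cdn.example/clip.mp4";                // constructed
  const r1 = t.verifyMediaResponse(url, { viaServiceWorker: false, opaque: true, origin: "https://cdn.example" });
  const r2 = t.verifyMediaResponse(url, { viaServiceWorker: false, opaque: true, origin: "https://mirror.example" });
  return [r1, r2];
}
```

Scenario A is the shape of the size leak: a worker that can decide per range whether to synthesize bytes or hand back an opaque cross-origin response can observe, through the media element's behaviour, where the real resource ends. Scenario B is why the rule is keyed on opaqueness rather than on origin alone, so that HLS-style loads that the worker can already read keep working.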


