[webkit-changes] [WebKit/WebKit] 19287e: sameSiteInfo.isSameSite may not match URLs used in...
Charlie Wolfe
noreply at github.com
Tue Jan 14 14:46:55 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 19287e51e57f5918c5660a18e7cc4e9821a541b6
https://github.com/WebKit/WebKit/commit/19287e51e57f5918c5660a18e7cc4e9821a541b6
Author: Charlie Wolfe <charliew at apple.com>
Date: 2025-01-14 (Tue, 14 Jan 2025)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/page/SecurityPolicy.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKHTTPCookieStore.mm
Log Message:
-----------
sameSiteInfo.isSameSite may not match URLs used in Data Isolation checks
https://bugs.webkit.org/show_bug.cgi?id=283309
rdar://140129837
Reviewed by Sihui Liu.
This patch fixes an issue where a WebContent process can send IPC with URLs that are not same-site, but
contain `sameSiteInfo` that indicates that the request is same-site. This can lead to requesting cookies
for a URL that was not considered in the data isolation check.
To lower risk, we reject cookie access instead of terminating the sender process. More details provided
below.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::setOriginalURLForDownloadRequest):
(WebCore::FrameLoader::updateRequestAndAddExtraFields):
(WebCore::FrameLoader::addSameSiteInfoToRequestIfNeeded):
* Source/WebCore/loader/FrameLoader.h:
These quirks were added when cookies were SameSite=Lax by default, which is no longer the case, so they can
be removed. Keeping them would mean certain requests would unexpectedly be considered same-site, and
would fail the check being added in the network process.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
This is an existing bug that was revealed by this change, and is needed to fix
`http/tests/cache/disk-cache/disk-cache-vary-cookie.html`.
* Source/WebCore/page/SecurityPolicy.h:
Export `shouldInheritSecurityOriginFromOwner` so that it can be used in the network process.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::shouldTreatAsSameSite const):
Add a network process side same-site check, similar to `FrameLoader::addSameSiteInfoToRequestIfNeeded`.
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
Validate all cookie messages that contain `sameSiteInfo`.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(InvalidSameSiteInfoCookieRequestHeaderFieldValue)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm:
(TestWebKitAPI::TEST(SOAuthorizationSubFrame, InterceptionSucceedWithCookie)):
Fix this test, which was trying to a cookie from example.com on a page with an empty main frame URL.
Originally-landed-as: 283286.501 at safari-7620-branch (b7402f10b17c). rdar://141317150
Canonical link: https://commits.webkit.org/288893@main
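The defensive pattern this commit describes (the privileged network process recomputes same-siteness from the URLs instead of trusting the `isSameSite` flag the WebContent process sent, and denies cookie access on a mismatch) as an added, stand-alone illustration. This is not WebKit's code: `CookieRequest`, `schemeAndHost`, `registrableDomain` and `shouldAllowCookieAccess` are hypothetical names, URL parsing is simplified, and the registrable domain is approximated as the last two host labels with no public suffix list.

```cpp
#include <cctype>
#include <initializer_list>
#include <string>
#include <string_view>
#include <utility>

// Hypothetical model of the IPC payload: the WebContent process sends the URLs
// together with its own (untrusted) claim that the request is same-site.
struct SameSiteInfo { bool isSameSite = false; };
struct CookieRequest {
    std::string firstPartyForCookies; // top-level document URL
    std::string requestURL;           // URL the cookies are requested for
    SameSiteInfo sameSiteInfo;        // claim made by the sender
};

// Scheme and host of a URL, lowercased; both empty if it lacks "scheme://".
static std::pair<std::string, std::string> schemeAndHost(std::string_view url) {
    auto pos = url.find("://");
    if (pos == std::string_view::npos) return {};
    auto rest = url.substr(pos + 3);
    std::string scheme(url.substr(0, pos)), host(rest.substr(0, rest.find_first_of("/:?#")));
    for (auto* part : {&scheme, &host})
        for (auto& c : *part) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return {scheme, host};
}

// Assumption: registrable domain approximated as the last two labels (no public
// suffix list), so "static.example.com" -> "example.com".
static std::string registrableDomain(std::string_view host) {
    auto last = host.rfind('.');
    if (last == std::string_view::npos || last == 0) return std::string(host);
    auto prev = host.rfind('.', last - 1);
    return std::string(prev == std::string_view::npos ? host : host.substr(prev + 1));
}

// Schemeful site = scheme + registrable domain, recomputed on the privileged side
// from the URLs alone. An empty or unparsable URL is never same-site.
static bool computeIsSameSite(const CookieRequest& r) {
    auto fp = schemeAndHost(r.firstPartyForCookies), req = schemeAndHost(r.requestURL);
    if (fp.first.empty() || fp.second.empty() || req.first.empty() || req.second.empty()) return false;
    return fp.first == req.first && registrableDomain(fp.second) == registrableDomain(req.second);
}

// Policy from the log message: a same-site claim the network side cannot confirm
// from the URLs is rejected (cookie access denied) rather than killing the sender.
static bool shouldAllowCookieAccess(const CookieRequest& r) {
    return !(r.sameSiteInfo.isSameSite && !computeIsSameSite(r));
}
```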