Changeset 230365 in webkit

Timestamp:

Apr 6, 2018 8:48:55 PM (6 years ago)

Author:

youenn@apple.com

Message:

Response headers should be filtered when sent from NetworkProcess to WebProcess
​https://bugs.webkit.org/show_bug.cgi?id=184310

Reviewed by Ryosuke Niwa.

Source/WebCore:

Did some refactoring to allow ResourceResponse to use header value parsing routines.
We add sanitization levels for regular responses in case responses might be exposed to scripts or not.
If not exposed to scripts, additional filtering is done.

Add internal API to get unfiltered response headers from a fetch response.
Test: http/wpt/service-workers/header-filtering.https.html

• Modules/fetch/FetchResponse.h:
• loader/CrossOriginPreflightResultCache.cpp:

(WebCore::CrossOriginPreflightResultCacheItem::parse):

• platform/network/HTTPParsers.h:

(WebCore::addToAccessControlAllowList):
(WebCore::parseAccessControlAllowList):

• platform/network/ResourceResponseBase.cpp:

(WebCore::isSafeToKeepRedirectionResponseHeader):
(WebCore::isCrossOriginSafeToKeepResponseHeader):
(WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):

• platform/network/ResourceResponseBase.h:
• testing/ServiceWorkerInternals.cpp:

(WebCore::ServiceWorkerInternals::fetchResponseHeaderList):

• testing/ServiceWorkerInternals.h:
• testing/ServiceWorkerInternals.idl:

Source/WebKit:

Pass destination parameter to NetworkResourceLoader.
Use new sanitization routine to filter response headers as needed:

• Cross-origin routines are filtered by removing any non CORS allowed headers.
• Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch).

In all cases, Set-Cookie/Set-Cookie2 headers are filtered out.

• NetworkProcess/NetworkResourceLoadParameters.cpp:

(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):

• NetworkProcess/NetworkResourceLoadParameters.h:
• NetworkProcess/NetworkResourceLoader.cpp:

(WebKit::NetworkResourceLoader::didReceiveResponse):
(WebKit::NetworkResourceLoader::willSendRedirectedRequest):
(WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
(WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):

• NetworkProcess/NetworkResourceLoader.h:
• WebProcess/Network/WebLoaderStrategy.cpp:

(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):

• WebProcess/Storage/WebSWContextManagerConnection.cpp:

(WebKit::WebSWContextManagerConnection::updatePreferencesStore):

LayoutTests:

Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads.

• http/wpt/service-workers/header-filtering-worker.js: Added.
• http/wpt/service-workers/header-filtering.https-expected.txt: Added.

Some tests are failing as navigation loads are not yet filtered and we
have no good way yet to detect cross origin loads.

• http/wpt/service-workers/header-filtering.https.html: Added.
• http/wpt/service-workers/resources/header-filtering-iframe.html: Added.
• http/wpt/service-workers/resources/response-full-of-headers.py: Added.
• http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
• http/tests/webarchive/test-preload-resources-expected.txt: Added.
• platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
• platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added.
• platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
• platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/service-workers/header-filtering-worker.js (added)
• LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt (added)
• LayoutTests/http/wpt/service-workers/header-filtering.https.html (added)
• LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html (added)
• LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py (added)
• LayoutTests/platform/mac-wk1/http/tests (added)
• LayoutTests/platform/mac-wk1/http/tests/webarchive (added)
• LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt (copied) (copied from trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt)
• LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt (copied) (copied from trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt)
• LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt (modified) (7 diffs)
• LayoutTests/platform/win/http/tests/webarchive (added)
• LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt (copied) (copied from trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt)
• LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt (copied) (copied from trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchResponse.h (modified) (1 diff)
• Source/WebCore/loader/CrossOriginPreflightResultCache.cpp (modified) (1 diff)
• Source/WebCore/platform/network/HTTPParsers.h (modified) (1 diff)
• Source/WebCore/platform/network/ResourceResponseBase.cpp (modified) (3 diffs)
• Source/WebCore/platform/network/ResourceResponseBase.h (modified) (1 diff)
• Source/WebCore/testing/ServiceWorkerInternals.cpp (modified) (1 diff)
• Source/WebCore/testing/ServiceWorkerInternals.h (modified) (1 diff)
• Source/WebCore/testing/ServiceWorkerInternals.idl (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (modified) (5 diffs)
• Source/WebKit/NetworkProcess/NetworkResourceLoader.h (modified) (2 diffs)
• Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (modified) (3 diffs)
• Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads.
+
+        * http/wpt/service-workers/header-filtering-worker.js: Added.
+        * http/wpt/service-workers/header-filtering.https-expected.txt: Added.
+        Some tests are failing as navigation loads are not yet filtered and we
+        have no good way yet to detect cross origin loads.
+        * http/wpt/service-workers/header-filtering.https.html: Added.
+        * http/wpt/service-workers/resources/header-filtering-iframe.html: Added.
+        * http/wpt/service-workers/resources/response-full-of-headers.py: Added.
+        * http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * http/tests/webarchive/test-preload-resources-expected.txt: Added.
+        * platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added.
+        * platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added.
+
 2018-04-06  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt

@@ -56 +56 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>

trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt

@@ -66 +66 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -103 +101 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -140 +136 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -177 +171 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -214 +206 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -251 +241 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -288 +276 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                        <key>Server</key>
-                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Did some refactoring to allow ResourceResponse to use header value parsing routines.
+        We add sanitization levels for regular responses in case responses might be exposed to scripts or not.
+        If not exposed to scripts, additional filtering is done.
+
+        Add internal API to get unfiltered response headers from a fetch response.
+        Test: http/wpt/service-workers/header-filtering.https.html
+
+        * Modules/fetch/FetchResponse.h:
+        * loader/CrossOriginPreflightResultCache.cpp:
+        (WebCore::CrossOriginPreflightResultCacheItem::parse):
+        * platform/network/HTTPParsers.h:
+        (WebCore::addToAccessControlAllowList):
+        (WebCore::parseAccessControlAllowList):
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::isSafeToKeepRedirectionResponseHeader):
+        (WebCore::isCrossOriginSafeToKeepResponseHeader):
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):
+        * platform/network/ResourceResponseBase.h:
+        * testing/ServiceWorkerInternals.cpp:
+        (WebCore::ServiceWorkerInternals::fetchResponseHeaderList):
+        * testing/ServiceWorkerInternals.h:
+        * testing/ServiceWorkerInternals.idl:
+
 2018-04-06  Michael Catanzaro  <mcatanzaro@igalia.com>
 

trunk/Source/WebCore/Modules/fetch/FetchResponse.h

@@ -110 +110 @@
     const std::optional<ResourceError>& loadingError() const { return m_loadingError; }
 
+    const HTTPHeaderMap& internalResponseHeaders() const { return m_internalResponse.httpHeaderFields(); }
+
 private:
     FetchResponse(ScriptExecutionContext&, std::optional<FetchBody>&&, Ref<FetchHeaders>&&, ResourceResponse&&);

trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp

@@ -53 +53 @@
 }
 
-template<class HashType>
-static void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
-{
-    StringImpl* stringImpl = string.impl();
-    if (!stringImpl)
-        return;
-
-    // Skip white space from start.
-    while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
-        ++start;
-
-    // only white space
-    if (start > end) 
-        return;
-
-    // Skip white space from end.
-    while (end && isSpaceOrNewline((*stringImpl)[end]))
-        --end;
-
-    set.add(string.substring(start, end - start + 1));
-}
-
-template<class HashType>
-static bool parseAccessControlAllowList(const String& string, HashSet<String, HashType>& set)
-{
-    unsigned start = 0;
-    size_t end;
-    while ((end = string.find(',', start)) != notFound) {
-        if (start != end)
-            addToAccessControlAllowList(string, start, end - 1, set);
-        start = end + 1;
-    }
-    if (start != string.length())
-        addToAccessControlAllowList(string, start, string.length() - 1, set);
-
-    return true;
-}
-
 bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response, String& errorDescription)
 {
     m_methods.clear();
-    if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods), m_methods)) {
+    auto methods = parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods));
+    if (!methods) {
         errorDescription = "Cannot parse Access-Control-Allow-Methods response header field.";
         return false;
     }
+    m_methods = WTFMove(methods.value());
 
     m_headers.clear();
-    if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders), m_headers)) {
+    auto headers = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders));
+    if (!headers) {
         errorDescription = "Cannot parse Access-Control-Allow-Headers response header field.";
         return false;
     }
+    m_headers = WTFMove(headers.value());
 
     Seconds expiryDelta = 0_s;

trunk/Source/WebCore/platform/network/HTTPParsers.h

@@ -120 +120 @@
 }
 
+template<class HashType>
+void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
+{
+    StringImpl* stringImpl = string.impl();
+    if (!stringImpl)
+        return;
+
+    // Skip white space from start.
+    while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
+        ++start;
+
+    // only white space
+    if (start > end)
+        return;
+
+    // Skip white space from end.
+    while (end && isSpaceOrNewline((*stringImpl)[end]))
+        --end;
+
+    set.add(string.substring(start, end - start + 1));
 }
+
+template<class HashType = DefaultHash<String>::Hash>
+std::optional<HashSet<String, HashType>> parseAccessControlAllowList(const String& string)
+{
+    HashSet<String, HashType> set;
+    unsigned start = 0;
+    size_t end;
+    while ((end = string.find(',', start)) != notFound) {
+        if (start != end)
+            addToAccessControlAllowList(string, start, end - 1, set);
+        start = end + 1;
+    }
+    if (start != string.length())
+        addToAccessControlAllowList(string, start, string.length() - 1, set);
+
+    return set;
+}
+
+}

trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp

@@ -318 +318 @@
 }
 
-static bool isSafeToKeepRedirectionHeader(HTTPHeaderName name)
+static bool isSafeRedirectionResponseHeader(HTTPHeaderName name)
 {
     // WebCore needs to keep location and cache related headers as it does caching.
@@ -331 +331 @@
         || name == HTTPHeaderName::Age
         || name == HTTPHeaderName::Pragma
+        || name == HTTPHeaderName::ReferrerPolicy
         || name == HTTPHeaderName::Refresh
         || name == HTTPHeaderName::Vary
@@ -342 +343 @@
 }
 
-void ResourceResponseBase::sanitizeRedirectionHTTPHeaderFields()
-{
-    lazyInit(AllFields);
-
-    auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
-    for (auto& header : commonHeaders) {
-        if (isSafeToKeepRedirectionHeader(header.key))
-            m_httpHeaderFields.add(header.key, WTFMove(header.value));
-    }
-    m_httpHeaderFields.uncommonHeaders().clear();
+static bool isSafeCrossOriginResponseHeader(HTTPHeaderName name)
+{
+    // All known response headers used in WebProcesses.
+    return name == HTTPHeaderName::AcceptRanges
+        || name == HTTPHeaderName::AccessControlAllowCredentials
+        || name == HTTPHeaderName::AccessControlAllowHeaders
+        || name == HTTPHeaderName::AccessControlAllowMethods
+        || name == HTTPHeaderName::AccessControlAllowOrigin
+        || name == HTTPHeaderName::AccessControlExposeHeaders
+        || name == HTTPHeaderName::AccessControlMaxAge
+        || name == HTTPHeaderName::AccessControlRequestHeaders
+        || name == HTTPHeaderName::AccessControlRequestMethod
+        || name == HTTPHeaderName::Age
+        || name == HTTPHeaderName::CacheControl
+        || name == HTTPHeaderName::ContentDisposition
+        || name == HTTPHeaderName::ContentEncoding
+        || name == HTTPHeaderName::ContentLanguage
+        || name == HTTPHeaderName::ContentLength
+        || name == HTTPHeaderName::ContentRange
+        || name == HTTPHeaderName::ContentSecurityPolicy
+        || name == HTTPHeaderName::ContentSecurityPolicyReportOnly
+        || name == HTTPHeaderName::ContentType
+        || name == HTTPHeaderName::Date
+        || name == HTTPHeaderName::ETag
+        || name == HTTPHeaderName::Expires
+        || name == HTTPHeaderName::IcyMetaInt
+        || name == HTTPHeaderName::IcyMetadata
+        || name == HTTPHeaderName::LastEventID
+        || name == HTTPHeaderName::LastModified
+        || name == HTTPHeaderName::Link
+        || name == HTTPHeaderName::Pragma
+        || name == HTTPHeaderName::Range
+        || name == HTTPHeaderName::ReferrerPolicy
+        || name == HTTPHeaderName::Refresh
+        || name == HTTPHeaderName::SourceMap
+        || name == HTTPHeaderName::XSourceMap
+        || name == HTTPHeaderName::TimingAllowOrigin
+        || name == HTTPHeaderName::Trailer
+        || name == HTTPHeaderName::Vary
+        || name == HTTPHeaderName::XContentTypeOptions
+        || name == HTTPHeaderName::XDNSPrefetchControl
+        || name == HTTPHeaderName::XFrameOptions
+        || name == HTTPHeaderName::XWebKitCSP
+        || name == HTTPHeaderName::XWebKitCSPReportOnly
+        || name == HTTPHeaderName::XXSSProtection;
+}
+
+void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type)
+{
+    lazyInit(AllFields);
+
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie);
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie2);
+
+    switch (type) {
+    case SanitizationType::RemoveCookies:
+        return;
+    case SanitizationType::Redirection: {
+        auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
+        for (auto& header : commonHeaders) {
+            if (isSafeRedirectionResponseHeader(header.key))
+                m_httpHeaderFields.add(header.key, WTFMove(header.value));
+        }
+        m_httpHeaderFields.uncommonHeaders().clear();
+        return;
+    }
+    case SanitizationType::CrossOriginSafe: {
+        HTTPHeaderMap filteredHeaders;
+        for (auto& header : m_httpHeaderFields.commonHeaders()) {
+            if (isSafeCrossOriginResponseHeader(header.key))
+                filteredHeaders.add(header.key, WTFMove(header.value));
+        }
+        if (auto corsSafeHeaderSet = parseAccessControlAllowList(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders))) {
+            for (auto& headerName : *corsSafeHeaderSet) {
+                if (!filteredHeaders.contains(headerName)) {
+                    auto value = m_httpHeaderFields.get(headerName);
+                    if (!value.isNull())
+                        filteredHeaders.add(headerName, value);
+                }
+            }
+        }
+        m_httpHeaderFields = WTFMove(filteredHeaders);
+    }
+    }
 }
 

trunk/Source/WebCore/platform/network/ResourceResponseBase.h

@@ -103 +103 @@
     WEBCORE_EXPORT const HTTPHeaderMap& httpHeaderFields() const;
     void setHTTPHeaderFields(HTTPHeaderMap&&);
-    WEBCORE_EXPORT void sanitizeRedirectionHTTPHeaderFields();
+
+    enum class SanitizationType { Redirection, RemoveCookies, CrossOriginSafe };
+    WEBCORE_EXPORT void sanitizeHTTPHeaderFields(SanitizationType);
 
     String httpHeaderField(const String& name) const;

trunk/Source/WebCore/testing/ServiceWorkerInternals.cpp

@@ -81 +81 @@
 }
 
+Vector<String> ServiceWorkerInternals::fetchResponseHeaderList(FetchResponse& response)
+{
+    Vector<String> headerNames;
+    headerNames.reserveInitialCapacity(response.internalResponseHeaders().size());
+    for (auto keyValue : response.internalResponseHeaders())
+        headerNames.uncheckedAppend(keyValue.key);
+    return headerNames;
+}
+
 } // namespace WebCore
 

trunk/Source/WebCore/testing/ServiceWorkerInternals.h

@@ -48 +48 @@
     Ref<FetchResponse> createOpaqueWithBlobBodyResponse(ScriptExecutionContext&);
 
+    Vector<String> fetchResponseHeaderList(FetchResponse&);
+
 private:
     explicit ServiceWorkerInternals(ServiceWorkerIdentifier);

trunk/Source/WebCore/testing/ServiceWorkerInternals.idl

@@ -34 +34 @@
     [CallWith=ScriptExecutionContext] FetchEvent createBeingDispatchedFetchEvent();
     [CallWith=ScriptExecutionContext] FetchResponse createOpaqueWithBlobBodyResponse();
+
+    sequence<ByteString> fetchResponseHeaderList(FetchResponse response);
 };

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Pass destination parameter to NetworkResourceLoader.
+        Use new sanitization routine to filter response headers as needed:
+        - Cross-origin routines are filtered by removing any non CORS allowed headers.
+        - Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch).
+        In all cases, Set-Cookie/Set-Cookie2 headers are filtered out.
+
+        * NetworkProcess/NetworkResourceLoadParameters.cpp:
+        (WebKit::NetworkResourceLoadParameters::encode const):
+        (WebKit::NetworkResourceLoadParameters::decode):
+        * NetworkProcess/NetworkResourceLoadParameters.h:
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::didReceiveResponse):
+        (WebKit::NetworkResourceLoader::willSendRedirectedRequest):
+        (WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
+        (WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
+        (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
+        * NetworkProcess/NetworkResourceLoader.h:
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+        * WebProcess/Storage/WebSWContextManagerConnection.cpp:
+        (WebKit::WebSWContextManagerConnection::updatePreferencesStore):
+
 2018-04-05  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp

@@ -90 +90 @@
         encoder << sourceOrigin->data();
     encoder.encodeEnum(mode);
+    encoder.encodeEnum(destination);
     encoder << cspResponseHeaders;
 
@@ -180 +181 @@
     if (!decoder.decodeEnum(result.mode))
         return false;
+    if (!decoder.decodeEnum(result.destination))
+        return false;
     if (!decoder.decode(result.cspResponseHeaders))
         return false;

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h

@@ -58 +58 @@
     RefPtr<WebCore::SecurityOrigin> sourceOrigin;
     WebCore::FetchOptions::Mode mode;
+    WebCore::FetchOptions::Destination destination;
     std::optional<WebCore::ContentSecurityPolicyResponseHeaders> cspResponseHeaders;
     bool shouldRestrictHTTPResponseAccess { false };

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp

@@ -336 +336 @@
     bool shouldWaitContinueDidReceiveResponse = isMainResource();
     if (shouldSendDidReceiveResponse) {
+        // FIXME: Sanitize response.
+        auto response = sanitizeResponseIfPossible(ResourceResponse { m_response }, ResourceResponse::SanitizationType::CrossOriginSafe);
         if (isSynchronous())
-            m_synchronousLoadData->response = m_response;
+            m_synchronousLoadData->response = WTFMove(response);
         else
-            send(Messages::WebResourceLoader::DidReceiveResponse(m_response, shouldWaitContinueDidReceiveResponse));
+            send(Messages::WebResourceLoader::DidReceiveResponse { response, shouldWaitContinueDidReceiveResponse });
     }
 
@@ -460 +462 @@
         m_cache->storeRedirect(request, redirectResponse, redirectRequest);
 
-    send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeRedirectResponseIfPossible(WTFMove(redirectResponse))));
-}
-
-ResourceResponse NetworkResourceLoader::sanitizeRedirectResponseIfPossible(ResourceResponse&& response)
-{
-    if (m_parameters.shouldRestrictHTTPResponseAccess)
-        response.sanitizeRedirectionHTTPHeaderFields();
+    send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection)));
+}
+
+ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceResponse&& response, ResourceResponse::SanitizationType type)
+{
+    if (m_parameters.shouldRestrictHTTPResponseAccess) {
+        if (type == ResourceResponse::SanitizationType::CrossOriginSafe) {
+            // We reduce filtering when it would otherwise be visible to scripts.
+            // FIXME: We should use response tainting once computed in Network Process.
+            bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : protocolHostAndPortAreEqual(response.url(), m_parameters.request.url());
+            if (isSameOrigin && m_parameters.destination == FetchOptions::Destination::EmptyString)
+                type = ResourceResponse::SanitizationType::RemoveCookies;
+        }
+        response.sanitizeHTTPHeaderFields(type);
+    }
     return WTFMove(response);
 }
@@ -569 +579 @@
 void NetworkResourceLoader::didRetrieveCacheEntry(std::unique_ptr<NetworkCache::Entry> entry)
 {
+    auto response = sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::CrossOriginSafe);
     if (isSynchronous()) {
-        m_synchronousLoadData->response = entry->response();
+        m_synchronousLoadData->response = WTFMove(response);
         sendReplyToSynchronousRequest(*m_synchronousLoadData, entry->buffer());
         cleanup();
@@ -577 +588 @@
 
     bool needsContinueDidReceiveResponseMessage = isMainResource();
-    send(Messages::WebResourceLoader::DidReceiveResponse(entry->response(), needsContinueDidReceiveResponseMessage));
+    send(Messages::WebResourceLoader::DidReceiveResponse { response, needsContinueDidReceiveResponseMessage });
 
     if (needsContinueDidReceiveResponseMessage)
@@ -673 +684 @@
 
     ++m_redirectCount;
-    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeRedirectResponseIfPossible(ResourceResponse { entry->response() }) });
+    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::Redirection) });
     m_isWaitingContinueWillSendRequestForCachedRedirect = true;
 }

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h

@@ -33 +33 @@
 #include "NetworkResourceLoadParameters.h"
 #include "ShareableResource.h"
+#include <WebCore/ResourceResponse.h>
 #include <WebCore/Timer.h>
 
@@ -147 +148 @@
 #endif
 
-    WebCore::ResourceResponse sanitizeRedirectResponseIfPossible(WebCore::ResourceResponse&&);
+    WebCore::ResourceResponse sanitizeResponseIfPossible(WebCore::ResourceResponse&&, WebCore::ResourceResponse::SanitizationType);
 
     const NetworkResourceLoadParameters m_parameters;

trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

@@ -274 +274 @@
     loadParameters.maximumBufferingTime = maximumBufferingTime;
     loadParameters.derivedCachedDataTypesToRetrieve = resourceLoader.options().derivedCachedDataTypesToRetrieve;
+    loadParameters.destination = resourceLoader.options().destination;
 
     // FIXME: We should also sanitize redirect response for navigations.
@@ -433 +434 @@
     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect(webFrame ? webFrame->coreFrame() : nullptr);
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
+    // FIXME: Use the proper destination once all fetch options are passed.
+    loadParameters.destination = FetchOptions::Destination::EmptyString;
 
     data.shrink(0);
@@ -529 +532 @@
     parameters.shouldPreconnectOnly = PreconnectOnly::Yes;
     parameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
+    // FIXME: Use the proper destination once all fetch options are passed.
+    parameters.destination = FetchOptions::Destination::EmptyString;
 
     WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::PreconnectTo(preconnectionIdentifier, WTFMove(parameters)), 0);

trunk/Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp

@@ -129 +129 @@
     RuntimeEnabledFeatures::sharedFeatures().setResourceTimingEnabled(store.getBoolValueForKey(WebPreferencesKey::resourceTimingEnabledKey()));
     RuntimeEnabledFeatures::sharedFeatures().setFetchAPIKeepAliveEnabled(store.getBoolValueForKey(WebPreferencesKey::fetchAPIKeepAliveEnabledKey()));
+    RuntimeEnabledFeatures::sharedFeatures().setRestrictedHTTPResponseAccess(store.getBoolValueForKey(WebPreferencesKey::restrictedHTTPResponseAccessKey()));
 
     m_storageBlockingPolicy = static_cast<SecurityOrigin::StorageBlockingPolicy>(store.getUInt32ValueForKey(WebPreferencesKey::storageBlockingPolicyKey()));