Changeset 230602 in webkit

Timestamp:

Apr 12, 2018, 3:32:40 PM (7 years ago)

Author:

dbates@webkit.org

Message:

Content-Type not enforced for <script> allows for XSS
​https://bugs.webkit.org/show_bug.cgi?id=184386
<rdar://problem/39112268>

Reviewed by Brady Eidson.

LayoutTests/imported/w3c:

Update expected result now that we pass all sub tests.

• web-platform-tests/fetch/api/basic/block-mime-as-script-expected.txt:

Source/WebCore:

As per the Fetch standard, <​https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?> (16 March 2018),
we should block JavaScript scripts that are served with MIME type text/csv, or a MIME type
that begins with "audio/", "image/" or "video/".

As a side benefit of this change we now set the destination property [1] on preload requests.

[1] <​https://fetch.spec.whatwg.org/#concept-request-destination>

Tests: http/tests/security/script-with-banned-mimetype.html

http/tests/workers/worker-importScripts-banned-mimetype.html

• Sources.txt: Add file FetchIdioms.cpp.
• WebCore.xcodeproj/project.pbxproj: Add files FetchIdioms.{cpp, h}.
• dom/LoadableClassicScript.cpp:

(WebCore::LoadableClassicScript::notifyFinished): Check the MIME type of the response and
block the script if applicable.

• dom/LoadableScript.h: Add error type MIMEType.
• loader/FetchIdioms.cpp: Added.

(WebCore::shouldBlockResponseDueToMIMEType): Implements the "Should response to request be blocked
due to its MIME type?" algorithm from the Fetch standard.

• loader/FetchIdioms.h: Added.
• loader/FetchOptions.h:

(WebCore::isScriptLikeDestination): Implements the definition of "script like" as per <​https://fetch.spec.whatwg.org/#request-destination-script-like>.

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestImage): Removed logic to set the destination property as
CachedResourceLoader::requestResource() is now responsible for doing this.
(WebCore::CachedResourceLoader::requestFont): Ditto.
(WebCore::CachedResourceLoader::requestTextTrack): Ditto.
(WebCore::CachedResourceLoader::requestCSSStyleSheet): Ditto.
(WebCore::CachedResourceLoader::requestScript): Ditto.
(WebCore::CachedResourceLoader::requestXSLStyleSheet): Ditto.
(WebCore::CachedResourceLoader::requestMedia): Update comment to express that we should assert
that the destination property is either video or audio.
(WebCore::CachedResourceLoader::requestIcon): Remove logic to set the destination property as
CachedResourceLoader::requestResource() is now responsible for doing this.
(WebCore::CachedResourceLoader::requestRawResource): Removed assertion as this function is used to
load many kinds of requests that have different destination properties. The caller is responsible
for setting the appropriate destintion property.
(WebCore::CachedResourceLoader::requestMainResource): Remove logic to set the destination property
as CachedResourceLoader::requestResource() is now responsible for doing this.
(WebCore::destinationForType): Helper function that maps CachedResource::Type to FetchOptions::Destination.
(WebCore::CachedResourceLoader::requestResource): Set the destination property on the request if not
already set.

• loader/cache/CachedResourceLoader.h: Segregate requestRawResource() from the other request functions

and add a comment to explain what it is used for.

• workers/Worker.cpp:

(WebCore::Worker::create):

• workers/WorkerScriptLoader.cpp:

(WebCore::WorkerScriptLoader::loadSynchronously): Set the destination property to FetchOptions::Destination::Script
and store it in an instance variable as we will need to reference it once we receive the HTTP response.
Note that this function is only used to support the Web API importScripts().
(WebCore::WorkerScriptLoader::loadAsynchronously): Store the passed destination property in an
instance as we will need to reference it once we receive the HTTP response.
(WebCore::WorkerScriptLoader::didReceiveResponse): Check the MIME type of the response and
block the script if applicable.

• workers/WorkerScriptLoader.h:
• workers/service/ServiceWorkerJob.cpp:

(WebCore::ServiceWorkerJob::fetchScriptWithContext): Set the destination property to FetchOptions::Destination::Serviceworker.

LayoutTests:

Add tests to ensure that we block JavaScript scripts with a banned MIME type and update expected results.

Update tests http/tests/security/{cross-origin-cached-scripts, cross-origin-cached-scripts-parallel}.html
to load JavaScript scripts with MIME type text/javascript. These tests load JavaScript scripts indirectly
via the helper script LayoutTests/http/tests/security/resources/allow-if-origin.php. The script
allow-if-origin.php returns a response with MIME type image/png in absence of query string argument
contentType. We need to update these tests to pass contentType=text/javascript to allow-if-origin.php.

• TestExpectations: Mark test web-platform-tests/fetch/api/basic/block-mime-as-script.html DumpJSConsoleLogInStdErr

to ignore console message output when comparing the actual and expected result because the order the
sub tests are run is non-deterministic and the blocked MIME error message is specific to the blocked
response.

• http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt:
• http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html:
• http/tests/security/contentTypeOptions/resources/script-with-header.pl: Modified to only

set the HTTP header X-Content-Type-Options if the query argument no-content-type-options it
not present or evaluates to false in a boolean context. This lets us make use of this script
to test banned JavaScript MIME types.

• http/tests/security/cross-origin-cached-scripts-expected.txt:
• http/tests/security/cross-origin-cached-scripts-parallel-expected.txt:
• http/tests/security/cross-origin-cached-scripts-parallel.html:
• http/tests/security/cross-origin-cached-scripts.html:
• http/tests/security/resources/abe-that-increments-scriptsSuccessfullyLoaded.jpg: Added.

This file is both a valid JPEG image and a valid JavaScript script. When interpreted as a JavaScript
script it will increment the global variable self.scriptsSuccessfullyLoaded (defining it if
not already defined).

• http/tests/security/script-with-banned-mimetype-expected.txt: Added.
• http/tests/security/script-with-banned-mimetype.html: Added.
• http/tests/workers/resources/worker-importScripts-banned-mimetype.php: Added.
• http/tests/workers/worker-importScripts-banned-mimetype-expected.txt: Added.
• http/tests/workers/worker-importScripts-banned-mimetype.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-cached-scripts-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel.html (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-cached-scripts.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/abe-that-increments-scriptsSuccessfullyLoaded.jpg (added)
• LayoutTests/http/tests/security/script-with-banned-mimetype-expected.txt (added)
• LayoutTests/http/tests/security/script-with-banned-mimetype.html (added)
• LayoutTests/http/tests/workers/resources/worker-importScripts-banned-mimetype.php (added)
• LayoutTests/http/tests/workers/worker-importScripts-banned-mimetype-expected.txt (added)
• LayoutTests/http/tests/workers/worker-importScripts-banned-mimetype.html (added)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Sources.txt (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/WebCore/dom/LoadableClassicScript.cpp (modified) (2 diffs)
• Source/WebCore/dom/LoadableScript.h (modified) (1 diff)
• Source/WebCore/loader/FetchIdioms.cpp (added)
• Source/WebCore/loader/FetchIdioms.h (added)
• Source/WebCore/loader/FetchOptions.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (11 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.h (modified) (2 diffs)
• Source/WebCore/workers/Worker.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerScriptLoader.cpp (modified) (5 diffs)
• Source/WebCore/workers/WorkerScriptLoader.h (modified) (2 diffs)
• Source/WebCore/workers/service/ServiceWorkerJob.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-04-12  Daniel Bates  <dabates@apple.com>
+
+        Content-Type not enforced for <script> allows for XSS
+        https://bugs.webkit.org/show_bug.cgi?id=184386
+        <rdar://problem/39112268>
+
+        Reviewed by Brady Eidson.
+
+        Add tests to ensure that we block JavaScript scripts with a banned MIME type and update expected results.
+
+        Update tests http/tests/security/{cross-origin-cached-scripts, cross-origin-cached-scripts-parallel}.html
+        to load JavaScript scripts with MIME type text/javascript. These tests load JavaScript scripts indirectly
+        via the helper script LayoutTests/http/tests/security/resources/allow-if-origin.php. The script
+        allow-if-origin.php returns a response with MIME type image/png in absence of query string argument
+        contentType. We need to update these tests to pass contentType=text/javascript to allow-if-origin.php.
+
+        * TestExpectations: Mark test web-platform-tests/fetch/api/basic/block-mime-as-script.html DumpJSConsoleLogInStdErr
+        to ignore console message output when comparing the actual and expected result because the order the
+        sub tests are run is non-deterministic and the blocked MIME error message is specific to the blocked
+        response.
+        * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt:
+        * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html:
+        * http/tests/security/contentTypeOptions/resources/script-with-header.pl: Modified to only
+        set the HTTP header X-Content-Type-Options if the query argument no-content-type-options it
+        not present or evaluates to false in a boolean context. This lets us make use of this script
+        to test banned JavaScript MIME types.
+        * http/tests/security/cross-origin-cached-scripts-expected.txt:
+        * http/tests/security/cross-origin-cached-scripts-parallel-expected.txt:
+        * http/tests/security/cross-origin-cached-scripts-parallel.html:
+        * http/tests/security/cross-origin-cached-scripts.html:
+        * http/tests/security/resources/abe-that-increments-scriptsSuccessfullyLoaded.jpg: Added.
+        This file is both a valid JPEG image and a valid JavaScript script. When interpreted as a JavaScript
+        script it will increment the global variable self.scriptsSuccessfullyLoaded (defining it if
+        not already defined).
+        * http/tests/security/script-with-banned-mimetype-expected.txt: Added.
+        * http/tests/security/script-with-banned-mimetype.html: Added.
+        * http/tests/workers/resources/worker-importScripts-banned-mimetype.php: Added.
+        * http/tests/workers/worker-importScripts-banned-mimetype-expected.txt: Added.
+        * http/tests/workers/worker-importScripts-banned-mimetype.html: Added.
+
 2018-04-12  Antoine Quint  <graouts@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -609 +609 @@
 imported/w3c/web-platform-tests/XMLHttpRequest/responsexml-document-properties.htm [ Failure ]
 
+imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html [ DumpJSConsoleLogInStdErr ]
 imported/w3c/web-platform-tests/fetch/api/cors/cors-origin.any.html [ DumpJSConsoleLogInStdErr ]
 imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-status.any.html [ DumpJSConsoleLogInStdErr ]

trunk/LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/json'.
-CONSOLE MESSAGE: line 2: Executed script with MIME type: 'image/png'.
 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/html'.
 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/vbs'.

trunk/LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html

@@ -11 +11 @@
         var unscriptyMimeTypes = [
             'application/json',
-            'image/png',
             'text/html',
             'text/vbs',

trunk/LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl

@@ -8 +8 @@
     print "Content-Type: " . $cgi->param('mime') . "\n";
 }
-if ($cgi->param('options')) {
-    print "X-Content-Type-Options: " . $cgi->param('options') . "\n";
-} else {
-    print "X-Content-Type-Options: nosniff\n";
+if (!$cgi->param('no-content-type-options')) {
+        if ($cgi->param('options')) {
+            print "X-Content-Type-Options: " . $cgi->param('options') . "\n";
+        } else {
+            print "X-Content-Type-Options: nosniff\n";
+        }
 }
 print "\n";

trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-expected.txt

@@ -6 +6 @@
 
 Trying to load sequentially the same script from different origins.
-Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8000 (crossOrigin=anonymous)
-Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)
-Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080
-Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)
-Test 5 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js from localhost:8000 (crossOrigin=anonymous)
-Test 6 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)
+Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8000 (crossOrigin=anonymous)
+Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous)
+Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8080
+Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous)
+Test 5 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js&contentType=text/javascript from localhost:8000 (crossOrigin=anonymous)
+Test 6 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous)
   
   

trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel-expected.txt

@@ -6 +6 @@
 
 Trying to load sequentially the same script from various origins.
-Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8000 (crossOrigin=anonymous)
-Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8080 (crossOrigin=anonymous)
-Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8080
-Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8080 (crossOrigin=anonymous)
+Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8000 (crossOrigin=anonymous)
+Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous)
+Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8080
+Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous)
   
   

trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel.html

@@ -37 +37 @@
 var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
 
-var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000";
-var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000";
+var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript";
+var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript";
 
 function firstTest()

trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts.html

@@ -30 +30 @@
 var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
 
-var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js";
-var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js";
-var allow8000Script3 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js";
+var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript";
+var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript";
+var allow8000Script3 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js&contentType=text/javascript";
 
 var counter = 0;

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2018-04-12  Daniel Bates  <dabates@apple.com>
+
+        Content-Type not enforced for <script> allows for XSS
+        https://bugs.webkit.org/show_bug.cgi?id=184386
+        <rdar://problem/39112268>
+
+        Reviewed by Brady Eidson.
+
+        Update expected result now that we pass all sub tests.
+
+        * web-platform-tests/fetch/api/basic/block-mime-as-script-expected.txt:
+
 2018-04-12  Antoine Quint  <graouts@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
-CONSOLE MESSAGE: line 1: Script loaded
 
-FAIL Should fail loading non-empty script with text/csv MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with audio/aiff MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with audio/midi MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with audio/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with video/avi MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with video/fli MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with video/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with image/jpeg MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with image/gif MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading non-empty script with image/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with text/csv MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with audio/aiff MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with audio/midi MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with audio/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with video/avi MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with video/fli MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with video/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with image/jpeg MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with image/gif MIME type assert_unreached: Unexpected load event Reached unreachable code
-FAIL Should fail loading empty script with image/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code
+PASS Should fail loading non-empty script with text/csv MIME type 
+PASS Should fail loading non-empty script with audio/aiff MIME type 
+PASS Should fail loading non-empty script with audio/midi MIME type 
+PASS Should fail loading non-empty script with audio/whatever MIME type 
+PASS Should fail loading non-empty script with video/avi MIME type 
+PASS Should fail loading non-empty script with video/fli MIME type 
+PASS Should fail loading non-empty script with video/whatever MIME type 
+PASS Should fail loading non-empty script with image/jpeg MIME type 
+PASS Should fail loading non-empty script with image/gif MIME type 
+PASS Should fail loading non-empty script with image/whatever MIME type 
+PASS Should fail loading empty script with text/csv MIME type 
+PASS Should fail loading empty script with audio/aiff MIME type 
+PASS Should fail loading empty script with audio/midi MIME type 
+PASS Should fail loading empty script with audio/whatever MIME type 
+PASS Should fail loading empty script with video/avi MIME type 
+PASS Should fail loading empty script with video/fli MIME type 
+PASS Should fail loading empty script with video/whatever MIME type 
+PASS Should fail loading empty script with image/jpeg MIME type 
+PASS Should fail loading empty script with image/gif MIME type 
+PASS Should fail loading empty script with image/whatever MIME type 
 PASS Should load script with text/html MIME type 
 PASS Should load script with text/plain MIME type 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-04-12  Daniel Bates  <dabates@apple.com>
+
+        Content-Type not enforced for <script> allows for XSS
+        https://bugs.webkit.org/show_bug.cgi?id=184386
+        <rdar://problem/39112268>
+
+        Reviewed by Brady Eidson.
+
+        As per the Fetch standard, <https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?> (16 March 2018),
+        we should block JavaScript scripts that are served with MIME type text/csv, or a MIME type
+        that begins with "audio/", "image/" or "video/".
+
+        As a side benefit of this change we now set the destination property [1] on preload requests.
+
+        [1] <https://fetch.spec.whatwg.org/#concept-request-destination>
+
+        Tests: http/tests/security/script-with-banned-mimetype.html
+               http/tests/workers/worker-importScripts-banned-mimetype.html
+
+        * Sources.txt: Add file FetchIdioms.cpp.
+        * WebCore.xcodeproj/project.pbxproj: Add files FetchIdioms.{cpp, h}.
+        * dom/LoadableClassicScript.cpp:
+        (WebCore::LoadableClassicScript::notifyFinished): Check the MIME type of the response and
+        block the script if applicable.
+        * dom/LoadableScript.h: Add error type MIMEType.
+        * loader/FetchIdioms.cpp: Added.
+        (WebCore::shouldBlockResponseDueToMIMEType): Implements the "Should response to request be blocked
+        due to its MIME type?" algorithm from the Fetch standard.
+        * loader/FetchIdioms.h: Added.
+        * loader/FetchOptions.h:
+        (WebCore::isScriptLikeDestination): Implements the definition of "script like" as per <https://fetch.spec.whatwg.org/#request-destination-script-like>.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestImage): Removed logic to set the destination property as
+        CachedResourceLoader::requestResource() is now responsible for doing this.
+        (WebCore::CachedResourceLoader::requestFont): Ditto.
+        (WebCore::CachedResourceLoader::requestTextTrack): Ditto.
+        (WebCore::CachedResourceLoader::requestCSSStyleSheet): Ditto.
+        (WebCore::CachedResourceLoader::requestScript): Ditto.
+        (WebCore::CachedResourceLoader::requestXSLStyleSheet): Ditto.
+        (WebCore::CachedResourceLoader::requestMedia): Update comment to express that we should assert
+        that the destination property is either video or audio.
+        (WebCore::CachedResourceLoader::requestIcon): Remove logic to set the destination property as
+        CachedResourceLoader::requestResource() is now responsible for doing this.
+        (WebCore::CachedResourceLoader::requestRawResource): Removed assertion as this function is used to
+        load many kinds of requests that have different destination properties. The caller is responsible
+        for setting the appropriate destintion property.
+        (WebCore::CachedResourceLoader::requestMainResource): Remove logic to set the destination property
+        as CachedResourceLoader::requestResource() is now responsible for doing this.
+        (WebCore::destinationForType): Helper function that maps CachedResource::Type to FetchOptions::Destination.
+        (WebCore::CachedResourceLoader::requestResource): Set the destination property on the request if not
+        already set.
+        * loader/cache/CachedResourceLoader.h: Segregate requestRawResource() from the other request functions
+        and add a comment to explain what it is used for.
+        * workers/Worker.cpp:
+        (WebCore::Worker::create):
+        * workers/WorkerScriptLoader.cpp:
+        (WebCore::WorkerScriptLoader::loadSynchronously): Set the destination property to FetchOptions::Destination::Script
+        and store it in an instance variable as we will need to reference it once we receive the HTTP response.
+        Note that this function is only used to support the Web API importScripts().
+        (WebCore::WorkerScriptLoader::loadAsynchronously): Store the passed destination property in an
+        instance as we will need to reference it once we receive the HTTP response.
+        (WebCore::WorkerScriptLoader::didReceiveResponse): Check the MIME type of the response and
+        block the script if applicable.
+        * workers/WorkerScriptLoader.h:
+        * workers/service/ServiceWorkerJob.cpp:
+        (WebCore::ServiceWorkerJob::fetchScriptWithContext): Set the destination property to FetchOptions::Destination::Serviceworker.
+
 2018-04-12  Antoine Quint  <graouts@apple.com>
 

trunk/Source/WebCore/Sources.txt

@@ -1225 +1225 @@
 loader/FrameLoader.cpp
 loader/FrameLoaderStateMachine.cpp
+loader/FetchIdioms.cpp
 loader/HTTPHeaderField.cpp
 loader/HistoryController.cpp

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -4060 +4060 @@
                 CE7B2DB51586ABAD0098B3FA /* TextAlternativeWithRange.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7B2DB11586ABAD0098B3FA /* TextAlternativeWithRange.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 CE7E17831C83A49100AD06AF /* ContentSecurityPolicyHash.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                CEBB8C3320786DCB00039547 /* FetchIdioms.h in Headers */ = {isa = PBXBuildFile; fileRef = CEBB8C3120786DCB00039547 /* FetchIdioms.h */; };
                 CECADFC7153778FF00E37068 /* DictationAlternative.h in Headers */ = {isa = PBXBuildFile; fileRef = CECADFC3153778FF00E37068 /* DictationAlternative.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 CECADFC9153778FF00E37068 /* DictationCommand.h in Headers */ = {isa = PBXBuildFile; fileRef = CECADFC5153778FF00E37068 /* DictationCommand.h */; };
@@ -13350 +13351 @@
                 CE7B2DB21586ABAD0098B3FA /* TextAlternativeWithRange.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = TextAlternativeWithRange.mm; sourceTree = "<group>"; };
                 CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ContentSecurityPolicyHash.h; path = csp/ContentSecurityPolicyHash.h; sourceTree = "<group>"; };
+                CEBB8C3120786DCB00039547 /* FetchIdioms.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FetchIdioms.h; sourceTree = "<group>"; };
+                CEBB8C3220786DCB00039547 /* FetchIdioms.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = FetchIdioms.cpp; sourceTree = "<group>"; };
                 CECADFC2153778FF00E37068 /* DictationAlternative.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DictationAlternative.cpp; sourceTree = "<group>"; };
                 CECADFC3153778FF00E37068 /* DictationAlternative.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DictationAlternative.h; sourceTree = "<group>"; };
@@ -23910 +23913 @@
                                 B255990D0D00D8B900BB825C /* EmptyClients.h */,
                                 414DEDE51F9FE9150047C40D /* EmptyFrameLoaderClient.h */,
+                                CEBB8C3220786DCB00039547 /* FetchIdioms.cpp */,
+                                CEBB8C3120786DCB00039547 /* FetchIdioms.h */,
                                 41AD75391CEF6BCE00A31486 /* FetchOptions.h */,
                                 656D37230ADBA5DE00A4554D /* FormState.cpp */,
@@ -27535 +27540 @@
                                 4129C9971F59B963009D7403 /* FetchBodySource.h in Headers */,
                                 41D129DB1F3D143800D15E47 /* FetchHeaders.h in Headers */,
+                                CEBB8C3320786DCB00039547 /* FetchIdioms.h in Headers */,
                                 4161E2D51FE48DC500EC2E96 /* FetchLoader.h in Headers */,
                                 517A53581F5889E800DCDC0A /* FetchLoaderClient.h in Headers */,

trunk/Source/WebCore/dom/LoadableClassicScript.cpp

@@ -27 +27 @@
 #include "LoadableClassicScript.h"
 
+#include "FetchIdioms.h"
 #include "ScriptElement.h"
 #include "ScriptSourceCode.h"
@@ -96 +97 @@
     }
 
+    if (!m_error && shouldBlockResponseDueToMIMEType(m_cachedScript->response(), m_cachedScript->options().destination)) {
+        m_error = Error {
+            ErrorType::MIMEType,
+            ConsoleMessage {
+                MessageSource::Security,
+                MessageLevel::Error,
+                makeString("Refused to execute ", m_cachedScript->url().stringCenterEllipsizedToLength(), " as script because ", m_cachedScript->response().mimeType(), " is not a script MIME type.")
+            }
+        };
+    }
+
     if (!m_error && !resource.errorOccurred() && !matchIntegrityMetadata(resource, m_integrity)) {
         m_error = Error {

trunk/Source/WebCore/dom/LoadableScript.h

@@ -41 +41 @@
         CachedScript,
         CrossOriginLoad,
+        MIMEType,
         Nosniff,
         FailedIntegrityCheck,

trunk/Source/WebCore/loader/FetchOptions.h

@@ -89 +89 @@
 }
 
+inline bool isScriptLikeDestination(FetchOptions::Destination destination)
+{
+    return destination == FetchOptions::Destination::Script
+        || destination == FetchOptions::Destination::Serviceworker
+        || destination == FetchOptions::Destination::Worker;
+}
+
 }
 

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -198 +198 @@
 ResourceErrorOr<CachedResourceHandle<CachedImage>> CachedResourceLoader::requestImage(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Image);
     if (Frame* frame = this->frame()) {
         if (frame->loader().pageDismissalEventBeingDispatched() != FrameLoader::PageDismissalType::None) {
@@ -216 +215 @@
 ResourceErrorOr<CachedResourceHandle<CachedFont>> CachedResourceLoader::requestFont(CachedResourceRequest&& request, bool isSVG)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Font);
 #if ENABLE(SVG_FONTS)
     if (isSVG)
@@ -229 +227 @@
 ResourceErrorOr<CachedResourceHandle<CachedTextTrack>> CachedResourceLoader::requestTextTrack(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Track);
     return castCachedResourceTo<CachedTextTrack>(requestResource(CachedResource::TextTrackResource, WTFMove(request)));
 }
@@ -236 +233 @@
 ResourceErrorOr<CachedResourceHandle<CachedCSSStyleSheet>> CachedResourceLoader::requestCSSStyleSheet(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Style);
     return castCachedResourceTo<CachedCSSStyleSheet>(requestResource(CachedResource::CSSStyleSheet, WTFMove(request)));
 }
@@ -270 +266 @@
 ResourceErrorOr<CachedResourceHandle<CachedScript>> CachedResourceLoader::requestScript(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Script);
     return castCachedResourceTo<CachedScript>(requestResource(CachedResource::Script, WTFMove(request)));
 }
@@ -277 +272 @@
 ResourceErrorOr<CachedResourceHandle<CachedXSLStyleSheet>> CachedResourceLoader::requestXSLStyleSheet(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Xslt);
     return castCachedResourceTo<CachedXSLStyleSheet>(requestResource(CachedResource::XSLStyleSheet, WTFMove(request)));
 }
@@ -296 +290 @@
 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestMedia(CachedResourceRequest&& request)
 {
-    // FIXME: Set destination to either audio or video.
+    // FIXME: Assert request.options().destination is FetchOptions::Destination::{Audio, Video}.
     return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::MediaResource, WTFMove(request)));
 }
@@ -302 +296 @@
 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestIcon(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Image);
     return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::Icon, WTFMove(request)));
 }
@@ -308 +301 @@
 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestRawResource(CachedResourceRequest&& request)
 {
-    ASSERT(request.options().destination == FetchOptions::Destination::EmptyString || request.options().serviceWorkersMode == ServiceWorkersMode::None);
     return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::RawResource, WTFMove(request)));
 }
@@ -320 +312 @@
 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestMainResource(CachedResourceRequest&& request)
 {
-    request.setDestinationIfNotSet(FetchOptions::Destination::Document);
     return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::MainResource, WTFMove(request)));
 }
@@ -739 +730 @@
 }
 
+static FetchOptions::Destination destinationForType(CachedResource::Type type)
+{
+    switch (type) {
+    case CachedResource::MainResource:
+    case CachedResource::SVGDocumentResource:
+        return FetchOptions::Destination::Document;
+    case CachedResource::ImageResource:
+    case CachedResource::Icon:
+        return FetchOptions::Destination::Image;
+    case CachedResource::CSSStyleSheet:
+        return FetchOptions::Destination::Style;
+    case CachedResource::Script:
+        return FetchOptions::Destination::Script;
+    case CachedResource::FontResource:
+#if ENABLE(SVG_FONTS)
+    case CachedResource::SVGFontResource:
+#endif
+        return FetchOptions::Destination::Font;
+#if ENABLE(XSLT)
+    case CachedResource::XSLStyleSheet:
+        return FetchOptions::Destination::Xslt;
+#endif
+#if ENABLE(VIDEO_TRACK)
+    case CachedResource::TextTrackResource:
+        return FetchOptions::Destination::Track;
+#endif
+#if ENABLE(APPLICATION_MANIFEST)
+    case CachedResource::ApplicationManifest:
+        return FetchOptions::Destination::Manifest;
+#endif
+    case CachedResource::Beacon:
+    case CachedResource::LinkPrefetch:
+    case CachedResource::RawResource:
+    case CachedResource::MediaResource:
+        // The caller is responsible for setting the appropriate destination.
+        return FetchOptions::Destination::EmptyString;
+    }
+}
+
 ResourceErrorOr<CachedResourceHandle<CachedResource>> CachedResourceLoader::requestResource(CachedResource::Type type, CachedResourceRequest&& request, ForPreload forPreload, DeferOption defer)
 {
+    request.setDestinationIfNotSet(destinationForType(type));
+
     // Entry point to https://fetch.spec.whatwg.org/#main-fetch.
     std::unique_ptr<ResourceRequest> originalRequest;

trunk/Source/WebCore/loader/cache/CachedResourceLoader.h

@@ -88 +88 @@
     ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestIcon(CachedResourceRequest&&);
     ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestBeaconResource(CachedResourceRequest&&);
-    ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestRawResource(CachedResourceRequest&&);
     ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestMainResource(CachedResourceRequest&&);
     ResourceErrorOr<CachedResourceHandle<CachedSVGDocument>> requestSVGDocument(CachedResourceRequest&&);
@@ -101 +100 @@
     ResourceErrorOr<CachedResourceHandle<CachedApplicationManifest>> requestApplicationManifest(CachedResourceRequest&&);
 #endif
+
+    // Called to load Web Worker main script, Service Worker main script, importScripts(), XHR,
+    // EventSource, Fetch, and App Cache.
+    ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestRawResource(CachedResourceRequest&&);
 
     // Logs an access denied message to the console for the specified URL.

trunk/Source/WebCore/workers/Worker.cpp

@@ -108 +108 @@
     options.cache = FetchOptions::Cache::Default;
     options.redirect = FetchOptions::Redirect::Follow;
+    options.destination = FetchOptions::Destination::Worker;
     worker->m_scriptLoader->loadAsynchronously(context, WTFMove(request), WTFMove(options), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, worker);
     return WTFMove(worker);

trunk/Source/WebCore/workers/WorkerScriptLoader.cpp

@@ -29 +29 @@
 
 #include "ContentSecurityPolicy.h"
+#include "FetchIdioms.h"
 #include "ResourceResponse.h"
 #include "ScriptExecutionContext.h"
@@ -50 +51 @@
 
     m_url = url;
+    m_destination = FetchOptions::Destination::Script;
 
     std::unique_ptr<ResourceRequest> request(createResourceRequest(initiatorIdentifier));
@@ -66 +68 @@
     options.sendLoadCallbacks = SendCallbacks;
     options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement;
+    options.destination = m_destination;
 #if ENABLE(SERVICE_WORKER)
     options.serviceWorkersMode = workerGlobalScope.isServiceWorkerGlobalScope() ? ServiceWorkersMode::None : ServiceWorkersMode::All;
@@ -78 +81 @@
     m_client = &client;
     m_url = scriptRequest.url();
+    m_destination = fetchOptions.destination;
 
     ASSERT(scriptRequest.httpMethod() == "GET");
@@ -133 +137 @@
     }
 
+    if (shouldBlockResponseDueToMIMEType(response, m_destination)) {
+        String message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because ", response.mimeType(), " is not a script MIME type.");
+        m_error = ResourceError { errorDomainWebKitInternal, 0, response.url(), message, ResourceError::Type::General };
+        m_failed = true;
+        return;
+    }
+
     m_responseURL = response.url();
     m_responseMIMEType = response.mimeType();

trunk/Source/WebCore/workers/WorkerScriptLoader.h

@@ -28 +28 @@
 
 #include "ContentSecurityPolicyResponseHeaders.h"
+#include "FetchOptions.h"
 #include "ResourceError.h"
 #include "ResourceRequest.h"
@@ -92 +93 @@
     URL m_responseURL;
     String m_responseMIMEType;
+    FetchOptions::Destination m_destination;
     ContentSecurityPolicyResponseHeaders m_contentSecurityPolicy;
     unsigned long m_identifier { 0 };

trunk/Source/WebCore/workers/service/ServiceWorkerJob.cpp

@@ -103 +103 @@
     options.cache = cachePolicy;
     options.redirect = FetchOptions::Redirect::Error;
+    options.destination = FetchOptions::Destination::Serviceworker;
     m_scriptLoader->loadAsynchronously(context, WTFMove(request), WTFMove(options), ContentSecurityPolicyEnforcement::DoNotEnforce, ServiceWorkersMode::None, *this);
 }