Changeset 282366 in webkit

Timestamp:

Sep 13, 2021 3:18:26 PM (10 months ago)

Author:

Chris Dumez

Message:

Relax BroadcastChannel origin partitioning if iframe has storage access
​https://bugs.webkit.org/show_bug.cgi?id=230164

Reviewed by Alex Christensen.

Source/WebCore:

In r282105, we started partitioning origins for BroadcastChannel using topOrigin/frameOrigin.
This prevents a topFrame of origin A to message a subframe of origin A if that subframe if under
another domain B. However, the document.requestStorageAccess() API exists to relax storage
partitioning and Gecko relies on this to relax BroadcastChannel origin partitioning as well.
This patch aligns WebKit's behavior with Gecko.

Test: http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html

• dom/BroadcastChannel.cpp:

(WebCore::shouldPartitionOrigin):
(WebCore::BroadcastChannel::MainThreadBridge::create):
(WebCore::BroadcastChannel::MainThreadBridge::name const):
(WebCore::BroadcastChannel::MainThreadBridge::identifier const):
(WebCore::BroadcastChannel::MainThreadBridge::MainThreadBridge):
(WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
(WebCore::BroadcastChannel::MainThreadBridge::registerChannel):
(WebCore::BroadcastChannel::MainThreadBridge::unregisterChannel):
(WebCore::BroadcastChannel::MainThreadBridge::postMessage):
(WebCore::BroadcastChannel::BroadcastChannel):
(WebCore::BroadcastChannel::~BroadcastChannel):
(WebCore::BroadcastChannel::identifier const):
(WebCore::BroadcastChannel::name const):
(WebCore::BroadcastChannel::postMessage):
(WebCore::BroadcastChannel::close):
(WebCore::BroadcastChannel::dispatchMessage):

• dom/BroadcastChannel.h:
• page/ChromeClient.h:

(WebCore::ChromeClient::hasPageLevelStorageAccess const):

Source/WebKit:

• WebProcess/WebCoreSupport/WebChromeClient.cpp:

(WebKit::WebChromeClient::hasPageLevelStorageAccess const):

• WebProcess/WebCoreSupport/WebChromeClient.h:

LayoutTests:

Add layout test coverage.

• http/tests/messaging/broadcastchannel-partitioning-with-storage-access-expected.txt: Added.
• http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html: Added.
• http/tests/messaging/resources/broadcastchannel-partitioning-with-storage-access-iframe.html: Added.
• http/tests/messaging/resources/broadcastchannel-partitioning-with-storage-access-popup.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/messaging/broadcastchannel-partitioning-with-storage-access-expected.txt (added)
• LayoutTests/http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html (added)
• LayoutTests/http/tests/messaging/resources/broadcastchannel-partitioning-with-storage-access-iframe.html (added)
• LayoutTests/http/tests/messaging/resources/broadcastchannel-partitioning-with-storage-access-popup.html (added)
• LayoutTests/platform/mac-wk1/TestExpectations (modified) (1 diff)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/BroadcastChannel.cpp (modified) (6 diffs)
• Source/WebCore/dom/BroadcastChannel.h (modified) (2 diffs)
• Source/WebCore/page/ChromeClient.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp (modified) (1 diff)
• Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-09-13  Chris Dumez  <cdumez@apple.com>
+
+        Relax BroadcastChannel origin partitioning if iframe has storage access
+        https://bugs.webkit.org/show_bug.cgi?id=230164
+
+        Reviewed by Alex Christensen.
+
+        Add layout test coverage.
+
+        * http/tests/messaging/broadcastchannel-partitioning-with-storage-access-expected.txt: Added.
+        * http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html: Added.
+        * http/tests/messaging/resources/broadcastchannel-partitioning-with-storage-access-iframe.html: Added.
+        * http/tests/messaging/resources/broadcastchannel-partitioning-with-storage-access-popup.html: Added.
+
 2021-09-13  Arcady Goldmints-Orlov  <agoldmints@igalia.com>
 

trunk/LayoutTests/platform/mac-wk1/TestExpectations

@@ -79 +79 @@
 editing/async-clipboard/clipboard-read-text-same-origin.html [ Skip ]
 editing/async-clipboard/sanitize-when-reading-markup.html [ Skip ]
+
+# No requestStorageAccess() support for WK1.
+http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html [ Skip ]
 
 imported/w3c/web-platform-tests/websockets/Close-1000-reason.any.html [ Pass Failure ]

trunk/LayoutTests/platform/win/TestExpectations

@@ -4637 +4637 @@
 fast/html/broadcast-channel-between-different-sessions.html [ Skip ]
 http/tests/messaging/broadcastchannel-partitioning.html [ Skip ]
+http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html [ Skip ]
 
 # This test is skipped because the necessary feature flag functionality specific to the Windows WebKit legacy port is

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-09-13  Chris Dumez  <cdumez@apple.com>
+
+        Relax BroadcastChannel origin partitioning if iframe has storage access
+        https://bugs.webkit.org/show_bug.cgi?id=230164
+
+        Reviewed by Alex Christensen.
+
+        In r282105, we started partitioning origins for BroadcastChannel using topOrigin/frameOrigin.
+        This prevents a topFrame of origin A to message a subframe of origin A if that subframe if under
+        another domain B. However, the `document.requestStorageAccess()` API exists to relax storage
+        partitioning and Gecko relies on this to relax BroadcastChannel origin partitioning as well.
+        This patch aligns WebKit's behavior with Gecko.
+
+        Test: http/tests/messaging/broadcastchannel-partitioning-with-storage-access.html
+
+        * dom/BroadcastChannel.cpp:
+        (WebCore::shouldPartitionOrigin):
+        (WebCore::BroadcastChannel::MainThreadBridge::create):
+        (WebCore::BroadcastChannel::MainThreadBridge::name const):
+        (WebCore::BroadcastChannel::MainThreadBridge::identifier const):
+        (WebCore::BroadcastChannel::MainThreadBridge::MainThreadBridge):
+        (WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
+        (WebCore::BroadcastChannel::MainThreadBridge::registerChannel):
+        (WebCore::BroadcastChannel::MainThreadBridge::unregisterChannel):
+        (WebCore::BroadcastChannel::MainThreadBridge::postMessage):
+        (WebCore::BroadcastChannel::BroadcastChannel):
+        (WebCore::BroadcastChannel::~BroadcastChannel):
+        (WebCore::BroadcastChannel::identifier const):
+        (WebCore::BroadcastChannel::name const):
+        (WebCore::BroadcastChannel::postMessage):
+        (WebCore::BroadcastChannel::close):
+        (WebCore::BroadcastChannel::dispatchMessage):
+        * dom/BroadcastChannel.h:
+        * page/ChromeClient.h:
+        (WebCore::ChromeClient::hasPageLevelStorageAccess const):
+
 2021-09-13  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebCore/dom/BroadcastChannel.cpp

@@ -28 +28 @@
 
 #include "BroadcastChannelRegistry.h"
+#include "Chrome.h"
+#include "ChromeClient.h"
 #include "EventNames.h"
 #include "MessageEvent.h"
@@ -58 +60 @@
 }
 
+static bool shouldPartitionOrigin(Document& document)
+{
+    if (!document.settings().broadcastChannelOriginPartitioningEnabled())
+        return false;
+
+#if ENABLE(RESOURCE_LOAD_STATISTICS)
+    if (!document.settings().storageAccessAPIEnabled())
+        return true;
+
+    auto* page = document.page();
+    if (!page)
+        return true;
+
+    return !page->chrome().client().hasPageLevelStorageAccess(RegistrableDomain::uncheckedCreateFromHost(document.topDocument().securityOrigin().host()), RegistrableDomain::uncheckedCreateFromHost(document.securityOrigin().host()));
+#else
+    return true;
+#endif
+}
+
+class BroadcastChannel::MainThreadBridge : public ThreadSafeRefCounted<MainThreadBridge, WTF::DestructionThread::Main> {
+public:
+    static Ref<MainThreadBridge> create(BroadcastChannel& channel, const String& name)
+    {
+        return adoptRef(*new MainThreadBridge(channel, name));
+    }
+
+    void registerChannel();
+    void unregisterChannel();
+    void postMessage(Ref<SerializedScriptValue>&&);
+
+    String name() const { return m_name.isolatedCopy(); }
+    BroadcastChannelIdentifier identifier() const { return m_identifier; }
+
+private:
+    MainThreadBridge(BroadcastChannel&, const String& name);
+
+    void ensureOnMainThread(Function<void(Document&)>&&);
+
+    WeakPtr<BroadcastChannel> m_broadcastChannel;
+    const BroadcastChannelIdentifier m_identifier;
+    const String m_name; // Main thread only.
+    ClientOrigin m_origin; // Main thread only.
+};
+
+BroadcastChannel::MainThreadBridge::MainThreadBridge(BroadcastChannel& channel, const String& name)
+    : m_broadcastChannel(makeWeakPtr(channel))
+    , m_identifier(BroadcastChannelIdentifier::generateThreadSafe())
+    , m_name(name.isolatedCopy())
+{
+}
+
+void BroadcastChannel::MainThreadBridge::ensureOnMainThread(Function<void(Document&)>&& task)
+{
+    ASSERT(m_broadcastChannel);
+    if (!m_broadcastChannel)
+        return;
+
+    auto* context = m_broadcastChannel->scriptExecutionContext();
+    if (!context)
+        return;
+    ASSERT(context->isContextThread());
+
+    Ref protectedThis { *this };
+    if (is<Document>(*context))
+        task(downcast<Document>(*context));
+    else {
+        downcast<WorkerGlobalScope>(*context).thread().workerLoaderProxy().postTaskToLoader([protectedThis = WTFMove(protectedThis), task = WTFMove(task)](auto& context) {
+            task(downcast<Document>(context));
+        });
+    }
+}
+
+void BroadcastChannel::MainThreadBridge::registerChannel()
+{
+    ensureOnMainThread([this, contextIdentifier = m_broadcastChannel->scriptExecutionContext()->contextIdentifier()](auto& document) {
+        m_origin = { shouldPartitionOrigin(document) ? document.topOrigin().data() : document.securityOrigin().data(), document.securityOrigin().data() };
+        if (auto* page = document.page())
+            page->broadcastChannelRegistry().registerChannel(m_origin, m_name, m_identifier);
+        channelToContextIdentifier().add(m_identifier, contextIdentifier);
+    });
+}
+
+void BroadcastChannel::MainThreadBridge::unregisterChannel()
+{
+    ensureOnMainThread([this](auto& document) {
+        if (auto* page = document.page())
+            page->broadcastChannelRegistry().unregisterChannel(m_origin, m_name, m_identifier);
+        channelToContextIdentifier().remove(m_identifier);
+    });
+}
+
+void BroadcastChannel::MainThreadBridge::postMessage(Ref<SerializedScriptValue>&& message)
+{
+    ensureOnMainThread([this, message = WTFMove(message)](auto& document) mutable {
+        auto* page = document.page();
+        if (!page)
+            return;
+
+        auto blobHandles = message->blobHandles();
+        page->broadcastChannelRegistry().postMessage(m_origin, m_name, m_identifier, WTFMove(message), [blobHandles = WTFMove(blobHandles)] {
+            // Keeps Blob data inside messageData alive until the message has been delivered.
+        });
+    });
+}
+
 BroadcastChannel::BroadcastChannel(ScriptExecutionContext& context, const String& name)
     : ActiveDOMObject(&context)
-    , m_name(name)
-    , m_origin { context.settingsValues().broadcastChannelOriginPartitioningEnabled ? context.topOrigin().data() : context.securityOrigin()->data(), context.securityOrigin()->data() }
-    , m_identifier(BroadcastChannelIdentifier::generateThreadSafe())
+    , m_mainThreadBridge(MainThreadBridge::create(*this, name))
 {
     {
         Locker locker { allBroadcastChannelsLock };
-        allBroadcastChannels().add(m_identifier, this);
-    }
-
-    ensureOnMainThread([origin = crossThreadCopy(m_origin), name = crossThreadCopy(m_name), contextIdentifier = context.contextIdentifier(), channelIdentifier = m_identifier](auto& document) {
-        if (auto* page = document.page())
-            page->broadcastChannelRegistry().registerChannel(origin, name, channelIdentifier);
-        channelToContextIdentifier().add(channelIdentifier, contextIdentifier);
-    });
+        allBroadcastChannels().add(m_mainThreadBridge->identifier(), this);
+    }
+    m_mainThreadBridge->registerChannel();
 }
 
@@ -81 +181 @@
     {
         Locker locker { allBroadcastChannelsLock };
-        allBroadcastChannels().remove(m_identifier);
-    }
+        allBroadcastChannels().remove(m_mainThreadBridge->identifier());
+    }
+}
+
+BroadcastChannelIdentifier BroadcastChannel::identifier() const
+{
+    return m_mainThreadBridge->identifier();
+}
+
+String BroadcastChannel::name() const
+{
+    return m_mainThreadBridge->name();
 }
 
@@ -96 +206 @@
     ASSERT(ports.isEmpty());
 
-    ensureOnMainThread([origin = crossThreadCopy(m_origin), name = crossThreadCopy(m_name), identifier = m_identifier, messageData = messageData.releaseReturnValue()](auto& document) mutable {
-        auto* page = document.page();
-        if (!page)
-            return;
-
-        auto blobHandles = messageData->blobHandles();
-        page->broadcastChannelRegistry().postMessage(origin, name, identifier, WTFMove(messageData), [blobHandles = WTFMove(blobHandles)] {
-            // Keeps Blob data inside messageData alive until the message has been delivered.
-        });
-    });
-
+    m_mainThreadBridge->postMessage(messageData.releaseReturnValue());
     return { };
 }
@@ -116 +216 @@
 
     m_isClosed = true;
-    ensureOnMainThread([origin = crossThreadCopy(m_origin), name = crossThreadCopy(m_name), channelIdentifier = m_identifier](auto& document) {
-        if (auto* page = document.page())
-            page->broadcastChannelRegistry().unregisterChannel(origin, name, channelIdentifier);
-        channelToContextIdentifier().remove(channelIdentifier);
-    });
+    m_mainThreadBridge->unregisterChannel();
 }
 
@@ -150 +246 @@
 
     queueTaskKeepingObjectAlive(*this, TaskSource::PostedMessageQueue, [this, message = WTFMove(message)]() mutable {
-        if (!m_isClosed)
-            dispatchEvent(MessageEvent::create({ }, WTFMove(message), m_origin.clientOrigin.toString()));
-    });
-}
-
-void BroadcastChannel::ensureOnMainThread(Function<void(Document&)>&& task)
-{
-    auto* context = scriptExecutionContext();
-    if (!context)
-        return;
-
-    if (is<Document>(*context))
-        task(downcast<Document>(*context));
-    else {
-        downcast<WorkerGlobalScope>(*context).thread().workerLoaderProxy().postTaskToLoader([task = WTFMove(task)](auto& context) {
-            task(downcast<Document>(context));
-        });
-    }
+        if (!m_isClosed && scriptExecutionContext())
+            dispatchEvent(MessageEvent::create({ }, WTFMove(message), scriptExecutionContext()->securityOrigin()->toString()));
+    });
 }
 

trunk/Source/WebCore/dom/BroadcastChannel.h

@@ -57 +57 @@
     using RefCounted<BroadcastChannel>::deref;
 
-    BroadcastChannelIdentifier identifier() const { return m_identifier; }
-    const String& name() const { return m_name; }
+    BroadcastChannelIdentifier identifier() const;
+    String name() const;
 
     ExceptionOr<void> postMessage(JSC::JSGlobalObject&, JSC::JSValue message);
@@ -83 +83 @@
     void stop() final { close(); }
 
-    const String m_name;
-    const ClientOrigin m_origin;
-    const BroadcastChannelIdentifier m_identifier;
+    class MainThreadBridge;
+    Ref<MainThreadBridge> m_mainThreadBridge;
     bool m_isClosed { false };
     bool m_hasRelevantEventListener { false };

trunk/Source/WebCore/page/ChromeClient.h

@@ -555 +555 @@
     virtual void hasStorageAccess(RegistrableDomain&& /*subFrameDomain*/, RegistrableDomain&& /*topFrameDomain*/, Frame&, WTF::CompletionHandler<void(bool)>&& completionHandler) { completionHandler(false); }
     virtual void requestStorageAccess(RegistrableDomain&& subFrameDomain, RegistrableDomain&& topFrameDomain, Frame&, StorageAccessScope scope, WTF::CompletionHandler<void(RequestStorageAccessResult)>&& completionHandler) { completionHandler({ StorageAccessWasGranted::No, StorageAccessPromptWasShown::No, scope, WTFMove(topFrameDomain), WTFMove(subFrameDomain) }); }
+    virtual bool hasPageLevelStorageAccess(const RegistrableDomain& /*topLevelDomain*/, const RegistrableDomain& /*resourceDomain*/) const { return false; }
 #endif
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-09-13  Chris Dumez  <cdumez@apple.com>
+
+        Relax BroadcastChannel origin partitioning if iframe has storage access
+        https://bugs.webkit.org/show_bug.cgi?id=230164
+
+        Reviewed by Alex Christensen.
+
+        * WebProcess/WebCoreSupport/WebChromeClient.cpp:
+        (WebKit::WebChromeClient::hasPageLevelStorageAccess const):
+        * WebProcess/WebCoreSupport/WebChromeClient.h:
+
 2021-09-13  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp

@@ -1442 +1442 @@
     m_page.requestStorageAccess(WTFMove(subFrameDomain), WTFMove(topFrameDomain), *webFrame, scope, WTFMove(completionHandler));
 }
+
+bool WebChromeClient::hasPageLevelStorageAccess(const WebCore::RegistrableDomain& topLevelDomain, const WebCore::RegistrableDomain& resourceDomain) const
+{
+    return m_page.hasPageLevelStorageAccess(topLevelDomain, resourceDomain);
+}
 #endif
 

trunk/Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.h

@@ -411 +411 @@
     void hasStorageAccess(WebCore::RegistrableDomain&& subFrameDomain, WebCore::RegistrableDomain&& topFrameDomain, WebCore::Frame&, WTF::CompletionHandler<void(bool)>&&) final;
     void requestStorageAccess(WebCore::RegistrableDomain&& subFrameDomain, WebCore::RegistrableDomain&& topFrameDomain, WebCore::Frame&, WebCore::StorageAccessScope, WTF::CompletionHandler<void(WebCore::RequestStorageAccessResult)>&&) final;
+    bool hasPageLevelStorageAccess(const WebCore::RegistrableDomain& topLevelDomain, const WebCore::RegistrableDomain& resourceDomain) const final;
 #endif