Changeset 287270 in webkit

Timestamp:

Dec 20, 2021 12:12:52 PM (7 months ago)

Author:

Patrick Griffis

Message:

CSP: Always use UTF-8 encoded content when checking hashes
​https://bugs.webkit.org/show_bug.cgi?id=234159

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Update expectations as passing.

• web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt:
• web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt:

Source/WebCore:

As per the spec: ​https://www.w3.org/TR/CSP3/#match-element-to-source-list

Regardless of the encoding of the document, source will be converted to UTF-8

before applying any hashing algorithms.

StrictConversionReplacingUnpairedSurrogatesWithFFFD matches Chromiums behavior.

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::findHashOfContentInPolicies const):

LayoutTests:

Remove normalization tests that are counter to WPT's CSP normalization tests.

• http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html:
• http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization-expected.txt: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html: Removed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization-expected.txt (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html (deleted)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-12-20  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Always use UTF-8 encoded content when checking hashes
+        https://bugs.webkit.org/show_bug.cgi?id=234159
+
+        Reviewed by Kate Cheney.
+
+        Remove normalization tests that are counter to WPT's CSP normalization tests.
+
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html: Removed.
+
 2021-12-20  Tim Nguyen  <ntim@apple.com>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
@@ -42 +43 @@
 PASS "Script that contains Unicode code point U+00C5" did run inline script.
 PASS "Unicode code point U+00C5 is not equivalent to U+212B" did not run inline script.
-PASS "Unicode code point U+212B is equivalent to U+00C5" did run inline script.
-PASS "Big-5 page with Big-5 hash" did run inline script.
+PASS "Big-5 page with Big-5 hash" did not run inline script.
 PASS "Big-5 page with UTF-8 hash" did not run inline script.
 PASS "Hash source with invalid prefix" did not run inline script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html

@@ -83 +83 @@
     expectedResult: DoNotRunInlineScript,
 },
-{
-    name: "Unicode code point U+212B is equivalent to U+00C5",
-    charset: "UTF8",
-    script: "didRunInlineScript+%3D+true%3B+//+%E2%84%AB", // %E2%84%AB is the URL encoded UTF-8 byte sequence for U+212B.
-    hashSource: "'sha256-K3oo3dJj28X47TIh/UinhDWS3C5DfcQVCRzw4JM7SWE='", // Intentionally not 'sha256-rrdh0QCl46qqHxfnnk08ydh/rkhVi2JvD6DLuUP30MI='
-    expectedResult: RunInlineScript,
-},
 // Big-5 encoding test cases
 {
@@ -96 +89 @@
     script: "didRunInlineScript+%3D+true%3B+//+%A4%F4",
     hashSource: "'sha256-CAEkHFV/oUoz+L2Oa6gIFelb73og89vCbxrz4u/jAY4='",
-    expectedResult: RunInlineScript,
+    expectedResult: DoNotRunInlineScript,
 },
 {

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-12-20  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Always use UTF-8 encoded content when checking hashes
+        https://bugs.webkit.org/show_bug.cgi?id=234159
+
+        Reviewed by Kate Cheney.
+
+        Update expectations as passing.
+
+        * web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt:
+        * web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt:
+
 2021-12-20  Tim Nguyen  <ntim@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt

@@ -1 +1 @@
 
-FAIL Should convert the script contents to UTF-8 before hashing assert_unreached: Should not have fired a spv Reached unreachable code
+PASS Should convert the script contents to UTF-8 before hashing
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt

@@ -2 +2 @@
 
 
-Harness Error (TIMEOUT), message = null
+PASS Should fire securitypolicyviolation
+PASS Only matching content runs even with NFC normalization.
 
-NOTRUN Should fire securitypolicyviolation
-FAIL Only matching content runs even with NFC normalization. assert_unreached: nonMatchingContent script ran Reached unreachable code
-

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-12-20  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Always use UTF-8 encoded content when checking hashes
+        https://bugs.webkit.org/show_bug.cgi?id=234159
+
+        Reviewed by Kate Cheney.
+
+        As per the spec: https://www.w3.org/TR/CSP3/#match-element-to-source-list
+        > Regardless of the encoding of the document, source will be converted to UTF-8
+          before applying any hashing algorithms.
+
+        StrictConversionReplacingUnpairedSurrogatesWithFFFD matches Chromiums behavior.
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::findHashOfContentInPolicies const):
+
 2021-12-20  Fujii Hironori  <Hironori.Fujii@sony.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -363 +363 @@
         return { false, false };
 
-    // FIXME: We should compute the document encoding once and cache it instead of computing it on each invocation.
-    PAL::TextEncoding documentEncoding;
-    if (is<Document>(m_scriptExecutionContext))
-        documentEncoding = downcast<Document>(*m_scriptExecutionContext).textEncoding();
-    const PAL::TextEncoding& encodingToUse = documentEncoding.isValid() ? documentEncoding : PAL::UTF8Encoding();
-
-    // FIXME: Compute the digest with respect to the raw bytes received from the page.
-    // See <https://bugs.webkit.org/show_bug.cgi?id=155184>.
-    auto encodedContent = encodingToUse.encode(content, PAL::UnencodableHandling::Entities);
+    CString utf8Content = content.utf8(StrictConversionReplacingUnpairedSurrogatesWithFFFD);
     bool foundHashInEnforcedPolicies = false;
     bool foundHashInReportOnlyPolicies = false;
     Vector<ContentSecurityPolicyHash> hashes;
     for (auto algorithm : algorithms) {
-        auto hash = cryptographicDigestForBytes(algorithm, encodedContent.data(), encodedContent.size());
+        auto hash = cryptographicDigestForBytes(algorithm, utf8Content.data(), utf8Content.length());
         hashes.append(hash);
     }