Changeset 289022 in webkit

Timestamp:

Feb 2, 2022 6:17:13 PM (6 months ago)

Author:

Patrick Griffis

Message:

CSP: Implement wasm-unsafe-eval
​https://bugs.webkit.org/show_bug.cgi?id=235408

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Update expectations with new passes.

• web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any-expected.txt:
• web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt:
• web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt:
• web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any-expected.txt:
• web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt:
• web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt:

Source/WebCore:

This is similar to 'unsafe-eval' except limited in scope to WebAssembly.

• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::checkWasmEval):
(WebCore::ContentSecurityPolicyDirectiveList::create):

• page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::ContentSecurityPolicySourceList::parseSource):

• page/csp/ContentSecurityPolicySourceList.h:

(WebCore::ContentSecurityPolicySourceList::allowWasmEval const):

• page/csp/ContentSecurityPolicySourceListDirective.h:

(WebCore::ContentSecurityPolicySourceListDirective::allowWasmEval const):

LayoutTests:

Update expectations with new CSP message.

• http/tests/security/contentSecurityPolicy/WebAssembly-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-about-blank-iframe-expected.txt:
• http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-external-script-expected.txt:
• http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-subframe-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-about-blank-iframe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-external-script-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-subframe-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-02-02  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Implement wasm-unsafe-eval
+        https://bugs.webkit.org/show_bug.cgi?id=235408
+
+        Reviewed by Kate Cheney.
+
+        Update expectations with new CSP message.
+
+        * http/tests/security/contentSecurityPolicy/WebAssembly-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-about-blank-iframe-expected.txt:
+        * http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-external-script-expected.txt:
+        * http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-subframe-expected.txt:
+
 2022-02-02  Patrick Griffis  <pgriffis@igalia.com>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
  (evaluating 'new WebAssembly.Instance(new WebAssembly.Module(empty))')
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-about-blank-iframe-expected.txt

@@ -1 +1 @@
 ALERT: /PASS/
-CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
  (evaluating 'new WebAssembly.Instance(new WebAssembly.Module(Uint8Array.of(0x0, 0x61, 0x73, 0x6d, 0x1, 0x00, 0x00, 0x00)))')
  WebAssembly should be blocked in the iframe, but inline script should be allowed.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-external-script-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
  (evaluating 'new WebAssembly.Instance(new WebAssembly.Module(Uint8Array.of(0x0, 0x61, 0x73, 0x6d, 0x1, 0x00, 0x00, 0x00)))')
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-subframe-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: EvalError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
-CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
  (evaluating 'new WebAssembly.Instance(new WebAssembly.Module(empty))')
 Tests that WebAssembly is blocked in a subframe that disallows WebAssembly when the parent frame allows WebAssembly.

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2022-02-02  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Implement wasm-unsafe-eval
+        https://bugs.webkit.org/show_bug.cgi?id=235408
+
+        Reviewed by Kate Cheney.
+
+        Update expectations with new passes.
+
+        * web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any-expected.txt:
+        * web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt:
+        * web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt:
+        * web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any-expected.txt:
+        * web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt:
+        * web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt:
+
 2022-02-02  Patrick Griffis  <pgriffis@igalia.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any-expected.txt

@@ -1 +1 @@
 
-FAIL default-src-wasm-unsafe-eval-allows-wasm promise_test: Unhandled rejection with value: object "CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'".
-"
+PASS default-src-wasm-unsafe-eval-allows-wasm
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt

@@ -1 +1 @@
 
-FAIL default-src-wasm-unsafe-eval-allows-wasm promise_test: Unhandled rejection with value: object "CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'".
-"
+PASS default-src-wasm-unsafe-eval-allows-wasm
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/default-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt

@@ -1 +1 @@
 
-FAIL default-src-wasm-unsafe-eval-allows-wasm promise_test: Unhandled rejection with value: object "CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'".
-"
+PASS default-src-wasm-unsafe-eval-allows-wasm
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any-expected.txt

@@ -1 +1 @@
 
-FAIL script-src-wasm-unsafe-eval-allows-wasm promise_test: Unhandled rejection with value: object "CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'".
-"
+PASS script-src-wasm-unsafe-eval-allows-wasm
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.serviceworker-expected.txt

@@ -1 +1 @@
 
-FAIL script-src-wasm-unsafe-eval-allows-wasm promise_test: Unhandled rejection with value: object "CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'".
-"
+PASS script-src-wasm-unsafe-eval-allows-wasm
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/wasm-unsafe-eval/script-src-wasm-unsafe-eval-allows-wasm.any.worker-expected.txt

@@ -1 +1 @@
 
-FAIL script-src-wasm-unsafe-eval-allows-wasm promise_test: Unhandled rejection with value: object "CompileError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'".
-"
+PASS script-src-wasm-unsafe-eval-allows-wasm
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-02-02  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Implement wasm-unsafe-eval
+        https://bugs.webkit.org/show_bug.cgi?id=235408
+
+        Reviewed by Kate Cheney.
+
+        This is similar to 'unsafe-eval' except limited in scope to WebAssembly.
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::checkWasmEval):
+        (WebCore::ContentSecurityPolicyDirectiveList::create):
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parseSource):
+        * page/csp/ContentSecurityPolicySourceList.h:
+        (WebCore::ContentSecurityPolicySourceList::allowWasmEval const):
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+        (WebCore::ContentSecurityPolicySourceListDirective::allowWasmEval const):
+
 2022-02-02  Patrick Griffis  <pgriffis@igalia.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -52 +52 @@
 }
 
+static inline bool checkWasmEval(ContentSecurityPolicySourceListDirective* directive)
+{
+    return !directive || directive->allowWasmEval();
+}
+
 static inline bool checkInline(ContentSecurityPolicySourceListDirective* directive)
 {
@@ -141 +146 @@
     directives->parse(header, from);
 
-    if (!checkEval(directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc))) {
+    if (!checkEval(directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)))
         directives->setEvalDisabledErrorMessage(makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)->text(), "\".\n"));
-        directives->setWebAssemblyDisabledErrorMessage(makeString("Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)->text(), "\".\n"));
-    }
+
+    if (!checkWasmEval(directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)))
+        directives->setWebAssemblyDisabledErrorMessage(makeString("Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)->text(), "\".\n"));
 
     if (directives->isReportOnly() && directives->reportURIs().isEmpty())

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

@@ -254 +254 @@
     if (skipExactlyIgnoringASCIICase(buffer, "'unsafe-eval'")) {
         m_allowEval = true;
-        return source;
-    }
-    
+        m_allowWasmEval = true;
+        return source;
+    }
+
+    if (skipExactlyIgnoringASCIICase(buffer, "'wasm-unsafe-eval'")) {
+        m_allowWasmEval = true;
+        return source;
+    }
+
     if (skipExactlyIgnoringASCIICase(buffer, "'unsafe-hashes'")) {
         m_allowUnsafeHashes = true;

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h

@@ -53 +53 @@
     bool allowInline() const { return m_allowInline && m_hashes.isEmpty() && m_nonces.isEmpty(); }
     bool allowEval() const { return m_allowEval; }
+    bool allowWasmEval() const { return m_allowWasmEval; }
     bool allowSelf() const { return m_allowSelf; }
     bool isNone() const { return m_isNone; }
@@ -96 +97 @@
     bool m_allowInline { false };
     bool m_allowEval { false };
+    bool m_allowWasmEval { false };
     bool m_isNone { false };
     bool m_allowNonParserInsertedScripts { false };

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h

@@ -46 +46 @@
     bool allowInline() const { return m_sourceList.allowInline(); }
     bool allowEval() const { return m_sourceList.allowEval(); }
+    bool allowWasmEval() const { return m_sourceList.allowWasmEval(); }
     bool allowNonParserInsertedScripts() const { return m_sourceList.allowNonParserInsertedScripts(); }
     bool shouldReportSample() const { return m_sourceList.shouldReportSample(); }