Changeset 142683 in webkit

Timestamp:

Feb 12, 2013 3:44:51 PM (11 years ago)

Author:

mkwst@chromium.org

Message:

Implement script MIME restrictions for X-Content-Type-Options: nosniff
​https://bugs.webkit.org/show_bug.cgi?id=71851

Reviewed by Adam Barth.

Source/WebCore:

This patch adds support for 'X-Content-Type-Options: nosniff' when
deciding whether or not to execute a given chunk of JavaScript. If the
header is present, script will only execute if it matches a predefined
set of MIME types[1] that are deemed "executable". Scripts served with
types that don't match the list will not execute.

IE introduced this feature, and Gecko is working on an implementation[2]
now. There's been some discussion on the WHATWG list about formalizing
the specification for this feature[3], but nothing significant has been
decided.

This implementation's list of acceptible MIME types differs from IE's:
it matches the list of supported JavaScript MIME types defined in
MIMETypeRegistry::initializeSupportedJavaScriptMIMETypes()[4]. In
particular, the VBScript types are not accepted, and
'text/javascript1.{1,2,3}' are accepted, along with 'text/livescript'.

This feature is locked tightly behind the ENABLE_NOSNIFF flag, which is
currently only enabled on the Chromium port.

[1]: ​http://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
[2]: ​https://bugzilla.mozilla.org/show_bug.cgi?id=471020
[3]: ​http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-November/037974.html
[4]: ​http://trac.webkit.org/browser/trunk/Source/WebCore/platform/MIMETypeRegistry.cpp?rev=142086#L307

Tests: http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html

http/tests/security/contentTypeOptions/nosniff-script-allowed.html
http/tests/security/contentTypeOptions/nosniff-script-blocked.html
http/tests/security/contentTypeOptions/nosniff-script-without-content-type-allowed.html

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::executeScript):

Before executing script, ensure that it shouldn't be blocked due to
its MIME type. If it is blocked, write an error message to the
console.

• loader/cache/CachedScript.cpp:

(WebCore::CachedScript::mimeType):

Make scripts' MIME type available outside the context of
CachedScript in order to correctly populate error messages we write
to the console in ScriptElement::executeScript

(WebCore):
(WebCore::CachedScript::mimeTypeAllowedByNosniff):

• loader/cache/CachedScript.h:

(CachedScript):

A new method which checks the resource's HTTP headers to set the
'nosniff' disposition, and compares the resource's MIME type against
the list of allowed executable types. Returns true iff the script
is allowed.

• platform/network/HTTPParsers.cpp:

(WebCore):
(WebCore::parseContentTypeOptionsHeader):

• platform/network/HTTPParsers.h:

Adds a new enum which relates the sniffable status of the resource,
and a method to parse the HTTP header.

LayoutTests:

• http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt: Added.
• http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html: Added.
• http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt: Added.
• http/tests/security/contentTypeOptions/nosniff-script-allowed.html: Added.
• http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt: Added.
• http/tests/security/contentTypeOptions/nosniff-script-blocked.html: Added.
• http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt: Added.
• http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html: Added.
• http/tests/security/contentTypeOptions/resources/script-with-header.pl: Added.

New tests!

• platform/efl/TestExpectations:
• platform/gtk/TestExpectations:
• platform/mac/TestExpectations:
• platform/qt/TestExpectations:
• platform/win/TestExpectations:
• platform/wincairo/TestExpectations:
• platform/wk2/TestExpectations:

Skip the new tests on platforms where ENABLE_NOSNIFF isn't yet
enabled (everything other than Chromium).

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions (added)
• LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-allowed.html (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html (added)
• LayoutTests/http/tests/security/contentTypeOptions/resources (added)
• LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl (added)
• LayoutTests/platform/efl/TestExpectations (modified) (1 diff)
• LayoutTests/platform/gtk/TestExpectations (modified) (1 diff)
• LayoutTests/platform/mac/TestExpectations (modified) (1 diff)
• LayoutTests/platform/qt/TestExpectations (modified) (1 diff)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• LayoutTests/platform/wincairo/TestExpectations (modified) (1 diff)
• LayoutTests/platform/wk2/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/ScriptElement.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedScript.cpp (modified) (3 diffs)
• Source/WebCore/loader/cache/CachedScript.h (modified) (2 diffs)
• Source/WebCore/platform/network/HTTPParsers.cpp (modified) (1 diff)
• Source/WebCore/platform/network/HTTPParsers.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-02-12  Mike West  <mkwst@chromium.org>
+
+        Implement script MIME restrictions for X-Content-Type-Options: nosniff
+        https://bugs.webkit.org/show_bug.cgi?id=71851
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt: Added.
+        * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-allowed.html: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-blocked.html: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked.html: Added.
+        * http/tests/security/contentTypeOptions/resources/script-with-header.pl: Added.
+            New tests!
+        * platform/efl/TestExpectations:
+        * platform/gtk/TestExpectations:
+        * platform/mac/TestExpectations:
+        * platform/qt/TestExpectations:
+        * platform/win/TestExpectations:
+        * platform/wincairo/TestExpectations:
+        * platform/wk2/TestExpectations:
+            Skip the new tests on platforms where ENABLE_NOSNIFF isn't yet
+            enabled (everything other than Chromium).
+
 2013-02-12  Emil A Eklund  <eae@chromium.org>
 

trunk/LayoutTests/platform/efl/TestExpectations

@@ -307 +307 @@
 fast/forms/file/input-file-entries.html
 http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
+
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+http/tests/security/contentTypeOptions
 
 # Transparent image being produced

trunk/LayoutTests/platform/gtk/TestExpectations

@@ -118 +118 @@
 webkit.org/b/103547 fast/xpath/xpath-template-element.html [ Skip ]
 webkit.org/b/103547 fast/xsl/xslt-processor-template.html [ Skip ]
+
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+webkit.org/b/71851 http/tests/security/contentTypeOptions [ Skip ]
 
 # These test -apple- and -khtml- prefixed CSS properties, which we don't support.

trunk/LayoutTests/platform/mac/TestExpectations

@@ -198 +198 @@
 # ENABLE_GAMEPAD not enabled.
 gamepad/
+
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+http/tests/security/contentTypeOptions
 
 # Speech input is not yet enabled.

trunk/LayoutTests/platform/qt/TestExpectations

@@ -482 +482 @@
 # Missing eventSender.scheduleAsynchronousKeyDown() implementation
 fast/dom/MutationObserver/inline-event-listener.html
+
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+http/tests/security/contentTypeOptions
 
 # =========================================================================== #

trunk/LayoutTests/platform/win/TestExpectations

@@ -58 +58 @@
 fast/css/cursor-parsing-image-set.html
 fast/events/mouse-cursor-image-set.html
+
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+http/tests/security/contentTypeOptions
 
 # https://bugs.webkit.org/show_bug.cgi?id=77645

trunk/LayoutTests/platform/wincairo/TestExpectations

@@ -2523 +2523 @@
 http/tests/security/contentSecurityPolicy/1.1
 
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+http/tests/security/contentTypeOptions
+
 # Skip tests in fast/text/shaping
 fast/text/shaping

trunk/LayoutTests/platform/wk2/TestExpectations

@@ -564 +564 @@
 # https://bugs.webkit.org/show_bug.cgi?id=85558
 http/tests/security/contentSecurityPolicy/1.1
+
+# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
+http/tests/security/contentTypeOptions
 
 # Unexpected redirection happens.

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-12  Mike West  <mkwst@chromium.org>
+
+        Implement script MIME restrictions for X-Content-Type-Options: nosniff
+        https://bugs.webkit.org/show_bug.cgi?id=71851
+
+        Reviewed by Adam Barth.
+
+        This patch adds support for 'X-Content-Type-Options: nosniff' when
+        deciding whether or not to execute a given chunk of JavaScript. If the
+        header is present, script will only execute if it matches a predefined
+        set of MIME types[1] that are deemed "executable". Scripts served with
+        types that don't match the list will not execute.
+
+        IE introduced this feature, and Gecko is working on an implementation[2]
+        now. There's been some discussion on the WHATWG list about formalizing
+        the specification for this feature[3], but nothing significant has been
+        decided.
+
+        This implementation's list of acceptible MIME types differs from IE's:
+        it matches the list of supported JavaScript MIME types defined in
+        MIMETypeRegistry::initializeSupportedJavaScriptMIMETypes()[4]. In
+        particular, the VBScript types are not accepted, and
+        'text/javascript1.{1,2,3}' are accepted, along with 'text/livescript'.
+
+        This feature is locked tightly behind the ENABLE_NOSNIFF flag, which is
+        currently only enabled on the Chromium port.
+
+        [1]: http://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
+        [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+        [3]: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-November/037974.html
+        [4]: http://trac.webkit.org/browser/trunk/Source/WebCore/platform/MIMETypeRegistry.cpp?rev=142086#L307
+
+        Tests: http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
+               http/tests/security/contentTypeOptions/nosniff-script-allowed.html
+               http/tests/security/contentTypeOptions/nosniff-script-blocked.html
+               http/tests/security/contentTypeOptions/nosniff-script-without-content-type-allowed.html
+
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::executeScript):
+            Before executing script, ensure that it shouldn't be blocked due to
+            its MIME type. If it is blocked, write an error message to the
+            console.
+        * loader/cache/CachedScript.cpp:
+        (WebCore::CachedScript::mimeType):
+            Make scripts' MIME type available outside the context of
+            CachedScript in order to correctly populate error messages we write
+            to the console in ScriptElement::executeScript
+        (WebCore):
+        (WebCore::CachedScript::mimeTypeAllowedByNosniff):
+        * loader/cache/CachedScript.h:
+        (CachedScript):
+            A new method which checks the resource's HTTP headers to set the
+            'nosniff' disposition, and compares the resource's MIME type against
+            the list of allowed executable types. Returns true iff the script
+            is allowed.
+        * platform/network/HTTPParsers.cpp:
+        (WebCore):
+        (WebCore::parseContentTypeOptionsHeader):
+        * platform/network/HTTPParsers.h:
+            Adds a new enum which relates the sniffable status of the resource,
+            and a method to parse the HTTP header.
+
 2013-02-12  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -294 +294 @@
         return;
 
+#if ENABLE(NOSNIFF)
+    if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) {
+        m_element->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Refused to execute script from '" + m_cachedScript->url().string() + "' because its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
+        return;
+    }
+#endif
+
     RefPtr<Document> document = m_element->document();
     ASSERT(document);

trunk/Source/WebCore/loader/cache/CachedScript.cpp

@@ -28 +28 @@
 #include "CachedScript.h"
 
-#include "MemoryCache.h"
 #include "CachedResourceClient.h"
 #include "CachedResourceClientWalker.h"
+#include "HTTPParsers.h"
+#include "MIMETypeRegistry.h"
+#include "MemoryCache.h"
 #include "ResourceBuffer.h"
 #include "TextResourceDecoder.h"
@@ -64 +66 @@
 {
     return m_decoder->encoding().name();
+}
+
+String CachedScript::mimeType() const
+{
+    return extractMIMETypeFromMediaType(m_response.httpHeaderField("Content-Type")).lower();
 }
 
@@ -120 +127 @@
 #endif
 
+#if ENABLE(NOSNIFF)
+bool CachedScript::mimeTypeAllowedByNosniff() const
+{
+    return !parseContentTypeOptionsHeader(m_response.httpHeaderField("X-Content-Type-Options")) == ContentTypeOptionsNosniff || MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType());
+}
+#endif
+
 void CachedScript::reportMemoryUsage(MemoryObjectInfo* memoryObjectInfo) const
 {

trunk/Source/WebCore/loader/cache/CachedScript.h

@@ -50 +50 @@
         virtual String encoding() const;
         virtual void data(PassRefPtr<ResourceBuffer> data, bool allDataReceived);
+        String mimeType() const;
 
         virtual void destroyDecodedData();
@@ -56 +57 @@
         JSC::SourceProviderCache* sourceProviderCache() const;
         void sourceProviderCacheSizeChanged(int delta);
+#endif
+#if ENABLE(NOSNIFF)
+        bool mimeTypeAllowedByNosniff() const;
 #endif
 

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

@@ -430 +430 @@
 }
 
+#if ENABLE(NOSNIFF)
+ContentTypeOptionsDisposition parseContentTypeOptionsHeader(const String& header)
+{
+    if (header.stripWhiteSpace().lower() == "nosniff")
+        return ContentTypeOptionsNosniff;
+    return ContentTypeOptionsNone;
+}
+#endif
+
 String extractReasonPhraseFromHTTPStatusLine(const String& statusLine)
 {

trunk/Source/WebCore/platform/network/HTTPParsers.h

@@ -54 +54 @@
 } ContentDispositionType;
 
+#if ENABLE(NOSNIFF)
+enum ContentTypeOptionsDisposition {
+    ContentTypeOptionsNone,
+    ContentTypeOptionsNosniff
+};
+#endif
+
 ContentDispositionType contentDispositionType(const String&);
 bool isRFC2616Token(const String&);
@@ -68 +75 @@
 bool parseRange(const String&, long long& rangeOffset, long long& rangeEnd, long long& rangeSuffixLength);
 
+#if ENABLE(NOSNIFF)
+ContentTypeOptionsDisposition parseContentTypeOptionsHeader(const String& header);
+#endif
+
 // Parsing Complete HTTP Messages.
 enum HTTPVersion { Unknown, HTTP_1_0, HTTP_1_1 };