Changeset 231263 in webkit

Timestamp:

May 2, 2018 2:13:28 PM (6 years ago)

Author:

youenn@apple.com

Message:

Use NetworkLoadChecker for navigation loads
​https://bugs.webkit.org/show_bug.cgi?id=184892
<rdar://problem/39652686>

Reviewed by Chris Dumez.

Source/WebCore:

Sanitize headers according response tainting.
If tainting is basic, it means same origin load in which case we only filter Cookie related headers.
If tainting is Opaque, we filter all uncommon headers.
If tainting is CORS, we filter all uncommon headers except the one explicitely allowed by CORS headers.
Covered by updated test.

• platform/network/ResourceResponseBase.cpp:

(WebCore::ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting):
(WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):

• platform/network/ResourceResponseBase.h:

Source/WebKit:

Compute whether a response is same origin in no-cors case.
This allows providing more precise filtering.
In case of navigate loads, set the tainting to basic which will make filtering to the minimum.

Pass the sourceOrigin for navigation loads as well.
Enable to restrict HTTP response access for navigation load.

Content Blockers are disabled for now in NetworkLoadChecker for navigation loads.
They should be reenabled as a follow-up.

Add a specific case to allow any redirection to about:// URLs.
While this does not conform with the spec, this keeps the existing WebKit behavior.

• NetworkProcess/NetworkLoadChecker.cpp:

(WebKit::NetworkLoadChecker::NetworkLoadChecker):
(WebKit::NetworkLoadChecker::validateResponse):
(WebKit::NetworkLoadChecker::continueCheckingRequest):
(WebKit::NetworkLoadChecker::doesNotNeedCORSCheck const):

• NetworkProcess/NetworkResourceLoader.cpp:

(WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):

• WebProcess/Network/WebLoaderStrategy.cpp:

(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
(WebKit::WebLoaderStrategy::isDoingLoadingSecurityChecks const):
We only do security checks if this runtime flag is on.

• WebProcess/Network/WebLoaderStrategy.h:

LayoutTests:

Updated header-filtering.https.html to expect full headers except cookie-related for same origin loads.
Updated expected.txt files accordingly.

• http/wpt/service-workers/header-filtering.https-expected.txt:
• http/wpt/service-workers/header-filtering.https.html:
• platform/mac/http/tests/webarchive/test-preload-resources-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/service-workers/header-filtering.https.html (modified) (4 diffs)
• LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt (modified) (7 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/network/ResourceResponseBase.cpp (modified) (2 diffs)
• Source/WebCore/platform/network/ResourceResponseBase.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (modified) (6 diffs)
• Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (modified) (2 diffs)
• Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (modified) (3 diffs)
• Source/WebKit/WebProcess/Network/WebLoaderStrategy.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-05-02  Youenn Fablet  <youenn@apple.com>
+
+        Use NetworkLoadChecker for navigation loads
+        https://bugs.webkit.org/show_bug.cgi?id=184892
+        <rdar://problem/39652686>
+
+        Reviewed by Chris Dumez.
+
+        Updated header-filtering.https.html to expect full headers except cookie-related for same origin loads.
+        Updated expected.txt files accordingly.
+
+        * http/wpt/service-workers/header-filtering.https-expected.txt:
+        * http/wpt/service-workers/header-filtering.https.html:
+        * platform/mac/http/tests/webarchive/test-preload-resources-expected.txt:
+
 2018-05-02  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt

@@ -1 @@
-
 
 PASS Prepare tests: setup worker and register the client 
@@ -9 +8 @@
 PASS Test no-cors script load 
 PASS Test cors script load 
-FAIL Test HTML load assert_array_equals: lengths differ, expected 13 got 17
+PASS Test HTML load 
 PASS After tests clean-up 
 

trunk/LayoutTests/http/wpt/service-workers/header-filtering.https.html

@@ -101 +101 @@
     assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
         "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
-        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+        "SourceMap","Timing-Allow-Origin","X-SourceMap"]);
 }, "Test no-cors cross-origin fetch");
 
@@ -113 +113 @@
     assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
         "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
-        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+        "Server","SourceMap","Timing-Allow-Origin","X-SourceMap","x-header1","x-header2"]);
 }, "Test same-origin script load");
 
@@ -125 +125 @@
     assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
         "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
-        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+        "SourceMap","Timing-Allow-Origin","X-SourceMap"]);
 }, "Test no-cors script load");
 
@@ -149 +149 @@
     assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
         "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
-        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+        "Server", "SourceMap","Timing-Allow-Origin","X-SourceMap","x-header1", "x-header2"]);
     frame.remove();
 }, "Test HTML load");

trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt

@@ -66 +66 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -101 +103 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -136 +140 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -171 +177 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -206 +214 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -241 +251 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>
@@ -276 +288 @@
                                         <key>Last-Modified</key>
                                         <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                        <key>Server</key>
+                                        <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                 </dict>
                                 <key>expectedContentLength</key>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-05-02  Youenn Fablet  <youenn@apple.com>
+
+        Use NetworkLoadChecker for navigation loads
+        https://bugs.webkit.org/show_bug.cgi?id=184892
+        <rdar://problem/39652686>
+
+        Reviewed by Chris Dumez.
+
+        Sanitize headers according response tainting.
+        If tainting is basic, it means same origin load in which case we only filter Cookie related headers.
+        If tainting is Opaque, we filter all uncommon headers.
+        If tainting is CORS, we filter all uncommon headers except the one explicitely allowed by CORS headers.
+        Covered by updated test.
+
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting):
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):
+        * platform/network/ResourceResponseBase.h:
+
 2018-05-02  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp

@@ -390 +390 @@
 }
 
-void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type)
-{
-    lazyInit(AllFields);
-
-    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie);
-    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie2);
-
-    switch (type) {
-    case SanitizationType::RemoveCookies:
+void ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting()
+{
+    switch (m_tainting) {
+    case ResourceResponse::Tainting::Basic:
         return;
-    case SanitizationType::Redirection: {
-        auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
-        for (auto& header : commonHeaders) {
-            if (isSafeRedirectionResponseHeader(header.key))
-                m_httpHeaderFields.add(header.key, WTFMove(header.value));
-        }
-        m_httpHeaderFields.uncommonHeaders().clear();
-        return;
-    }
-    case SanitizationType::CrossOriginSafe: {
+    case ResourceResponse::Tainting::Cors: {
         HTTPHeaderMap filteredHeaders;
         for (auto& header : m_httpHeaderFields.commonHeaders()) {
@@ -425 +411 @@
         }
         m_httpHeaderFields = WTFMove(filteredHeaders);
-    }
+        return;
+    }
+    case ResourceResponse::Tainting::Opaque: {
+        HTTPHeaderMap filteredHeaders;
+        for (auto& header : m_httpHeaderFields.commonHeaders()) {
+            if (isSafeCrossOriginResponseHeader(header.key))
+                filteredHeaders.add(header.key, WTFMove(header.value));
+        }
+        m_httpHeaderFields = WTFMove(filteredHeaders);
+        return;
+    }
+    case ResourceResponse::Tainting::Opaqueredirect: {
+        auto location = httpHeaderField(HTTPHeaderName::Location);
+        m_httpHeaderFields.clear();
+        m_httpHeaderFields.add(HTTPHeaderName::Location, WTFMove(location));
+    }
+    }
+}
+
+void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type)
+{
+    lazyInit(AllFields);
+
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie);
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie2);
+
+    switch (type) {
+    case SanitizationType::RemoveCookies:
+        return;
+    case SanitizationType::Redirection: {
+        auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
+        for (auto& header : commonHeaders) {
+            if (isSafeRedirectionResponseHeader(header.key))
+                m_httpHeaderFields.add(header.key, WTFMove(header.value));
+        }
+        m_httpHeaderFields.uncommonHeaders().clear();
+        return;
+    }
+    case SanitizationType::CrossOriginSafe:
+        sanitizeHTTPHeaderFieldsAccordingToTainting();
     }
 }

trunk/Source/WebCore/platform/network/ResourceResponseBase.h

@@ -200 +200 @@
     void parseCacheControlDirectives() const;
     void updateHeaderParsedState(HTTPHeaderName);
+    void sanitizeHTTPHeaderFieldsAccordingToTainting();
 
 protected:

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-05-02  Youenn Fablet  <youenn@apple.com>
+
+        Use NetworkLoadChecker for navigation loads
+        https://bugs.webkit.org/show_bug.cgi?id=184892
+        <rdar://problem/39652686>
+
+        Reviewed by Chris Dumez.
+
+        Compute whether a response is same origin in no-cors case.
+        This allows providing more precise filtering.
+        In case of navigate loads, set the tainting to basic which will make filtering to the minimum.
+
+        Pass the sourceOrigin for navigation loads as well.
+        Enable to restrict HTTP response access for navigation load.
+
+        Content Blockers are disabled for now in NetworkLoadChecker for navigation loads.
+        They should be reenabled as a follow-up.
+
+        Add a specific case to allow any redirection to about:// URLs.
+        While this does not conform with the spec, this keeps the existing WebKit behavior.
+
+        * NetworkProcess/NetworkLoadChecker.cpp:
+        (WebKit::NetworkLoadChecker::NetworkLoadChecker):
+        (WebKit::NetworkLoadChecker::validateResponse):
+        (WebKit::NetworkLoadChecker::continueCheckingRequest):
+        (WebKit::NetworkLoadChecker::doesNotNeedCORSCheck const):
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+        (WebKit::WebLoaderStrategy::isDoingLoadingSecurityChecks const):
+        We only do security checks if this runtime flag is on.
+        * WebProcess/Network/WebLoaderStrategy.h:
+
 2018-05-02  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp

@@ -44 +44 @@
 using namespace WebCore;
 
+static inline bool isSameOrigin(const URL& url, const SecurityOrigin* origin)
+{
+    return url.protocolIsData() || url.protocolIsBlob() || !origin || origin->canRequest(url);
+}
+
 NetworkLoadChecker::NetworkLoadChecker(FetchOptions&& options, PAL::SessionID sessionID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin, PreflightPolicy preflightPolicy)
     : m_options(WTFMove(options))
@@ -52 +57 @@
     , m_preflightPolicy(preflightPolicy)
 {
-    if (m_options.mode == FetchOptions::Mode::Cors || m_options.mode == FetchOptions::Mode::SameOrigin)
-        m_isSameOriginRequest = m_url.protocolIsData() || m_url.protocolIsBlob() || m_origin->canRequest(m_url);
+    m_isSameOriginRequest = isSameOrigin(m_url, m_origin.get());
     switch (options.credentials) {
     case FetchOptions::Credentials::Include:
@@ -129 +133 @@
     }
 
-    if (m_isSameOriginRequest) {
+    if (m_options.mode == FetchOptions::Mode::Navigate || m_isSameOriginRequest) {
         response.setTainting(ResourceResponse::Tainting::Basic);
         return { };
@@ -188 +192 @@
     if (m_options.credentials == FetchOptions::Credentials::SameOrigin)
         m_storedCredentialsPolicy = m_isSameOriginRequest && m_origin->canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;
+
+    m_isSameOriginRequest = m_isSameOriginRequest && isSameOrigin(request.url(), m_origin.get());
 
     if (doesNotNeedCORSCheck(request.url())) {
@@ -302 +308 @@
         return true;
 
-    return m_isSameOriginRequest && m_origin->canRequest(url);
+    return m_isSameOriginRequest;
 }
 
@@ -317 +323 @@
 void NetworkLoadChecker::processContentExtensionRulesForLoad(ResourceRequest&& request, CompletionHandler<void(ResourceRequest&&, const ContentExtensions::BlockedStatus&)>&& callback)
 {
-    if (!m_userContentControllerIdentifier) {
+    // FIXME: Enable content blockers for navigation loads.
+    if (!m_userContentControllerIdentifier || m_options.mode == FetchOptions::Mode::Navigate) {
         ContentExtensions::BlockedStatus status;
         callback(WTFMove(request), status);

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp

@@ -605 +605 @@
 ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceResponse&& response, ResourceResponse::SanitizationType type)
 {
-    if (m_parameters.shouldRestrictHTTPResponseAccess) {
-        if (type == ResourceResponse::SanitizationType::CrossOriginSafe) {
-            // We reduce filtering when it would otherwise be visible to scripts.
-            // FIXME: We should use response tainting once computed in Network Process.
-            bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : protocolHostAndPortAreEqual(response.url(), m_parameters.request.url());
-            if (isSameOrigin && m_parameters.options.destination == FetchOptions::Destination::EmptyString)
-                type = ResourceResponse::SanitizationType::RemoveCookies;
-        }
+    if (m_parameters.shouldRestrictHTTPResponseAccess)
         response.sanitizeHTTPHeaderFields(type);
-    }
+
     return WTFMove(response);
 }
@@ -621 +614 @@
 {
     if (m_networkLoadChecker) {
-        // FIXME: We should be doing this check when receiving the redirection.
-        if (!newRequest.url().protocolIsInHTTPFamily() && m_redirectCount) {
+        // FIXME: We should be doing this check when receiving the redirection and not allow about protocol as per fetch spec.
+        if (!newRequest.url().protocolIsInHTTPFamily() && !newRequest.url().isBlankURL() && m_redirectCount) {
             didFailLoading(ResourceError { String { }, 0, newRequest.url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl });
             return;

trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

@@ -302 +302 @@
 #endif
 
+    // FIXME: All loaders should provide their origin if navigation mode is cors/no-cors/same-origin.
+    // As a temporary approach, we use the document origin if available or the HTTP Origin header otherwise.
+    if (resourceLoader.isSubresourceLoader())
+        loadParameters.sourceOrigin = static_cast<SubresourceLoader&>(resourceLoader).origin();
+
+    if (!loadParameters.sourceOrigin && document)
+        loadParameters.sourceOrigin = &document->securityOrigin();
+    if (!loadParameters.sourceOrigin) {
+        auto origin = request.httpOrigin();
+        if (!origin.isNull())
+            loadParameters.sourceOrigin = SecurityOrigin::createFromString(origin);
+    }
+
     if (loadParameters.options.mode != FetchOptions::Mode::Navigate) {
-        // FIXME: All loaders should provide their origin if navigation mode is cors/no-cors/same-origin.
-        // As a temporary approach, we use the document origin if available or the HTTP Origin header otherwise.
-        if (resourceLoader.isSubresourceLoader())
-            loadParameters.sourceOrigin = static_cast<SubresourceLoader&>(resourceLoader).origin();
-
-        auto* document = resourceLoader.frame() ? resourceLoader.frame()->document() : nullptr;
-        if (!loadParameters.sourceOrigin && document)
-            loadParameters.sourceOrigin = &document->securityOrigin();
-        if (!loadParameters.sourceOrigin) {
-            auto origin = request.httpOrigin();
-            if (!origin.isNull())
-                loadParameters.sourceOrigin = SecurityOrigin::createFromString(origin);
-        }
         ASSERT(loadParameters.sourceOrigin);
         if (!loadParameters.sourceOrigin) {
@@ -323 +323 @@
     }
 
-    // FIXME: We should also sanitize redirect response for navigations.
-    loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess() && resourceLoader.options().mode != FetchOptions::Mode::Navigate;
+    loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
 
     loadParameters.isMainFrameNavigation = resourceLoader.frame() && resourceLoader.frame()->isMainFrame() && resourceLoader.options().mode == FetchOptions::Mode::Navigate;
@@ -664 +663 @@
 }
 
+bool WebLoaderStrategy::isDoingLoadingSecurityChecks() const
+{
+    return RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
+}
+
 } // namespace WebKit

trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.h

@@ -84 +84 @@
     void setOnLineState(bool);
 
-    bool isDoingLoadingSecurityChecks() const final { return true; }
-
 private:
     void scheduleLoad(WebCore::ResourceLoader&, WebCore::CachedResource*, bool shouldClearReferrerOnHTTPSToHTTPRedirect);
@@ -95 +93 @@
     WebCore::ResourceResponse responseFromResourceLoadIdentifier(uint64_t resourceLoadIdentifier) final;
     WebCore::NetworkLoadMetrics networkMetricsFromResourceLoadIdentifier(uint64_t resourceLoadIdentifier) final;
+
+    bool isDoingLoadingSecurityChecks() const final;
 
     HashSet<RefPtr<WebCore::ResourceLoader>> m_internallyFailedResourceLoaders;