Changeset 265835 in webkit

Timestamp:

Aug 18, 2020 3:18:20 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
​https://bugs.webkit.org/show_bug.cgi?id=215626
<rdar://problem/67268892>

Patch by Alex Christensen <​achristensen@webkit.org> on 2020-08-18
Reviewed by Darin Adler.

Source/WebKit:

We have introduced public API webView:authenticationChallenge:shouldAllowDeprecatedTLS: in WKNavigationDelegate to allow
applications to choose whether to allow TLS 1.0 or 1.1 connections. We don't want to break this API or break existing third party
apps that load pages that load third party subresources that use TLS 1.0 or 1.1.

However, we do want Safari, which uses fastServerTrustEvaluationEnabled SPI, to silently fail subresource loads that use TLS 1.0 or 1.1.
This matches the current behavior of Chrome and Firefox, which was not implemented in those other browsers when we decided to ask about subresources.

Covered by an API test.

• NetworkProcess/cocoa/NetworkSessionCocoa.mm:

(WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):

Tools:

• TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:

(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm (modified) (1 diff)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-08-18  Alex Christensen  <achristensen@webkit.org>
+
+        WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
+        https://bugs.webkit.org/show_bug.cgi?id=215626
+        <rdar://problem/67268892>
+
+        Reviewed by Darin Adler.
+
+        We have introduced public API webView:authenticationChallenge:shouldAllowDeprecatedTLS: in WKNavigationDelegate to allow
+        applications to choose whether to allow TLS 1.0 or 1.1 connections.  We don't want to break this API or break existing third party
+        apps that load pages that load third party subresources that use TLS 1.0 or 1.1.
+
+        However, we do want Safari, which uses fastServerTrustEvaluationEnabled SPI, to silently fail subresource loads that use TLS 1.0 or 1.1.
+        This matches the current behavior of Chrome and Firefox, which was not implemented in those other browsers when we decided to ask about subresources.
+
+        Covered by an API test.
+
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
+
 2020-08-18  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm

@@ -1547 +1547 @@
         completionHandler(disposition, credential);
     };
+
+    if (negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes
+        && fastServerTrustEvaluationEnabled()
+        && !networkDataTask->isTopLevelNavigation())
+        return completionHandler(AuthenticationChallengeDisposition::Cancel, { });
+
     networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), negotiatedLegacyTLS, WTFMove(challengeCompletionHandler));
 }

trunk/Tools/ChangeLog

@@ +1 @@
+2020-08-18  Alex Christensen  <achristensen@webkit.org>
+
+        WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
+        https://bugs.webkit.org/show_bug.cgi?id=215626
+        <rdar://problem/67268892>
+
+        Reviewed by Darin Adler.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
+        (TestWebKitAPI::TEST):
+
 2020-08-17  Aakash Jain  <aakash_jain@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm

@@ -461 +461 @@
 }
 
+TEST(TLSVersion, LegacySubresources)
+{
+    HTTPServer legacyServer({
+        { "/frame", { "shouldn't load with fastServerTrustEvaluationEnabled" }}
+    }, HTTPServer::Protocol::HttpsWithLegacyTLS);
+
+    HTTPServer modernServer({
+        { "/", { makeString("<iframe src='https://127.0.0.1:", legacyServer.port(), "/frame'/>") }}
+    }, HTTPServer::Protocol::Https);
+
+    auto dataStoreConfiguration = [[[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration] autorelease];
+    dataStoreConfiguration.fastServerTrustEvaluationEnabled = YES;
+    auto webViewConfiguration = [[WKWebViewConfiguration new] autorelease];
+    webViewConfiguration.websiteDataStore = [[[WKWebsiteDataStore alloc] _initWithConfiguration:dataStoreConfiguration] autorelease];
+    auto webView = [[[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:webViewConfiguration] autorelease];
+
+    auto delegate = [[TestNavigationDelegate new] autorelease];
+    [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+        EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
+        callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+    }];
+    [webView setNavigationDelegate:delegate];
+
+    [webView loadRequest:modernServer.request()];
+    [delegate waitForDidFinishNavigation];
+
+    EXPECT_EQ(legacyServer.totalRequests(), 0u);
+    EXPECT_EQ(modernServer.totalRequests(), 1u);
+
+    auto defaultWebView = [[WKWebView new] autorelease];
+    [defaultWebView setNavigationDelegate:delegate];
+    [defaultWebView loadRequest:modernServer.request()];
+    [delegate waitForDidFinishNavigation];
+    EXPECT_EQ(legacyServer.totalRequests(), 1u);
+    EXPECT_EQ(modernServer.totalRequests(), 2u);
+}
+
 #endif // HAVE(NETWORK_FRAMEWORK) && HAVE(TLS_PROTOCOL_VERSION_T)