Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7f2ea8fcf41a68add90efab89609218407e1a824
    https://github.com/WebKit/WebKit/commit/7f2ea8fcf41a68add90efab89609218407e1a824
Author: Matthew Finkel <sys...@apple.com>
Date: 2023-08-22 (Tue, 22 Aug 2023)

Changed paths:
  M LayoutTests/TestExpectations
  A LayoutTests/http/tests/local/blob/download-blob-from-iframe-expected.txt
  A LayoutTests/http/tests/local/blob/download-blob-from-iframe.html
  A LayoutTests/http/tests/local/blob/navigate-blob-expected.txt
  A LayoutTests/http/tests/local/blob/navigate-blob.html
  A LayoutTests/http/tests/local/blob/resources/broadcast-channel-proxy.html
  A LayoutTests/http/tests/local/blob/resources/iframe-creating-or-downloading-blob.html
  A LayoutTests/http/tests/local/blob/resources/iframe-for-creating-and-navigating-to-blob.html
  A LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-creating-or-navigating-to-blob.html
  A LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-downloading-blob.html
  M LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt
  M LayoutTests/http/tests/security/blob-null-url-location-origin.html
  A LayoutTests/http/tests/security/cross-origin-blob-transfer-expected.txt
  A LayoutTests/http/tests/security/cross-origin-blob-transfer.html
  A LayoutTests/http/tests/security/resources/iframe-cross-origin-blob-transfer.html
  M LayoutTests/http/tests/security/top-level-unique-origin2.https.html
  A LayoutTests/platform/gtk/http/tests/local/blob/download-blob-from-iframe-expected.txt
  M LayoutTests/platform/mac-wk1/TestExpectations
  M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
  M Source/WebCore/fileapi/BlobURL.cpp
  M Source/WebCore/fileapi/BlobURL.h
  M Source/WebCore/fileapi/ThreadableBlobRegistry.cpp
  M Source/WebCore/loader/FrameLoader.cpp
  M Source/WebCore/platform/network/BlobRegistryImpl.cpp
  M Source/WebCore/platform/network/BlobRegistryImpl.h

Log Message:
-----------
Partition Blob Registry by the top-level main document origin
https://bugs.webkit.org/show_bug.cgi?id=260035
rdar://problem/113705298

Reviewed by Alex Christensen and Sihui Liu.

Public blob URLs are only accessible from same-origin documents, but access
is not restricted by the top-level origin.
This means that Blob URLs can be used as a cross-origin tracking mechanism
within iframes. In this patch we partition public blob URLs within the Blob
Registry by top-level origin. This partitioning is controlled by a feature
flag that is disabled by default.

I took a few approaches at solving this. The most difficult challenge was
finding a solution that allowed retrieving BlobData using a public blob URL
from WKWebView APIs. In that case, the relevant top document may not be
obvious, or may not exist. As a result, the design of this partitioning is
more like access control rather than adding another key into the hashmap.
Two alternative designs I considered include creating a second hashmap that
is keyed by <URL, SecurityOriginData> and we look up the BlobData in that map
if we have a SecurityOriginData, otherwise we use the unpartitioned map. Or,
we create a new map from URL -> SecurityOriginData where we can look up the
associated top origin SecurityOriginData if we don't already know it.
However, both of these options are more complex than the chosen
implementation, and neither of them seemed safer.

This change also enforces a noopener policy on new windows when the top
origin of the opener is cross-origin with the blob's security origin. This is
a mitigation that was discussed in the blob URL storage partitioning issue
[0] with cross-engine support, and that seemed reasonable to me.

[0] https://github.com/w3c/FileAPI/issues/153

* LayoutTests/TestExpectations:
* LayoutTests/http/tests/local/blob/download-blob-from-iframe-expected.txt: Added.
* LayoutTests/http/tests/local/blob/download-blob-from-iframe.html: Added.
* LayoutTests/http/tests/local/blob/navigate-blob-expected.txt: Added.
* LayoutTests/http/tests/local/blob/navigate-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/broadcast-channel-proxy.html: Added.
* LayoutTests/http/tests/local/blob/resources/iframe-creating-or-downloading-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/iframe-for-creating-and-navigating-to-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-creating-or-navigating-to-blob.html: Added.
* LayoutTests/http/tests/local/blob/resources/main-frame-with-iframe-downloading-blob.html: Added.
* LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt:
* LayoutTests/http/tests/security/blob-null-url-location-origin.html:
* LayoutTests/http/tests/security/cross-origin-blob-transfer-expected.txt: Added.
* LayoutTests/http/tests/security/cross-origin-blob-transfer.html: Added.
* LayoutTests/http/tests/security/resources/iframe-cross-origin-blob-transfer.html: Added.
* LayoutTests/http/tests/security/top-level-unique-origin2.https.html:
* LayoutTests/platform/gtk-wk2/http/tests/local/blob/download-blob-from-iframe-expected.txt: Added.
* LayoutTests/platform/mac-wk1/TestExpectations:
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebCore/fileapi/BlobURL.cpp:
(WebCore::BlobURL::isInternalURL):
* Source/WebCore/fileapi/BlobURL.h:
* Source/WebCore/fileapi/ThreadableBlobRegistry.cpp:
(WebCore::ThreadableBlobRegistry::registerInternalFileBlobURL):
(WebCore::ThreadableBlobRegistry::registerInternalBlobURL):
(WebCore::ThreadableBlobRegistry::registerInternalBlobURLOptionallyFileBacked):
(WebCore::ThreadableBlobRegistry::registerInternalBlobURLForSlice):
(WebCore::isInternalBlobURL): Deleted.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::loadPostRequest):
(WebCore::createWindow):
* Source/WebCore/platform/network/BlobRegistryImpl.cpp:
(WebCore::BlobRegistryImpl::registerBlobURLOptionallyFileBacked):
(WebCore::BlobRegistryImpl::unregisterBlobURL):
(WebCore::BlobRegistryImpl::getBlobDataFromURL const):
(WebCore::BlobRegistryImpl::addBlobData):
(WebCore::BlobRegistryImpl::registerBlobURLHandle):
(WebCore::BlobRegistryImpl::unregisterBlobURLHandle):
* Source/WebCore/platform/network/BlobRegistryImpl.h:

Canonical link: https://commits.webkit.org/267172@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
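
The access-control style of partitioning that the log message describes, as a simplified C++ model added here for illustration; it is not code from the WebKit commit. `BlobRegistryModel`, `BlobEntry`, `readSucceeds`, the example origins, and the choice to leave a caller with no top document unfiltered are assumptions of this sketch, and the existing same-origin check on the blob URL itself is not modelled.

```cpp
// Added illustration, not WebKit source: a blob registry model that treats the
// top-level origin as an access-control attribute. All names are hypothetical.
#include <iostream>
#include <map>
#include <string>
struct BlobEntry {
    std::string data;
    std::string topOrigin; // top-level origin recorded at registration
};
class BlobRegistryModel {
public:
    explicit BlobRegistryModel(bool partitioningEnabled) : m_partitioningEnabled(partitioningEnabled) { }
    void registerURL(const std::string& url, const std::string& data, const std::string& topOrigin)
    {
        m_blobs[url] = BlobEntry { data, topOrigin };
    }

    // requesterTopOrigin is null for a caller that has no top document.
    // Assumption of this model: such a caller is not filtered.
    const std::string* lookup(const std::string& url, const std::string* requesterTopOrigin) const
    {
        auto it = m_blobs.find(url);
        if (it == m_blobs.end())
            return nullptr;
        if (m_partitioningEnabled && requesterTopOrigin && *requesterTopOrigin != it->second.topOrigin)
            return nullptr; // known URL, requested under a different top-level site
        return &it->second.data;
    }

private:
    bool m_partitioningEnabled; // models the feature flag
    std::map<std::string, BlobEntry> m_blobs; // still keyed by URL alone
};

// Constructed scenario: a blob is registered while the top-level page is
// site-a.example, then the same URL is requested from another context.
bool readSucceeds(bool partitioningEnabled, const std::string* requesterTopOrigin)
{
    BlobRegistryModel registry(partitioningEnabled);
    const std::string url = "blob:https://widget.example/constructed-id";
    registry.registerURL(url, "constructed-payload", "https://site-a.example");
    return registry.lookup(url, requesterTopOrigin) != nullptr;
}

int main()
{
    const std::string siteB = "https://site-b.example";
    std::cout << readSucceeds(false, &siteB) << readSucceeds(true, &siteB) << readSucceeds(true, nullptr) << "\n";
}
```

Because the map stays keyed by URL alone, a lookup that supplies no top origin still resolves, which is the property the two-key alternatives in the log message would have needed extra machinery to keep.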