Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 647e80ac22b36756d0b194b3f0526fae8f62447a
https://github.com/WebKit/WebKit/commit/647e80ac22b36756d0b194b3f0526fae8f62447a
Author: Kiet Ho <[email protected]>
Date: 2025-05-23 (Fri, 23 May 2025)
Changed paths:
A LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document-expected.txt
A LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document.html
A LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document-expected.txt
A LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document.html
M LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt
M Source/WebCore/css/CSSImportRule.cpp
M Source/WebCore/css/CSSStyleSheet.cpp
M Source/WebCore/css/CSSStyleSheet.h
M Source/WebCore/dom/ProcessingInstruction.cpp
M Source/WebCore/html/HTMLLinkElement.cpp
Log Message:
-----------
Tighten up cross-site access to CSSStyleSheet
rdar://148513087
https://bugs.webkit.org/show_bug.cgi?id=290992
Reviewed by Youenn Fablet.
CSSStyleSheet::canAccessRules() gates access to rules within
CSSStyleSheet, depending on whether the JS code and stylesheet come
from the same origin.
bool CSSStyleSheet::canAccessRules() const
{
    if (m_isOriginClean) // (1)
        return m_isOriginClean.value();

    URL baseURL = m_contents->baseURL(); // (2)
    if (baseURL.isEmpty())
        return true;

    Document* document = ownerDocument(); // (3)
    if (!document)
        return true; // (4)

    return document->protectedSecurityOrigin()->canRequest(baseURL,
        OriginAccessPatternsForWebProcess::singleton()); // (5)
}
If CSSStyleSheet is constructed with an explicit same-origin flag (which
indicates the origin status of the JS code and stylesheet), that flag is
used (1). Otherwise, it manually checks the origin:
* get the base URL of the stylesheet (2)
* get the document owner of the CSSStyleSheet
  (also the document that the JS code is in) (3)
* check whether the JS code and the stylesheet are same-origin (5)
There's a bug at (4) - it grants access if the CSSStyleSheet doesn't
belong to a Document. Malicious JS code can manipulate a cross-origin
CSSStyleSheet into this state:
* If the CSSStyleSheet comes from HTMLLinkElement.sheet (<link rel="stylesheet">)
  or HTMLStyleElement.sheet (<style>), remove the <link> or <style> element
  from the document, e.g. using Node.removeChild
* If it comes from CSSImportRule.styleSheet (@import), remove the
  stylesheet containing the @import rule from the document
Following the removal, ownerDocument() returns nullptr, and access is
granted. Fix this by changing (4) to return false instead.
Unfortunately, many places in the codebase construct CSSStyleSheet
without supplying the same-origin flag, instead relying on the
fallback check. For those cases, this change introduces a regression
where if a same-origin stylesheet is created without the same-origin
flag, then is removed from the document, the fallback check will
incorrectly deny access. Fix this by hunting down places that
construct CSSStyleSheet and supply the flag if possible.
Also fix CSSStyleSheet.{insert,delete}Rule to always check with
canAccessRules() before allowing insertion/deletion.
* LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document-expected.txt: Added.
* LayoutTests/http/tests/security/access-cssstylesheet-after-removing-from-document.html: Added.
* LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document-expected.txt: Added.
* LayoutTests/http/tests/security/access-imported-cssstylesheet-after-removing-from-document.html: Added.
* LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt:
- Adjust expectation. This now matches Chrome's output.
* LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt:
* Source/WebCore/css/CSSImportRule.cpp:
(WebCore::CSSImportRule::styleSheet const):
- Supply same-origin flag when creating CSSStyleSheet if possible.
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::create):
- Make ::create for @import rules take an optional same-origin flag.
(WebCore::CSSStyleSheet::createInline):
- Take an optional same-origin flag.
(WebCore::CSSStyleSheet::canAccessRules const):
- Deny access if the CSSStyleSheet does not belong to a Document.
(WebCore::CSSStyleSheet::insertRule):
- Deny access if not allowed (using canAccessRules())
(WebCore::CSSStyleSheet::deleteRule):
- Deny access if not allowed (using canAccessRules())
* Source/WebCore/css/CSSStyleSheet.h:
* Source/WebCore/dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::setCSSStyleSheet):
- Supply same-origin flag when creating CSSStyleSheet.
* Source/WebCore/html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::initializeStyleSheet):
- Always set the origin clean flag, regardless of whether the fetch
  request is CORS or not.
Originally-landed-as: be53cebfe0d9. rdar://151714711
Canonical link: https://commits.webkit.org/295342@main
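The following is an added, constructed C++ model of the access check described in the commit message above; it is not WebKit code. The `Document` and `StyleSheet` structs are hypothetical stand-ins holding only the three inputs the real check consults (the explicit same-origin flag, the sheet's base URL origin, and the owner document), and the same-origin test is a plain origin-string comparison rather than WebKit's SecurityOrigin::canRequest. It places the pre-fix fallback next to the fixed one and shows the regression the message warns about: a same-origin sheet created without the flag is denied once detached, which is why the change also supplies the flag at construction sites.

```cpp
// Constructed model of CSSStyleSheet::canAccessRules() before and after the fix.
// Not WebKit code; names and types are hypothetical stand-ins.
#include <cassert>
#include <cstdio>
#include <optional>
#include <string>

// Hypothetical Document: only its origin matters for this model.
struct Document {
    std::string origin;  // e.g. "https://page.test"
};

// Hypothetical CSSStyleSheet holding the three inputs the check consults.
struct StyleSheet {
    std::optional<bool> isOriginClean;  // explicit same-origin flag, if supplied
    std::string baseURLOrigin;          // origin of the sheet's base URL; "" models an empty URL
    const Document* ownerDocument;      // nullptr once the sheet is removed from its document
};

// Simplified stand-in for SecurityOrigin::canRequest: compare origins only.
static bool sameOrigin(const Document& doc, const std::string& sheetOrigin) {
    return doc.origin == sheetOrigin;
}

// Pre-fix logic: step (4) grants access when there is no owner document.
static bool canAccessRulesBeforeFix(const StyleSheet& sheet) {
    if (sheet.isOriginClean)                 // (1) explicit flag wins
        return *sheet.isOriginClean;
    if (sheet.baseURLOrigin.empty())         // (2) no base URL: allowed
        return true;
    if (!sheet.ownerDocument)                // (3)/(4)
        return true;                         // the bug: detached sheet => granted
    return sameOrigin(*sheet.ownerDocument, sheet.baseURLOrigin);  // (5)
}

// Fixed logic: a detached sheet is denied unless the explicit flag allows it.
static bool canAccessRulesAfterFix(const StyleSheet& sheet) {
    if (sheet.isOriginClean)
        return *sheet.isOriginClean;
    if (sheet.baseURLOrigin.empty())
        return true;
    if (!sheet.ownerDocument)
        return false;                        // the fix
    return sameOrigin(*sheet.ownerDocument, sheet.baseURLOrigin);
}

// insertRule/deleteRule now consult the access check first.
static bool insertRuleAllowed(const StyleSheet& sheet) {
    return canAccessRulesAfterFix(sheet);
}

// Constructed scenarios used below and by the tests.
static const Document kPage{"https://page.test"};

static StyleSheet makeSheet(const std::string& sheetOrigin, bool withFlag, bool attached) {
    std::optional<bool> flag;
    if (withFlag)
        flag = (sheetOrigin == kPage.origin);  // flag as the constructor would supply it
    return StyleSheet{flag, sheetOrigin, attached ? &kPage : nullptr};
}

static StyleSheet crossOriginSheetDetached(bool withFlag) {
    return makeSheet("https://other.test", withFlag, /*attached=*/false);
}

static StyleSheet sameOriginSheetDetached(bool withFlag) {
    return makeSheet("https://page.test", withFlag, /*attached=*/false);
}

int main() {
    StyleSheet cross = crossOriginSheetDetached(false);
    std::printf("cross-origin, detached, no flag: before=%d after=%d\n",
                canAccessRulesBeforeFix(cross), canAccessRulesAfterFix(cross));

    StyleSheet sameNoFlag = sameOriginSheetDetached(false);
    StyleSheet sameFlag = sameOriginSheetDetached(true);
    std::printf("same-origin, detached: no flag=%d, with flag=%d\n",
                canAccessRulesAfterFix(sameNoFlag), canAccessRulesAfterFix(sameFlag));
    std::printf("insertRule on cross-origin detached sheet allowed=%d\n",
                insertRuleAllowed(cross));
    return 0;
}
```

The second printed line is the regression in the message: without the flag the fixed fallback denies a legitimately same-origin sheet after removal, so construction sites (CSSImportRule, createInline, ProcessingInstruction, HTMLLinkElement) must pass the flag through.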
Commit: 1d88cd372a58384f14f98fb95b5d5c83a4fd4c22
https://github.com/WebKit/WebKit/commit/1d88cd372a58384f14f98fb95b5d5c83a4fd4c22
Author: Sihui Liu <[email protected]>
Date: 2025-05-23 (Fri, 23 May 2025)
Changed paths:
M Source/WebCore/platform/network/ResourceResponseBase.cpp
M Source/WebCore/platform/network/ResourceResponseBase.h
Log Message:
-----------
ResourceResponseData::proxyName is not properly isolated copied
https://bugs.webkit.org/show_bug.cgi?id=291646
rdar://148182167
Reviewed by Chris Dumez.
In the existing implementation, ResourceResponseData::proxyName is not isolated
copied or moved correctly at the places it is supposed to be, and this can be
the cause of increasing crashes we saw in recent builds. Credits to Chris who
found the issue.
* Source/WebCore/platform/network/ResourceResponseBase.cpp:
(WebCore::ResourceResponseData::isolatedCopy const):
(WebCore::ResourceResponseBase::crossThreadData const):
(WebCore::ResourceResponseBase::fromCrossThreadData):
* Source/WebCore/platform/network/ResourceResponseBase.h:
(WebCore::ResourceResponseBase::setProxyName):
(WebCore::ResourceResponseBase::proxyName const):
Originally-landed-as: cdd407b46a54. rdar://151714620
Canonical link: https://commits.webkit.org/295343@main
Compare: https://github.com/WebKit/WebKit/compare/150fa103a89e...1d88cd372a58
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes