Bug 182160

Summary: CSP post checks should be done for service worker responses
Product: WebKit Reporter: youenn fablet <youennf>
Component: Service Workers Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, cdumez, commit-queue, dbates, ews-watchlist, japhet, mkwst, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

youenn fablet
Reported 2018-01-25 17:00:24 PST
CSP post checks should be done for service worker responses
Attachments
Patch (5.72 KB, patch)
2018-01-25 17:02 PST, youenn fablet
no flags
Archive of layout-test-results from ews107 for mac-sierra-wk2 (2.60 MB, application/zip)
2018-01-25 17:51 PST, EWS Watchlist
no flags
Archive of layout-test-results from ews123 for ios-simulator-wk2 (2.34 MB, application/zip)
2018-01-25 18:20 PST, EWS Watchlist
no flags
Patch (5.82 KB, patch)
2018-01-25 19:33 PST, youenn fablet
no flags
Patch for landing (5.58 KB, patch)
2018-01-26 08:22 PST, youenn fablet
no flags
youenn fablet
Comment 1 2018-01-25 17:02:25 PST
Radar WebKit Bug Importer
Comment 2 2018-01-25 17:03:55 PST
EWS Watchlist
Comment 3 2018-01-25 17:51:55 PST
Comment on attachment 332336 Patch
Attachment 332336 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/6216133
New failing tests:
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-referrer-policy.https.html
EWS Watchlist
Comment 4 2018-01-25 17:51:56 PST
Created attachment 332340 Archive of layout-test-results from ews107 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 5 2018-01-25 18:20:52 PST
Comment on attachment 332336 Patch
Attachment 332336 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/6216405
New failing tests:
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-referrer-policy.https.html
EWS Watchlist
Comment 6 2018-01-25 18:20:54 PST
Created attachment 332341 Archive of layout-test-results from ews123 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6
youenn fablet
Comment 7 2018-01-25 19:33:41 PST
Daniel Bates
Comment 8 2018-01-25 19:56:28 PST
Comment on attachment 332344 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=332344&action=review

This patch does more than add a CSP check. It also adds a mixed content check. We also need to add a nosniff check and the Fetch spec also has a MIME type check. Do you plan to follow up to add the other checks?

> Source/WebCore/loader/SubresourceLoader.cpp:305
> + || !loader.checkInsecureContent(m_resource->type(), response.url())) {

Please add test(s) for mixed content.
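Review bot: at SubresourceLoader.cpp:305 the mixed-content decision rests on `response.url()` alone, which for a service worker response need not be the URL of the original request (the worker can answer with a fetch of another URL, or with a response constructed in script that has an empty URL). The mixed-content tests requested above should include such a response, and a comment at the call should say which URL the check is meant to judge.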
youenn fablet
Comment 9 2018-01-26 08:16:44 PST
(In reply to Daniel Bates from comment #8)
> Comment on attachment 332344
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=332344&action=review
>
> This patch does more than add a CSP check. It also adds a mixed content
> check. We also need to add a nosniff check and the Fetch spec also has a
> MIME type check. Do you plan to follow up to add the other checks?

No sniff and mime type checks are done at the response processing level right now. We could do some refactoring in the future to better match the spec but this is not needed right now.

> > Source/WebCore/loader/SubresourceLoader.cpp:305
> > + || !loader.checkInsecureContent(m_resource->type(), response.url())) {
>
> Please add test(s) for mixed content.

I'll remove the check for now and will investigate potential mixed content issues as a follow-up.
youenn fablet
Comment 10 2018-01-26 08:22:42 PST
Created attachment 332374 Patch for landing
WebKit Commit Bot
Comment 11 2018-01-26 09:36:52 PST
Comment on attachment 332374 Patch for landing
Clearing flags on attachment: 332374
Committed r227680: <https://trac.webkit.org/changeset/227680>
WebKit Commit Bot
Comment 12 2018-01-26 09:36:53 PST
All reviewed patches have been landed. Closing bug.