Bug 206403

Summary: Safari does not present CertificateInfo for service-worker served documents
Product: WebKit Reporter: youenn fablet <youennf>
Component: Service WorkersAssignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, ap, beidson, berto, cgarcia, darin, ews-watchlist, ggaren, gustavo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=196182
https://bugs.webkit.org/show_bug.cgi?id=216038
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

youenn fablet
Reported 2020-01-17 00:35:16 PST
Safari does not present CertificateInfo for service-worker served documents
Attachments
Patch (10.80 KB, patch)
2020-07-20 22:31 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (12.44 KB, patch)
2020-07-21 13:07 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (12.90 KB, patch)
2020-07-21 13:50 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (12.07 KB, patch)
2020-07-21 17:31 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (39.86 KB, patch)
2020-07-21 21:10 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (40.17 KB, patch)
2020-07-22 09:44 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (40.67 KB, patch)
2020-07-22 11:37 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (72.71 KB, patch)
2020-07-22 12:59 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-01-17 00:36:24 PST
<rdar://problem/58674661>
youenn fablet
Comment 2 2020-01-20 00:50:07 PST
This happens in a few cases: - service worker intercepts the document fetch, call fetch() itself and sends back the response - service worker intercepts the document fetch and returns a DOMCache response/synthesized response.
youenn fablet
Comment 3 2020-07-20 11:06:35 PDT
<rdar://problem/65410875>
Alex Christensen
Comment 4 2020-07-20 22:31:21 PDT
Created attachment 404796 [details] Patch
Geoffrey Garen
Comment 5 2020-07-21 10:19:23 PDT
EWS says the new API tests are failing.
youenn fablet
Comment 6 2020-07-21 10:40:48 PDT
Comment on attachment 404796 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=404796&action=review > Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm:2163 > + " event.respondWith(new Response(new Blob(['<script>alert(\"hello from service worker\")</script>'], {type: 'text/html'})));" We should probably exercise three code paths here. The first one with synthetic responses as above. The second one is when using DOMCache by putting in DOMCache an existing resource and the feeding it into respondWith. You can find an example in https://mdn.github.io/sw-test/sw.js The third one by doing something like: event.respondWith(fetch(event.request.url)). Hopefully this one should work.
Alex Christensen
Comment 7 2020-07-21 13:07:44 PDT
Created attachment 404857 [details] Patch
Alex Christensen
Comment 8 2020-07-21 13:50:51 PDT
Created attachment 404859 [details] Patch
Alex Christensen
Comment 9 2020-07-21 17:31:32 PDT
Created attachment 404889 [details] Patch
Brady Eidson
Comment 10 2020-07-21 17:40:27 PDT
We don't check in failing tests though
EWS
Comment 11 2020-07-21 18:11:20 PDT
Committed r264687: <https://trac.webkit.org/changeset/264687> All reviewed patches have been landed. Closing bug and clearing flags on attachment 404889 [details].
Alex Christensen
Comment 12 2020-07-21 18:19:22 PDT
Reopening to attach actual fix. That was just a test showing current behavior.
Alex Christensen
Comment 13 2020-07-21 21:10:53 PDT
Created attachment 404898 [details] Patch
Darin Adler
Comment 14 2020-07-21 21:37:14 PDT
Comment on attachment 404898 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=404898&action=review > Source/WebCore/platform/network/cf/CertificateInfoCFNet.cpp:53 > + CertificateInfo copy; > +#if HAVE(SEC_TRUST_SERIALIZATION) > + copy.m_trust = m_trust; > +#endif > + copy.m_certificateChain = m_certificateChain; > + return copy; Since there is nothing to isolate, can just write this: return *this; Could even put it inline in the header if you like.
youenn fablet
Comment 15 2020-07-21 23:39:06 PDT
Comment on attachment 404898 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=404898&action=review > Source/WebCore/workers/WorkerScriptLoader.cpp:130 > + options.certificateInfoPolicy = certificateInfoPolicy; Another way to pass this information down to network process is to piggy back on the destination option, which should be Destination::ServiceWorker, not Destination::Worker. For ServiceWorker destination, NetworkResourceLoader could decide to pass the certificateInfo (or WebLoaderStrategy could set needsCertificateInfo to true). We could think of removing certificateInfoPolicy/needsCertificateInfo in the future. > Source/WebCore/workers/service/ServiceWorkerGlobalScope.h:71 > + const CertificateInfo& certificateInfo() { return m_contextData.certificateInfo; } const > Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:106 > + resourceResponse.setCertificateInfo(WTFMove(certificateInfo)); We should probably only do that if the response has no certificate info. And restrict that to navigation loads only. We do not want to pretend to use the service worker certificate info for third party resources. > Source/WebCore/workers/service/server/RegistrationDatabase.cpp:408 > + // FIXME: Consider serializing the certificate info to disk so WKWebView.serverTrust will be non-null when offline. Could you also add a FIXME for the following case: - service worker is installed and has a certificate info - service worker is soft updated, script does not change but certificate info does (say the old certificate was soon to be obsolete). We should in that case update the service worker registration info and potentially the service worker certificate info. A quick fix would be to consider that a change in certificate info is like a change in the script. We would then trigger install/activate and update the on disk registration. See SWServerJobQueue::scriptFetchFinished.
Alex Christensen
Comment 16 2020-07-22 09:35:47 PDT
Thanks for the reviews. I found that we do need to persist the data to fix the radar, so I incremented schemaVersion and added it. I added a FIXME for the certificate change in soft update, and used destination to mean certificate info policy.
youenn fablet
Comment 17 2020-07-22 09:39:54 PDT
(In reply to Alex Christensen from comment #16) > Thanks for the reviews. I found that we do need to persist the data to fix > the radar, so I incremented schemaVersion and added it. > I added a FIXME for the certificate change in soft update, and used > destination to mean certificate info policy. Great! Is there an way to easily compare CertificateInfo equality? If so, we should probably try to update CertificateInfo as if the script was modified as a follow-up patch.
Alex Christensen
Comment 18 2020-07-22 09:44:53 PDT
Created attachment 404930 [details] Patch
Alex Christensen
Comment 19 2020-07-22 10:16:39 PDT
(In reply to youenn fablet from comment #17) > Is there an way to easily compare CertificateInfo equality? There is a function called certificatesMatch. We should probably refactor that into something like CertificateInfo::operator==.
Alex Christensen
Comment 20 2020-07-22 11:37:39 PDT
Created attachment 404942 [details] Patch
Alex Christensen
Comment 21 2020-07-22 12:59:43 PDT
Created attachment 404953 [details] Patch
Alex Christensen
Comment 22 2020-07-22 13:19:45 PDT
https://trac.webkit.org/changeset/264724/webkit
Note You need to log in before you can comment on or make changes to this bug.