Bug 230269

Summary: Add violations reporting support for Cross-Origin-Embedder-Policy
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, clopez, darin, esprehn+autocc, ews-watchlist, ggaren, japhet, kkinnunen, kondapallykalyan, mkwst, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 228755    
Attachments:
Description Flags
WIP patch
none
WIP patch
none
WIP patch
none
WIP patch
none
Patch
none
Patch
none
Patch none

Chris Dumez
Reported 2021-09-14 09:45:25 PDT
Add violations reporting support for Cross-Origin-Embedder-Policy.
Attachments
WIP patch (47.60 KB, patch)
2021-09-14 14:28 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
WIP patch (46.53 KB, patch)
2021-09-14 14:34 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
WIP patch (44.71 KB, patch)
2021-09-14 14:52 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
WIP patch (44.69 KB, patch)
2021-09-14 16:36 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (54.55 KB, patch)
2021-09-15 07:35 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (54.48 KB, patch)
2021-09-16 07:22 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (54.46 KB, patch)
2021-09-16 10:05 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (6) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2021-09-14 14:09:14 PDT
Add to fix a WPT test to run within WebKit infra: https://github.com/web-platform-tests/wpt/pull/30785
Chris Dumez
Comment 2 2021-09-14 14:28:59 PDT
Created attachment 438174 [details] WIP patch
EWS Watchlist
Comment 3 2021-09-14 14:29:39 PDT
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Chris Dumez
Comment 4 2021-09-14 14:34:00 PDT
Created attachment 438175 [details] WIP patch
Chris Dumez
Comment 5 2021-09-14 14:52:22 PDT
Created attachment 438176 [details] WIP patch
Chris Dumez
Comment 6 2021-09-14 16:36:57 PDT
Created attachment 438188 [details] WIP patch
Chris Dumez
Comment 7 2021-09-15 07:35:25 PDT
Created attachment 438244 [details] Patch
Radar WebKit Bug Importer
Comment 8 2021-09-15 07:35:57 PDT
<rdar://problem/83150069>
youenn fablet
Comment 9 2021-09-16 00:51:48 PDT
Comment on attachment 438244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438244&action=review > Source/WebCore/loader/cache/CachedResourceLoader.cpp:803 > + return frame.isMainFrame() ? FetchOptions::Destination::Document : FetchOptions::Destination::Iframe; We could differentiate SVGDocumentResource from MainResource so that only MainResource checks for Document vs. Iframe. > Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:166 > + return WTFMove(*error); Why not just returning error here? > Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:177 > + return WTFMove(*error); Why not just returning error here? > Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:647 > return true; Are we sure this return true is correct? It seems we should return true if ownerPolicy's value is "unsafe-none" OR policy's value is "require-corp", but we do an if (AND) above.
Chris Dumez
Comment 10 2021-09-16 07:21:42 PDT
Comment on attachment 438244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438244&action=review >> Source/WebCore/loader/cache/CachedResourceLoader.cpp:803 >> + return frame.isMainFrame() ? FetchOptions::Destination::Document : FetchOptions::Destination::Iframe; > > We could differentiate SVGDocumentResource from MainResource so that only MainResource checks for Document vs. Iframe. Ok, will do. >> Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:166 >> + return WTFMove(*error); > > Why not just returning error here? Will update. >> Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:177 >> + return WTFMove(*error); > > Why not just returning error here? Will update. >> Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:647 >> return true; > > Are we sure this return true is correct? > It seems we should return true if ownerPolicy's value is "unsafe-none" OR policy's value is "require-corp", but we do an if (AND) above. The function is named "shouldInterruptWorkerLoadForCrossOriginEmbedderPolicy" so `return true` means we interrupt the load. The spec says: "If ownerPolicy's value is "unsafe-none" or policy's value is "require-corp", then return true." But this is to determine if we should let the load continue. Given that our code is about interrupting the load, I believe it should be the opposite: "If ownerPolicy's value is NOT "unsafe-none" (thus it is "require-corp") AND policy's value is NOT "require-corp" (thus it is "unsafe-none"), then return true." My code looks correct to me.
Chris Dumez
Comment 11 2021-09-16 07:22:59 PDT
Created attachment 438347 [details] Patch
Chris Dumez
Comment 12 2021-09-16 10:05:19 PDT
Created attachment 438362 [details] Patch
EWS
Comment 13 2021-09-16 14:58:40 PDT
Committed r282604 (241765@main): <https://commits.webkit.org/241765@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438362 [details].
Note You need to log in before you can comment on or make changes to this bug.