Bug 231313

Summary: CSP: Implement unsafe-hashes
Product: WebKit Reporter: Kate Cheney <katherine_cheney>
Component: WebKit Misc.Assignee: Kate Cheney <katherine_cheney>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, dvoytenko, esprehn+autocc, ews-watchlist, japhet, kangil.han, mkwst
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch for landing
none
Patch for landing none

Kate Cheney
Reported 2021-10-06 11:10:34 PDT
CSP: Implement unsafe-hashes
Attachments
Patch (83.36 KB, patch)
2021-10-06 12:06 PDT, Kate Cheney
no flags
Patch (81.03 KB, patch)
2021-10-06 12:13 PDT, Kate Cheney
no flags
Patch (88.03 KB, patch)
2021-10-07 15:57 PDT, Kate Cheney
no flags
Patch (94.43 KB, patch)
2021-10-08 07:19 PDT, Kate Cheney
no flags
Patch for landing (96.50 KB, patch)
2021-10-12 16:14 PDT, Kate Cheney
no flags
Patch for landing (96.50 KB, patch)
2021-10-12 16:16 PDT, Kate Cheney
no flags
Kate Cheney
Comment 1 2021-10-06 11:10:57 PDT
Kate Cheney
Comment 2 2021-10-06 12:06:40 PDT
Kate Cheney
Comment 3 2021-10-06 12:08:08 PDT
(In reply to Kate Cheney from comment #2) > Created attachment 440407 [details] > Patch WIP, not ready for review quite yet but wanted to see what EWS thinks. Will update ChangeLogs with more detail in the next patch.
Kate Cheney
Comment 4 2021-10-06 12:13:48 PDT
Kate Cheney
Comment 5 2021-10-07 15:57:27 PDT
Kate Cheney
Comment 6 2021-10-08 07:19:42 PDT
Brent Fulgham
Comment 7 2021-10-12 15:03:33 PDT
Comment on attachment 440604 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440604&action=review r=me > Source/WebCore/ChangeLog:9 > + unsafe-hashes allows specific event handlers and style attributes double-space between 'handlers' and 'and'. > Source/WebCore/dom/StyledElement.cpp:208 > + if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, isInUserAgentShadowTree())) Looks like two spaces before "newStyleString.string()". > Source/WebCore/page/csp/ContentSecurityPolicy.h:98 > + bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String&, bool overrideContentSecurityPolicy = false) const; I think showing 'code' for the new string makes sense here. Otherwise it's not clear what that parameter is for. > Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:169 > + ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get()); Could this be auto* ? > Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:177 > + ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_styleSrc.get()); Ditto > LayoutTests/ChangeLog:15 > + bug in our DOM code. Could you please file a Bugzilla about that one failing test (and send me the #?) > LayoutTests/TestExpectations:-957 > -imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html [ Skip ] Yes! > LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location-expected.txt:2 > +PASS Test that the javascript: src is allowed to run Yes! > LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic-expected.txt:10 > +PASS inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail Nice!
Chris Dumez
Comment 8 2021-10-12 15:15:06 PDT
Comment on attachment 440604 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440604&action=review > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:389 > + auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(WTFMove(searchPolicy), source, hashAlgorithms); It is unclear why this function and findHashOfContentInPolicies() take searchPolicy as an r-value reference instead of simply a const reference. > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:407 > + reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline", consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber())); Assuming the parameter is a String, "inline"_s would be better (same comment elsewhere).
Kate Cheney
Comment 9 2021-10-12 16:03:32 PDT
Comment on attachment 440604 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440604&action=review >> Source/WebCore/ChangeLog:9 >> + unsafe-hashes allows specific event handlers and style attributes > > double-space between 'handlers' and 'and'. Oops, will fix. >> Source/WebCore/dom/StyledElement.cpp:208 >> + if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, isInUserAgentShadowTree())) > > Looks like two spaces before "newStyleString.string()". Ditto, will fix. >> Source/WebCore/page/csp/ContentSecurityPolicy.h:98 >> + bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String&, bool overrideContentSecurityPolicy = false) const; > > I think showing 'code' for the new string makes sense here. Otherwise it's not clear what that parameter is for. Fair point, I'll add that back. >> Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:169 >> + ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get()); > > Could this be auto* ? Yes, I'll fix it. We should probably change the rest of this file to use auto in another patch. >> LayoutTests/ChangeLog:15 >> + bug in our DOM code. > > Could you please file a Bugzilla about that one failing test (and send me the #?) Yes. Bug: https://bugs.webkit.org/show_bug.cgi?id=231642
Kate Cheney
Comment 10 2021-10-12 16:04:09 PDT
(In reply to Chris Dumez from comment #8) > Comment on attachment 440604 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=440604&action=review > > > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:389 > > + auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(WTFMove(searchPolicy), source, hashAlgorithms); > > It is unclear why this function and findHashOfContentInPolicies() take > searchPolicy as an r-value reference instead of simply a const reference. > No good reason. Will change in the patch-for-landing. > > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:407 > > + reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline", consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber())); > > Assuming the parameter is a String, "inline"_s would be better (same comment > elsewhere). Will change.
Kate Cheney
Comment 11 2021-10-12 16:14:03 PDT
Created attachment 441013 [details] Patch for landing
Kate Cheney
Comment 12 2021-10-12 16:16:28 PDT
Created attachment 441014 [details] Patch for landing
EWS
Comment 13 2021-10-12 17:31:21 PDT
Committed r284067 (242896@main): <https://commits.webkit.org/242896@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441014 [details].
Sam Sneddon [:gsnedders]
Comment 14 2022-03-30 11:47:01 PDT
*** Bug 205885 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.