Bug 233087

Summary: CSP: Implement protections against nonce-hijacking
Product: WebKit Reporter: Patrick Griffis <pgriffis>
Component: WebCore Misc.Assignee: Patrick Griffis <pgriffis>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, changseok, cmarcelo, esprehn+autocc, ews-watchlist, gyuyoung.kim, kangil.han, katherine_cheney, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 233102    
Bug Blocks:    
Attachments:
Description Flags
Patch
ews-feeder: commit-queue-
Patch
none
Patch
none
Patch none

Patrick Griffis
Reported 2021-11-13 10:16:52 PST
CSP: Implement protections against nonce-hijacking
Attachments
Patch (8.41 KB, patch)
2021-11-13 10:17 PST, Patrick Griffis 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (8.41 KB, patch)
2021-11-13 10:39 PST, Patrick Griffis 		no flags
DetailsFormatted DiffDiff
Patch (8.40 KB, patch)
2021-11-15 06:19 PST, Patrick Griffis 		no flags
DetailsFormatted DiffDiff
Patch (9.07 KB, patch)
2021-12-10 09:15 PST, Patrick Griffis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Patrick Griffis
Comment 1 2021-11-13 10:17:45 PST
Created attachment 444141 [details] Patch
Patrick Griffis
Comment 2 2021-11-13 10:39:22 PST
Created attachment 444143 [details] Patch
Patrick Griffis
Comment 3 2021-11-13 11:26:18 PST
Comment on attachment 444143 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444143&action=review > LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked-expected.txt:2 > +FAIL Unnonced scripts generate reports. Type error Note that this is a different bug in CSP reporting code that I'll be looking into fixing. The previous error was an assert much earlier where unsafe code was ran which no longer does.
Patrick Griffis
Comment 4 2021-11-14 11:45:48 PST
(In reply to Patrick Griffis from comment #3) > Note that this is a different bug in CSP reporting code that I'll be looking > into fixing. Fixed in bug 233102, I'll update expectations here as PASS after that lands.
Patrick Griffis
Comment 5 2021-11-15 06:19:28 PST
Created attachment 444244 [details] Patch
Radar WebKit Bug Importer
Comment 6 2021-11-20 10:17:20 PST
<rdar://problem/85635546>
Brent Fulgham
Comment 7 2021-12-08 12:21:27 PST
Comment on attachment 444244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444244&action=review r=me > Source/WebCore/dom/Element.cpp:334 > + const auto& name = attribute.localName(); If you did "localName().convertToASCIILowercase()", you could do the following four string comparisons without doing case insensitive compares. > Source/WebCore/dom/Element.cpp:335 > + const auto& value = attribute.value(); Ditto for value
Chris Dumez
Comment 8 2021-12-08 12:31:12 PST
Comment on attachment 444244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444244&action=review > Source/WebCore/dom/Element.h:769 > + bool isNonceable() const; Please move this up. We don't put getters in the middle of data members. > Source/WebCore/html/parser/HTMLConstructionSite.cpp:517 > + setAttributes(element, attributes, false, m_parserContentPolicy); false here is really unclear. This should use an enum class, not a bool. e.g.: enum class HasDuplicateAttribute : bool { No, Yes };
Patrick Griffis
Comment 9 2021-12-10 09:15:10 PST
Created attachment 446741 [details] Patch
Patrick Griffis
Comment 10 2021-12-10 09:27:06 PST
(In reply to Chris Dumez from comment #8) > Comment on attachment 444244 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=444244&action=review > > > Source/WebCore/dom/Element.h:769 > > + bool isNonceable() const; > > Please move this up. We don't put getters in the middle of data members. > > > Source/WebCore/html/parser/HTMLConstructionSite.cpp:517 > > + setAttributes(element, attributes, false, m_parserContentPolicy); > > false here is really unclear. This should use an enum class, not a bool. > e.g.: > enum class HasDuplicateAttribute : bool { No, Yes }; Before committing this just wanted to make sure my changes look good.
Brent Fulgham
Comment 11 2021-12-10 09:32:07 PST
Comment on attachment 446741 [details] Patch r=me
EWS
Comment 12 2021-12-10 11:02:04 PST
Committed r286860 (245093@main): <https://commits.webkit.org/245093@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 446741 [details].
Note You need to log in before you can comment on or make changes to this bug.