Bug 93392

Summary:

CSP doesn't turn off eval, etc. in Web Workers

Product:

WebKit

Reporter:

Thomas Sepez <tsepez>

Component:

WebKit Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, commit-queue, dglazkov, eric, haraken, japhet, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Tests, more or less.	none
Patch, in-progress, fixes for JSC side, missing chromium eval() fix.	webkit.review.bot: commit-queue-
Archive of layout-test-results from gce-cr-linux-05	none
Patch for review.	webkit.review.bot: commit-queue-
Archive of layout-test-results from gce-cr-linux-03	none
Archive of layout-test-results from gce-cr-linux-01	none
Patch (including chromium eval() fix).	tsepez: review-, tsepez: commit-queue-
Patch (fix changelog)	abarth: review+
Patch (fix nits).	abarth: review+, webkit.review.bot: commit-queue-
Patch, update-webkit	abarth: review+, abarth: commit-queue-

Thomas Sepez

Reported 2012-08-07 14:02:30 PDT

Originally reported by mazurak [at] cs.wisc.edu at http://code.google.com/p/chromium/issues/detail?id=140544 VULNERABILITY DETAILS By default, eval and eval-like functionality should be turned off whenever a Content Security Policy is in place, but this isn't happening in workers. The CSP spec definitely says that the policy on a worker should match the policy on its parent page, and checks on the origins of scripts do appear working correctly. Comparing SetTimeoutOrInterval in V8WorkerContextCustom.cpp to WindowSetTimeoutImpl in V8DomWindowCustom.cpp, it looks like the necessary checks are just missing on the worker side. VERSION Chrome Version: 21.0.1180.57 (stable) Operating System: Linux (Debian testing) (doesn't appear OS-dependent) REPRODUCTION CASE The tests here should all pass for a browser that is implementing CSP and Web Workers correctly (assuming I have not made some silly JavaScript mistakes): http://pages.cs.wisc.edu/~mazurak/csp_demo/

Attachments
Tests, more or less. (4.80 KB, patch) 2012-08-09 10:18 PDT, Thomas Sepez	no flags	Details Formatted Diff Diff
Patch, in-progress, fixes for JSC side, missing chromium eval() fix. (8.50 KB, patch) 2012-08-09 16:01 PDT, Thomas Sepez	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-05 (325.38 KB, application/zip) 2012-08-13 14:44 PDT, WebKit Review Bot	no flags	Details
Patch for review. (12.90 KB, patch) 2012-08-13 14:56 PDT, Thomas Sepez	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-03 (399.24 KB, application/zip) 2012-08-13 16:56 PDT, WebKit Review Bot	no flags	Details
Archive of layout-test-results from gce-cr-linux-01 (434.13 KB, application/zip) 2012-08-13 17:30 PDT, WebKit Review Bot	no flags	Details
Patch (including chromium eval() fix). (12.11 KB, patch) 2012-08-20 12:40 PDT, Thomas Sepez	tsepez: review- tsepez: commit-queue-	Details Formatted Diff Diff
Patch (fix changelog) (14.05 KB, patch) 2012-08-20 12:57 PDT, Thomas Sepez	abarth: review+	Details Formatted Diff Diff
Patch (fix nits). (14.07 KB, patch) 2012-08-20 13:24 PDT, Thomas Sepez	abarth: review+ webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Patch, update-webkit (14.07 KB, patch) 2012-08-27 14:46 PDT, Thomas Sepez	abarth: review+ abarth: commit-queue-	Details Formatted Diff Diff
Show Obsolete (9) View All Add attachment proposed patch, testcase, etc.

Thomas Sepez

Comment 1 2012-08-07 14:03:37 PDT

I believe this to be specific to the chromium platform; we'll know once I convert (shortly) the example to layout tests.

Thomas Sepez

Comment 2 2012-08-09 10:18:23 PDT

Created attachment 157478 [details] Tests, more or less.

Thomas Sepez

Comment 3 2012-08-09 16:01:35 PDT

Created attachment 157570 [details] Patch, in-progress, fixes for JSC side, missing chromium eval() fix.

Thomas Sepez

Comment 4 2012-08-13 13:14:50 PDT

BTW, not specific to chromium side.

Eric Seidel (no email)

Comment 5 2012-08-13 13:22:07 PDT

This isn't a security bug. :) It was a conscious FIXME of the time, no need to restrict viewership here.

WebKit Review Bot

Comment 6 2012-08-13 14:44:35 PDT

Comment on attachment 157570 [details] Patch, in-progress, fixes for JSC side, missing chromium eval() fix. Attachment 157570 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13492247 New failing tests: http/tests/security/contentSecurityPolicy/worker-eval-blocked.html http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

WebKit Review Bot

Comment 7 2012-08-13 14:44:39 PDT

Created attachment 158110 [details] Archive of layout-test-results from gce-cr-linux-05 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-05 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Thomas Sepez

Comment 8 2012-08-13 14:56:32 PDT

Created attachment 158115 [details] Patch for review.

WebKit Review Bot

Comment 9 2012-08-13 16:56:26 PDT

Comment on attachment 158115 [details] Patch for review. Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13485673 New failing tests: http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html http/tests/security/contentSecurityPolicy/worker-eval-blocked.html http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

WebKit Review Bot

Comment 10 2012-08-13 16:56:30 PDT

Created attachment 158147 [details] Archive of layout-test-results from gce-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-03 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

WebKit Review Bot

Comment 11 2012-08-13 17:30:10 PDT

Comment on attachment 158115 [details] Patch for review. Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13484957 New failing tests: http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html http/tests/security/contentSecurityPolicy/worker-eval-blocked.html http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

WebKit Review Bot

Comment 12 2012-08-13 17:30:14 PDT

Created attachment 158156 [details] Archive of layout-test-results from gce-cr-linux-01 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-01 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Thomas Sepez

Comment 13 2012-08-20 12:40:18 PDT

Created attachment 159491 [details] Patch (including chromium eval() fix).

Thomas Sepez

Comment 14 2012-08-20 12:51:27 PDT

Comment on attachment 159491 [details] Patch (including chromium eval() fix). bleh. Source/WebCore/ChangeLog fell out of the patch :(.

Thomas Sepez

Comment 15 2012-08-20 12:57:56 PDT

Created attachment 159495 [details] Patch (fix changelog)

Adam Barth

Comment 16 2012-08-20 13:03:42 PDT

Comment on attachment 159495 [details] Patch (fix changelog) View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249 > + m_disableEvalPending = !enable; What if m_context already exists? Should we call AllowCodeGenerationFromStrings on it? > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72 > + void allowEval(bool enable); setEvalAllowed ? > Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69 > + if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) { ContentSecurityPolicy * -> ContentSecurityPolicy*

Thomas Sepez

Comment 17 2012-08-20 13:13:36 PDT

(In reply to comment #16) > (From update of attachment 159495 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review > > > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249 > > + m_disableEvalPending = !enable; > > What if m_context already exists? Should we call AllowCodeGenerationFromStrings on it? > Nah. You don't do any work until you call evaluate(), so we just use that one path always. > > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72 > > + void allowEval(bool enable); > > setEvalAllowed ? > Will Do. > > Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69 > > + if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) { > > ContentSecurityPolicy * -> ContentSecurityPolicy* Will Do.

Thomas Sepez

Comment 18 2012-08-20 13:24:25 PDT

Created attachment 159506 [details] Patch (fix nits).

Adam Barth

Comment 19 2012-08-22 15:29:37 PDT

Comment on attachment 159506 [details] Patch (fix nits). Thanks.

WebKit Review Bot

Comment 20 2012-08-27 13:21:59 PDT

Comment on attachment 159506 [details] Patch (fix nits). Rejecting attachment 159506 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: er-set-timeout-blocked-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-eval.js patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-function-function.js patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--force', u'--reviewer', u'Adam Barth']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue/ Full output: http://queues.webkit.org/results/13616310

Thomas Sepez

Comment 21 2012-08-27 14:46:18 PDT

Created attachment 160811 [details] Patch, update-webkit re-upload patch. Unclear if out of date or if infrastructure itself is borked.

Adam Barth

Comment 22 2012-08-28 15:18:16 PDT

Comment on attachment 160811 [details] Patch, update-webkit I'm building this locally and will land manually.

Adam Barth

Comment 23 2012-08-28 18:15:51 PDT

Committed r126947: <http://trac.webkit.org/changeset/126947>

Note You need to log in before you can comment on or make changes to this bug.