Bug 93392

Summary:

CSP doesn't turn off eval, etc. in Web Workers

Product:

WebKit

Reporter:

Thomas Sepez <tsepez>

Component:

WebKit Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, commit-queue, dglazkov, eric, haraken, japhet, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Tests, more or less.	none
Patch, in-progress, fixes for JSC side, missing chromium eval() fix.	webkit.review.bot: commit-queue-
Archive of layout-test-results from gce-cr-linux-05	none
Patch for review.	webkit.review.bot: commit-queue-
Archive of layout-test-results from gce-cr-linux-03	none
Archive of layout-test-results from gce-cr-linux-01	none
Patch (including chromium eval() fix).	tsepez: review-, tsepez: commit-queue-
Patch (fix changelog)	abarth: review+
Patch (fix nits).	abarth: review+, webkit.review.bot: commit-queue-
Patch, update-webkit	abarth: review+, abarth: commit-queue-

Description Thomas Sepez 2012-08-07 14:02:30 PDT

Originally reported by mazurak [at] cs.wisc.edu at http://code.google.com/p/chromium/issues/detail?id=140544

VULNERABILITY DETAILS
By default, eval and eval-like functionality should be turned off whenever a Content Security Policy is in place, but this isn't happening in workers.  The CSP spec definitely says that the policy on a worker should match the policy on its parent page, and checks on the origins of scripts do appear working correctly.

Comparing SetTimeoutOrInterval in V8WorkerContextCustom.cpp to WindowSetTimeoutImpl in V8DomWindowCustom.cpp, it looks like the necessary checks are just missing on the worker side.

VERSION
Chrome Version: 21.0.1180.57 (stable)
Operating System: Linux (Debian testing) (doesn't appear OS-dependent)

REPRODUCTION CASE
The tests here should all pass for a browser that is implementing CSP and Web Workers correctly (assuming I have not made some silly JavaScript mistakes):

http://pages.cs.wisc.edu/~mazurak/csp_demo/

Comment 1 Thomas Sepez 2012-08-07 14:03:37 PDT

I believe this to be specific to the chromium platform; we'll know once I convert (shortly) the example to layout tests.

Comment 2 Thomas Sepez 2012-08-09 10:18:23 PDT

Created attachment 157478 [details]
Tests, more or less.

Comment 3 Thomas Sepez 2012-08-09 16:01:35 PDT

Created attachment 157570 [details]
Patch, in-progress, fixes for JSC side, missing chromium eval() fix.

Comment 4 Thomas Sepez 2012-08-13 13:14:50 PDT

BTW, not specific to chromium side.

Comment 5 Eric Seidel (no email) 2012-08-13 13:22:07 PDT

This isn't a security bug. :)  It was a conscious FIXME of the time, no need to restrict viewership here.

Comment 6 WebKit Review Bot 2012-08-13 14:44:35 PDT

Comment on attachment 157570 [details]
Patch, in-progress, fixes for JSC side, missing chromium eval() fix.

Attachment 157570 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/13492247

New failing tests:
http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

Comment 7 WebKit Review Bot 2012-08-13 14:44:39 PDT

Created attachment 158110 [details]
Archive of layout-test-results from gce-cr-linux-05

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: gce-cr-linux-05  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Comment 8 Thomas Sepez 2012-08-13 14:56:32 PDT

Created attachment 158115 [details]
Patch for review.

Comment 9 WebKit Review Bot 2012-08-13 16:56:26 PDT

Comment on attachment 158115 [details]
Patch for review.

Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/13485673

New failing tests:
http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html
http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

Comment 10 WebKit Review Bot 2012-08-13 16:56:30 PDT

Created attachment 158147 [details]
Archive of layout-test-results from gce-cr-linux-03

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: gce-cr-linux-03  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Comment 11 WebKit Review Bot 2012-08-13 17:30:10 PDT

Comment on attachment 158115 [details]
Patch for review.

Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/13484957

New failing tests:
http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html
http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

Comment 12 WebKit Review Bot 2012-08-13 17:30:14 PDT

Created attachment 158156 [details]
Archive of layout-test-results from gce-cr-linux-01

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: gce-cr-linux-01  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Comment 13 Thomas Sepez 2012-08-20 12:40:18 PDT

Created attachment 159491 [details]
Patch (including chromium eval() fix).

Comment 14 Thomas Sepez 2012-08-20 12:51:27 PDT

Comment on attachment 159491 [details]
Patch (including chromium eval() fix).

bleh.  Source/WebCore/ChangeLog fell out of the patch :(.

Comment 15 Thomas Sepez 2012-08-20 12:57:56 PDT

Created attachment 159495 [details]
Patch (fix changelog)

Comment 16 Adam Barth 2012-08-20 13:03:42 PDT

Comment on attachment 159495 [details]
Patch (fix changelog)

View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review

> Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249
> +    m_disableEvalPending = !enable;

What if m_context already exists?  Should we call AllowCodeGenerationFromStrings on it?

> Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72
> +        void allowEval(bool enable);

setEvalAllowed ?

> Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69
> +        if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) {

ContentSecurityPolicy * -> ContentSecurityPolicy*

Comment 17 Thomas Sepez 2012-08-20 13:13:36 PDT

(In reply to comment #16)
> (From update of attachment 159495 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review
> 
> > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249
> > +    m_disableEvalPending = !enable;
> 
> What if m_context already exists?  Should we call AllowCodeGenerationFromStrings on it?
> 

Nah.  You don't do any work until you call evaluate(), so we just use that one path always.


> > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72
> > +        void allowEval(bool enable);
> 
> setEvalAllowed ?
> 
Will Do.

> > Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69
> > +        if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) {
> 
> ContentSecurityPolicy * -> ContentSecurityPolicy*
Will Do.

Comment 18 Thomas Sepez 2012-08-20 13:24:25 PDT

Created attachment 159506 [details]
Patch (fix nits).

Comment 19 Adam Barth 2012-08-22 15:29:37 PDT

Comment on attachment 159506 [details]
Patch (fix nits).

Thanks.

Comment 20 WebKit Review Bot 2012-08-27 13:21:59 PDT

Comment on attachment 159506 [details]
Patch (fix nits).

Rejecting attachment 159506 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2

Last 500 characters of output:
er-set-timeout-blocked-expected.txt
patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-eval.js
patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-function-function.js
patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--force', u'--reviewer', u'Adam Barth']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue/

Full output: http://queues.webkit.org/results/13616310

Comment 21 Thomas Sepez 2012-08-27 14:46:18 PDT

Created attachment 160811 [details]
Patch, update-webkit

re-upload patch.  Unclear if out of date or if infrastructure itself is borked.

Comment 22 Adam Barth 2012-08-28 15:18:16 PDT

Comment on attachment 160811 [details]
Patch, update-webkit

I'm building this locally and will land manually.

Comment 23 Adam Barth 2012-08-28 18:15:51 PDT

Committed r126947: <http://trac.webkit.org/changeset/126947>