Bug 153622 - CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
Importance: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar, WebExposed
Depends on: 153157
Blocks: 69359
Reported: 2016-01-28 16:09 PST by Daniel Bates
Modified: 2016-02-07 14:27 PST
CC List: 8 users

See Also:


Attachments
Patch and Layout Tests (36.49 KB, patch)
2016-01-28 16:15 PST, Daniel Bates
no flags
Patch and Layout Tests (36.30 KB, patch)
2016-02-01 10:06 PST, Daniel Bates
no flags
Patch and Layout Tests (40.09 KB, patch)
2016-02-05 12:03 PST, Daniel Bates
no flags
Patch and Layout Tests (40.10 KB, patch)
2016-02-05 12:21 PST, Daniel Bates
no flags
Patch and Layout Tests (45.98 KB, patch)
2016-02-07 13:01 PST, Daniel Bates
barraclough: review+

Description Daniel Bates 2016-01-28 16:09:59 PST
We should allow code that runs in a Web Worker that was initiated from an isolated world to bypass the main world Content Security Policy. Currently such code is subject to the main world CSP even though code that executes in an isolated world is allowed to bypass the main world Content Security Policy.
Comment 1 Radar WebKit Bug Importer 2016-01-28 16:12:47 PST
<rdar://problem/24400023>
Comment 2 Daniel Bates 2016-01-28 16:15:20 PST
Created attachment 270159
Patch and Layout Tests

This patch will fail to apply because it depends on the patch for bug #153157.
Comment 3 Daniel Bates 2016-02-01 10:06:02 PST
Created attachment 270397
Patch and Layout Tests

Rebased patch following the landing of patches for bug #153157 and bug #153612.
Comment 4 Daniel Bates 2016-02-05 12:03:57 PST
Created attachment 270756
Patch and Layout Tests

Updated patch to bypass the CSP policy of the document when instantiating a worker whose script URL would otherwise be blocked and added a test case.
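The behaviour the description and comment 4 talk about, as an added example (this is not WebKit source and not the patch's code): a simplified JavaScript model of the check a document's `new Worker(url)` call goes through, and of the isolated-world exemption this bug introduces. It assumes CSP Level 2 semantics, the draft the comment in AbstractWorker::resolveURL() refers to: a worker script load is governed by `child-src`, falling back to `default-src`, and with neither directive present the load is unrestricted (CSP Level 3 later added `worker-src`, which falls back through `script-src`, so the same header can give a different answer there). The function names `parseCsp`, `sourceMatches`, `workerSources`, `allowedByPolicy` and `mayCreateWorker`, the `isolatedWorld` flag, and the origins and headers in the comments are all invented for the example, and the source-expression matching is a simplification of the specification's algorithm.

```javascript
// Added example, not WebKit code: models the decision this bug changes.
// A document's script calls `new Worker(url)`; the worker script URL is
// checked against the policy governing the document (CSP Level 2:
// `child-src`, falling back to `default-src`). When the caller runs in an
// isolated world (user script, extension content script), the check is
// skipped, which is the behaviour the patch adds. Source-expression
// matching is simplified (no path matching, `*` treated as "anything").

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self'; child-src https://a.example" -> Map { name -> [sources] }
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // CSP honours only the first occurrence of a directive name.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression from the directive match the worker URL?
function sourceMatches(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr === '*') return true;                          // simplified
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {               // scheme-source, e.g. "https:"
    return url.protocol === expr.toLowerCase();
  }
  // host-source: [scheme://] [*.]host [:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== '*' && effectivePort(url) !== port) return false;
  return true;
}

// CSP Level 2: worker script loads are governed by child-src, which falls
// back to default-src. Neither present -> null, meaning "no restriction".
function workerSources(policy) {
  if (policy.has('child-src')) return policy.get('child-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// The main-world check: would the document's policy allow this worker URL?
function allowedByPolicy(header, scriptUrl, documentOrigin) {
  const sources = workerSources(parseCsp(header));
  if (sources === null) return true;
  const url = new URL(scriptUrl, documentOrigin + '/');  // resolve relative URLs
  return sources.some((src) => sourceMatches(src, url, documentOrigin));
}

// The decision this bug changes: an isolated-world initiator bypasses the
// main-world policy entirely; a main-world initiator remains subject to it.
// `isolatedWorld` is a hypothetical flag standing in for the real decision.
function mayCreateWorker({ header, documentOrigin, scriptUrl, isolatedWorld }) {
  if (isolatedWorld) return true;
  return allowedByPolicy(header, scriptUrl, documentOrigin);
}
```

The main-world path ends at `allowedByPolicy`; the `isolatedWorld` flag plays the role of the shouldBypassMainWorldContentSecurityPolicy() decision that the review later moves onto ScriptExecutionContext. The block runs under Node, where `URL` is a global, and equally in a browser console.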
Comment 5 Daniel Bates 2016-02-05 12:21:42 PST
Created attachment 270758
Patch and Layout Tests

Include the date of the CSP 2.0 draft referenced by the comment in AbstractWorker::resolveURL().
Comment 6 Andy Estes 2016-02-05 13:51:00 PST
Comment on attachment 270758
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=270758&action=review

> Source/WebCore/ChangeLog:23
> +        (WebCore::WorkerScriptController::WorkerScriptController): Modified to take a boolean argument and
> +        as to whether to bypass the main world Content Security Policy and store it in a member field.

spurious "and".

> Source/WebCore/ChangeLog:58
> +        (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Moved instantiated of the ContentSecurityPolicy object
> +        from here to the constructor.

instantiated => instantiation

> Source/WebCore/ChangeLog:67
> +        (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Modified to take a boolean argument and
> +        as to whether to bypass the main world Content Security Policy and store it in a member field.

spurious "and"
Comment 7 Gavin Barraclough 2016-02-05 15:01:21 PST
Comment on attachment 270758
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=270758&action=review

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:1789
> +

Could we just make shouldBypassMainWorldContentSecurityPolicy() a virtual function implemented on ScriptExecutionContext, with a base behavior to return false?
Comment 8 Daniel Bates 2016-02-07 12:58:50 PST
(In reply to comment #7)
> Comment on attachment 270758 [details]
> Patch and Layout Tests
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=270758&action=review
> 
> > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:1789
> > +
> 
> Could we just make shouldBypassMainWorldContentSecurityPolicy() a virtual
> function implemented on ScriptExecutionContext, with a base behavior to
> return false?

Yes, we can. Will update the patch.
Comment 9 Daniel Bates 2016-02-07 13:01:38 PST
Created attachment 270829
Patch and Layout Tests

Updated patch to address feedback from Andy Estes and Gavin Barraclough.
Comment 10 Daniel Bates 2016-02-07 14:26:51 PST
Committed r196242: <http://trac.webkit.org/changeset/196242>