Bug 184386: Content-Type not enforced for <script> allows for XSS
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=184386
Daniel Bates
Reported 2018-04-07 09:34:10 PDT
We should implement "Should response to request be blocked due to its MIME type?" from the Fetch spec:

[[
2.7. Should response to request be blocked due to its MIME type?

Run these steps:

1. Let mimeType be the result of extracting a MIME type from response’s header list.
2. Let destination be request’s destination.
3. If destination is script-like and one of the following is true, then return blocked:
   - mimeType starts with `audio/`, `image/`, or `video/`.
   - mimeType is `text/csv`.
4. Return allowed.
]]

<https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?> (16 March 2018)
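The spec algorithm quoted above, written out as a standalone C++ check. This is an added illustration, not WebKit's code from the patch on this bug: the HeaderList type, the simplified MIME-type extraction (last parseable Content-Type wins, parameters dropped, ASCII-lowercased) and the set of script-like destinations (script, worker, sharedworker, serviceworker, as the spec listed them in March 2018) are assumptions of the example, and the function names are the example's own.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Header list as the Fetch spec models it: an ordered list of (name, value) pairs.
// Constructed type for this example; WebKit uses its own ResourceResponse instead.
using HeaderList = std::vector<std::pair<std::string, std::string>>;

static std::string toLowerASCII(std::string s)
{
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static std::string trimHTTPWhitespace(const std::string& s)
{
    const char* whitespace = " \t\r\n";
    std::size_t begin = s.find_first_not_of(whitespace);
    if (begin == std::string::npos)
        return "";
    std::size_t end = s.find_last_not_of(whitespace);
    return s.substr(begin, end - begin + 1);
}

// Simplified "extract a MIME type from a header list" (Fetch spec): returns the
// essence (type/subtype, ASCII-lowercased) of the last parseable Content-Type
// header, or an empty string when there is none. The real algorithm also merges
// parameters across repeated headers; the block decision only needs the essence.
std::string extractMimeTypeEssence(const HeaderList& headers)
{
    std::string essence;
    for (const auto& header : headers) {
        if (toLowerASCII(header.first) != "content-type")
            continue;
        // Drop parameters such as "; charset=utf-8", then surrounding whitespace.
        std::string value = trimHTTPWhitespace(header.second.substr(0, header.second.find(';')));
        if (value.find('/') == std::string::npos)
            continue; // not a type/subtype pair: treat as unparseable and skip it
        essence = toLowerASCII(value);
    }
    return essence;
}

// "script-like" request destinations as listed in the March 2018 Fetch spec (assumption).
bool isScriptLikeDestination(const std::string& destination)
{
    return destination == "script" || destination == "worker"
        || destination == "sharedworker" || destination == "serviceworker";
}

// Fetch 2.7 "Should response to request be blocked due to its MIME type?".
// Returns true for "blocked", false for "allowed".
bool shouldBlockResponseDueToMimeType(const HeaderList& responseHeaders, const std::string& destination)
{
    // Steps 2 and 3: only script-like destinations are subject to this check.
    if (!isScriptLikeDestination(destination))
        return false;

    // Step 1: without a usable Content-Type there is no MIME type to match, and
    // the algorithm returns "allowed" (nosniff handling lives elsewhere in Fetch).
    std::string mimeType = extractMimeTypeEssence(responseHeaders);
    if (mimeType.empty())
        return false;

    auto startsWith = [&mimeType](const char* prefix) {
        return mimeType.compare(0, std::string(prefix).size(), prefix) == 0;
    };

    // Step 3: block media types that can never be a script, plus text/csv.
    return startsWith("audio/") || startsWith("image/") || startsWith("video/")
        || mimeType == "text/csv";
}

int main()
{
    // Constructed responses: an uploaded "image" fetched by <script src=...>, and real JS.
    HeaderList pngUpload = { { "Content-Type", "Image/PNG; charset=utf-8" } };
    HeaderList script = { { "Content-Type", "text/javascript" } };
    std::printf("image/png as script: %s\n", shouldBlockResponseDueToMimeType(pngUpload, "script") ? "blocked" : "allowed");
    std::printf("text/javascript as script: %s\n", shouldBlockResponseDueToMimeType(script, "script") ? "blocked" : "allowed");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the decision is made on the response's declared Content-Type, not on the bytes, so it closes the "upload a file that is simultaneously a valid PNG and valid JavaScript, then load it with `<script src=...>`" pattern only for servers that label uploads with a media type. Second, this is a short blocklist, not an allowlist: text/plain or application/octet-stream responses still execute as script under this algorithm, and a site that wants script loads restricted to JavaScript MIME types needs `X-Content-Type-Options: nosniff`, which Fetch checks separately.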
Attachments
Patch and layout tests (44.27 KB, patch), 2018-04-07 10:22 PDT, Daniel Bates, no flags
Patch and layout tests (44.17 KB, patch), 2018-04-07 20:46 PDT, Daniel Bates, no flags
Patch and layout tests (44.19 KB, patch), 2018-04-07 23:46 PDT, Daniel Bates, no flags
Archive of layout-test-results from ews103 for mac-sierra (2.27 MB, application/zip), 2018-04-08 01:00 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews125 for ios-simulator-wk2 (2.22 MB, application/zip), 2018-04-08 01:24 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews112 for mac-sierra (3.06 MB, application/zip), 2018-04-08 01:27 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews106 for mac-sierra-wk2 (2.74 MB, application/zip), 2018-04-08 04:38 PDT, EWS Watchlist, no flags
Patch and layout tests (64.37 KB, patch), 2018-04-08 14:07 PDT, Daniel Bates, no flags
Archive of layout-test-results from ews101 for mac-sierra (2.28 MB, application/zip), 2018-04-08 15:20 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews106 for mac-sierra-wk2 (2.75 MB, application/zip), 2018-04-08 15:26 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews113 for mac-sierra (2.94 MB, application/zip), 2018-04-08 15:46 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews126 for ios-simulator-wk2 (2.19 MB, application/zip), 2018-04-08 15:47 PDT, EWS Watchlist, no flags
Patch and layout tests (62.69 KB, patch), 2018-04-09 12:25 PDT, Daniel Bates, beidson: review+, ews-watchlist: commit-queue-
Archive of layout-test-results from ews106 for mac-sierra-wk2 (3.06 MB, application/zip), 2018-04-09 13:49 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews125 for ios-simulator-wk2 (2.54 MB, application/zip), 2018-04-09 13:55 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews113 for mac-sierra (2.94 MB, application/zip), 2018-04-09 14:20 PDT, EWS Watchlist, no flags
Archive of layout-test-results from ews100 for mac-sierra (2.30 MB, application/zip), 2018-04-09 15:41 PDT, EWS Watchlist, no flags
Daniel Bates
Comment 1 2018-04-07 09:36:07 PDT
Daniel Bates
Comment 2 2018-04-07 10:22:21 PDT
Created attachment 337427 [details]
Patch and layout tests

This patch depends on the patch for bug 184385.
Daniel Bates
Comment 3 2018-04-07 20:46:54 PDT
Created attachment 337441 [details]
Patch and layout tests

This patch depends on the patch for bug 184385.
Daniel Bates
Comment 4 2018-04-07 23:46:06 PDT
Created attachment 337447 [details]
Patch and layout tests

Rebase patch following the landing of the patch for bug 184385.
Daniel Bates
Comment 13 2018-04-08 13:58:34 PDT
(In reply to Build Bot from comment #11)
> Comment on attachment 337447 [details]
> Patch and layout tests
>
> Attachment 337447 [details] did not pass mac-wk2-ews (mac-wk2):
> Output: http://webkit-queues.webkit.org/results/7244001
>
> New failing tests:
> http/tests/security/cross-origin-cached-scripts-parallel.html
> http/tests/security/cross-origin-cached-scripts.html

These tests load JavaScript scripts indirectly via the helper script LayoutTests/http/tests/security/resources/allow-if-origin.php. The script allow-if-origin.php returns a response with MIME type image/png in the absence of the query string argument contentType. We need to update these tests to pass contentType=text/javascript to allow-if-origin.php.

> http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html

This test depended on loading a JavaScript script with MIME type image/png. This is now disallowed.

> imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html

Will rebase result as we now pass all sub tests.
Daniel Bates
Daniel Bates
Comment 23 2018-04-09 12:25:40 PDT
Created attachment 337523 [details]
Patch and layout tests
Brady Eidson
Comment 24 2018-04-09 12:41:07 PDT
Comment on attachment 337523 [details]
Patch and layout tests

View in context: https://bugs.webkit.org/attachment.cgi?id=337523&action=review

> Source/WebCore/dom/LoadableClassicScript.cpp:99
> +    if (!m_error && shouldResponseToRequestDestinationBeBlockedDueToMIMEType(m_cachedScript->response(), m_cachedScript->options().destination)) {

This name is hard to digest. I'd suggest something shorter and less specific. The method is solely for script destinations and mime types *right now* but I don't think we need to make sure the name makes that so explicitly clear. I would actually be perfectly happy with "shouldBlockResponse()"
EWS Watchlist
Comment 25 2018-04-09 13:49:31 PDT
Comment on attachment 337523 [details]
Patch and layout tests

Attachment 337523 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/7256698

New failing tests:
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
EWS Watchlist
Comment 26 2018-04-09 13:49:33 PDT
Created attachment 337538 [details]
Archive of layout-test-results from ews106 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 27 2018-04-09 13:55:18 PDT
Comment on attachment 337523 [details]
Patch and layout tests

Attachment 337523 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/7256566

New failing tests:
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
EWS Watchlist
Comment 28 2018-04-09 13:55:20 PDT
Created attachment 337539 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.13.4
EWS Watchlist
Comment 29 2018-04-09 14:20:42 PDT
Comment on attachment 337523 [details]
Patch and layout tests

Attachment 337523 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/7256751

New failing tests:
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
EWS Watchlist
Comment 30 2018-04-09 14:20:44 PDT
Created attachment 337541 [details]
Archive of layout-test-results from ews113 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113  Port: mac-sierra  Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 31 2018-04-09 15:41:32 PDT
Comment on attachment 337523 [details]
Patch and layout tests

Attachment 337523 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/7258450

New failing tests:
imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html
EWS Watchlist
Comment 32 2018-04-09 15:41:34 PDT
Created attachment 337555 [details]
Archive of layout-test-results from ews100 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-sierra  Platform: Mac OS X 10.12.6
Daniel Bates
Comment 33 2018-04-12 15:32:52 PDT
Ryan Haddad
Comment 34 2018-04-12 15:58:10 PDT
This change broke the Windows build:

c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): error C2220: warning treated as error - no 'object' file generated [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): warning C4715: 'WebCore::destinationForType': not all control paths return a value [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]

https://build.webkit.org/builders/Apple%20Win%20Release%20%28Build%29/builds/8783
Daniel Bates
Comment 35 2018-04-12 17:11:30 PDT
(In reply to Ryan Haddad from comment #34)
> This change broke the Windows build:
>
> c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): error C2220: warning treated as error - no 'object' file generated [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
> c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\loader\cache\cachedresourceloader.cpp(769): warning C4715: 'WebCore::destinationForType': not all control paths return a value [C:\cygwin\home\buildbot\slave\win-release\build\WebKitBuild\Release\Source\WebCore\WebCore.vcxproj]
>
> https://build.webkit.org/builders/Apple%20Win%20Release%20%28Build%29/builds/8783

Committed build fix in <https://trac.webkit.org/changeset/230616/>.