Bug 213816 - WKUserScripts injecting into all frames seem to violate app-bound domains
Summary: WKUserScripts injecting into all frames seem to violate app-bound domains
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Kate Cheney
Keywords: InRadar
Depends on:
Reported: 2020-06-30 14:22 PDT by Kate Cheney
Modified: 2020-07-01 09:04 PDT (History)
3 users (show)

See Also:

Patch (25.96 KB, patch)
2020-06-30 14:55 PDT, Kate Cheney
no flags Details | Formatted Diff | Diff
Patch (30.47 KB, patch)
2020-06-30 16:16 PDT, Kate Cheney
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kate Cheney 2020-06-30 14:22:23 PDT
WKUserScripts can inject user script into all frames when the top frame is app-bound, since only the top frame navigation is checked for app-bound status. This seems to violate principles of app-bound domains.
Comment 1 Kate Cheney 2020-06-30 14:23:41 PDT
Comment 2 Kate Cheney 2020-06-30 14:55:23 PDT
Created attachment 403244 [details]
Comment 3 Brady Eidson 2020-06-30 15:08:10 PDT
Comment on attachment 403244 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=403244&action=review

Other than rebasing first and adding a test, looks good.

> Source/WebKit/WebProcess/WebPage/WebPage.cpp:3461
> -    if (shouldEnableInAppBrowserPrivacyProtections()) {
> +    if (frame->shouldEnableInAppBrowserPrivacyProtections()) {
>          send(Messages::WebPageProxy::ScriptValueCallback({ }, ExceptionDetails { "Unable to execute JavaScript"_s }, callbackID));

You will have to rebase before this lands.

Also, this is an interesting new case that now needs to be tested (as of https://trac.webkit.org/changeset/263727/webkit) - Could you add to the API test an attempt to evaluate javascript to the non app-bound domain should fail?

> Tools/TestWebKitAPI/Tests/WebKitCocoa/InAppBrowserPrivacy.mm:113
> +    else if ([task.request.URL.path isEqualToString:@"/should-load-for-main-frame-only"])
> +        countInjectedScriptSource++;

Another way to do this is checking the WKFrameInfo on the WKURLSchemeHandlerTask and see if it's the main frame, and get its URL, etc.
Comment 4 Kate Cheney 2020-06-30 16:16:15 PDT
Created attachment 403250 [details]
Comment 5 EWS 2020-07-01 09:04:01 PDT
Committed r263806: <https://trac.webkit.org/changeset/263806>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 403250 [details].