RESOLVED FIXED229203
[WK2] Implement process-swapping based on Cross-Origin-Opener-Policy HTTP header 
https://bugs.webkit.org/show_bug.cgi?id=229203
Summary [WK2] Implement process-swapping based on Cross-Origin-Opener-Policy HTTP header
Chris Dumez
Reported 2021-08-17 14:22:57 PDT
Implement process-swapping based on Cross-Origin-Opener-Policy HTTP header to improve security.
Attachments
WIP patch (77.94 KB, patch)
2021-08-17 16:38 PDT, Chris Dumez 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
WIP patch (85.61 KB, patch)
2021-08-17 17:16 PDT, Chris Dumez 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (106.81 KB, patch)
2021-08-18 09:40 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (107.91 KB, patch)
2021-08-18 09:48 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (107.91 KB, patch)
2021-08-18 10:57 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (110.94 KB, patch)
2021-08-19 12:08 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (110.82 KB, patch)
2021-08-23 10:26 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (114.26 KB, patch)
2021-08-23 12:18 PDT, Chris Dumez 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (114.67 KB, patch)
2021-08-23 15:56 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (111.69 KB, patch)
2021-08-23 16:14 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (111.67 KB, patch)
2021-08-24 07:38 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (114.45 KB, patch)
2021-08-24 11:24 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (114.60 KB, patch)
2021-08-24 12:19 PDT, Chris Dumez 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (12) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-08-17 14:46:47 PDT
<rdar://problem/82047686>
Chris Dumez
Comment 2 2021-08-17 16:38:58 PDT
Created attachment 435727 [details] WIP patch
Chris Dumez
Comment 3 2021-08-17 17:16:55 PDT
Created attachment 435729 [details] WIP patch
Chris Dumez
Comment 4 2021-08-18 09:40:50 PDT
Created attachment 435776 [details] Patch
Chris Dumez
Comment 5 2021-08-18 09:48:01 PDT
Created attachment 435778 [details] Patch
Chris Dumez
Comment 6 2021-08-18 10:57:46 PDT
Created attachment 435785 [details] Patch
Alex Christensen
Comment 7 2021-08-19 11:26:24 PDT
Comment on attachment 435785 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435785&action=review > Source/WebCore/loader/DocumentLoader.cpp:1042 > + if (m_isContinuingLoadAfterResponsePolicyCheck) { Should this be std::exchange(m_isContinuingLoadAfterResponsePolicyCheck, false)? > Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:233 > + auto* previousMainFrame = m_page.mainFrame(); May as well use a RefPtr here. > Source/WebKit/UIProcess/ProvisionalPageProxy.h:131 > + uint64_t listenerID, const UserData&); Can we keep all the parameters on one line? > Source/WebKit/UIProcess/WebPageProxy.cpp:5638 > + if (!navigation) { Why is this needed now but wasn't before? > Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:1221 > + [webViewConfiguration preferences].javaScriptCanOpenWindowsAutomatically = YES; Is this only needed on iOS? Could we only do it on iOS if it is? setJavaScriptCanOpenWindowsAutomaticallyIfNecessary(webViewConfiguration) > Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:7226 > + // When the provisional load starts in the provisional process, kill the WebView's processes. I don't understand this comment.
Chris Dumez
Comment 8 2021-08-19 11:40:22 PDT
Comment on attachment 435785 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435785&action=review >> Source/WebCore/loader/DocumentLoader.cpp:1042 >> + if (m_isContinuingLoadAfterResponsePolicyCheck) { > > Should this be std::exchange(m_isContinuingLoadAfterResponsePolicyCheck, false)? I doesn't hurt. I will make the change. >> Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:233 >> + auto* previousMainFrame = m_page.mainFrame(); > > May as well use a RefPtr here. OK >> Source/WebKit/UIProcess/ProvisionalPageProxy.h:131 >> + uint64_t listenerID, const UserData&); > > Can we keep all the parameters on one line? Not new but OK. >> Source/WebKit/UIProcess/WebPageProxy.cpp:5638 >> + if (!navigation) { > > Why is this needed now but wasn't before? I'll double check if this is still needed. It might be a reminiscence of an earlier iteration. Basically, the issue is that we need a NavigationAction object to do process-swapping. We have the same logic in decidePolicyForNavigationAction, for the same reason. >> Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:1221 >> + [webViewConfiguration preferences].javaScriptCanOpenWindowsAutomatically = YES; > > Is this only needed on iOS? Could we only do it on iOS if it is? > setJavaScriptCanOpenWindowsAutomaticallyIfNecessary(webViewConfiguration) Yes, only iOS requires it but I didn't feel adding #ifdefs was worth it? >> Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:7226 >> + // When the provisional load starts in the provisional process, kill the WebView's processes. > > I don't understand this comment. Oops, looks like a bad copy/paste. Will drop.
Chris Dumez
Comment 9 2021-08-19 11:49:31 PDT
Comment on attachment 435785 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435785&action=review >>> Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:1221 >>> + [webViewConfiguration preferences].javaScriptCanOpenWindowsAutomatically = YES; >> >> Is this only needed on iOS? Could we only do it on iOS if it is? >> setJavaScriptCanOpenWindowsAutomaticallyIfNecessary(webViewConfiguration) > > Yes, only iOS requires it but I didn't feel adding #ifdefs was worth it? From our API: /*! @abstract A Boolean value indicating whether JavaScript can open windows without user interaction. @discussion The default value is NO in iOS and YES in OS X. */ @property (nonatomic) BOOL javaScriptCanOpenWindowsAutomatically; So this is the reason we need to set it to YES only on iOS: It is already YES on macOS by default. Therefore, it doesn't hurt to set it to YES no matter what.
Chris Dumez
Comment 10 2021-08-19 12:08:30 PDT
Created attachment 435892 [details] Patch
Chris Dumez
Comment 11 2021-08-19 14:18:39 PDT
Comment on attachment 435892 [details] Patch I think the imported/w3c/web-platform-tests/IndexedDB/serialize-sharedarraybuffer-throws.https.html flakiness may be a regression from this patch. I'll investigate.
Chris Dumez
Comment 12 2021-08-23 10:26:46 PDT
Created attachment 436208 [details] Patch
Chris Dumez
Comment 13 2021-08-23 12:18:49 PDT
Created attachment 436222 [details] Patch
Chris Dumez
Comment 14 2021-08-23 15:56:34 PDT
Created attachment 436244 [details] Patch
Chris Dumez
Comment 15 2021-08-23 16:14:14 PDT
Created attachment 436246 [details] Patch
Chris Dumez
Comment 16 2021-08-24 07:38:53 PDT
Created attachment 436285 [details] Patch
Chris Dumez
Comment 17 2021-08-24 11:24:01 PDT
Created attachment 436311 [details] Patch
Chris Dumez
Comment 18 2021-08-24 12:19:53 PDT
Created attachment 436319 [details] Patch
EWS
Comment 19 2021-08-24 14:11:48 PDT
Committed r281516 (240889@main): <https://commits.webkit.org/240889@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 436319 [details].
ayumi_kojima
Comment 20 2021-08-25 09:55:39 PDT
imported/w3c/web-platform-tests/IndexedDB/serialize-sharedarraybuffer-throws.https.html still shows up as a flaky test on EWS. I will create a new bug for this.
Chris Dumez
Comment 21 2021-08-26 12:30:47 PDT
Follow-up in https://trac.webkit.org/changeset/281632/webkit to fix fast/loader/reload-zero-byte-plugin.html.
Note You need to log in before you can comment on or make changes to this bug.