230269 – Add violations reporting support for Cross-Origin-Embedder-Policy

Bug 230269 - Add violations reporting support for Cross-Origin-Embedder-Policy

Summary: Add violations reporting support for Cross-Origin-Embedder-Policy

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:	228755
	Show dependency tree / graph

Reported:	2021-09-14 09:45 PDT by Chris Dumez
Modified:	2021-09-16 14:58 PDT (History)
CC List:	13 users (show)

See Also:

Attachments
WIP patch (47.60 KB, patch) 2021-09-14 14:28 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
WIP patch (46.53 KB, patch) 2021-09-14 14:34 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
WIP patch (44.71 KB, patch) 2021-09-14 14:52 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
WIP patch (44.69 KB, patch) 2021-09-14 16:36 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (54.55 KB, patch) 2021-09-15 07:35 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (54.48 KB, patch) 2021-09-16 07:22 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (54.46 KB, patch) 2021-09-16 10:05 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (6) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2021-09-14 09:45:25 PDT

Add violations reporting support for Cross-Origin-Embedder-Policy.

Comment 1 Chris Dumez 2021-09-14 14:09:14 PDT

Add to fix a WPT test to run within WebKit infra:
https://github.com/web-platform-tests/wpt/pull/30785

Comment 2 Chris Dumez 2021-09-14 14:28:59 PDT

Created attachment 438174 [details]
WIP patch

Comment 3 EWS Watchlist 2021-09-14 14:29:39 PDT

This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess

Comment 4 Chris Dumez 2021-09-14 14:34:00 PDT

Created attachment 438175 [details]
WIP patch

Comment 5 Chris Dumez 2021-09-14 14:52:22 PDT

Created attachment 438176 [details]
WIP patch

Comment 6 Chris Dumez 2021-09-14 16:36:57 PDT

Created attachment 438188 [details]
WIP patch

Comment 7 Chris Dumez 2021-09-15 07:35:25 PDT

Created attachment 438244 [details]
Patch

Comment 8 Radar WebKit Bug Importer 2021-09-15 07:35:57 PDT

<rdar://problem/83150069>

Comment 9 youenn fablet 2021-09-16 00:51:48 PDT

Comment on attachment 438244 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438244&action=review

> Source/WebCore/loader/cache/CachedResourceLoader.cpp:803
> +        return frame.isMainFrame() ? FetchOptions::Destination::Document : FetchOptions::Destination::Iframe;

We could differentiate SVGDocumentResource from MainResource so that only MainResource checks for Document vs. Iframe.

> Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:166
> +        return WTFMove(*error);

Why not just returning error here?

> Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:177
> +            return WTFMove(*error);

Why not just returning error here?

> Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:647
>              return true;

Are we sure this return true is correct?
It seems we should return true if ownerPolicy's value is "unsafe-none" OR policy's value is "require-corp", but we do an if (AND) above.

Comment 10 Chris Dumez 2021-09-16 07:21:42 PDT

Comment on attachment 438244 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438244&action=review

>> Source/WebCore/loader/cache/CachedResourceLoader.cpp:803
>> +        return frame.isMainFrame() ? FetchOptions::Destination::Document : FetchOptions::Destination::Iframe;
> 
> We could differentiate SVGDocumentResource from MainResource so that only MainResource checks for Document vs. Iframe.

Ok, will do.

>> Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:166
>> +        return WTFMove(*error);
> 
> Why not just returning error here?

Will update.

>> Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:177
>> +            return WTFMove(*error);
> 
> Why not just returning error here?

Will update.

>> Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:647
>>              return true;
> 
> Are we sure this return true is correct?
> It seems we should return true if ownerPolicy's value is "unsafe-none" OR policy's value is "require-corp", but we do an if (AND) above.

The function is named "shouldInterruptWorkerLoadForCrossOriginEmbedderPolicy" so `return true` means we interrupt the load.

The spec says:
"If ownerPolicy's value is "unsafe-none" or policy's value is "require-corp", then return true."

But this is to determine if we should let the load continue.

Given that our code is about interrupting the load, I believe it should be the opposite:
"If ownerPolicy's value is NOT "unsafe-none" (thus it is "require-corp") AND policy's value is NOT "require-corp" (thus it is "unsafe-none"), then return true."

My code looks correct to me.

Comment 11 Chris Dumez 2021-09-16 07:22:59 PDT

Created attachment 438347 [details]
Patch

Comment 12 Chris Dumez 2021-09-16 10:05:19 PDT

Created attachment 438362 [details]
Patch

Comment 13 EWS 2021-09-16 14:58:40 PDT

Committed r282604 (241765@main): <https://commits.webkit.org/241765@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438362 [details].