93392 – CSP doesn't turn off eval, etc. in Web Workers

Bug 93392 - CSP doesn't turn off eval, etc. in Web Workers

Summary: CSP doesn't turn off eval, etc. in Web Workers

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-08-07 14:02 PDT by Thomas Sepez
Modified:	2012-08-28 18:15 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
Tests, more or less. (4.80 KB, patch) 2012-08-09 10:18 PDT, Thomas Sepez	no flags	Details \| Formatted Diff \| Diff
Patch, in-progress, fixes for JSC side, missing chromium eval() fix. (8.50 KB, patch) 2012-08-09 16:01 PDT, Thomas Sepez	webkit.review.bot: commit-queue-	Details \| Formatted Diff \| Diff
Archive of layout-test-results from gce-cr-linux-05 (325.38 KB, application/zip) 2012-08-13 14:44 PDT, WebKit Review Bot	no flags	Details
Patch for review. (12.90 KB, patch) 2012-08-13 14:56 PDT, Thomas Sepez	webkit.review.bot: commit-queue-	Details \| Formatted Diff \| Diff
Archive of layout-test-results from gce-cr-linux-03 (399.24 KB, application/zip) 2012-08-13 16:56 PDT, WebKit Review Bot	no flags	Details
Archive of layout-test-results from gce-cr-linux-01 (434.13 KB, application/zip) 2012-08-13 17:30 PDT, WebKit Review Bot	no flags	Details
Patch (including chromium eval() fix). (12.11 KB, patch) 2012-08-20 12:40 PDT, Thomas Sepez	tsepez: review- tsepez: commit-queue-	Details \| Formatted Diff \| Diff
Patch (fix changelog) (14.05 KB, patch) 2012-08-20 12:57 PDT, Thomas Sepez	abarth: review+	Details \| Formatted Diff \| Diff
Patch (fix nits). (14.07 KB, patch) 2012-08-20 13:24 PDT, Thomas Sepez	abarth: review+ webkit.review.bot: commit-queue-	Details \| Formatted Diff \| Diff
Patch, update-webkit (14.07 KB, patch) 2012-08-27 14:46 PDT, Thomas Sepez	abarth: review+ abarth: commit-queue-	Details \| Formatted Diff \| Diff
Show Obsolete (9) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Sepez 2012-08-07 14:02:30 PDT

Originally reported by mazurak [at] cs.wisc.edu at http://code.google.com/p/chromium/issues/detail?id=140544

VULNERABILITY DETAILS
By default, eval and eval-like functionality should be turned off whenever a Content Security Policy is in place, but this isn't happening in workers.  The CSP spec definitely says that the policy on a worker should match the policy on its parent page, and checks on the origins of scripts do appear working correctly.

Comparing SetTimeoutOrInterval in V8WorkerContextCustom.cpp to WindowSetTimeoutImpl in V8DomWindowCustom.cpp, it looks like the necessary checks are just missing on the worker side.

VERSION
Chrome Version: 21.0.1180.57 (stable)
Operating System: Linux (Debian testing) (doesn't appear OS-dependent)

REPRODUCTION CASE
The tests here should all pass for a browser that is implementing CSP and Web Workers correctly (assuming I have not made some silly JavaScript mistakes):

http://pages.cs.wisc.edu/~mazurak/csp_demo/

Comment 1 Thomas Sepez 2012-08-07 14:03:37 PDT

I believe this to be specific to the chromium platform; we'll know once I convert (shortly) the example to layout tests.

Comment 2 Thomas Sepez 2012-08-09 10:18:23 PDT

Created attachment 157478 [details]
Tests, more or less.

Comment 3 Thomas Sepez 2012-08-09 16:01:35 PDT

Created attachment 157570 [details]
Patch, in-progress, fixes for JSC side, missing chromium eval() fix.

Comment 4 Thomas Sepez 2012-08-13 13:14:50 PDT

BTW, not specific to chromium side.

Comment 5 Eric Seidel (no email) 2012-08-13 13:22:07 PDT

This isn't a security bug. :)  It was a conscious FIXME of the time, no need to restrict viewership here.

Comment 6 WebKit Review Bot 2012-08-13 14:44:35 PDT

Comment on attachment 157570 [details]
Patch, in-progress, fixes for JSC side, missing chromium eval() fix.

Attachment 157570 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/13492247

New failing tests:
http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

Comment 7 WebKit Review Bot 2012-08-13 14:44:39 PDT

Created attachment 158110 [details]
Archive of layout-test-results from gce-cr-linux-05

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: gce-cr-linux-05  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Comment 8 Thomas Sepez 2012-08-13 14:56:32 PDT

Created attachment 158115 [details]
Patch for review.

Comment 9 WebKit Review Bot 2012-08-13 16:56:26 PDT

Comment on attachment 158115 [details]
Patch for review.

Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/13485673

New failing tests:
http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html
http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

Comment 10 WebKit Review Bot 2012-08-13 16:56:30 PDT

Created attachment 158147 [details]
Archive of layout-test-results from gce-cr-linux-03

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: gce-cr-linux-03  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Comment 11 WebKit Review Bot 2012-08-13 17:30:10 PDT

Comment on attachment 158115 [details]
Patch for review.

Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/13484957

New failing tests:
http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html
http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

Comment 12 WebKit Review Bot 2012-08-13 17:30:14 PDT

Created attachment 158156 [details]
Archive of layout-test-results from gce-cr-linux-01

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: gce-cr-linux-01  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Comment 13 Thomas Sepez 2012-08-20 12:40:18 PDT

Created attachment 159491 [details]
Patch (including chromium eval() fix).

Comment 14 Thomas Sepez 2012-08-20 12:51:27 PDT

Comment on attachment 159491 [details]
Patch (including chromium eval() fix).

bleh.  Source/WebCore/ChangeLog fell out of the patch :(.

Comment 15 Thomas Sepez 2012-08-20 12:57:56 PDT

Created attachment 159495 [details]
Patch (fix changelog)

Comment 16 Adam Barth 2012-08-20 13:03:42 PDT

Comment on attachment 159495 [details]
Patch (fix changelog)

View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review

> Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249
> +    m_disableEvalPending = !enable;

What if m_context already exists?  Should we call AllowCodeGenerationFromStrings on it?

> Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72
> +        void allowEval(bool enable);

setEvalAllowed ?

> Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69
> +        if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) {

ContentSecurityPolicy * -> ContentSecurityPolicy*

Comment 17 Thomas Sepez 2012-08-20 13:13:36 PDT

(In reply to comment #16)
> (From update of attachment 159495 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review
> 
> > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249
> > +    m_disableEvalPending = !enable;
> 
> What if m_context already exists?  Should we call AllowCodeGenerationFromStrings on it?
> 

Nah.  You don't do any work until you call evaluate(), so we just use that one path always.


> > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72
> > +        void allowEval(bool enable);
> 
> setEvalAllowed ?
> 
Will Do.

> > Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69
> > +        if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) {
> 
> ContentSecurityPolicy * -> ContentSecurityPolicy*
Will Do.

Comment 18 Thomas Sepez 2012-08-20 13:24:25 PDT

Created attachment 159506 [details]
Patch (fix nits).

Comment 19 Adam Barth 2012-08-22 15:29:37 PDT

Comment on attachment 159506 [details]
Patch (fix nits).

Thanks.

Comment 20 WebKit Review Bot 2012-08-27 13:21:59 PDT

Comment on attachment 159506 [details]
Patch (fix nits).

Rejecting attachment 159506 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2

Last 500 characters of output:
er-set-timeout-blocked-expected.txt
patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-eval.js
patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-function-function.js
patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--force', u'--reviewer', u'Adam Barth']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue/

Full output: http://queues.webkit.org/results/13616310

Comment 21 Thomas Sepez 2012-08-27 14:46:18 PDT

Created attachment 160811 [details]
Patch, update-webkit

re-upload patch.  Unclear if out of date or if infrastructure itself is borked.

Comment 22 Adam Barth 2012-08-28 15:18:16 PDT

Comment on attachment 160811 [details]
Patch, update-webkit

I'm building this locally and will land manually.

Comment 23 Adam Barth 2012-08-28 18:15:51 PDT

Committed r126947: <http://trac.webkit.org/changeset/126947>