Bug 153622

Summary: CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.    Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, ap, barraclough, bfulgham, commit-queue, mkwst, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Local Build   
Hardware: All   
OS: All   
Bug Depends on: 153157    
Bug Blocks: 69359    
Attachments:
Description                  Flags
Patch and Layout Tests       none
Patch and Layout Tests       none
Patch and Layout Tests       none
Patch and Layout Tests       none
Patch and Layout Tests       barraclough: review+

Daniel Bates
Reported 2016-01-28 16:09:59 PST
We should allow code that runs in a Web Worker that was initiated from an isolated world to bypass the main world Content Security Policy. Currently such code is subject to the main world CSP even though code that executes in an isolated world is allowed to bypass the main world Content Security Policy.
Attachments
Description               Size       Type    Date                    Author         Flags
Patch and Layout Tests    36.49 KB   patch   2016-01-28 16:15 PST    Daniel Bates   no flags
Patch and Layout Tests    36.30 KB   patch   2016-02-01 10:06 PST    Daniel Bates   no flags
Patch and Layout Tests    40.09 KB   patch   2016-02-05 12:03 PST    Daniel Bates   no flags
Patch and Layout Tests    40.10 KB   patch   2016-02-05 12:21 PST    Daniel Bates   no flags
Patch and Layout Tests    45.98 KB   patch   2016-02-07 13:01 PST    Daniel Bates   barraclough: review+
Radar WebKit Bug Importer
Comment 1 2016-01-28 16:12:47 PST
Daniel Bates
Comment 2 2016-01-28 16:15:20 PST
Created attachment 270159 [details]
Patch and Layout Tests

This patch will fail to apply because it depends on the patch for bug #153157.
Daniel Bates
Comment 3 2016-02-01 10:06:02 PST
Created attachment 270397 [details]
Patch and Layout Tests

Rebased patch following the landing of patches for bug #153157 and bug #153612.
Daniel Bates
Comment 4 2016-02-05 12:03:57 PST
Created attachment 270756 [details]
Patch and Layout Tests

Updated patch to bypass the CSP policy of the document when instantiating a worker whose script URL would otherwise be blocked, and added a test case.
Daniel Bates
Comment 5 2016-02-05 12:21:42 PST
Created attachment 270758 [details]
Patch and Layout Tests

Include the date of the CSP 2.0 draft referenced by the comment in AbstractWorker::resolveURL().
Andy Estes
Comment 6 2016-02-05 13:51:00 PST
Comment on attachment 270758 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=270758&action=review

> Source/WebCore/ChangeLog:23
> +        (WebCore::WorkerScriptController::WorkerScriptController): Modified to take a boolean argument and
> +        as to whether to bypass the main world Content Security Policy and store it in a member field.

spurious "and".

> Source/WebCore/ChangeLog:58
> +        (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Moved instantiated of the ContentSecurityPolicy object
> +        from here to the constructor.

instantiated => instantiation

> Source/WebCore/ChangeLog:67
> +        (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Modified to take a boolean argument and
> +        as to whether to bypass the main world Content Security Policy and store it in a member field.

spurious "and"
Gavin Barraclough
Comment 7 2016-02-05 15:01:21 PST
Comment on attachment 270758 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=270758&action=review

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:1789
> +

Could we just make shouldBypassMainWorldContentSecurityPolicy() a virtual function implemented on ScriptExecutionContext, with a base behavior to return false?
Daniel Bates
Comment 8 2016-02-07 12:58:50 PST
(In reply to comment #7)
> Comment on attachment 270758 [details]
> Patch and Layout Tests
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=270758&action=review
>
> > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:1789
> > +
>
> Could we just make shouldBypassMainWorldContentSecurityPolicy() a virtual
> function implemented on ScriptExecutionContext, with a base behavior to
> return false?

Yes, we can. Will update the patch.
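The design agreed in comments 7 and 8, as an added C++ sketch that is not WebKit's code: hypothetical stand-ins for ScriptExecutionContext, Document, WorkerGlobalScope and ContentSecurityPolicy show the base class defaulting to "do not bypass" and a worker started from an isolated world carrying the bypass flag into its own policy checks. The allow list and origins are constructed sample values.

```cpp
// Added illustration of the virtual-function design; these are stand-ins, not WebKit classes.
#include <string>
#include <vector>

// Stand-in for ScriptExecutionContext: the base behaviour is to honour the main world CSP.
struct ScriptExecutionContext {
    virtual ~ScriptExecutionContext() = default;
    virtual bool shouldBypassMainWorldContentSecurityPolicy() const { return false; }
};

// Stand-in for Document: main world code is always subject to the page's policy.
struct Document : ScriptExecutionContext {};

// Stand-in for WorkerGlobalScope: stores the flag passed in at worker start-up, so a
// worker created from an isolated world keeps that world's exemption from the page CSP.
struct WorkerGlobalScope : ScriptExecutionContext {
    explicit WorkerGlobalScope(bool bypass) : m_shouldBypassMainWorldContentSecurityPolicy(bypass) {}
    bool shouldBypassMainWorldContentSecurityPolicy() const override {
        return m_shouldBypassMainWorldContentSecurityPolicy;
    }
    bool m_shouldBypassMainWorldContentSecurityPolicy;
};

// Minimal model of a script-src policy: a source is allowed when it is in the allow list,
// or when the requesting context is exempt from the main world policy.
struct ContentSecurityPolicy {
    std::vector<std::string> scriptSrcAllowList;
    bool allowScriptFromSource(const ScriptExecutionContext& context, const std::string& origin) const {
        if (context.shouldBypassMainWorldContentSecurityPolicy())
            return true;
        for (const auto& allowed : scriptSrcAllowList)
            if (allowed == origin)
                return true;
        return false;
    }
};

// Starting a worker: the world that created it decides whether it bypasses the page CSP.
WorkerGlobalScope startWorker(bool createdFromIsolatedWorld) {
    return WorkerGlobalScope(createdFromIsolatedWorld);
}

// Whether a worker script served from `origin`, started from the given world, passes a page
// policy that only allows scripts from the constructed origin "https://example.test".
bool workerScriptAllowed(bool createdFromIsolatedWorld, const std::string& origin) {
    ContentSecurityPolicy policy{{"https://example.test"}};
    WorkerGlobalScope worker = startWorker(createdFromIsolatedWorld);
    return policy.allowScriptFromSource(worker, origin);
}
```

A main world worker loading a script from a non-listed origin is still blocked; only a worker started from an isolated world is exempt, matching the behaviour the description asks for.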
Daniel Bates
Comment 9 2016-02-07 13:01:38 PST
Created attachment 270829 [details]
Patch and Layout Tests

Updated patch to address feedback from Andy Estes and Gavin Barraclough.
Daniel Bates
Comment 10 2016-02-07 14:26:51 PST