Test enabling EnhancedSecurityHeuristics flag by default. #56550
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://bugs.webkit.org/show_bug.cgi?id=305317 rdar://167971340 Reviewed by NOBODY (OOPS!). We cannot make an EnhancedSecurity state change when we have an opener relationship, as we do not have the ability to maintain the opener relationship across process boundaries until site isolation is present. Therefore, we should not change EnhancedSecurity state when a navigation requires an opener relationship, as otherwise a process swap will have to occur to accommodate the change in state. This change applies this behaviour, which fixes the following tests when the Enhanced Security heuristics flag is enabled by default: * AdvancedPrivacyProtections.DoNotHideReferrerInPopupWindow * SOAuthorizationPopUp.InterceptionSucceedCloseByItself * SOAuthorizationPopUp.InterceptionSucceedCloseByParent * SOAuthorizationPopUp.InterceptionSucceedCloseByWebKit * SOAuthorizationPopUp.InterceptionSucceedNewWindowNavigation * SOAuthorizationPopUp.InterceptionSucceedSuppressActiveSession * SOAuthorizationPopUp.InterceptionSucceedTwice * SOAuthorizationPopUp.InterceptionSucceedWithCookie * SOAuthorizationPopUp.SOAuthorizationLoadPolicyAllowAsync * WKWebExtensionAPIDevTools.PortMessagePassingFromPanelToBackground An additional test is also added that ensures correct behaviour with and without site isolation: * EnhancedSecurityPolicies.HttpsOpeningHttp Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm * Source/WebKit/UIProcess/EnhancedSecurityTracking.cpp: (WebKit::EnhancedSecurityTracking::trackNavigation): * Source/WebKit/UIProcess/EnhancedSecurityTracking.h: * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::receivedNavigationActionPolicyDecision): * Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm: (runHttpsOpeningHttp):
https://bugs.webkit.org/show_bug.cgi?id=305319 rdar://167979248 Reviewed by NOBODY (OOPS!). The following test fails when the Enhanced Security heuristics flag is enabled by default: * WKBackForwardList.BackForwardNavigationSkipsItemsWithoutUserGestureFragment This appears to relate to our local storage / cookie check callback, which occurs in the background for a navigation when the heuristics flag is enabled. This checks if the site being navigated to has cookies or local storage set. If the callback is delayed, it looks like we can hit our assertion that the URL being checked does not match the current navigation URL. Instead, we should ignore the callback in this case as it is now irrelevant. No new test as this fixes occassional failures in existing test behaviour. * Source/WebKit/UIProcess/API/APINavigation.cpp: (API::Navigation::setHasStorageForCurrentSite):
https://bugs.webkit.org/show_bug.cgi?id=305325 rdar://167982762 Reviewed by NOBODY (OOPS!). When the EnhancedSecurityHeuristics flag is enabled, the following two tests in WKNavigation fail: * HTTPSFirstWithHTTPRedirect * PreferredHTTSPolicyAutomaticHTTPFallbackWithHTTPRedirect These have specific results which expect a particular load count and final URL. However, these have an underlying reliance on the initial load re-using a WebContent process, then a PSON occurring when we get the cross-site redirect. This is because we previously have loaded the same site as the initial request. Removing the initial load to site.example showcases this by hitting the same assertion failure. With Enhanced Security heuristics enabled, we'll perform a process swap earlier and so hit this same failure case. To make test behaviour consistent, with or without the Enhanced Security heuristics flag, this test fix simply ensures the second browse is to a different site than the initial browse, standardising the process swapping behaviour. * Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm: (TEST(WKNavigation, HTTPSFirstWithHTTPRedirect)): (TEST(WKNavigation, PreferredHTTPSPolicyAutomaticHTTPFallbackWithHTTPRedirect)):
https://bugs.webkit.org/show_bug.cgi?id=305328 rdar://164474301 Reviewed by NOBODY (OOPS!). With the introduction of Enhanced Security, it is now possible for a BrowsingContextGroup to contain multiple processes for a given site if their Enhanced Security requirement differs. This triggered an assertion when site isolation was enabled as it expects the process map in a BrowsingContextGroup to only contain a single process for any given site. Instead, we now need to track the required Enhanced Security state of the process when inspecting / modifying the process map. This also adjusts the MainFrameRedirectBetweenExistingProcesses test to use HTTPS instead of HTTP, as using HTTP affects the test behaviour when the Enhanced Security heuristics flag is enabled as it performs more process swapping. This change allows re-enabling various tests in EnhancedSecurityPolicies with site isolation enabled, which previously would fail. The MainFrameRedirectBetweenExistingProcesses test in SiteIsolation was also adjusted to not rely on a HTTP load, as otherwise the Enhanced Security swap due to HTTP complicates test behaviour. Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm Tools/TestWebKitAPI/Tests/WebKitCocoa/SiteIsolation.mm * Source/WebKit/UIProcess/BrowsingContextGroup.cpp: (WebKit::BrowsingContextGroup::sharedProcessForSite): (WebKit::BrowsingContextGroup::ensureProcessForSite): (WebKit::BrowsingContextGroup::processForSite): (WebKit::BrowsingContextGroup::addFrameProcessAndInjectPageContextIf): (WebKit::BrowsingContextGroup::removeFrameProcess): (WebKit::BrowsingContextGroup::addPage): * Source/WebKit/UIProcess/BrowsingContextGroup.h: * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::launchProcess): (WebKit::WebPageProxy::processForSite): * Source/WebKit/UIProcess/WebPageProxy.h: * Source/WebKit/UIProcess/WebProcessPool.cpp: (WebKit::WebProcessPool::processForNavigation): * Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm: * Tools/TestWebKitAPI/Tests/WebKitCocoa/SiteIsolation.mm: (TestWebKitAPI::TEST(SiteIsolation, MainFrameRedirectBetweenExistingProcesses)):
https://bugs.webkit.org/show_bug.cgi?id=305331 rdar://167988684 Reviewed by NOBODY (OOPS!). A bug exists in CFNetwork which can cause our notification registration for cookie changes to be unregistered. This occurs when a NSHTTPCookieStorage object is destroyed, particularly when a non-persistent website data store is used. When the Enhanced Security heuristics flag is enabled, we perform a hasCookies call to check for cookies more regularly, which surfaces this bug more frequently. This change applies a temporary workaround that re-registers for cookie notifications, if required, after a call to hasCookies. A new test is also added that ensures this behaviour is tested for. Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm * Source/WebCore/platform/network/cocoa/CookieStorageObserver.h: * Source/WebCore/platform/network/cocoa/CookieStorageObserver.mm: (WebCore::CookieStorageObserver::startObserving): (WebCore::CookieStorageObserver::registerInternalsForNotifications): * Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm: (WebCore::NetworkStorageSession::hasCookies const): * Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm: (-[EnhancedSecurityCookieObserver cookiesDidChangeInCookieStore:]): (TEST(EnhancedSecurityPolicies, NonPersistentDataStoreCookieNotification)):
https://bugs.webkit.org/show_bug.cgi?id=305376 rdar://168056407 Reviewed by NOBODY (OOPS!). Addresses the following test failures when Enhanced Security Heuristics are enabled: * HistoryDelegate.PersistentDataStoreSendsHistoryEvents * HistoryDelegate.NonpersistentDataStoreSendsHistoryEventsWhenAllowingPrivacySensitiveOperations The issue here relates to having begun to load a request in the regular WebContent process, before navigation policy decisions decide to switch to an Enhanced Security process. When this occurs, we do a new loadRequest call on the ProvisionalPageProxy via continueNavigationInNewProcess. This, however, uses the ResourceRequest from the Navigation object that was passed to decidePolicyForNavigationAction, which has already been mutated by the original WebContent process. When this is then passed to the new Enhanced Security process, this is treated as the original ResourceRequest and used for reporting history events, leading to the failing test. Instead, we now pass through the original ResourceRequest if we are doing a continuing load from such a policy decision, and use this as the original request when creating the DocumentLoader in the new Enhanced Security process. Some minor header refactoring was also required as ResourceRequest.h now becomes a necessary include in LocalFrameLoaderClient.h, which triggered some build issues on Linux and Windows platforms. Removing BlobData.h was feasible and prevented many other header includes that caused the build issue. Added a new test (HistoryEventsUseCorrectOriginalRequest) that ensures this behaviour is tested without the flag needing to be enabled by default. Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm * Source/WebCore/loader/DocumentLoader.cpp: (WebCore::DocumentLoader::DocumentLoader): * Source/WebCore/loader/DocumentLoader.h: (WebCore::DocumentLoader::create): * Source/WebCore/loader/EmptyClients.cpp: (WebCore::EmptyFrameLoaderClient::createDocumentLoader): * Source/WebCore/loader/EmptyFrameLoaderClient.h: * Source/WebCore/loader/FrameLoadRequest.h: (WebCore::FrameLoadRequest::setOriginalResourceRequest): (WebCore::FrameLoadRequest::hasOriginalResourceRequest): (WebCore::FrameLoadRequest::takeOriginalResourceRequest): * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::load): * Source/WebCore/loader/LocalFrameLoaderClient.h: * Source/WebCore/platform/network/FormData.h: * Source/WebCore/platform/network/ResourceRequestBase.h: * Source/WebCore/platform/network/curl/CurlFormDataStream.cpp: * Source/WebKit/Shared/LoadParameters.h: * Source/WebKit/Shared/LoadParameters.serialization.in: * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::loadRequestWithNavigationShared): * Source/WebKit/WebProcess/Storage/RemoteWorkerFrameLoaderClient.cpp: (WebKit::RemoteWorkerFrameLoaderClient::createDocumentLoader): * Source/WebKit/WebProcess/Storage/RemoteWorkerFrameLoaderClient.h: * Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp: (WebKit::WebLocalFrameLoaderClient::createDocumentLoader): * Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h: * Source/WebKit/WebProcess/WebPage/WebPage.cpp: (WebKit::WebPage::loadRequest): (WebKit::WebPage::createDocumentLoader): * Source/WebKit/WebProcess/WebPage/WebPage.h: * Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h: * Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm: (WebFrameLoaderClient::createDocumentLoader): * Source/WebKitLegacy/mac/WebView/WebDocumentLoaderMac.h: (WebDocumentLoaderMac::create): * Source/WebKitLegacy/mac/WebView/WebDocumentLoaderMac.mm: (WebDocumentLoaderMac::WebDocumentLoaderMac): * Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm: (-[EnhancedSecurityHistoryDelegate _webView:didNavigateWithNavigationData:]): (-[EnhancedSecurityHistoryDelegate _webView:didUpdateHistoryTitle:forURL:]): (-[EnhancedSecurityHistoryDelegate _webView:didPerformServerRedirectFromURL:toURL:]): (TEST(EnhancedSecurityPolicies, HistoryEventsUseCorrectOriginalRequest)):
https://bugs.webkit.org/show_bug.cgi?id=305379 rdar://168058731 Reviewed by NOBODY (OOPS!). When the Enhanced Security heuristics flag is enabled by default, a test failure occurred in: * WebKit.RedirectToPlaintextHTTPSUpgrade This test ensures that a HTTPS site performing a same-site redirect to plaintext HTTP does not get upgraded by the ContentRuleList rules, as this is an explicit HTTP redirect. When the Enhanced Security heuristics flag is enabled, the redirect to the HTTP site causes us to process swap and load this in an Enhanced Security process. In doing so, we change the load code path taken and lost information that this explicit redirect had occurred. To address this, this change explicitly checks for us having continued the load due to a navigation policy change, and uses the original request URL, if different, when processing the ContentRuleList for this load. We also now have an explicit test that checks this case. Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm * Source/WebCore/loader/DocumentLoader.h: (WebCore::DocumentLoader::isContinuingLoadAfterNavigationPolicyDecision const): (WebCore::DocumentLoader::setIsContinuingLoadAfterNavigationPolicyDecision): * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::load): * Source/WebCore/loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::requestResource): * Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm: (runHttpsToSameSiteHttpExplicitRedirect):
https://bugs.webkit.org/show_bug.cgi?id=305385 rdar://168062302 Reviewed by NOBODY (OOPS!). The WKNavigation.HTTPSOnlyWithHTTPRedirect failed when enabling the EnhancedSecurityHeuristics flag by default. Investigating this uncovered a slight issue in the HTTPS upgrade / same-site HTTP upgrade prevention logic which can also occur outside of the EnhancedSecurityHeuristics being enabled. The attached change to the HTTPSOnlyWithHTTPRedirect test shows this, which ensures we do a process swap for the initial load, rather than on the first redirect. Without this, we do a proces swap on the redirect, and the original request site that is used in upgradeRequestAfterRedirection is the newly redirected site - at which point we decide not to attempt a HTTPS upgrade because this is a same site HTTPS -> HTTP redirect. The issue appears to be that on a PSON, the original URL used in updateRequestAfterRedirection always remains as the initial load site, which prevents our HTTPS -> HTTP same-site logic from stopping the HTTPS upgrade, which results in a continuous loop of this request until it caps out at the max redirects count. This fix adds another parameter to updateRequestAfterRedirection which tracks the last redirect URL and uses this when determining if a HTTPS upgrade should occur. The original preRedirectURL is still required as this is later used for reporting CSP violations. The HTTPSOnlyWithHTTPRedirect test is modified to now test this PSON case, as well as standardise behaviour between EnhancedSecurityHeuristics flag being enabled or disabled. Another test is added to EnhancedSecurityPolicies, which ensures this HTTPSOnly behaviour is always tested with Enhanced Security: * HttpsOnlyExplicitlyBypassedWithHttpRedirect Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm * Source/WebCore/loader/SubresourceLoader.cpp: (WebCore::SubresourceLoader::willSendRequestInternal): * Source/WebCore/loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::updateRequestAfterRedirection): * Source/WebCore/loader/cache/CachedResourceLoader.h: * Tools/TestWebKitAPI/Tests/WebKitCocoa/EnhancedSecurityPolicies.mm: (runHttpsOnlyExplicitlyBypassedWithHttpRedirect): * Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm: (TEST(WKNavigation, HTTPSOnlyWithHTTPRedirect)):
…urity https://bugs.webkit.org/show_bug.cgi?id=305405 rdar://168079499 Reviewed by NOBODY (OOPS!). When enabling the EnhancedSecurityHeuristics flag, the following test began to fail: * WKWebExtensionAPIDeclarativeNetRequest.RedirectRule This test performs a cross-site redirect from localhost -> 127.0.0.1 via a web extension using the DeclarativeNetRequest API, which is handled within the WebContent proecss. When such a redirect occurs, the WebContent process opts to perform a new load and cancel the existing load. When Enhanced Security is enabled, this cross-site redirect occurs in the newly selected Enhanced Security process, which is only alive due to this provisional load. When the current provisional load is cleared, to perform the new navigation policy check, the UI process decides that our WebContent process can be torn down now. This change handles this case by marking the new FrameLoadRequest as being related to such a ContentRuleList cross-site redirect. Then, when we clear the current provisional load and send the DidFailProvisionalLoad message to the UI process, we can check if this is a Cancellation error, and that it was due to such a cross-site redirect, and if so, indicate to the UI process that we will be handling this load failure internally. This is a similar mechanism to how HTTPS upgrade fallbacks are handled. Testing this is quite difficult - the only case I've managed to reliably produce this is by using the extension API and having Enhanced Security enabled. Rather than duplicating this into EnhancedSecurityPolicies, I've added some plumbing that allows us to enable the EnhancedSecurityHeuristics flag in the TestWebExtensionManager related code, and we now test this RedirectRule test both with and without EnhancedSecurityHeuristics. Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIDeclarativeNetRequest.mm Tools/TestWebKitAPI/cocoa/WebExtensionUtilities.h Tools/TestWebKitAPI/cocoa/WebExtensionUtilities.mm * Source/WebCore/loader/FrameLoadRequest.h: (WebCore::FrameLoadRequestBase::isCrossOriginContentRuleListRedirect const): (WebCore::FrameLoadRequestBase::setIsCrossOriginContentRuleListRedirect): * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::load): (WebCore::FrameLoader::checkLoadCompleteForThisFrame): * Source/WebCore/loader/FrameLoader.h: * Source/WebCore/loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::requestResource): * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIDeclarativeNetRequest.mm: (TestWebKitAPI::runRedirectRule): (TestWebKitAPI::TEST(WKWebExtensionAPIDeclarativeNetRequest, RedirectRule)): (TestWebKitAPI::TEST(WKWebExtensionAPIDeclarativeNetRequest, RedirectRuleWithEnhancedSecurity)): * Tools/TestWebKitAPI/cocoa/WebExtensionUtilities.h: * Tools/TestWebKitAPI/cocoa/WebExtensionUtilities.mm: (-[TestWebExtensionManager initForExtension:extensionControllerConfiguration:]): (-[TestWebExtensionManager initForExtension:extensionControllerConfiguration:usesEnhancedSecurity:]): (-[TestWebExtensionTab initWithWindow:extensionController:]): (-[TestWebExtensionWindow initWithExtensionController:usesPrivateBrowsing:]): (-[TestWebExtensionWindow initWithExtensionController:usesPrivateBrowsing:usesEnhancedSecurity:]): (TestWebKitAPI::Util::parseExtension): (TestWebKitAPI::Util::loadExtension):
Reviewed by NOBODY (OOPS!). Enables the EnhancedSecurityHeuristics flag by default, testing for results across EWS. No new tests (OOPS!). * Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
Collaborator
|
EWS run on current version of this PR (hash 0b65af3) Details |
🧪 api-mac
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
0b65af3
0793c39
bb99280
235bad8
dc4ffe0
b9dd852
f5d7b3b
2f47c41
1159c1c
df86629
0b65af3
🛠 playstation