Warn against cookie access in the WebContent process using ProcessPrivilege assertions
author: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Mar 2018 17:55:45 +0000 (17:55 +0000)
committer: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Mar 2018 17:55:45 +0000 (17:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=183911
<rdar://problem/38762306>

Reviewed by Youenn Fablet.

Source/WebCore:

Add a set of ProcessPrivilege assertions to enforce the rule that the WebContent process
should never call Cookie API directly. That should only happen in the Networking or
UIProcess.

Add a new static flag to NetworkStorageSession that indicates if the current process has
permission to interact with the Cookie API.

No new tests since there is no change in behavior.

* platform/network/NetworkStorageSession.cpp:
(WebCore::NetworkStorageSession::NetworkStorageSession):
(WebCore::NetworkStorageSession::processMayUseCookieAPI): Added.
(WebCore::NetworkStorageSession::permitProcessToUseCookieAPI): Added. This also adds
the appropriate flag to the ProcessPrivileges data for the current process.
* platform/network/NetworkStorageSession.h:
* platform/network/cf/NetworkStorageSessionCFNet.cpp:
(WebCore::createCFStorageSessionForIdentifier): Do not create cookie storage if the current
process is prohibited from interacting with the Cookie API.
(WebCore::NetworkStorageSession::NetworkStorageSession): Add assertions.
(WebCore::NetworkStorageSession::switchToNewTestingSession): Do not create cookie storage if
the current process is prohibited from interacting with the Cookie API.
(WebCore::NetworkStorageSession::defaultStorageSession): Ditto.
(WebCore::NetworkStorageSession::ensureSession): Ditto.
(WebCore::NetworkStorageSession::cookieStorage const): Ditto.
* platform/network/cocoa/CookieStorageObserver.mm:
(WebCore::CookieStorageObserver::CookieStorageObserver): Assert if accessed from untrusted process.
(WebCore::CookieStorageObserver::startObserving): Ditto.
(WebCore::CookieStorageObserver::stopObserving): Ditto.
* platform/network/cocoa/NetworkStorageSessionCocoa.mm:
(WebCore::NetworkStorageSession::setCookie):
(WebCore::NetworkStorageSession::setCookies):
(WebCore::NetworkStorageSession::deleteCookie):
(WebCore::nsCookiesToCookieVector):
(WebCore::NetworkStorageSession::getAllCookies):
(WebCore::NetworkStorageSession::getCookies):
(WebCore::NetworkStorageSession::flushCookieStore):
(WebCore::NetworkStorageSession::nsCookieStorage const):
(WebCore::createPrivateStorageSession):
* platform/network/mac/CookieJarMac.mm:
(WebCore::httpCookies):
(WebCore::deleteHTTPCookie):
(WebCore::httpCookiesForURL):
(WebCore::filterCookies):
(WebCore::applyPartitionToCookies):
(WebCore::cookiesInPartitionForURL):
(WebCore::cookiesForSession):
(WebCore::setHTTPCookiesForURL):
(WebCore::deleteAllHTTPCookies):
(WebCore::setCookiesFromDOM):
(WebCore::httpCookieAcceptPolicy):
(WebCore::deleteCookie):
(WebCore::deleteCookiesForHostnames):
(WebCore::deleteAllCookiesModifiedSince):

Source/WebKit:

Add a set of ProcessPrivilege assertions to enforce the rule that the WebContent process
should never call Cookie API directly. That should only happen in the Networking or
UIProcess.

* NetworkProcess/Cookies/mac/WebCookieManagerMac.mm:
(WebKit::WebCookieManager::platformSetHTTPCookieAcceptPolicy):
(WebKit::WebCookieManager::platformGetHTTPCookieAcceptPolicy):
* NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::initializeNetworkProcess):
* NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::applyCookieBlockingPolicy):
* NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::setSharedHTTPCookieStorage):
(WebKit::NetworkProcess::syncAllCookies):
* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
* NetworkProcess/mac/RemoteNetworkingContext.mm:
(WebKit::RemoteNetworkingContext::ensureWebsiteDataStoreSession):
* PluginProcess/PluginProcess.cpp:
(WebKit::PluginProcess::initializeProcess):
* Shared/cf/CookieStorageUtilsCF.mm:
(WebKit::cookieStorageFromIdentifyingData):
(WebKit::identifyingDataFromCookieStorage):
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
(WebKit::WebProcessPool::platformInitializeNetworkProcess):
(WebKit::privateBrowsingSession):
* UIProcess/WebProcessPool.cpp:
* UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
(WebKit::WebsiteDataStore::parameters):
* UIProcess/mac/WebCookieManagerProxyMac.mm:
(WebKit::WebCookieManagerProxy::persistHTTPCookieAcceptPolicy):
* WebProcess/InjectedBundle/InjectedBundle.cpp:
(WebKit::InjectedBundle::setPrivateBrowsingEnabled):
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::createNetworkingContext):
* WebProcess/WebCoreSupport/mac/WebFrameNetworkingContext.mm:
(WebKit::WebFrameNetworkingContext::ensureWebsiteDataStoreSession):
(WebKit::WebFrameNetworkingContext::storageSession const):
* WebProcess/WebProcess.cpp:
(WebKit::WebProcess::initializeProcess):

Source/WebKitLegacy/mac:

Initialize the ProcessPrivilege and Cookie API access levels for single-process use.

* WebView/WebView.mm:
(+[WebView initialize]):

Source/WebKitLegacy/win:

Initialize the ProcessPrivilege and Cookie API access levels for single-process use.

* WebView.cpp:
(WebView::WebView):

Source/WTF:

Extend the ProcessPrivilege API with the ability to add and remove individual
privileges.

* wtf/ProcessPrivilege.cpp:
(WTF::addProcessPrivilege):
(WTF::removeProcessPrivilege):
* wtf/ProcessPrivilege.h:

Tools:

Add a set of ProcessPrivilege assertions to enforce the rule that the WebContent process
should never call Cookie API directly. That should only happen in the Networking or
UIProcess.

* DumpRenderTree/mac/DumpRenderTree.mm:
(DumpRenderTreeMain):
* TestWebKitAPI/TestsController.cpp:
(TestWebKitAPI::TestsController::TestsController):
* WebKitTestRunner/TestController.cpp:
(WTR::TestController::initialize):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@229978 268f45cc-cd09-0410-ab3c-d52691b4dbfc

34 files changed:
Source/WTF/ChangeLog
Source/WTF/wtf/ProcessPrivilege.cpp
Source/WTF/wtf/ProcessPrivilege.h
Source/WebCore/ChangeLog
Source/WebCore/platform/network/NetworkStorageSession.cpp
Source/WebCore/platform/network/NetworkStorageSession.h
Source/WebCore/platform/network/cf/NetworkStorageSessionCFNet.cpp
Source/WebCore/platform/network/cocoa/CookieStorageObserver.mm
Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm
Source/WebCore/platform/network/mac/CookieJarMac.mm
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/Cookies/mac/WebCookieManagerMac.mm
Source/WebKit/NetworkProcess/NetworkProcess.cpp
Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm
Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
Source/WebKit/PluginProcess/PluginProcess.cpp
Source/WebKit/Shared/cf/CookieStorageUtilsCF.mm
Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
Source/WebKit/UIProcess/WebProcessPool.cpp
Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm
Source/WebKit/UIProcess/mac/WebCookieManagerProxyMac.mm
Source/WebKit/WebProcess/InjectedBundle/InjectedBundle.cpp
Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
Source/WebKit/WebProcess/WebCoreSupport/mac/WebFrameNetworkingContext.mm
Source/WebKit/WebProcess/WebProcess.cpp
Source/WebKitLegacy/mac/ChangeLog
Source/WebKitLegacy/mac/WebView/WebView.mm
Source/WebKitLegacy/win/ChangeLog
Source/WebKitLegacy/win/WebView.cpp
Tools/ChangeLog
Tools/DumpRenderTree/mac/DumpRenderTree.mm
Tools/TestWebKitAPI/TestsController.cpp
Tools/WebKitTestRunner/TestController.cpp

index 0117463..0af6131 100644 (file)
@@ -1,3 +1,19 @@
+2018-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        Warn against cookie access in the WebContent process using ProcessPrivilege assertions
+        https://bugs.webkit.org/show_bug.cgi?id=183911
+        <rdar://problem/38762306>
+
+        Reviewed by Youenn Fablet.
+
+        Extend the ProcessPrivilege API with the ability to add and remove individual
+        privileges.
+
+        * wtf/ProcessPrivilege.cpp:
+        (WTF::addProcessPrivilege):
+        (WTF::removeProcessPrivilege):
+        * wtf/ProcessPrivilege.h:
+
 2018-03-25  Carlos Alberto Lopez Perez  <clopez@igalia.com>
 
         WebProcess memory monitor: use %zu format specifier for size_t
index 2333532..5a6a0e5 100644 (file)
@@ -55,4 +55,14 @@ bool hasProcessPrivilege(ProcessPrivilege privilege)
     return processPrivileges().contains(privilege);
 }
 
+void addProcessPrivilege(ProcessPrivilege privilege)
+{
+    processPrivileges() |= privilege;
+}
+
+void removeProcessPrivilege(ProcessPrivilege privilege)
+{
+    processPrivileges() = processPrivileges() - privilege;
+}
+
 } // namespace WTF
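Review bot: `addProcessPrivilege` and `removeProcessPrivilege` make the privilege set mutable after `setProcessPrivileges` has run, so the "set once at process start" property the new assertions rely on now depends on every caller's discipline; an ASSERT that these are only called during process initialization, or at least a comment stating that expectation, would make the intended lifetime explicit. Minor style: the two bodies use different forms (`processPrivileges() |= privilege;` versus `processPrivileges() = processPrivileges() - privilege;`); a compound subtraction would read symmetrically if `OptionSet` offers one.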
index 9adb757..7d99cb4 100644 (file)
@@ -36,6 +36,8 @@ enum class ProcessPrivilege {
 };
 
 WTF_EXPORT void setProcessPrivileges(OptionSet<ProcessPrivilege>);
+WTF_EXPORT void addProcessPrivilege(ProcessPrivilege);
+WTF_EXPORT void removeProcessPrivilege(ProcessPrivilege);
 WTF_EXPORT bool hasProcessPrivilege(ProcessPrivilege);
 WTF_EXPORT OptionSet<ProcessPrivilege> allPrivileges();
 
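Review bot: the two new declarations carry no documentation of when they may be called or from which thread, unlike the existing one-shot `setProcessPrivileges`; a one-line comment in the header saying they are meant for process initialization only (and whether main-thread only) would prevent later misuse as a runtime toggle.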
index 38ad1b9..f8888cd 100644 (file)
@@ -1,3 +1,65 @@
+2018-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        Warn against cookie access in the WebContent process using ProcessPrivilege assertions
+        https://bugs.webkit.org/show_bug.cgi?id=183911
+        <rdar://problem/38762306>
+
+        Reviewed by Youenn Fablet.
+
+        Add a set of ProcessPrivilege assertions to enforce the rule that the WebContent process
+        should never call Cookie API directly. That should only happen in the Networking or
+        UIProcess. 
+
+        Add a new static flag to NetworkStorageSession that indicates if the current process has
+        permission to interact with the Cookie API.
+
+        No new tests since there is no change in behavior.
+
+        * platform/network/NetworkStorageSession.cpp:
+        (WebCore::NetworkStorageSession::NetworkStorageSession):
+        (WebCore::NetworkStorageSession::processMayUseCookieAPI): Added.
+        (WebCore::NetworkStorageSession::permitProcessToUseCookieAPI): Added. This also adds
+        the appropriate flag to the ProcessPrivileges data for the current process.
+        * platform/network/NetworkStorageSession.h:
+        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
+        (WebCore::createCFStorageSessionForIdentifier): Do not create cookie storage if the current
+        process is prohibited from interacting with the Cookie API.
+        (WebCore::NetworkStorageSession::NetworkStorageSession): Add assertions.
+        (WebCore::NetworkStorageSession::switchToNewTestingSession): Do not create cookie storage if
+        the current process is prohibited from interacting with the Cookie API.
+        (WebCore::NetworkStorageSession::defaultStorageSession): Ditto.
+        (WebCore::NetworkStorageSession::ensureSession): Ditto.
+        (WebCore::NetworkStorageSession::cookieStorage const): Ditto.
+        * platform/network/cocoa/CookieStorageObserver.mm:
+        (WebCore::CookieStorageObserver::CookieStorageObserver): Assert if accessed from untrusted process.
+        (WebCore::CookieStorageObserver::startObserving): Ditto.
+        (WebCore::CookieStorageObserver::stopObserving): Ditto.
+        * platform/network/cocoa/NetworkStorageSessionCocoa.mm:
+        (WebCore::NetworkStorageSession::setCookie):
+        (WebCore::NetworkStorageSession::setCookies):
+        (WebCore::NetworkStorageSession::deleteCookie):
+        (WebCore::nsCookiesToCookieVector):
+        (WebCore::NetworkStorageSession::getAllCookies):
+        (WebCore::NetworkStorageSession::getCookies):
+        (WebCore::NetworkStorageSession::flushCookieStore):
+        (WebCore::NetworkStorageSession::nsCookieStorage const):
+        (WebCore::createPrivateStorageSession):
+        * platform/network/mac/CookieJarMac.mm:
+        (WebCore::httpCookies):
+        (WebCore::deleteHTTPCookie):
+        (WebCore::httpCookiesForURL):
+        (WebCore::filterCookies):
+        (WebCore::applyPartitionToCookies):
+        (WebCore::cookiesInPartitionForURL):
+        (WebCore::cookiesForSession):
+        (WebCore::setHTTPCookiesForURL):
+        (WebCore::deleteAllHTTPCookies):
+        (WebCore::setCookiesFromDOM):
+        (WebCore::httpCookieAcceptPolicy):
+        (WebCore::deleteCookie):
+        (WebCore::deleteCookiesForHostnames):
+        (WebCore::deleteAllCookiesModifiedSince):
+
 2018-03-26  Alex Christensen  <achristensen@webkit.org>
 
         Merge ResourceHandleClient::willCacheResponseAsync with ResourceHandleClient::willCacheResponse
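Review bot: trailing whitespace after `UIProcess.` in this entry. Also, `No new tests since there is no change in behavior` does not quite hold: `createCFStorageSessionForIdentifier` and `cookieStorage()` now return early or `nullptr` when `processMayUseCookieAPI()` is false, which changes what an unprivileged process gets back; the sentence should instead say that the new paths are exercised by the existing tests through the TestController and DumpRenderTree initialization changes listed under Tools.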
index 1f444e3..03307a6 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 
 #include <pal/SessionID.h>
 #include <wtf/NeverDestroyed.h>
+#include <wtf/ProcessPrivilege.h>
 
 namespace WebCore {
 
+bool NetworkStorageSession::m_processMayUseCookieAPI = false;
+
 HashMap<PAL::SessionID, std::unique_ptr<NetworkStorageSession>>& NetworkStorageSession::globalSessionMap()
 {
     static NeverDestroyed<HashMap<PAL::SessionID, std::unique_ptr<NetworkStorageSession>>> map;
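Review bot: WebKit style prefixes static data members with `s_`, so `bool NetworkStorageSession::m_processMayUseCookieAPI = false;` here, and its declaration `static bool m_processMayUseCookieAPI;` in NetworkStorageSession.h, should be named `s_processMayUseCookieAPI`.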
@@ -57,4 +60,18 @@ void NetworkStorageSession::forEach(const WTF::Function<void(const WebCore::Netw
         functor(*storageSession);
 }
 
+bool NetworkStorageSession::processMayUseCookieAPI()
+{
+    return m_processMayUseCookieAPI;
+};
+
+void NetworkStorageSession::permitProcessToUseCookieAPI(bool value)
+{
+    m_processMayUseCookieAPI = value;
+    if (m_processMayUseCookieAPI)
+        addProcessPrivilege(ProcessPrivilege::CanAccessRawCookies);
+    else
+        removeProcessPrivilege(ProcessPrivilege::CanAccessRawCookies);
+}
+
 }
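Review bot: `processMayUseCookieAPI()` keeps a second source of truth beside the privilege set: `permitProcessToUseCookieAPI(true)` sets the flag and adds `CanAccessRawCookies`, but a later `setProcessPrivileges(...)` call (declared in ProcessPrivilege.h) replaces the whole set without touching the flag, so the two can disagree and the `ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies))` that follows every `processMayUseCookieAPI()` check would fire. Returning `hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies)` directly would remove the duplication. Style: drop the stray semicolon after the closing brace of `processMayUseCookieAPI()` (`};`).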
index ffc6f5c..c031f66 100644 (file)
@@ -73,6 +73,8 @@ public:
     WEBCORE_EXPORT static void ensureSession(PAL::SessionID, const String& identifierBase = String());
     WEBCORE_EXPORT static void destroySession(PAL::SessionID);
     WEBCORE_EXPORT static void forEach(const WTF::Function<void(const WebCore::NetworkStorageSession&)>&);
+    WEBCORE_EXPORT static void permitProcessToUseCookieAPI(bool);
+    WEBCORE_EXPORT static bool processMayUseCookieAPI();
 
     WEBCORE_EXPORT static void switchToNewTestingSession();
 
@@ -91,6 +93,7 @@ public:
 #if PLATFORM(COCOA) || USE(CFURLCONNECTION)
     WEBCORE_EXPORT static void ensureSession(PAL::SessionID, const String& identifierBase, RetainPtr<CFHTTPCookieStorageRef>&&);
     NetworkStorageSession(PAL::SessionID, RetainPtr<CFURLStorageSessionRef>&&, RetainPtr<CFHTTPCookieStorageRef>&&);
+    explicit NetworkStorageSession(PAL::SessionID);
 
     // May be null, in which case a Foundation default should be used.
     CFURLStorageSessionRef platformSession() { return m_platformSession.get(); }
@@ -193,6 +196,7 @@ public:
 private:
     mutable RefPtr<CookieStorageObserver> m_cookieStorageObserver;
 #endif
+    static bool m_processMayUseCookieAPI;
 };
 
 #if PLATFORM(COCOA)
index 0d97017..2eb601c 100644 (file)
@@ -29,6 +29,7 @@
 #include <wtf/MainThread.h>
 #include <wtf/NeverDestroyed.h>
 #include <wtf/ProcessID.h>
+#include <wtf/ProcessPrivilege.h>
 
 #if PLATFORM(COCOA)
 #include "PublicSuffix.h"
@@ -58,6 +59,11 @@ static RetainPtr<CFURLStorageSessionRef> createCFStorageSessionForIdentifier(CFS
     auto sharedCache = adoptCF(CFURLCacheCopySharedURLCache());
     CFURLCacheSetMemoryCapacity(cache.get(), CFURLCacheMemoryCapacity(sharedCache.get()));
 
+    if (!NetworkStorageSession::processMayUseCookieAPI())
+        return storageSession;
+
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     auto cookieStorage = adoptCF(_CFURLStorageSessionCopyCookieStorage(kCFAllocatorDefault, storageSession.get()));
     if (!cookieStorage)
         return nullptr;
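Review bot: the pair `if (!NetworkStorageSession::processMayUseCookieAPI()) return ...;` followed by `ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));` appears here and again in `switchToNewTestingSession`, `ensureSession`, `cookieStorage() const` and `createPrivateStorageSession` in NetworkStorageSessionCocoa.mm; a single helper that performs the check and the assertion together would keep the five copies from drifting. Also, the early return hands back a session whose cookie storage was deliberately never created, which differs from the `if (!cookieStorage) return nullptr;` failure path just below; a short comment at the return would make that distinction clear to callers.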
@@ -73,9 +79,16 @@ NetworkStorageSession::NetworkStorageSession(PAL::SessionID sessionID, RetainPtr
     : m_sessionID(sessionID)
     , m_platformSession(WTFMove(platformSession))
 {
+    ASSERT(processMayUseCookieAPI() || !platformCookieStorage);
     m_platformCookieStorage = platformCookieStorage ? WTFMove(platformCookieStorage) : cookieStorage();
 }
 
+NetworkStorageSession::NetworkStorageSession(PAL::SessionID sessionID)
+    : m_sessionID(sessionID)
+{
+}
+
+
 static std::unique_ptr<NetworkStorageSession>& defaultNetworkStorageSession()
 {
     ASSERT(isMainThread());
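Review bot: there are two consecutive blank lines between the new single-argument constructor and `defaultNetworkStorageSession()`; one is enough. Also, the new constructor leaves `m_platformCookieStorage` unset, whereas the three-argument one assigns `platformCookieStorage ? WTFMove(platformCookieStorage) : cookieStorage()`; since `defaultStorageSession()` now uses the single-argument form, the default session's cookie storage is resolved on each `cookieStorage()` call instead of once at construction. If that is intended, a comment on the constructor would help.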
@@ -96,8 +109,11 @@ void NetworkStorageSession::switchToNewTestingSession()
 #endif
 
     RetainPtr<CFHTTPCookieStorageRef> cookieStorage;
-    if (session)
-        cookieStorage = adoptCF(_CFURLStorageSessionCopyCookieStorage(kCFAllocatorDefault, session.get()));
+    if (NetworkStorageSession::processMayUseCookieAPI()) {
+        ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+        if (session)
+            cookieStorage = adoptCF(_CFURLStorageSessionCopyCookieStorage(kCFAllocatorDefault, session.get()));
+    }
 
     defaultNetworkStorageSession() = std::make_unique<NetworkStorageSession>(PAL::SessionID::defaultSessionID(), WTFMove(session), WTFMove(cookieStorage));
 }
@@ -105,7 +121,7 @@ void NetworkStorageSession::switchToNewTestingSession()
 NetworkStorageSession& NetworkStorageSession::defaultStorageSession()
 {
     if (!defaultNetworkStorageSession())
-        defaultNetworkStorageSession() = std::make_unique<NetworkStorageSession>(PAL::SessionID::defaultSessionID(), nullptr, nullptr);
+        defaultNetworkStorageSession() = std::make_unique<NetworkStorageSession>(PAL::SessionID::defaultSessionID());
     return *defaultNetworkStorageSession();
 }
 
@@ -127,8 +143,11 @@ void NetworkStorageSession::ensureSession(PAL::SessionID sessionID, const String
     } else
         storageSession = createCFStorageSessionForIdentifier(cfIdentifier.get());
 
-    if (!cookieStorage && storageSession)
-        cookieStorage = adoptCF(_CFURLStorageSessionCopyCookieStorage(kCFAllocatorDefault, storageSession.get()));
+    if (NetworkStorageSession::processMayUseCookieAPI()) {
+        ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+        if (!cookieStorage && storageSession)
+            cookieStorage = adoptCF(_CFURLStorageSessionCopyCookieStorage(kCFAllocatorDefault, storageSession.get()));
+    }
 
     addResult.iterator->value = std::make_unique<NetworkStorageSession>(sessionID, WTFMove(storageSession), WTFMove(cookieStorage));
 }
@@ -140,6 +159,11 @@ void NetworkStorageSession::ensureSession(PAL::SessionID sessionID, const String
 
 RetainPtr<CFHTTPCookieStorageRef> NetworkStorageSession::cookieStorage() const
 {
+    if (!processMayUseCookieAPI())
+        return nullptr;
+
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     if (m_platformCookieStorage)
         return m_platformCookieStorage;
 
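Review bot: in release builds the assertion is compiled out, and a process that is not permitted to use the cookie API simply gets `nullptr` from `cookieStorage()`; the callers in CookieJarMac.mm treat a null storage as "use the shared default" (`if (!cookieStorage) return [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies];`), and `nsCookieStorage()` falls back to `sharedHTTPCookieStorage` the same way. So this patch warns in debug builds, as the title says, but does not prevent raw cookie access from the WebContent process in release; the ChangeLog should state that, and a RELEASE_ASSERT or a null-storage early return in those callers would be needed to actually enforce the rule.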
index f8418d7..bbc1beb 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
 
 #import <pal/spi/cocoa/NSURLConnectionSPI.h>
 #import <wtf/MainThread.h>
+#import <wtf/ProcessPrivilege.h>
 
 @interface WebNSHTTPCookieStorageInternal : NSObject {
 @public
@@ -79,6 +80,7 @@ CookieStorageObserver::CookieStorageObserver(NSHTTPCookieStorage *cookieStorage)
 {
     ASSERT(isMainThread());
     ASSERT(m_cookieStorage);
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
 }
 
 CookieStorageObserver::~CookieStorageObserver()
@@ -96,6 +98,7 @@ void CookieStorageObserver::startObserving(WTF::Function<void()>&& callback)
     ASSERT(isMainThread());
     ASSERT(!m_cookieChangeCallback);
     ASSERT(!m_observerAdapter);
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
 
     m_cookieChangeCallback = WTFMove(callback);
     m_observerAdapter = adoptNS([[WebCookieObserverAdapter alloc] initWithObserver:*this]);
@@ -119,6 +122,7 @@ void CookieStorageObserver::stopObserving()
     ASSERT(isMainThread());
     ASSERT(m_cookieChangeCallback);
     ASSERT(m_observerAdapter);
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
 
     [[NSNotificationCenter defaultCenter] removeObserver:m_observerAdapter.get() name:NSHTTPCookieManagerCookiesChangedNotification object:nil];
 
index 3a71807..b9a95fd 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc.  All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 #import "URL.h"
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <wtf/BlockObjCExceptions.h>
+#import <wtf/ProcessPrivilege.h>
 
 namespace WebCore {
 
 void NetworkStorageSession::setCookie(const Cookie& cookie)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
     [nsCookieStorage() setCookie:(NSHTTPCookie *)cookie];
     END_BLOCK_OBJC_EXCEPTIONS;
@@ -43,6 +46,8 @@ void NetworkStorageSession::setCookie(const Cookie& cookie)
 
 void NetworkStorageSession::setCookies(const Vector<Cookie>& cookies, const URL& url, const URL& mainDocumentURL)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     RetainPtr<NSMutableArray> nsCookies = adoptNS([[NSMutableArray alloc] initWithCapacity:cookies.size()]);
     for (const auto& cookie : cookies)
         [nsCookies addObject:(NSHTTPCookie *)cookie];
@@ -54,11 +59,15 @@ void NetworkStorageSession::setCookies(const Vector<Cookie>& cookies, const URL&
 
 void NetworkStorageSession::deleteCookie(const Cookie& cookie)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     [nsCookieStorage() deleteCookie:(NSHTTPCookie *)cookie];
 }
 
 static Vector<Cookie> nsCookiesToCookieVector(NSArray<NSHTTPCookie *> *nsCookies)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     Vector<Cookie> cookies;
     cookies.reserveInitialCapacity(nsCookies.count);
     for (NSHTTPCookie *nsCookie in nsCookies)
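Review bot: the assertion in `nsCookiesToCookieVector` guards a pure conversion of `NSHTTPCookie` objects already in hand; the raw storage access happens in its callers `getAllCookies` and `getCookies`, which assert themselves, so this one is redundant (the same applies to `filterCookies` and `applyPartitionToCookies` in CookieJarMac.mm). Keeping the assertions only at the points that actually touch `NSHTTPCookieStorage` makes it clearer which call sites are the enforcement boundary.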
@@ -69,21 +78,25 @@ static Vector<Cookie> nsCookiesToCookieVector(NSArray<NSHTTPCookie *> *nsCookies
 
 Vector<Cookie> NetworkStorageSession::getAllCookies()
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     return nsCookiesToCookieVector(nsCookieStorage().cookies);
 }
 
 Vector<Cookie> NetworkStorageSession::getCookies(const URL& url)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     return nsCookiesToCookieVector([nsCookieStorage() cookiesForURL:(NSURL *)url]);
 }
 
 void NetworkStorageSession::flushCookieStore()
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     [nsCookieStorage() _saveCookies];
 }
 
 NSHTTPCookieStorage *NetworkStorageSession::nsCookieStorage() const
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     auto cfCookieStorage = cookieStorage();
     if (!cfCookieStorage || [NSHTTPCookieStorage sharedHTTPCookieStorage]._cookieStorage == cfCookieStorage)
         return [NSHTTPCookieStorage sharedHTTPCookieStorage];
@@ -123,6 +136,11 @@ CFURLStorageSessionRef createPrivateStorageSession(CFStringRef identifier)
     CFURLCacheSetDiskCapacity(cache.get(), 0); // Setting disk cache size should not be necessary once <rdar://problem/12656814> is fixed.
     CFURLCacheSetMemoryCapacity(cache.get(), [[NSURLCache sharedURLCache] memoryCapacity]);
 
+    if (!NetworkStorageSession::processMayUseCookieAPI())
+        return storageSession.leakRef();
+
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     auto cookieStorage = adoptCF(_CFURLStorageSessionCopyCookieStorage(kCFAllocatorDefault, storageSession.get()));
     if (!cookieStorage)
         return nullptr;
index 6eec368..8624237 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -35,6 +35,7 @@
 #import "CookieStorage.h"
 #import "URL.h"
 #import <wtf/Optional.h>
+#import <wtf/ProcessPrivilege.h>
 #import <wtf/text/StringBuilder.h>
 
 @interface NSURL ()
@@ -45,6 +46,7 @@ namespace WebCore {
 
 static NSArray *httpCookies(CFHTTPCookieStorageRef cookieStorage)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     if (!cookieStorage)
         return [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies];
     
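Review bot: the blank line after the new ASSERT is inconsistent within this file: `httpCookies`, `deleteHTTPCookie`, `httpCookiesForURL`, `filterCookies` and `cookiesInPartitionForURL` have none, while `applyPartitionToCookies`, `cookiesForSession` and the later functions do (NetworkStorageSessionCocoa.mm has the same mix, e.g. `setCookie` versus `getAllCookies`). Pick one form.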
@@ -54,6 +56,7 @@ static NSArray *httpCookies(CFHTTPCookieStorageRef cookieStorage)
 
 static void deleteHTTPCookie(CFHTTPCookieStorageRef cookieStorage, NSHTTPCookie *cookie)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     if (!cookieStorage) {
         [[NSHTTPCookieStorage sharedHTTPCookieStorage] deleteCookie:cookie];
         return;
@@ -64,6 +67,7 @@ static void deleteHTTPCookie(CFHTTPCookieStorageRef cookieStorage, NSHTTPCookie
 
 static NSArray *httpCookiesForURL(CFHTTPCookieStorageRef cookieStorage, NSURL *firstParty, NSURL *url)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     if (!cookieStorage)
         cookieStorage = _CFHTTPCookieStorageGetDefault(kCFAllocatorDefault);
 
@@ -78,6 +82,7 @@ static NSArray *httpCookiesForURL(CFHTTPCookieStorageRef cookieStorage, NSURL *f
     
 static RetainPtr<NSArray> filterCookies(NSArray *unfilteredCookies)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     NSUInteger count = [unfilteredCookies count];
     RetainPtr<NSMutableArray> filteredCookies = adoptNS([[NSMutableArray alloc] initWithCapacity:count]);
 
@@ -104,6 +109,8 @@ static RetainPtr<NSArray> filterCookies(NSArray *unfilteredCookies)
 
 static NSArray *applyPartitionToCookies(NSString *partition, NSArray *cookies)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     // FIXME 24747739: CFNetwork should expose this key as SPI
     static NSString * const partitionKey = @"StoragePartition";
 
@@ -124,6 +131,7 @@ static bool cookiesAreBlockedForURL(const NetworkStorageSession& session, const
 
 static NSArray *cookiesInPartitionForURL(const NetworkStorageSession& session, const URL& firstParty, const URL& url, std::optional<uint64_t> frameID, std::optional<uint64_t> pageID)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     String partition = session.cookieStoragePartition(firstParty, url, frameID, pageID);
     if (partition.isEmpty())
         return nil;
@@ -166,6 +174,8 @@ static NSArray *cookiesForURL(const NetworkStorageSession& session, const URL& f
 enum IncludeHTTPOnlyOrNot { DoNotIncludeHTTPOnly, IncludeHTTPOnly };
 static std::pair<String, bool> cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, std::optional<uint64_t> frameID, std::optional<uint64_t> pageID, IncludeHTTPOnlyOrNot includeHTTPOnly, IncludeSecureCookies includeSecureCookies)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
 
     NSArray *cookies = cookiesForURL(session, firstParty, url, frameID, pageID);
@@ -202,6 +212,8 @@ static std::pair<String, bool> cookiesForSession(const NetworkStorageSession& se
 
 static void setHTTPCookiesForURL(CFHTTPCookieStorageRef cookieStorage, NSArray *cookies, NSURL *url, NSURL *mainDocumentURL)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     if (!cookieStorage) {
         [[NSHTTPCookieStorage sharedHTTPCookieStorage] setCookies:cookies forURL:url mainDocumentURL:mainDocumentURL];
         return;
@@ -213,6 +225,8 @@ static void setHTTPCookiesForURL(CFHTTPCookieStorageRef cookieStorage, NSArray *
 
 static void deleteAllHTTPCookies(CFHTTPCookieStorageRef cookieStorage)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     if (!cookieStorage) {
         NSHTTPCookieStorage *cookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
         NSArray *cookies = [cookieStorage cookies];
@@ -239,6 +253,8 @@ std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSessio
 
 void setCookiesFromDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, std::optional<uint64_t> frameID, std::optional<uint64_t> pageID, const String& cookieStr)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
 
     // <rdar://problem/5632883> On 10.5, NSHTTPCookieStorage would store an empty cookie,
@@ -278,6 +294,8 @@ void setCookiesFromDOM(const NetworkStorageSession& session, const URL& firstPar
 
 static NSHTTPCookieAcceptPolicy httpCookieAcceptPolicy(CFHTTPCookieStorageRef cookieStorage)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     if (!cookieStorage)
         return [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookieAcceptPolicy];
 
@@ -314,6 +332,8 @@ bool getRawCookies(const NetworkStorageSession& session, const URL& firstParty,
 
 void deleteCookie(const NetworkStorageSession& session, const URL& url, const String& cookieName)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
 
     RetainPtr<CFHTTPCookieStorageRef> cookieStorage = session.cookieStorage();
@@ -350,6 +370,8 @@ void deleteAllCookies(const NetworkStorageSession& session)
 
 void deleteCookiesForHostnames(const NetworkStorageSession& session, const Vector<String>& hostnames)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     BEGIN_BLOCK_OBJC_EXCEPTIONS;
 
     RetainPtr<CFHTTPCookieStorageRef> cookieStorage = session.cookieStorage();
@@ -379,6 +401,8 @@ void deleteCookiesForHostnames(const NetworkStorageSession& session, const Vecto
 
 void deleteAllCookiesModifiedSince(const NetworkStorageSession& session, WallTime timePoint)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     if (![NSHTTPCookieStorage instancesRespondToSelector:@selector(removeCookiesSinceDate:)])
         return;
 
index d6d2e73..99f2d6a 100644 (file)
@@ -1,3 +1,53 @@
+2018-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        Warn against cookie access in the WebContent process using ProcessPrivilege assertions
+        https://bugs.webkit.org/show_bug.cgi?id=183911
+        <rdar://problem/38762306>
+
+        Reviewed by Youenn Fablet.
+
+        Add a set of ProcessPrivilege assertions to enforce the rule that the WebContent process
+        should never call Cookie API directly. That should only happen in the Networking or
+        UIProcess. 
+
+        * NetworkProcess/Cookies/mac/WebCookieManagerMac.mm:
+        (WebKit::WebCookieManager::platformSetHTTPCookieAcceptPolicy):
+        (WebKit::WebCookieManager::platformGetHTTPCookieAcceptPolicy):
+        * NetworkProcess/NetworkProcess.cpp:
+        (WebKit::NetworkProcess::initializeNetworkProcess):
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
+        (WebKit::NetworkDataTaskCocoa::applyCookieBlockingPolicy):
+        * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+        (WebKit::NetworkProcess::setSharedHTTPCookieStorage):
+        (WebKit::NetworkProcess::syncAllCookies):
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
+        * NetworkProcess/mac/RemoteNetworkingContext.mm:
+        (WebKit::RemoteNetworkingContext::ensureWebsiteDataStoreSession):
+        * PluginProcess/PluginProcess.cpp:
+        (WebKit::PluginProcess::initializeProcess):
+        * Shared/cf/CookieStorageUtilsCF.mm:
+        (WebKit::cookieStorageFromIdentifyingData):
+        (WebKit::identifyingDataFromCookieStorage):
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+        (WebKit::privateBrowsingSession):
+        * UIProcess/WebProcessPool.cpp:
+        * UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
+        (WebKit::WebsiteDataStore::parameters):
+        * UIProcess/mac/WebCookieManagerProxyMac.mm:
+        (WebKit::WebCookieManagerProxy::persistHTTPCookieAcceptPolicy):
+        * WebProcess/InjectedBundle/InjectedBundle.cpp:
+        (WebKit::InjectedBundle::setPrivateBrowsingEnabled):
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::createNetworkingContext):
+        * WebProcess/WebCoreSupport/mac/WebFrameNetworkingContext.mm:
+        (WebKit::WebFrameNetworkingContext::ensureWebsiteDataStoreSession):
+        (WebKit::WebFrameNetworkingContext::storageSession const):
+        * WebProcess/WebProcess.cpp:
+        (WebKit::WebProcess::initializeProcess):
+
 2018-03-26  Alex Christensen  <achristensen@webkit.org>
 
         Merge ResourceHandleClient::willCacheResponseAsync with ResourceHandleClient::willCacheResponse
index 96f0bce..980bac1 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,9 +27,9 @@
 #import "WebCookieManager.h"
 
 #import "NetworkSession.h"
-#import "WebFrameNetworkingContext.h"
 #import <WebCore/NetworkStorageSession.h>
 #import <pal/spi/cf/CFNetworkSPI.h>
+#import <wtf/ProcessPrivilege.h>
 
 using namespace WebCore;
 
@@ -37,6 +37,8 @@ namespace WebKit {
 
 void WebCookieManager::platformSetHTTPCookieAcceptPolicy(HTTPCookieAcceptPolicy policy)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     [[NSHTTPCookieStorage sharedHTTPCookieStorage] setCookieAcceptPolicy:static_cast<NSHTTPCookieAcceptPolicy>(policy)];
 
     NetworkStorageSession::forEach([&] (const NetworkStorageSession& networkStorageSession) {
@@ -47,6 +49,8 @@ void WebCookieManager::platformSetHTTPCookieAcceptPolicy(HTTPCookieAcceptPolicy
 
 HTTPCookieAcceptPolicy WebCookieManager::platformGetHTTPCookieAcceptPolicy()
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     return [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookieAcceptPolicy];
 }
 
index 5f62afc..025bdbb 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2018 Sony Interactive Entertainment Inc.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -73,6 +73,7 @@
 #include <pal/SessionID.h>
 #include <wtf/CallbackAggregator.h>
 #include <wtf/OptionSet.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/RunLoop.h>
 #include <wtf/text/AtomicString.h>
 #include <wtf/text/CString.h>
@@ -209,6 +210,8 @@ void NetworkProcess::lowMemoryHandler(Critical critical)
 
 void NetworkProcess::initializeNetworkProcess(NetworkProcessCreationParameters&& parameters)
 {
+    WTF::setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials });
+    WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
     WebCore::setPresentingApplicationPID(parameters.presentingApplicationPID);
     platformInitializeNetworkProcess(parameters);
 
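Review bot: ProcessPrivilege::CanAccessCredentials is granted to the network process here, but no hunk in this patch asserts on it, so the grant is unexercised; either add the corresponding assertions on the credential paths in a follow-up or leave it out until they exist, so the set passed to WTF::setProcessPrivileges stays the documented minimum. The ordering is right: both the privilege set and permitProcessToUseCookieAPI(true) are established before platformInitializeNetworkProcess(parameters) runs, so any cookie work done during platform initialization already sees the privilege.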
index 363e3f9..95bc845 100644 (file)
@@ -41,6 +41,7 @@
 #import <WebCore/ResourceRequest.h>
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <wtf/MainThread.h>
+#import <wtf/ProcessPrivilege.h>
 #import <wtf/text/Base64.h>
 
 namespace WebKit {
@@ -120,6 +121,8 @@ NSHTTPCookieStorage *NetworkDataTaskCocoa::statelessCookieStorage()
 
 void NetworkDataTaskCocoa::applyCookieBlockingPolicy(bool shouldBlock)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     if (shouldBlock == m_hasBeenSetToUseStatelessCookieStorage)
         return;
 
index 9b68f53..a47189b 100644 (file)
@@ -41,6 +41,7 @@
 #import <WebCore/SecurityOriginData.h>
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <wtf/BlockPtr.h>
+#import <wtf/ProcessPrivilege.h>
 
 namespace WebKit {
 
@@ -208,6 +209,7 @@ void NetworkProcess::clearDiskCache(WallTime modifiedSince, Function<void ()>&&
 #if PLATFORM(MAC)
 void NetworkProcess::setSharedHTTPCookieStorage(const Vector<uint8_t>& identifier)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     [NSHTTPCookieStorage _setSharedHTTPCookieStorage:adoptNS([[NSHTTPCookieStorage alloc] _initWithCFHTTPCookieStorage:cookieStorageFromIdentifyingData(identifier).get()]).get()];
 }
 #endif
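Review bot: Style: the ASSERT added to setSharedHTTPCookieStorage (and the one in syncAllCookies in the next hunk) is not followed by a blank line, unlike every other assertion introduced in this patch; add one so the assertion reads as a separate precondition rather than part of the first statement.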
@@ -224,6 +226,7 @@ void NetworkProcess::setStorageAccessAPIEnabled(bool enabled)
 
 void NetworkProcess::syncAllCookies()
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
     _CFHTTPCookieStorageFlushCookieStores();
index 8582f82..b3c8cd6 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -50,6 +50,7 @@
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <wtf/MainThread.h>
 #import <wtf/NeverDestroyed.h>
+#import <wtf/ProcessPrivilege.h>
 
 using namespace WebKit;
 
@@ -637,6 +638,8 @@ NetworkSessionCocoa::NetworkSessionCocoa(NetworkSessionCreationParameters&& para
     : NetworkSession(parameters.sessionID)
     , m_boundInterfaceIdentifier(parameters.boundInterfaceIdentifier)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     relaxAdoptionRequirement();
 
 #if !ASSERT_DISABLED
index f7e9860..447cbc8 100644 (file)
 #include "PluginProcessCreationParameters.h"
 #include "PluginProcessProxyMessages.h"
 #include "WebProcessConnection.h"
+#include <WebCore/NetworkStorageSession.h>
 #include <WebCore/NotImplemented.h>
 #include <wtf/MemoryPressureHandler.h>
 #include <wtf/NeverDestroyed.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/RunLoop.h>
 
 #if PLATFORM(MAC)
@@ -69,6 +71,8 @@ PluginProcess::~PluginProcess()
 
 void PluginProcess::initializeProcess(const ChildProcessInitializationParameters& parameters)
 {
+    WTF::setProcessPrivileges(allPrivileges());
+    WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
     m_pluginPath = parameters.extraInitializationData.get("plugin-path");
     platformInitializeProcess(parameters);
 }
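Review bot: PluginProcess::initializeProcess grants allPrivileges(), which is broader than the { CanAccessRawCookies, CanAccessCredentials } set the network process receives in NetworkProcess::initializeNetworkProcess, and the ChangeLog gives no rationale for the difference. If the plugin process only needs the cookie API, which is what the permitProcessToUseCookieAPI(true) call on the next line suggests, grant { ProcessPrivilege::CanAccessRawCookies } explicitly so that any privilege added to allPrivileges() later is not handed to plugins by default.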
index 6987a7f..caa8637 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include "config.h"
-#include "CookieStorageUtilsCF.h"
+#import "config.h"
+#import "CookieStorageUtilsCF.h"
 
-#include <pal/spi/cocoa/NSURLConnectionSPI.h>
+#import <pal/spi/cocoa/NSURLConnectionSPI.h>
+#import <wtf/ProcessPrivilege.h>
 
 namespace WebKit {
 
 RetainPtr<CFHTTPCookieStorageRef> cookieStorageFromIdentifyingData(const Vector<uint8_t>& data)
 {
     ASSERT(!data.isEmpty());
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
 
     auto cookieStorageData = adoptCF(CFDataCreate(kCFAllocatorDefault, data.data(), data.size()));
     auto cookieStorage = adoptCF(CFHTTPCookieStorageCreateFromIdentifyingData(kCFAllocatorDefault, cookieStorageData.get()));
@@ -45,6 +47,8 @@ RetainPtr<CFHTTPCookieStorageRef> cookieStorageFromIdentifyingData(const Vector<
 
 Vector<uint8_t> identifyingDataFromCookieStorage(CFHTTPCookieStorageRef cookieStorage)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     Vector<uint8_t> result;
 
     auto cfData = adoptCF(CFHTTPCookieStorageCreateIdentifyingData(kCFAllocatorDefault, cookieStorage));
index 536ae3f..e9d3c47 100644 (file)
@@ -51,6 +51,7 @@
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <pal/spi/cocoa/NSKeyedArchiverSPI.h>
 #import <sys/param.h>
+#import <wtf/ProcessPrivilege.h>
 
 #if PLATFORM(IOS)
 #import "ArgumentCodersCF.h"
@@ -248,6 +249,7 @@ void WebProcessPool::platformInitializeWebProcess(WebProcessCreationParameters&
 
 #if PLATFORM(MAC)
     ASSERT(parameters.uiProcessCookieStorageIdentifier.isEmpty());
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     parameters.uiProcessCookieStorageIdentifier = identifyingDataFromCookieStorage([[NSHTTPCookieStorage sharedHTTPCookieStorage] _cookieStorage]);
 #endif
 #if ENABLE(MEDIA_STREAM)
@@ -310,6 +312,7 @@ void WebProcessPool::platformInitializeNetworkProcess(NetworkProcessCreationPara
 
 #if PLATFORM(MAC)
     ASSERT(parameters.uiProcessCookieStorageIdentifier.isEmpty());
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     parameters.uiProcessCookieStorageIdentifier = identifyingDataFromCookieStorage([[NSHTTPCookieStorage sharedHTTPCookieStorage] _cookieStorage]);
 #endif
 
index 351bf6a..aa29b82 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -78,6 +78,7 @@
 #include <JavaScriptCore/JSCInlines.h>
 #include <WebCore/ApplicationCacheStorage.h>
 #include <WebCore/LogInitialization.h>
+#include <WebCore/NetworkStorageSession.h>
 #include <WebCore/PlatformScreen.h>
 #include <WebCore/ResourceRequest.h>
 #include <WebCore/URLParser.h>
@@ -85,6 +86,7 @@
 #include <wtf/Language.h>
 #include <wtf/MainThread.h>
 #include <wtf/NeverDestroyed.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/RunLoop.h>
 #include <wtf/WallTime.h>
 #include <wtf/text/StringBuilder.h>
@@ -242,6 +244,12 @@ WebProcessPool::WebProcessPool(API::ProcessPoolConfiguration& configuration)
     , m_backgroundWebProcessCounter([this](RefCounterEvent) { updateProcessAssertions(); })
 #endif
 {
+    static std::once_flag onceFlag;
+    std::call_once(onceFlag, [] {
+        WTF::setProcessPrivileges(allPrivileges());
+        WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
+    });
+
     if (m_configuration->shouldHaveLegacyDataStore())
         m_websiteDataStore = API::WebsiteDataStore::createLegacy(legacyWebsiteDataStoreConfiguration(m_configuration));
 
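Review bot: std::once_flag and std::call_once come from <mutex>, and this hunk adds <WebCore/NetworkStorageSession.h> and <wtf/ProcessPrivilege.h> but not <mutex>; include it rather than relying on a transitive include. Separately, tying the UI process's privilege setup to the first WebProcessPool construction means any UI-process code that reaches the cookie API before a pool exists sees an empty privilege set and trips the new assertions (for example WebsiteDataStore::parameters() in this patch asserts CanAccessRawCookies, so a WebsiteDataStore created before any pool would hit it); a process-wide initialization point, as +[WebView initialize] does for the legacy port, would be safer than a constructor.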
index a74c2fc..daf89ed 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -34,6 +34,7 @@
 #import <WebCore/SearchPopupMenuCocoa.h>
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <wtf/NeverDestroyed.h>
+#import <wtf/ProcessPrivilege.h>
 
 #if PLATFORM(IOS)
 #import <UIKit/UIApplication.h>
@@ -52,6 +53,8 @@ static Vector<WebsiteDataStore*>& dataStoresWithStorageManagers()
 
 WebsiteDataStoreParameters WebsiteDataStore::parameters()
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     resolveDirectoriesIfNecessary();
 
     WebsiteDataStoreParameters parameters;
index 0d0e73e..eed97ab 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 #import "WebCookieManagerProxy.h"
 
 #import <pal/spi/cf/CFNetworkSPI.h>
+#import <wtf/ProcessPrivilege.h>
 
 namespace WebKit {
 
 void WebCookieManagerProxy::persistHTTPCookieAcceptPolicy(HTTPCookieAcceptPolicy policy)
 {
+    ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
+
     // FIXME: The sandbox appears to prevent persisting the new policy to disk, so we must set the
     // policy in the UI Process as well as in the Web Process (to make sure it gets set on any
     // Private Browsing Cookie Storage).
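Review bot: The FIXME directly below the new assertion says the policy must be set "in the UI Process as well as in the Web Process", which is exactly the arrangement this patch is asserting against; the platformSetHTTPCookieAcceptPolicy that this patch annotates lives in NetworkProcess/Cookies/mac/WebCookieManagerMac.mm, so update the comment to say Network Process rather than leave it pointing the next reader at the wrong process.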
index c232ffa..1b9b0c8 100644 (file)
@@ -77,6 +77,7 @@
 #include <WebCore/UserScript.h>
 #include <WebCore/UserStyleSheet.h>
 #include <pal/SessionID.h>
+#include <wtf/ProcessPrivilege.h>
 
 #if ENABLE(NOTIFICATIONS)
 #include "WebNotificationManager.h"
@@ -327,6 +328,7 @@ void InjectedBundle::setJavaScriptCanAccessClipboard(WebPageGroupProxy* pageGrou
 
 void InjectedBundle::setPrivateBrowsingEnabled(WebPageGroupProxy* pageGroup, bool enabled)
 {
+    ASSERT(!hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     if (enabled) {
         WebProcess::singleton().ensureLegacyPrivateBrowsingSessionInNetworkProcess();
         WebFrameNetworkingContext::ensureWebsiteDataStoreSession(WebsiteDataStoreParameters::legacyPrivateSessionParameters());
index c42166e..4f455f8 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -90,6 +90,7 @@
 #include <WebCore/Widget.h>
 #include <WebCore/WindowFeatures.h>
 #include <wtf/NeverDestroyed.h>
+#include <wtf/ProcessPrivilege.h>
 
 using namespace WebCore;
 
@@ -1793,6 +1794,7 @@ bool WebFrameLoaderClient::shouldForceUniversalAccessFromLocalURL(const WebCore:
 
 Ref<FrameNetworkingContext> WebFrameLoaderClient::createNetworkingContext()
 {
+    ASSERT(!hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     return WebFrameNetworkingContext::create(m_frame);
 }
 
index a54f4da..e3d4cd1 100644 (file)
@@ -38,6 +38,7 @@
 #include <WebCore/Page.h>
 #include <WebCore/ResourceError.h>
 #include <WebCore/Settings.h>
+#include <wtf/ProcessPrivilege.h>
 
 using namespace WebCore;
 
@@ -45,6 +46,7 @@ namespace WebKit {
 
 void WebFrameNetworkingContext::ensureWebsiteDataStoreSession(WebsiteDataStoreParameters&& parameters)
 {
+    ASSERT(!hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     auto sessionID = parameters.networkSessionParameters.sessionID;
     if (NetworkStorageSession::storageSession(sessionID))
         return;
@@ -88,6 +90,7 @@ ResourceError WebFrameNetworkingContext::blockedError(const ResourceRequest& req
 NetworkStorageSession& WebFrameNetworkingContext::storageSession() const
 {
     ASSERT(RunLoop::isMain());
+    ASSERT(!hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
     if (frame()) {
         if (auto* storageSession = WebCore::NetworkStorageSession::storageSession(frame()->page()->sessionID()))
             return *storageSession;
index b6fdf0a..eb0d36b 100644 (file)
 #include <WebCore/URLParser.h>
 #include <WebCore/UserGestureIndicator.h>
 #include <wtf/Language.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/RunLoop.h>
 #include <wtf/text/StringHash.h>
 
@@ -219,6 +220,8 @@ WebProcess::~WebProcess()
 
 void WebProcess::initializeProcess(const ChildProcessInitializationParameters& parameters)
 {
+    WTF::setProcessPrivileges({ });
+
     MessagePortChannelProvider::setSharedProvider(WebMessagePortChannelProvider::singleton());
     
 #if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400
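Review bot: WebProcess::initializeProcess sets an empty privilege set but, unlike every other initializer touched by this patch, does not call WebCore::NetworkStorageSession::permitProcessToUseCookieAPI; if the static defaults to false this works, but an explicit permitProcessToUseCookieAPI(false) here would state the intent and keep the two flags in sync at one site. Worth remembering that the ASSERT(!hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies)) checks added in InjectedBundle, WebFrameLoaderClient and WebFrameNetworkingContext only verify that this process never declared the privilege for itself; they are a self-reported, debug-only invariant, and the sandbox profile and the network-process IPC boundary remain the actual enforcement.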
index 0215d77..5f04d51 100644 (file)
@@ -1,3 +1,16 @@
+2018-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        Warn against cookie access in the WebContent process using ProcessPrivilege assertions
+        https://bugs.webkit.org/show_bug.cgi?id=183911
+        <rdar://problem/38762306>
+
+        Reviewed by Youenn Fablet.
+
+        Initialize the ProcessPrivilege and Cookie API access levels for single-process use.
+
+        * WebView/WebView.mm:
+        (+[WebView initialize]):
+
 2018-03-26  Alex Christensen  <achristensen@webkit.org>
 
         Merge ResourceHandleClient::willCacheResponseAsync with ResourceHandleClient::willCacheResponse
index 14c1d19..ba9c79c 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2006 David Smith (catfish.man@gmail.com)
  * Copyright (C) 2010 Igalia S.L
  *
 #import <wtf/HashTraits.h>
 #import <wtf/MainThread.h>
 #import <wtf/ObjcRuntimeExtras.h>
+#import <wtf/ProcessPrivilege.h>
 #import <wtf/RAMSize.h>
 #import <wtf/RefCountedLeakCounter.h>
 #import <wtf/RefPtr.h>
@@ -5493,6 +5494,9 @@ static Vector<String> toStringVector(NSArray* patterns)
     RunLoop::initializeMainRunLoop();
 #endif
 
+    WTF::setProcessPrivileges(allPrivileges());
+    WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
+
 #if !PLATFORM(IOS)
     [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(_applicationWillTerminate) name:NSApplicationWillTerminateNotification object:NSApp];
 #endif
index a7b9220..41ee45a 100644 (file)
@@ -1,3 +1,16 @@
+2018-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        Warn against cookie access in the WebContent process using ProcessPrivilege assertions
+        https://bugs.webkit.org/show_bug.cgi?id=183911
+        <rdar://problem/38762306>
+
+        Reviewed by Youenn Fablet.
+
+        Initialize the ProcessPrivilege and Cookie API access levels for single-process use.
+
+        * WebView.cpp:
+        (WebView::WebView):
+
 2018-03-25  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r229954.
index f6c2996..49cd7bd 100644 (file)
 #include <WebCore/MemoryCache.h>
 #include <WebCore/MemoryRelease.h>
 #include <WebCore/NavigationPolicyCheck.h>
+#include <WebCore/NetworkStorageSession.h>
 #include <WebCore/NotImplemented.h>
 #include <WebCore/Page.h>
 #include <WebCore/PageCache.h>
 #include <comdef.h>
 #include <d2d1.h>
 #include <wtf/MainThread.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/RAMSize.h>
 #include <wtf/SoftLinking.h>
 #include <wtf/UniqueRef.h>
@@ -412,6 +414,8 @@ WebView::WebView()
 {
     JSC::initializeThreading();
     RunLoop::initializeMainRunLoop();
+    WTF::setProcessPrivileges(allPrivileges());
+    WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
 
     m_backingStoreSize.cx = m_backingStoreSize.cy = 0;
 
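Review bot: WebView::WebView() runs once per WebView instance, so WTF::setProcessPrivileges(allPrivileges()) and permitProcessToUseCookieAPI(true) are re-applied every time a view is created; the Mac legacy port does this once in +[WebView initialize], and WebProcessPool guards the same two calls with std::call_once. Move these lines to a one-time initialization path, or guard them the same way, so process-wide privilege state is not rewritten from a per-object constructor.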
index 4974316..5a7a16c 100644 (file)
@@ -1,3 +1,22 @@
+2018-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        Warn against cookie access in the WebContent process using ProcessPrivilege assertions
+        https://bugs.webkit.org/show_bug.cgi?id=183911
+        <rdar://problem/38762306>
+
+        Reviewed by Youenn Fablet.
+
+        Add a set of ProcessPrivilege assertions to enforce the rule that the WebContent process
+        should never call Cookie API directly. That should only happen in the Networking or
+        UIProcess. 
+
+        * DumpRenderTree/mac/DumpRenderTree.mm:
+        (DumpRenderTreeMain):
+        * TestWebKitAPI/TestsController.cpp:
+        (TestWebKitAPI::TestsController::TestsController):
+        * WebKitTestRunner/TestController.cpp:
+        (WTR::TestController::initialize):
+
 2018-03-26  Zalan Bujtas  <zalan@apple.com>
 
         [LayoutReloaded] Add InlineText DOM interface and dependencies
index 2853315..ea65bb9 100644 (file)
@@ -59,6 +59,7 @@
 #import <CoreFoundation/CoreFoundation.h>
 #import <JavaScriptCore/TestRunnerUtils.h>
 #import <WebCore/LogInitialization.h>
+#import <WebCore/NetworkStorageSession.h>
 #import <WebKit/DOMElement.h>
 #import <WebKit/DOMExtensions.h>
 #import <WebKit/DOMRange.h>
@@ -92,6 +93,7 @@
 #import <wtf/FastMalloc.h>
 #import <wtf/LoggingAccumulator.h>
 #import <wtf/ObjcRuntimeExtras.h>
+#import <wtf/ProcessPrivilege.h>
 #import <wtf/RetainPtr.h>
 #import <wtf/Threading.h>
 #import <wtf/text/WTFString.h>
@@ -1350,6 +1352,9 @@ int DumpRenderTreeMain(int argc, const char *argv[])
 {
     atexit(atexitFunction);
 
+    WTF::setProcessPrivileges(allPrivileges());
+    WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
+
 #if PLATFORM(IOS)
     _UIApplicationLoadWebKit();
 #endif
index bc556ed..f227be4 100644 (file)
@@ -27,6 +27,7 @@
 #include "TestsController.h"
 
 #include <wtf/MainThread.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/Threading.h>
 #include <wtf/text/AtomicString.h>
 
@@ -70,6 +71,7 @@ TestsController::TestsController()
     // ThreadSafeRefCounted so that we don't have to initialize threading at all here.
     WTF::initializeThreading();
     WTF::initializeMainThread();
+    WTF::setProcessPrivileges(allPrivileges());
     AtomicString::init();
 }
 
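Review bot: TestsController::TestsController calls WTF::setProcessPrivileges(allPrivileges()) but not WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true), unlike DumpRenderTreeMain in this patch, which calls both; the same applies to TestController::initialize in the next file. For any test that uses NetworkStorageSession in-process the two flags will disagree; either add the call for consistency or note in the ChangeLog why it is not needed in these two harnesses.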
index 994efd5..ec90a10 100644 (file)
@@ -71,6 +71,7 @@
 #include <wtf/CryptographicallyRandomNumber.h>
 #include <wtf/HexNumber.h>
 #include <wtf/MainThread.h>
+#include <wtf/ProcessPrivilege.h>
 #include <wtf/RefCounted.h>
 #include <wtf/RunLoop.h>
 #include <wtf/SetForScope.h>
@@ -347,6 +348,7 @@ void TestController::initialize(int argc, const char* argv[])
 {
     JSC::initializeThreading();
     RunLoop::initializeMainRunLoop();
+    WTF::setProcessPrivileges(allPrivileges());
 
     platformInitialize();