Use isolated NSURLSessions for each first party registrable domain
https://bugs.webkit.org/show_bug.cgi?id=230750
<rdar://83159358>

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

Rebaseline WPT test that is now passing more checks.

* web-platform-tests/fetch/connection-pool/network-partition-key-expected.txt:

Source/WebCore:

Fix bug where service worker soft-update requests would have their "first-party-for-cookies"
field set to "https:" instead of a full origin (e.g. "https://localhost:8080"). This was
causing some service worker test failures now that we use different NSURLSession based on
the "first-party-for-cookies" field.

* workers/service/server/SWServer.cpp:
(WebCore::originURL):

Source/WebKit:

Previously would use up to 10 isolated NSURLSessions only for domains marked as prevalent
by ITP *and* that the user interacts with as first party website. We now use different
isolated NSURLSession for each top-level registrable domain, no matter their ITP status.
This significantly improves privacy.

To avoid having too many NSURLSession, we clear the ones that haven't been used in the
last 10 minutes, every time we add a new one.

* NetworkProcess/cocoa/NetworkSessionCocoa.h:
* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(WebKit::NetworkSessionCocoa::sessionWrapperForTask):
(WebKit::SessionSet::isolatedSession):

LayoutTests:

This test is now passing more checks on WebKit2 but still completely fails on WebKit1 so I am
adding a WK1-specific baseline.

* platform/mac-wk1/imported/w3c/web-platform-tests/fetch/connection-pool/network-partition-key-expected.txt: Copied from LayoutTests/imported/w3c/web-platform-tests/fetch/connection-pool/network-partition-key-expected.txt.


Canonical link: https://commits.webkit.org/242303@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283274 268f45cc-cd09-0410-ab3c-d52691b4dbfc
cdumez committed Sep 29, 2021
1 parent f9ae8e4 commit 601004a3c3c85813cffad8076874afd767738eae
@@ -1,3 +1,16 @@
2021-09-29 Chris Dumez <cdumez@apple.com>

Use isolated NSURLSessions for each first party registrable domain
https://bugs.webkit.org/show_bug.cgi?id=230750
<rdar://83159358>

Reviewed by Alex Christensen.

This test is now passing more checks on WebKit2 but still completely fails on WebKit1 so I am
adding a WK1-specific baseline.

* platform/mac-wk1/imported/w3c/web-platform-tests/fetch/connection-pool/network-partition-key-expected.txt: Copied from LayoutTests/imported/w3c/web-platform-tests/fetch/connection-pool/network-partition-key-expected.txt.

2021-09-29 Aditya Keerthi <akeerthi@apple.com>

[css-ui] getComputedStyle() must return the specified value for '-webkit-appearance'

This file was deleted.

This file was deleted.

@@ -1,4 +1,4 @@
Tests that the session is switched upon top frame navigation to a prevalent resource with user interaction.
Tests that the session is switched upon top frame navigation to a prevalent resource without user interaction.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

@@ -16,7 +16,7 @@
</head>
<body onload="runTest()">
<script>
description("Tests that the session is not switched upon top frame navigation to a prevalent resource without user interaction.");
description("Tests that the session is switched upon top frame navigation to a prevalent resource without user interaction.");
jsTestIsAsync = true;
const prevalentOrigin = "http://127.0.0.1:8000";
@@ -73,16 +73,18 @@
document.location.hash = "step1";
runTest();
});
break;
case "#step1":
setSessionCookie();
setPersistentCookie();
checkCookies(true, true);
if (testRunner.hasStatisticsIsolatedSession(prevalentOrigin)) {
testFailed("Origin has isolated session.");
if (testRunner.hasStatisticsIsolatedSession(prevalentOrigin))
testPassed("Origin has isolated session.");
else {
testFailed("Origin has no isolated session.");
setEnableFeature(false, finishJSTest);
} else
testPassed("Origin has no isolated session.");
document.location.href = nonPrevalentOrigin + "/resourceLoadStatistics/do-not-switch-session-on-navigation-to-prevalent-without-interaction.py#step2";
}
document.location.href = nonPrevalentOrigin + "/resourceLoadStatistics/switch-session-on-navigation-to-prevalent-without-interaction.py#step2";
break;
case "#step2":
document.location.hash = "step3";
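Review bot: In the `#step1` case the new `else` block reports `testFailed("Origin has no isolated session.")` and calls `setEnableFeature(false, finishJSTest)`, but nothing in that block stops control from reaching the `document.location.href = nonPrevalentOrigin + ...#step2` assignment that follows it, so a failing run both finishes the test and navigates away. Add a `break;` at the end of the `else` block so the failure path ends deterministically.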
@@ -97,14 +99,14 @@
});
break;
case "#step3":
document.location.href = prevalentOrigin + "/resourceLoadStatistics/do-not-switch-session-on-navigation-to-prevalent-without-interaction.py#step4";
document.location.href = prevalentOrigin + "/resourceLoadStatistics/switch-session-on-navigation-to-prevalent-without-interaction.py#step4";
break;
case "#step4":
checkCookies(true, true);
if (testRunner.hasStatisticsIsolatedSession(prevalentOrigin))
testFailed("Origin has isolated session.");
testPassed("Origin has isolated session.");
else
testPassed("Origin has no isolated session.");
testFailed("Origin has no isolated session.");
setEnableFeature(false, finishJSTest);
break;
default:
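Review bot: `#step1` and `#step4` assert only `testRunner.hasStatisticsIsolatedSession(prevalentOrigin)`, while the commit message says every top-level registrable domain gets an isolated session regardless of ITP status. Nothing here checks `nonPrevalentOrigin`, so the test would still pass if only prevalent domains were isolated. Consider adding the same check for `nonPrevalentOrigin` once the `#step2` navigation has landed, and renaming the test, since prevalence is no longer what triggers the switch.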
@@ -114,4 +116,4 @@
}
</script>
</body>
</html>''')
</html>''')
@@ -1,3 +1,15 @@
2021-09-29 Chris Dumez <cdumez@apple.com>

Use isolated NSURLSessions for each first party registrable domain
https://bugs.webkit.org/show_bug.cgi?id=230750
<rdar://83159358>

Reviewed by Alex Christensen.

Rebaseline WPT test that is now passing more checks.

* web-platform-tests/fetch/connection-pool/network-partition-key-expected.txt:

2021-09-29 Aditya Keerthi <akeerthi@apple.com>

[css-ui] getComputedStyle() must return the specified value for '-webkit-appearance'
@@ -1,12 +1,12 @@


FAIL With credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Without credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Cross-site resources with credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Cross-site resources without credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Iframes promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Workers promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Workers with cross-site resources promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
PASS With credentials
PASS Without credentials
PASS Cross-site resources with credentials
PASS Cross-site resources without credentials
PASS Iframes
PASS Workers
PASS Workers with cross-site resources
FAIL CSP sandbox promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL about:blank from opaque origin iframe promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""

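Review bot: Two subtests stay at FAIL after this rebaseline, "CSP sandbox" and "about:blank from opaque origin iframe", both still reporting "Multiple partition IDs used on a socket". The ChangeLog says only that the test is now passing more checks; name these two remaining cases there and link a follow-up bug, because they record a connection that is still being reused across partition keys.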
@@ -896,8 +896,6 @@ webkit.org/b/209403 fast/forms/placeholder-content-center.html [ ImageOnlyFailur

webkit.org/b/209727 fast/forms/placeholder-content-line-height.html [ ImageOnlyFailure ]

webkit.org/b/210487 http/tests/resourceLoadStatistics/switch-session-on-navigation-to-prevalent-with-interaction.py [ Failure ]

webkit.org/b/210796 http/tests/resourceLoadStatistics/standalone-web-application-exempt-from-website-data-deletion.html [ Failure ]

webkit.org/b/210849 compositing/overflow/rtl-scrollbar-layer-positioning.html [ Failure ]
@@ -0,0 +1,12 @@


FAIL With credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Without credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Cross-site resources with credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Cross-site resources without credentials promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Iframes promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Workers promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL Workers with cross-site resources promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL CSP sandbox promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""
FAIL about:blank from opaque origin iframe promise_test: Unhandled rejection with value: "assert_equals: Socket unexpectedly reused expected \"ok\" but got \"Multiple partition IDs used on a socket\""

@@ -598,8 +598,6 @@ webkit.org/b/210236 webgl/webgl-vertex-array-object-defined.html [ Failure ]
webkit.org/b/210262 fast/selectors/text-field-selection-stroke-color.html [ ImageOnlyFailure ]
webkit.org/b/210262 fast/selectors/text-field-selection-text-shadow.html [ ImageOnlyFailure ]

webkit.org/b/210487 http/tests/resourceLoadStatistics/switch-session-on-navigation-to-prevalent-with-interaction.py [ Failure ]

webkit.org/b/211563 fast/text-indicator/text-indicator-estimated-color-with-implicit-newline.html [ Failure ]

# Only enabled on Mac/iOS so far.
@@ -1,3 +1,19 @@
2021-09-29 Chris Dumez <cdumez@apple.com>

Use isolated NSURLSessions for each first party registrable domain
https://bugs.webkit.org/show_bug.cgi?id=230750
<rdar://83159358>

Reviewed by Alex Christensen.

Fix bug where service worker soft-update requests would have their "first-party-for-cookies"
field set to "https:" instead of a full origin (e.g. "https://localhost:8080"). This was
causing some service worker test failures now that we use different NSURLSession based on
the "first-party-for-cookies" field.

* workers/service/server/SWServer.cpp:
(WebCore::originURL):

2021-09-29 Devin Rousso <drousso@apple.com>

Allow `DrawGlyphsRecorder` to be used with any `GraphicsContext` instead of just `DisplayList::Recorder`
@@ -440,11 +440,7 @@ void SWServer::resolveUnregistrationJob(const ServiceWorkerJobData& jobData, con

URL static inline originURL(const SecurityOrigin& origin)
{
URL url;
url.setProtocol(origin.protocol());
url.setHost(origin.host());
url.setPort(origin.port());
return url;
return URL(URL(), origin.data().toString());
}

void SWServer::startScriptFetch(const ServiceWorkerJobData& jobData, SWServerRegistration& registration)
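Review bot: `originURL()` now relies on `origin.data().toString()` parsing back into a valid URL, and the hunk does not show what is returned when it does not. Per the ChangeLog the result ends up in the "first-party-for-cookies" field that now selects the NSURLSession, so add an assertion or an explicit fallback for an invalid result, plus a one-line comment recording why the setter-based version produced "https:" so it is not reintroduced.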
@@ -1,3 +1,24 @@
2021-09-29 Chris Dumez <cdumez@apple.com>

Use isolated NSURLSessions for each first party registrable domain
https://bugs.webkit.org/show_bug.cgi?id=230750
<rdar://83159358>

Reviewed by Alex Christensen.

Previously would use up to 10 isolated NSURLSessions only for domains marked as prevalent
by ITP *and* that the user interacts with as first party website. We now use different
isolated NSURLSession for each top-level registrable domain, not matter their ITP status.
This significantly improves privacy.

To avoid having too many NSURLSession, we clear the ones that haven't been used in the
last 10 minutes, every time we add a new one.

* NetworkProcess/cocoa/NetworkSessionCocoa.h:
* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(WebKit::NetworkSessionCocoa::sessionWrapperForTask):
(WebKit::SessionSet::isolatedSession):

2021-09-29 Sihui Liu <sihui_liu@apple.com>

Replace FileSystemHandleImpl with FileSystemStorageConnection
@@ -69,7 +69,7 @@ struct IsolatedSession {
public:
SessionWrapper sessionWithCredentialStorage;
SessionWrapper sessionWithoutCredentialStorage;
WallTime lastUsed;
MonotonicTime lastUsed;
};

struct SessionSet : public RefCounted<SessionSet>, public CanMakeWeakPtr<SessionSet> {
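Review bot: `lastUsed` in `IsolatedSession` has no comment and no initializer, and after the move from `WallTime` to `MonotonicTime` it is not stated which notion of elapsed time the cleanup described in the ChangeLog (sessions not used in the last 10 minutes) is meant to use. Add a comment on the field saying it is the timestamp compared against that 10-minute threshold and whether time spent with the system asleep should count toward it, and make sure it is set when the session is created so a new entry is never treated as stale.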
