Skip to content
Permalink
Browse files
Support integrity="" on module scripts
https://bugs.webkit.org/show_bug.cgi?id=177959

Reviewed by Sam Weinig.

Source/JavaScriptCore:

This patch adds Subresource Integrity check for module scripts. Currently,
only top-level module can be verified with integrity parameter since there
is no way to perform integrity check onto the imported modules.

In JSC side, we add `parameters` to the entry point of the module loader
pipeline. This is fetching parameters and used when fetching modules.

We separately pass this parameters to the pipeline along with the script fetcher.
The script fetcher is only one for module graph since this is the initiator of
this module graph loading. On the other hand, this parameters is for each
module fetching. While setting "integrity" parameters to this script fetcher is
sufficient to pass parameters to top-level-module's fetching, it is not enough
for the future extension.

In the future, we will investigate a way to pass parameters to each non-top-level
module. At that time, this `parameters` should be per-module. This is because
"integrity" value should be different for each module. For example, we will accept
some form of syntax to add parameters to `import`. Some proposed syntax is like
https://discourse.wicg.io/t/specifying-nonce-or-integrity-when-importing-modules/1861

import "./xxx.js" integrity "xxxxxxx"

In this case, this `parameters` will be passed to "./xxx.js" module fetching. This
`parameters` should be different from the one of top-level-module's one. That's why
we need per-module `parameters` and why this patch adds `parameters` to the module pipeline.

On the other hand, we also want to keep script fetcher. This `per-module-graph` thing
is important to offer module-graph-wide information. For example, import.meta would
have `import.meta.scriptElement`, which is the script element fetching the module graph
including this. So, we keep the both, script fetcher and parameters.
https://github.com/tc39/proposal-import-meta

This parameters will be finally used by pipeline's fetch hook, and WebCore side
can use this parameters to fetch modules.

We also further clean up the module pipeline by dropping unnecessary features.

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* builtins/ModuleLoaderPrototype.js:
(requestFetch):
(requestInstantiate):
(requestSatisfy):
(loadModule):
(loadAndEvaluateModule):
This loadAndEvaluateModule should be implemented by just calling loadModule and
linkAndEvaluateModule. We can drop requestReady and requestLink.

(requestLink): Deleted.
(requestImportModule): Deleted.
* jsc.cpp:
(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderFetch):
import and fetch hook takes parameters. Currently, we always pass `undefined` for
import hook. When dynamic `import()` is extended to accept additional parameters
like integrity, this parameters will be replaced with the actual value.

(functionLoadModule):
(runWithOptions):
* runtime/Completion.cpp:
(JSC::loadAndEvaluateModule):
(JSC::loadModule):
(JSC::importModule):
* runtime/Completion.h:
* runtime/JSGlobalObject.h:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncImportModule):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::requestImportModule):
(JSC::JSModuleLoader::importModule):
(JSC::JSModuleLoader::fetch):
* runtime/JSModuleLoader.h:
* runtime/JSScriptFetchParameters.cpp: Added.
(JSC::JSScriptFetchParameters::destroy):
* runtime/JSScriptFetchParameters.h: Added.
(JSC::JSScriptFetchParameters::createStructure):
(JSC::JSScriptFetchParameters::create):
(JSC::JSScriptFetchParameters::parameters const):
(JSC::JSScriptFetchParameters::JSScriptFetchParameters):
Add ScriptFetchParameters' JSCell wrapper, JSScriptFetchParameters.
It is used in the module pipeline.

* runtime/JSType.h:
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeFetch):
* runtime/ScriptFetchParameters.h: Added.
(JSC::ScriptFetchParameters::~ScriptFetchParameters):
Add ScriptFetchParameters. We can define our own custom ScriptFetchParameters
by inheriting this class. WebCore creates ModuleFetchParameters by inheriting
this.

* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

Source/WebCore:

This patch extends module hooks to accept fetching parameters.
When starting fetching modules, WebCore creates ModuleFetchParameters.
And this parameters is propagated to the fetch hook. Then, fetch
hook can use this parameters to fetch modules.

This parameters only contains `integrity` field. This "integrity" is
used to perform subresource integrity check in module loader pipeline.
And this error is just proparaged as errors in module pipeline, which
is the same to the other types of errors in module pipeline.

Test: http/tests/subresource-integrity/sri-module.html

* ForwardingHeaders/runtime/JSScriptFetchParameters.h: Added.
* ForwardingHeaders/runtime/ScriptFetchParameters.h: Added.
* WebCore.xcodeproj/project.pbxproj:
* bindings/js/CachedModuleScriptLoader.cpp:
(WebCore::CachedModuleScriptLoader::create):
(WebCore::CachedModuleScriptLoader::CachedModuleScriptLoader):
Take parameters, which includes "integrity".

* bindings/js/CachedModuleScriptLoader.h:
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::moduleLoaderFetch):
(WebCore::JSDOMWindowBase::moduleLoaderImportModule):
import and fetch hooks take parameters.

* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSMainThreadExecState.h:
(WebCore::JSMainThreadExecState::loadModule):
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::loadModuleScriptInWorld):
(WebCore::ScriptController::loadModuleScript):
Pass parameters to the entry point of the module pipeline.

* bindings/js/ScriptController.h:
* bindings/js/ScriptModuleLoader.cpp:
(WebCore::ScriptModuleLoader::fetch):
If parameters are passed, we set them to CachedModuleScriptLoader.

(WebCore::ScriptModuleLoader::importModule):
Pass parameters to the entry point of dynamic import.

(WebCore::ScriptModuleLoader::notifyFinished):
If script loader has parameters, we perform subresource integrity check here.

* bindings/js/ScriptModuleLoader.h:
* dom/LoadableModuleScript.cpp:
(WebCore::LoadableModuleScript::create):
(WebCore::LoadableModuleScript::LoadableModuleScript):
(WebCore::LoadableModuleScript::load):
Create ModuleFetchParameters with "integrity" value.

* dom/LoadableModuleScript.h:
* dom/ModuleFetchParameters.h: Copied from Source/WebCore/bindings/js/CachedModuleScriptLoader.h.
(WebCore::ModuleFetchParameters::create):
(WebCore::ModuleFetchParameters::integrity const):
(WebCore::ModuleFetchParameters::ModuleFetchParameters):
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestModuleScript):
Pass "integrity" value to the module script.

LayoutTests:

* http/tests/subresource-integrity/resources/crossorigin-anon-script-module.js: Added.
* http/tests/subresource-integrity/resources/crossorigin-creds-script-module.js: Added.
* http/tests/subresource-integrity/resources/crossorigin-ineligible-script-module.js: Added.
* http/tests/subresource-integrity/resources/matching-digest-module.js: Added.
* http/tests/subresource-integrity/resources/non-matching-digest-module.js: Added.
* http/tests/subresource-integrity/resources/sri-utilities.js:
(add_result_callback):
(SRIModuleTest):
(SRIModuleTest.prototype.execute):
* http/tests/subresource-integrity/sri-module-expected.txt: Added.
* http/tests/subresource-integrity/sri-module.html: Added.
* js/dom/modules/module-inline-ignore-integrity-expected.txt: Added.
* js/dom/modules/module-inline-ignore-integrity.html: Added.
* js/dom/modules/module-integrity-non-top-level-expected.txt: Added.
* js/dom/modules/module-integrity-non-top-level.html: Added.
* js/dom/modules/script-tests/module-integrity-non-top-level-2.js: Added.
* js/dom/modules/script-tests/module-integrity-non-top-level.js: Added.


Canonical link: https://commits.webkit.org/194461@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@223237 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
Constellation committed Oct 12, 2017
1 parent 641cd81 commit ae8c45521208738973efc644b9955a69394d3da5
Showing 50 changed files with 940 additions and 158 deletions.
@@ -1,3 +1,28 @@
2017-10-12 Yusuke Suzuki <utatane.tea@gmail.com>

Support integrity="" on module scripts
https://bugs.webkit.org/show_bug.cgi?id=177959

Reviewed by Sam Weinig.

* http/tests/subresource-integrity/resources/crossorigin-anon-script-module.js: Added.
* http/tests/subresource-integrity/resources/crossorigin-creds-script-module.js: Added.
* http/tests/subresource-integrity/resources/crossorigin-ineligible-script-module.js: Added.
* http/tests/subresource-integrity/resources/matching-digest-module.js: Added.
* http/tests/subresource-integrity/resources/non-matching-digest-module.js: Added.
* http/tests/subresource-integrity/resources/sri-utilities.js:
(add_result_callback):
(SRIModuleTest):
(SRIModuleTest.prototype.execute):
* http/tests/subresource-integrity/sri-module-expected.txt: Added.
* http/tests/subresource-integrity/sri-module.html: Added.
* js/dom/modules/module-inline-ignore-integrity-expected.txt: Added.
* js/dom/modules/module-inline-ignore-integrity.html: Added.
* js/dom/modules/module-integrity-non-top-level-expected.txt: Added.
* js/dom/modules/module-integrity-non-top-level.html: Added.
* js/dom/modules/script-tests/module-integrity-non-top-level-2.js: Added.
* js/dom/modules/script-tests/module-integrity-non-top-level.js: Added.

2017-10-11 Per Arne Vollan <pvollan@apple.com>

Mark http/tests/cache-storage/cache-clearing.https.html as failing on Windows.
@@ -0,0 +1 @@
window.crossorigin_anon_script=true;
@@ -0,0 +1 @@
window.crossorigin_creds_script=true;
@@ -0,0 +1 @@
window.crossorigin_ineligible_script=true;
@@ -0,0 +1 @@
window.matching_digest=true;
@@ -0,0 +1 @@
window.non_matching_digest=true;
@@ -6,7 +6,7 @@ SRITests.execute = function() {
}

add_result_callback(function(res) {
if (res.name.startsWith("Script: ") || res.name.startsWith("Style: ")) {
if (res.name.startsWith("Script: ") || res.name.startsWith("Style: ") || res.name.startsWith("Module: ")) {
SRITests.execute();
}
});
@@ -107,3 +107,40 @@ SRIStyleTest.prototype.execute = function() {
container.appendChild(e);
this.customCallback(e, container);
};

var SRIModuleURLCounter = 0;
var SRIModuleTest = function(pass, name, src, integrityValue, crossoriginValue) {
this.pass = pass;
this.name = "Module: " + name;
this.src = src;
this.integrityValue = integrityValue;
this.crossoriginValue = crossoriginValue;

this.test = async_test(this.name);

this.queue = SRITests;
this.queue.push(this);
}

SRIModuleTest.prototype.execute = function() {
var test = this.test;
var e = document.createElement("script");
e.type = "module";
e.src = this.src + "#" + (SRIModuleURLCounter++);
e.setAttribute("integrity", this.integrityValue);
if(this.crossoriginValue) {
e.setAttribute("crossorigin", this.crossoriginValue);
}
if(this.pass) {
e.addEventListener("load", function() {test.done()});
e.addEventListener("error", function() {
test.step(function(){ assert_unreached("Good load fired error handler.") })
});
} else {
e.addEventListener("load", function() {
test.step(function() { assert_unreached("Bad load succeeded.") })
});
e.addEventListener("error", function() {test.done()});
}
document.body.appendChild(e);
};
@@ -0,0 +1,32 @@
CONSOLE MESSAGE: TypeError: Cannot load script http://127.0.0.1:8000/subresource-integrity/resources/non-matching-digest-module.js. Failed integrity metadata check.
CONSOLE MESSAGE: TypeError: Cannot load script http://127.0.0.1:8000/subresource-integrity/resources/matching-digest-module.js. Failed integrity metadata check.
CONSOLE MESSAGE: TypeError: Cannot load script http://localhost:8000/subresource-integrity/resources/crossorigin-anon-script-module.js. Failed integrity metadata check.
CONSOLE MESSAGE: TypeError: Cannot load script http://localhost:8000/subresource-integrity/resources/crossorigin-creds-script-module.js. Failed integrity metadata check.
CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
CONSOLE MESSAGE: TypeError: Cannot load script http://127.0.0.1:8000/subresource-integrity/resources/matching-digest-module.js. Failed integrity metadata check.
CONSOLE MESSAGE: TypeError: Cannot load script http://127.0.0.1:8000/subresource-integrity/resources/matching-digest-module.js. Failed integrity metadata check.

PASS Module: Same-origin with correct sha256 hash.
PASS Module: Same-origin with correct sha384 hash.
PASS Module: Same-origin with correct sha512 hash.
PASS Module: Same-origin with empty integrity.
PASS Module: Same-origin with incorrect hash.
PASS Module: Same-origin with multiple sha256 hashes, including correct.
PASS Module: Same-origin with multiple sha256 hashes, including unknown algorithm.
PASS Module: Same-origin with sha256 mismatch, sha512 match
PASS Module: Same-origin with sha256 match, sha512 mismatch
PASS Module: <crossorigin='anonymous'> with correct hash, ACAO: *
PASS Module: <crossorigin='anonymous'> with incorrect hash, ACAO: *
PASS Module: <crossorigin='use-credentials'> with correct hash, CORS-eligible
PASS Module: <crossorigin='use-credentials'> with incorrect hash CORS-eligible
PASS Module: <crossorigin='anonymous'> with CORS-ineligible resource
PASS Module: Cross-origin, empty integrity
PASS Module: Same-origin with correct hash, options.
PASS Module: Same-origin with unknown algorithm only.
PASS Module: Same-origin with correct sha256 hash, using base64URL encoding.
PASS Module: Same-origin with correct sha256 hash, using intermixed base64 and base64URL encoding, should fail.
PASS Module: Same-origin with invalid syntax only.
PASS Module: Same-origin with multiple valid sha256 hashes, including correct.
PASS Module: Same-origin with incorrect hash, options.

@@ -0,0 +1,192 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script src="/js-test-resources/testharness.js"></script>
<script src="/js-test-resources/testharnessreport.js"></script>
<script src="resources/sri-utilities.js"></script>
</head>
<body>
<div id="log"></div>
<div id="container"></div>
<script>

var main_host = '127.0.0.1';
var remote_host = 'localhost';
var port_string = "8000";
var main_host_and_port = main_host + ':' + port_string;
var remote_host_and_port = remote_host + ':' + port_string;

var crossorigin_anon_script = location.protocol + '//' + remote_host_and_port + '/subresource-integrity/resources/crossorigin-anon-script-module.js';
var crossorigin_creds_script = location.protocol + '//' + remote_host_and_port + '/subresource-integrity/resources/crossorigin-creds-script-module.js';
var crossorigin_ineligible_script = location.protocol + '//' + remote_host_and_port + '/subresource-integrity/resources/crossorigin-ineligible-script-module.js';

// Script tests from web-platform-tests/subresource-integrity

new SRIModuleTest(
true,
"Same-origin with correct sha256 hash.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU="
);

new SRIModuleTest(
true,
"Same-origin with correct sha384 hash.",
"resources/matching-digest-module.js",
"sha384-g8fn+xx4btmBZDJlonZNN+dDSYjP5NsMqlJw0CSN6oGG+6MSH71sRhEPeAcRUMqJ"
);

new SRIModuleTest(
true,
"Same-origin with correct sha512 hash.",
"resources/matching-digest-module.js",
"sha512-v+XJeYrctfE2nOuR5oCz/JzMyhSzUtbmG4YEy2YbeAUzr+QaW3WmSdWAL9/JrSPFJW8BkLo5jQTO8GaWcNtRRg=="
);

new SRIModuleTest(
true,
"Same-origin with empty integrity.",
"resources/matching-digest-module.js",
""
);

new SRIModuleTest(
false,
"Same-origin with incorrect hash.",
"resources/non-matching-digest-module.js",
"sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU="
);

new SRIModuleTest(
true,
"Same-origin with multiple sha256 hashes, including correct.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU= sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
);

new SRIModuleTest(
true,
"Same-origin with multiple sha256 hashes, including unknown algorithm.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU= foo666-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
);

new SRIModuleTest(
true,
"Same-origin with sha256 mismatch, sha512 match",
"resources/matching-digest-module.js",
"sha512-v+XJeYrctfE2nOuR5oCz/JzMyhSzUtbmG4YEy2YbeAUzr+QaW3WmSdWAL9/JrSPFJW8BkLo5jQTO8GaWcNtRRg== sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
);

new SRIModuleTest(
false,
"Same-origin with sha256 match, sha512 mismatch",
"resources/matching-digest-module.js",
"sha512-deadbeefspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZapo8bCJUpyPPLAzE9fDzpxg== sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU="
);

new SRIModuleTest(
true,
"<crossorigin='anonymous'> with correct hash, ACAO: *",
crossorigin_anon_script,
"sha256-viLyCYB6YddJKjUAJ4dZ1eHe+242Dd7wTICmvNj2IAA=",
"anonymous"
);

new SRIModuleTest(
false,
"<crossorigin='anonymous'> with incorrect hash, ACAO: *",
crossorigin_anon_script,
"sha256-deadbeefcSLlbFZCj1OACLxTxVck2TOrBTEdUbwz1yU=",
"anonymous"
);

new SRIModuleTest(
true,
"<crossorigin='use-credentials'> with correct hash, CORS-eligible",
crossorigin_creds_script,
"sha256-NngWiHG2N6KWjHhOcgGuF0iJXKR+MPMxl3Ip6wDAEGg=",
"use-credentials"
);

new SRIModuleTest(
false,
"<crossorigin='use-credentials'> with incorrect hash CORS-eligible",
crossorigin_creds_script,
"sha256-deadbeef2S+pTRZgiw3DWrhC6JLDlt2zRyGpwH7unU8=",
"use-credentials"
);

new SRIModuleTest(
false,
"<crossorigin='anonymous'> with CORS-ineligible resource",
crossorigin_ineligible_script,
"sha256-IhB+PkTnIf881zBDWNEOJ6pKtju9Kiw+L1fK5Zn/pl0=",
"anonymous"
);

new SRIModuleTest(
true,
"Cross-origin, empty integrity",
crossorigin_anon_script,
""
);

new SRIModuleTest(
true,
"Same-origin with correct hash, options.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU=?foo=bar?spam=eggs"
);

new SRIModuleTest(
true,
"Same-origin with unknown algorithm only.",
"resources/matching-digest-module.js",
"foo666-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E="
);

// WebKit additions to the web-platform-tests test cases.
// FIXME: Upstream these additional tests to the official web-platform-tests repository.

new SRIModuleTest(
true,
"Same-origin with correct sha256 hash, using base64URL encoding.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7_mRbKhzarnRYlsJWz5XTNcsqPFzKEx-zSU="
);

new SRIModuleTest(
false,
"Same-origin with correct sha256 hash, using intermixed base64 and base64URL encoding, should fail.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7_mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU="
);

new SRIModuleTest(
true,
"Same-origin with invalid syntax only.",
"resources/matching-digest-module.js",
"?foo=bar?spam=eggs"
);

new SRIModuleTest(
true,
"Same-origin with multiple valid sha256 hashes, including correct.",
"resources/matching-digest-module.js",
"sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU= sha256-cWh9nPfm7/mRbKhzarnRYlsJWz5XTNcsqPFzKEx+zSU="
);

new SRIModuleTest(
false,
"Same-origin with incorrect hash, options.",
"resources/matching-digest-module.js",
"sha256-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9e=?foo=bar?spam=eggs"
);

SRITests.execute();

</script>
</body>
</html>
@@ -0,0 +1,3 @@

PASS Inline module script ignores integrity

@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>
<head>
<title>Inline module script ignores integrity</title>
<script src="../../../resources/testharness.js"></script>
<script src="../../../resources/testharnessreport.js"></script>
</head>
<body>
<script>
promise_test(() => {
return new Promise(function (resolve, reject) {
var script = document.createElement('script');
script.type = 'module';
script.textContent = `window.inlineModuleIsExecuted = true`;
script.integrity = 'sha256-deadbeef';
script.onload = function () {
assert_equals(window.inlineModuleIsExecuted, true);
resolve();
};
script.onerror = reject;
document.body.appendChild(script);
});
}, 'Inline module script ignores integrity');
</script>
</body>
</html>
@@ -0,0 +1,3 @@

PASS Non top level module script should work even with integrity

@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>
<head>
<title>Non top level module script should work even with integrity</title>
<script src="../../../resources/testharness.js"></script>
<script src="../../../resources/testharnessreport.js"></script>
</head>
<body>
<script>
promise_test(() => {
return new Promise(function (resolve, reject) {
var script = document.createElement('script');
script.type = 'module';
script.src = './script-tests/module-integrity-non-top-level.js';
script.integrity = 'sha256-XLav4d6mPNJP39uTWTzatQ7c3DqGXT1GyIb+3tnr7kA=';
script.onload = function () {
assert_equals(window.nonTopLevelModuleIsExecuted, true);
resolve();
};
script.onerror = reject;
document.body.appendChild(script);
});
}, 'Non top level module script should work even with integrity');
</script>
</body>
</html>
@@ -0,0 +1 @@
window.nonTopLevelModuleIsExecuted = true;
@@ -0,0 +1 @@
import "./module-integrity-non-top-level-2.js";

0 comments on commit ae8c455

Please sign in to comment.