database names leak cross-origin within the same browser session

https://bugs.webkit.org/show_bug.cgi?id=233548 Reviewed by Geoff Garen. Source/WebCore: Test: http/tests/security/getdatabases-crossorigin.html * Modules/indexeddb/server/IDBServer.cpp: (WebCore::IDBServer::IDBServer::getAllDatabaseNamesAndVersions): When iterating the set of all open UniqueIDBDatabases, only add them to the results list if their origins match. * page/ClientOrigin.h: (WebCore::ClientOrigin::operator!= const): LayoutTests: * http/tests/security/getdatabases-crossorigin-expected.txt: Added. * http/tests/security/getdatabases-crossorigin.html: Added. * http/tests/security/resources/getdatabases-otherframe.html: Added. * http/tests/security/resources/getdatabases-otherwindow.html: Added. Canonical link: https://commits.webkit.org/246098@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288078 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jan 17, 2022 · f73005e · f73005e
1 parent 0046734
commit f73005e
Show file tree

Hide file tree

Showing 8 changed files with 97 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2022-01-16  Brady Eidson  <beidson@apple.com>
+
+        database names leak cross-origin within the same browser session
+        https://bugs.webkit.org/show_bug.cgi?id=233548
+
+        Reviewed by Geoff Garen.
+
+        * http/tests/security/getdatabases-crossorigin-expected.txt: Added.
+        * http/tests/security/getdatabases-crossorigin.html: Added.
+        * http/tests/security/resources/getdatabases-otherframe.html: Added.
+        * http/tests/security/resources/getdatabases-otherwindow.html: Added.
+
 2022-01-16  Fujii Hironori  <Hironori.Fujii@sony.com>
 
         [WinCairo] Unreviewed test gardening

diff --git a/LayoutTests/http/tests/security/getdatabases-crossorigin-expected.txt b/LayoutTests/http/tests/security/getdatabases-crossorigin-expected.txt
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Message received from other context
+CONSOLE MESSAGE: Message received from other context
+CONSOLE MESSAGE: PASS
+
diff --git a/LayoutTests/http/tests/security/getdatabases-crossorigin.html b/LayoutTests/http/tests/security/getdatabases-crossorigin.html
@@ -0,0 +1,43 @@
+<!-- webkit-test-runner [ JavaScriptCanOpenWindowsAutomatically=true ] -->
+<html>
+<head>
+<script>
+
+if (window.location.hostname == "localhost")
+    console.log("FAIL: Must be run as 127.0.0.1, not localhost");
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+var messagesReceived = 0;
+
+window.onmessage = function(event) {
+    console.log("Message received from other context")
+
+    if (++messagesReceived < 2)
+        return;
+
+    indexedDB.databases().then((result) => {
+        databases = result;
+        if (databases.length != 0)
+            console.log("FAIL: There are " + databases.length + " database(s) when there should be 0");
+        else
+            console.log("PASS");
+        if (testRunner)
+            testRunner.notifyDone();
+    });
+};
+
+function openOtherWindow()
+{
+    window.open("http://localhost:8000/security/resources/getdatabases-otherwindow.html")
+}
+
+</script>
+</head>
+<body onload="openOtherWindow()">
+<iframe src="http://localhost:8000/security/resources/getdatabases-otherframe.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/resources/getdatabases-otherframe.html b/LayoutTests/http/tests/security/resources/getdatabases-otherframe.html
@@ -0,0 +1,9 @@
+<head>
+<script>
+indexedDB.deleteDatabase('getdatabase-otherframe').onsuccess = () => {
+    indexedDB.open('getdatabase-otherframe').onsuccess = () => {
+        window.parent.postMessage("Hi there!", "*");
+    }        
+}
+</script>
+</head>
diff --git a/LayoutTests/http/tests/security/resources/getdatabases-otherwindow.html b/LayoutTests/http/tests/security/resources/getdatabases-otherwindow.html
@@ -0,0 +1,9 @@
+<head>
+<script>
+indexedDB.deleteDatabase('getdatabase-otherwindow').onsuccess = () => {
+    indexedDB.open('getdatabase-otherwindow').onsuccess = () => {
+        window.opener.postMessage("Hi there!", "*");
+    }        
+}
+</script>
+</head>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2022-01-16  Brady Eidson  <beidson@apple.com>
+
+        database names leak cross-origin within the same browser session
+        https://bugs.webkit.org/show_bug.cgi?id=233548
+
+        Reviewed by Geoff Garen.
+
+        Test: http/tests/security/getdatabases-crossorigin.html
+
+        * Modules/indexeddb/server/IDBServer.cpp:
+        (WebCore::IDBServer::IDBServer::getAllDatabaseNamesAndVersions): When iterating the set of all open
+          UniqueIDBDatabases, only add them to the results list if their origins match.
+
+        * page/ClientOrigin.h:
+        (WebCore::ClientOrigin::operator!= const):
+
 2022-01-16  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [Win] Use character names instead of codepoint values in overrideControlCharacters()

diff --git a/Source/WebCore/Modules/indexeddb/server/IDBServer.cpp b/Source/WebCore/Modules/indexeddb/server/IDBServer.cpp
@@ -530,6 +530,9 @@ void IDBServer::getAllDatabaseNamesAndVersions(IDBConnectionIdentifier serverCon
     HashSet<String> visitedDatabasePaths;
 
     for (auto& database : m_uniqueIDBDatabaseMap.values()) {
+        if (database->identifier().origin() != origin)
+            continue;
+
         auto path = database->filePath();
         if (!path.isEmpty())
             visitedDatabasePaths.add(path);

diff --git a/Source/WebCore/page/ClientOrigin.h b/Source/WebCore/page/ClientOrigin.h
@@ -37,6 +37,7 @@ struct ClientOrigin {
 
     unsigned hash() const;
     bool operator==(const ClientOrigin&) const;
+    bool operator!=(const ClientOrigin& other) const { return !(*this == other); }
 
     template<class Encoder> void encode(Encoder&) const;
     template<class Decoder> static std::optional<ClientOrigin> decode(Decoder&);