Permissions.query should return 'prompt' for unique origins #3575
Conversation
EWS run on previous version of this PR (hash d176605)
This doesn't look great. How do we end up with a security origin data that has data members that are empty but not null?
Maybe we should fix that instead?
Having 2 states for security origin data (null & empty) adds complexity and I don't understand why we'd need both (and why we'd need to differentiate them)
I kind of agree with Chris: What is the null security origin, and how does it differ from the empty security origin? At first glance the distinction is super subtle -- and subtle is not good for security!
My proposal offline was to:
Right, this is probably too subtle. The patch should probably have added an isUnique instead of isNullOrEmpty.
I think a check in UIProcess better integrates with how we handle permission computation.
Branch force-pushed from d176605 to 4ea0d4c
EWS run on previous version of this PR (hash 4ea0d4c)
Branch force-pushed from 4ea0d4c to 8120f61
@@ -8840,6 +8840,12 @@ void WebPageProxy::revokeGeolocationAuthorizationToken(const String& authorizati | |||
m_geolocationPermissionRequestManager.revokeAuthorizationToken(authorizationToken); | |||
} | |||
|
|||
static bool isOriginUnique(const SecurityOriginData& origin) |
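Review bot: the empty-but-not-null convention that `isOriginUnique` depends on is not stated anywhere near this signature, so a reader of WebPageProxy.cpp cannot tell why an origin whose fields are empty is treated as unique. Move the check to a `SecurityOriginData::isUnique()` member (as the thread agrees below) so the invariant lives next to the type that encodes it, or at minimum add a comment above the function naming the convention; the function body is not visible in this hunk, so the comment is the only place the reasoning would be recorded.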
Like I mentioned in my previous review, I think we should do the isUnique() check in WebCore's query(), on a SecurityOrigin.
Relying on data members of a SecurityOriginData to be empty (but not null) to determine that the origin is unique is a bit obscure and fragile.
The UIProcess side check can then be a MESSAGE_CHECK and this function can be named something like isValidOrigin().
Besides clarity, another reason for my proposal is that there is no good reason to do IPC or involve the UIProcess for unique/opaque origins. It is more efficient to deal with them in the WebProcess.
I think it is best to return 'denied' if possible (say application does not have the camera entitlement), or reject with NotSupported (say permission name is background-fetch).
This is best done in UIProcess.
I don't understand what that means, you are returning Prompt unconditionally so...
Also, whatever decisions about entitlements or not supporting a particular API should be doable at WebProcess-level if we wanted to.
There are cases where WebPageProxy::queryPermission is called but the delegate is not called at all (leading to returning denied or rejecting with NotSupportedError depending on the permission name and/or app entitlements).
There are cases where even though delegate returns prompt, we will IPC grant to the WebProcess (camera and microphone).
This is existing logic in WebPageProxy that seems good to keep consistent.
All this patch does is, instead of calling delegate, we make it as if delegate returns Prompt for unique origins.
We also have plenty of checks in the WebProcess that resolve/reject the promise early in WebCore's query().
Also, we normally don't pass opaque origins to other processes since they are only valid within a single process (requires pointer identity). This is why we have a concept of unique/opaque SecurityOrigin but we don't have one for SecurityOriginData. Relying on SecurityOriginData having non-null / empty data members to make such a determination is not robust or clear.
LGTM but please add isUnique() member function to SecurityOriginData.
}); | ||
}; | ||
|
||
if (isOriginUnique(clientOrigin.topOrigin)) { |
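Review bot: the branch guarded by `isOriginUnique(clientOrigin.topOrigin)` reads as an unconditional Prompt for unique origins, while the discussion states that logic earlier in this function may already return Granted or Denied for them; add a comment at this line saying that the branch only stands in for the delegate call (treating the delegate as having answered Prompt), so the ordering relative to those earlier checks is explicit for the next reader. Also note that only `topOrigin` is tested here; state in the same comment whether the frame's own origin needs the same treatment or why it does not.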
Ok, I discussed it offline with Youenn and it sounds like we want to deal with these unique origins on the UIProcess side because we don't always return "Prompt" for these, unlike what the next line makes it look like. There is some logic above in this function that could cause us to return Granted or Denied for unique origins and we wouldn't want to duplicate that logic in the WebProcess.
I think we should add an isUnique() member function to SecurityOriginData (which makes sure that the members are empty and non-null) instead of this new isOriginUnique() free function. It might be useful in other places as it sounds like we sometimes want to determine in processes other than the WebProcess if an origin is unique (even though we cannot at the moment determine if 2 unique security origins are the same).
Agreed, I think we should change isEmpty to isNull and add isUnique. Will do it in a follow-up.
Branch force-pushed from 8120f61 to fde28e0
Committed 253785@main (fde28e0): https://commits.webkit.org/253785@main Reviewed commits have been landed. Closing PR #3575 and removing active labels.