[8] NetworkProcess setRawCookie IPC validation
Severity: High | Component: WebKit NetworkProcess | fb75cae
Rated High because the diff fixes two co-located issues: a compromised WebProcess could plant cookies for arbitrary registrable domains (session fixation, login-CSRF), and a malformed commentURL could crash NetworkProcess via an unhandled NSException.
NetworkConnectionToWebProcess::setRawCookie validated allowsFirstPartyForCookies but not the cookie's own domain field or the url parameter. A compromised renderer could plant a cookie for bank.com from a session anchored to evil.com.
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
MESSAGE_CHECK(allowCookieAccess != NetworkProcess::AllowCookieAccess::Terminate);
+ MESSAGE_CHECK(RegistrableDomain::uncheckedCreateFromHost(cookie.domain).matches(firstParty));
+ MESSAGE_CHECK(RegistrableDomain(url).matches(firstParty));
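Review bot: RegistrableDomain::uncheckedCreateFromHost(cookie.domain) receives the raw Domain= value, so confirm that an empty domain (host-only cookie) and the leading-dot form (.example.com) both normalise to a domain that matches(firstParty); otherwise legitimate host-only cookies would trip the new MESSAGE_CHECK and terminate the sending WebProcess. A one-line comment above the two checks noting that firstParty is the already-validated anchor they are compared against would make the intent clear to the next reader.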
Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm
+ BEGIN_BLOCK_OBJC_EXCEPTIONS
auto nsCookies = createNSArray(cookies, [] (auto& cookie) -> NSHTTPCookie * {
return cookie.createNSHTTPCookie().autorelease();
});
- BEGIN_BLOCK_OBJC_EXCEPTIONS
[nsCookieStorage() setCookies:nsCookies.get() forURL:url.createNSURL().get() mainDocumentURL:mainDocumentURL.createNSURL().get()];
END_BLOCK_OBJC_EXCEPTIONS
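Review bot: the block now opens before createNSArray, so the lambda's createNSHTTPCookie() calls sit inside the @try, but nothing in the hunk records why; add a comment on the BEGIN_BLOCK_OBJC_EXCEPTIONS line stating that the NSHTTPCookie initializer can raise on malformed properties, so a future refactor does not narrow the block back to the setCookies: call. Also confirm nsCookies is not referenced after END_BLOCK_OBJC_EXCEPTIONS, since it is now declared inside the @try scope.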
Patch Details
Two MESSAGE_CHECKs confirm cookie.domain and the url argument are within the same registrable domain as firstParty. The BEGIN_BLOCK_OBJC_EXCEPTIONS macro is widened so it now wraps the cookie.createNSHTTPCookie() conversion loop, where Foundation's initializer can raise NSException on malformed properties (e.g. commentURL).
Root cause: trusting WebProcess-supplied IPC arguments at a privileged-process trust boundary without cross-validating the security-relevant fields (cookie domain vs. firstParty) against the asserted origin.
Background
In WebKit's multi-process architecture, the WebProcess is sandboxed and untrusted from NetworkProcess's perspective; every IPC argument must be validated. RegistrableDomain represents an eTLD+1 computed via the Public Suffix List. cookie.domain is the Domain= attribute that the platform cookie store uses to decide which sites the cookie is sent to. BEGIN_BLOCK_OBJC_EXCEPTIONS installs @try/@catch around the enclosed block so a raised NSException does not propagate into C++ stack frames.
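The two MESSAGE_CHECKs from the first hunk, modelled as an added C++ example that is not WebKit's code: registrableDomain stands in for RegistrableDomain using a constructed four-entry suffix table instead of the Public Suffix List, and setRawCookieAllowed applies both checks, with an empty cookie domain treated as a host-only cookie anchored to the URL's host (an assumption about host-only handling, not something the diff states).

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed stand-in for the Public Suffix List (assumption: real PSL is far larger).
static const std::vector<std::string> kSuffixes = {"co.uk", "com", "org", "uk"};

// eTLD+1 of a host; a leading dot (cookie Domain= form) is stripped first.
std::string registrableDomain(std::string host) {
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (!host.empty() && host[0] == '.') host.erase(0, 1);
    std::string best;
    for (const auto& suffix : kSuffixes) {
        if (host.size() > suffix.size()
            && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0
            && host[host.size() - suffix.size() - 1] == '.'
            && suffix.size() > best.size())
            best = suffix;  // keep the longest matching public suffix
    }
    if (best.empty()) return host;  // unknown suffix: whole host is the domain
    std::string prefix = host.substr(0, host.size() - best.size() - 1);
    auto dot = prefix.rfind('.');
    std::string label = dot == std::string::npos ? prefix : prefix.substr(dot + 1);
    return label + "." + best;
}

// Host component of "scheme://host[:port]/path".
std::string hostOf(const std::string& url) {
    auto start = url.find("://");
    start = start == std::string::npos ? 0 : start + 3;
    auto end = url.find_first_of("/:", start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Mirrors the two MESSAGE_CHECKs: cookie.domain and url must both share
// firstParty's registrable domain, or the message is rejected.
bool setRawCookieAllowed(const std::string& firstPartyHost, const std::string& url,
                         const std::string& cookieDomain) {
    const std::string firstParty = registrableDomain(firstPartyHost);
    const std::string cookieHost = cookieDomain.empty() ? hostOf(url) : cookieDomain;
    return registrableDomain(cookieHost) == firstParty
        && registrableDomain(hostOf(url)) == firstParty;
}
```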
Analysis
The classic "NetworkProcess trusts WebProcess-supplied tuple" pattern: a (firstParty, url, cookie) triple with only one component validated and the other two riding free. The companion BEGIN_BLOCK_OBJC_EXCEPTIONS placement bug is a recurring footgun — the macro must wrap every Objective-C call that can throw, including conversion helpers in the same C++ function.