[1] [WebKit] Remove SetCORSDisablingPatterns IPC from NetworkConnectionToWebProcess
Severity: High | Component: WebKit NetworkProcess | 841ad59
Rated High because the diff removes a WebContent-reachable IPC that wrote arbitrary URL patterns into m_pageCORSDisablingPatterns/originAccessPatterns, directly silencing same-origin enforcement on outbound cross-origin loads for the renderer's page; the primitive is reached without further escalation from a compromised WebProcess.
Removes SetCORSDisablingPatterns(PageIdentifier, Vector<String>) from NetworkConnectionToWebProcess and re-routes policy delivery so that it flows directly from WebPageProxy to the NetworkProcess. Previously the NetworkProcess parsed each pattern into a UserContentURLPattern, stored it keyed by PageIdentifier, and added it to the per-connection NetworkOriginAccessPatterns consulted by shouldDisableCORSForRequestTo().
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Confused-deputy IPC: NetworkProcess treated WebContent as the source of trust for per-page CORS-disabling policy when the policy actually originates from the UIProcess SPI.
Patch Details
The renderer-originated path is deleted. WebPage::synchronizeCORSDisablingPatternsWithNetworkProcess is removed; APIPageConfiguration::setCORSDisablingPatterns now persists into WebPageProxy, which sends the parsed patterns to NetworkProcess over the UI→Network IPC channel. The m_pageCORSDisablingPatterns map and shouldDisableCORSForRequestTo() lookup remain — only the writer changes.
Background
WebKit's CORS implementation lives on both the WebContent (preflight, response checks) and NetworkProcess (cross-origin scheduling) sides. The per-page allow list m_pageCORSDisablingPatterns and the per-connection NetworkOriginAccessPatterns are consulted in shouldDisableCORSForRequestTo() to skip CORS for matching URLs. The legitimate writer of this policy is the embedder, which calls -[WKWebView _setCORSDisablingPatterns:]; the value propagates through APIPageConfiguration in the UI process. The IPC sandbox boundary between UI/Network (trusted) and WebContent (untrusted) demands that any policy that loosens CORS must not flow through the renderer.
Analysis
The pre-fix path went UIProcess → WebContent → NetworkProcess: the WebContent process held the patterns and synchronised them to the NetworkProcess. A compromised WebContent process could craft SetCORSDisablingPatterns(pageIdentifier, ["*://*/*"]) over its existing NetworkConnectionToWebProcess endpoint. The NetworkProcess parsed each UserContentURLPattern without verifying caller authority and appended it to originAccessPatterns(). Every subsequent outbound load from that page hit shouldDisableCORSForRequestTo() with a positive match and skipped CORS — including same-origin preflight and credentials decisions on the network side.
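As an added illustration (not WebKit's own code), a toy C++ model of the per-page pattern store and the caller-authority check the fix restores by moving the writer to the UI-process channel. The Sender enum, the postFix flag and the simplified "scheme://host/path" pattern grammar are assumptions; only "*" wildcards and a trailing path "*" are supported.

```cpp
// Toy model (not WebKit code) of m_pageCORSDisablingPatterns and the trust check.
#include <map>
#include <string>
#include <vector>

enum class Sender { UIProcess, WebContent };   // hypothetical: which IPC channel delivered the message
using PageIdentifier = unsigned;

struct URLPattern { std::string scheme, host, path; };   // simplified UserContentURLPattern

// Assumes a well-formed "scheme://host[/path]" string; a missing path is treated as "/".
static URLPattern parsePattern(const std::string& s) {
    auto schemeEnd = s.find("://");
    auto hostEnd = s.find('/', schemeEnd + 3);
    bool noPath = hostEnd == std::string::npos;
    return { s.substr(0, schemeEnd),
             s.substr(schemeEnd + 3, noPath ? std::string::npos : hostEnd - schemeEnd - 3),
             noPath ? std::string("/") : s.substr(hostEnd) };
}

// "*" matches any scheme or host; a path ending in "*" is a prefix match.
static bool matches(const URLPattern& p, const std::string& url) {
    URLPattern u = parsePattern(url);
    bool scheme = p.scheme == "*" || p.scheme == u.scheme;
    bool host = p.host == "*" || p.host == u.host;
    size_t n = p.path.size() - 1;
    bool path = p.path == u.path
        || (p.path.back() == '*' && u.path.compare(0, n, p.path, 0, n) == 0);
    return scheme && host && path;
}

static std::map<PageIdentifier, std::vector<URLPattern>> g_pageCORSDisablingPatterns;

// Pre-fix (postFix == false) the NetworkProcess ignored who sent the message;
// post-fix only the trusted UI-process channel may loosen CORS for a page.
static bool setCORSDisablingPatterns(Sender sender, PageIdentifier page,
                                     const std::vector<std::string>& patterns, bool postFix) {
    if (postFix && sender != Sender::UIProcess)
        return false;                           // message dropped: renderer is not a policy source
    auto& list = g_pageCORSDisablingPatterns[page];
    for (const auto& p : patterns)
        list.push_back(parsePattern(p));
    return true;
}

static bool shouldDisableCORSForRequestTo(PageIdentifier page, const std::string& url) {
    auto it = g_pageCORSDisablingPatterns.find(page);
    if (it == g_pageCORSDisablingPatterns.end()) return false;
    for (const auto& p : it->second)
        if (matches(p, url)) return true;
    return false;
}
```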