[8] [WebKit] Validate firstPartyForCookies on StartDownload/ConvertMainResourceLoadToDownload IPC
Severity: High | Component: WebKit NetworkProcess | e30ca29
Rated High because the diff adds origin validation to the NetworkProcess download-initiation IPCs that previously accepted any firstPartyForCookies URL from a compromised WebContent process; absent the check, the NetworkProcess attached the targeted site's SameSite cookies to attacker-shaped downloads.
NetworkConnectionToWebProcess::startDownload and convertMainResourceLoadToDownload validate that the supplied firstPartyForCookies is one the calling WebContent process is authorised to act for.
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
IPC origin-spoofing on the download path: a compromised renderer forges firstPartyForCookies and the NetworkProcess attaches the victim origin's cookies to its chosen request.
Patch Details
Both download-IPC receivers gain a MESSAGE_CHECK that the supplied first-party URL is one this WebContent process has legitimately loaded. Other request fields remain forwarded as before.
Background
firstPartyForCookies is the URL the network layer uses for cookie attribution and SameSite computation. On a compromised-renderer threat model, any field crossing into the NetworkProcess must be re-validated against the per-connection knowledge of which origins the WebProcess legitimately hosts.
Analysis
A compromised renderer constructed a ResourceRequest whose firstPartyForCookies() named an attacker-targeted site and sent it via Messages::NetworkConnectionToWebProcess::StartDownload. The NetworkProcess used the URL when assembling the outgoing HTTP request; NetworkStorageSession attached the user's cookies (including SameSite=Strict) for that origin. The download dispatched as if from a legitimate top-level navigation to the victim origin, riding the user's authenticated session.
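Added illustration of the per-connection check described above, in simplified C++ that is not the WebKit patch itself: the names DownloadGate, didCommitTopLevelNavigation and originOf are hypothetical stand-ins for the NetworkProcess's real bookkeeping, and the URL reduction only handles http(s) URLs of the form scheme://host[:port]/path.

```cpp
#include <optional>
#include <set>
#include <string>
#include <tuple>

// Cookie attribution is per origin (scheme, host, port), so the check compares origins, not full URLs.
struct Origin {
    std::string scheme, host;
    int port;
    bool operator<(const Origin& o) const { return std::tie(scheme, host, port) < std::tie(o.scheme, o.host, o.port); }
};

// Hypothetical helper: reduce scheme://host[:port]/path to its origin; reject anything else.
std::optional<Origin> originOf(const std::string& url) {
    auto sep = url.find("://");
    if (sep == std::string::npos) return std::nullopt;
    std::string scheme = url.substr(0, sep);
    if (scheme != "http" && scheme != "https") return std::nullopt;
    auto end = url.find('/', sep + 3);
    std::string host = url.substr(sep + 3, end - sep - 3);   // substr clamps when end is npos
    int port = scheme == "https" ? 443 : 80;
    if (auto colon = host.find(':'); colon != std::string::npos) {
        try { port = std::stoi(host.substr(colon + 1)); } catch (...) { return std::nullopt; }
        host.resize(colon);
    }
    if (host.empty() || port < 1 || port > 65535) return std::nullopt;
    return Origin{scheme, host, port};
}

// Hypothetical stand-in for the per-connection state the NetworkProcess keeps about one
// WebContent process: the set of origins that process has legitimately loaded.
class DownloadGate {
    std::set<Origin> hostedOrigins;
public:
    void didCommitTopLevelNavigation(const std::string& url) {
        if (auto o = originOf(url)) hostedOrigins.insert(*o);
    }
    // The MESSAGE_CHECK: a StartDownload/ConvertMainResourceLoadToDownload request is honoured
    // only if its firstPartyForCookies names an origin this connection is authorised to act for.
    bool validateFirstPartyForCookies(const std::string& firstPartyForCookies) const {
        auto o = originOf(firstPartyForCookies);
        return o && hostedOrigins.count(*o) > 0;
    }
};

int main() {
    DownloadGate gate;
    gate.didCommitTopLevelNavigation("https://shop.example/cart");               // constructed sample navigation
    return gate.validateFirstPartyForCookies("https://bank.example/") ? 1 : 0;  // forged first party: rejected
}
```

In the real NetworkProcess a failed MESSAGE_CHECK terminates the offending WebContent connection rather than returning false.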