[1] NetworkProcess origin-allowlist IPC gating
Severity: High | Component: WebKit NetworkProcess | 7143ace
Rated High because the diff confirms three IPC messages on NetworkConnectionToWebProcess were always dispatchable from any WebContent process and mutated the process-global origin access allowlist consulted by CORS/SOP; the included regression test demonstrates that a compromised renderer turns a same-origin XHR check into a cross-origin data read, which is a direct universal-CORS-bypass primitive on the Network process trust boundary.
Origin access allowlist IPC messages on NetworkConnectionToWebProcess modify a process-global allowlist with no validation, allowing a compromised WebContent process to bypass CORS for all connections. These messages are only used by TestRunner SPI. Gate them behind EnabledBy=AllowTestOnlyIPC so they are rejected unless the test-only flag is set.
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
- AddOriginAccessAllowListEntry(String sourceOrigin, String destinationProtocol, String destinationHost, bool allowDestinationSubdomains);
- RemoveOriginAccessAllowListEntry(String sourceOrigin, String destinationProtocol, String destinationHost, bool allowDestinationSubdomains);
- ResetOriginAccessAllowLists();
+ [EnabledBy=AllowTestOnlyOriginAccessAllowListIPC] AddOriginAccessAllowListEntry(String sourceOrigin, String destinationProtocol, String destinationHost, bool allowDestinationSubdomains);
+ [EnabledBy=AllowTestOnlyOriginAccessAllowListIPC] RemoveOriginAccessAllowListEntry(String sourceOrigin, String destinationProtocol, String destinationHost, bool allowDestinationSubdomains);
+ [EnabledBy=AllowTestOnlyOriginAccessAllowListIPC] ResetOriginAccessAllowLists();
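Review bot: all three declarations now hang off one preference check, so the fix is only as good as the generated reject path; worth confirming in the generated receiver that a message arriving while AllowTestOnlyOriginAccessAllowListIPC is false is treated as a message check failure for the sending WebContent process (no production renderer has a reason to send it) rather than a silent drop, and that the names still line up with what IPC.messages exposes to the test (NetworkConnectionToWebProcess_AddOriginAccessAllowListEntry). The handlers themselves are left in place, so this is a gate, not a removal of the mutation primitive.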
Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
+AllowTestOnlyOriginAccessAllowListIPC:
+ type: bool
+ status: embedder
+ exposed: [ WebKit ]
+ webcoreBinding: none
+ defaultValue:
+ WebKit:
+ default: false
+ sharedPreferenceForWebProcess: true
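Review bot: the entry carries no description of what it unlocks, and status: embedder means any embedder can set it; add a comment or description on the preference stating that it is test-only and that enabling it re-exposes a process-wide CORS bypass over IPC, so it is never flipped in a shipping configuration. Only the WebKit default block is listed under defaultValue, so also confirm false is the effective default on every platform that exposes WebKit.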
Tools/TestWebKitAPI/Tests/WebKit/WKWebView/IPCTestingAPI.mm
+ [webViewA stringByEvaluatingJavaScript:[NSString stringWithFormat:
+ @"IPC.sendMessage('Networking', 0,"
+ " IPC.messages.NetworkConnectionToWebProcess_AddOriginAccessAllowListEntry.name,"
+ " ["
+ " { type: 'String', value: 'http://localhost:%u' },"
+ " { type: 'String', value: 'http' },"
+ " { type: 'String', value: '127.0.0.1' },"
+ " { type: 'bool', value: 1 }"
+ " ]"
+ ")", serverPort]];
+ EXPECT_WK_STREQ(result, "FETCHED:cross-origin-data");
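Review bot: the excerpt sends the message and asserts "FETCHED:cross-origin-data", but `result` is never assigned in these lines and the cross-origin fetch from the second view is not visible, so as shown the test does not tie the read to the allowlist entry rather than to a same-origin path; the lines in between should be in the hunk. For the flag-off case the assertion should be on the specific failure string the fetch produces, not just a non-match, so a broken test server cannot make the negative case pass by accident.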
Patch Details
The patch tags three IPC messages — AddOriginAccessAllowListEntry, RemoveOriginAccessAllowListEntry, and ResetOriginAccessAllowLists — with [EnabledBy=AllowTestOnlyOriginAccessAllowListIPC] in NetworkConnectionToWebProcess.messages.in. The corresponding preference is introduced in UnifiedWebPreferences.yaml with sharedPreferenceForWebProcess: true and default: false, then wired into WebKitTestRunner (TestOptions.cpp, TestOptions.h, TestController.cpp) so layout tests can opt in. Two regression tests (AddOriginAccessAllowListEntryRequiresTestOnlyIPC and AddOriginAccessAllowListEntryAllowedWithTestOnlyIPC) drive the IPC via the IPC testing API across two WKWebViews sharing a process pool and demonstrate the bypass is reachable when the flag is off and blocked when it is.
The root cause is a test-only IPC entry point exposed on the production renderer-to-network surface, which let a compromised WebContent process mutate process-global same-origin/CORS policy without any authorization check.
Background
WebKit splits the browser into multiple processes: WebContent runs untrusted web content, and NetworkProcess performs all network I/O on its behalf, communicating over WebKit's IPC layer (Mach ports on Apple platforms). NetworkConnectionToWebProcess is the per-WebContent endpoint inside NetworkProcess; the messages it accepts are declared in NetworkConnectionToWebProcess.messages.in and dispatched by code generated from that file.
The [EnabledBy=Pref] annotation on a message declaration tells the generator to inject a runtime check against the named preference — when the preference is false, the message is rejected before its handler runs. sharedPreferenceForWebProcess: true causes the preference value to be propagated from the UI process to the WebContent and Network processes so the generated check can see it.
The origin access allowlist (SecurityOrigin::addOriginAccessAllowlistEntry and its OriginAccessPatterns storage) is a process-global table of (source, protocol, host, subdomains) tuples; same-origin and CORS checks consult it, and a matching entry causes a cross-origin access to be treated as same-origin. The TestRunner SPI exposes a function so layout tests can populate this allowlist to simulate cross-origin scenarios — that is the API's only intended consumer.
Analysis
The bug is a missing IPC authorization check. Before the fix, the three origin-allowlist messages on NetworkConnectionToWebProcess were always dispatchable from any WebContent process with no validation. Their handlers mutate the process-global origin allowlist that SecurityOrigin::canAccess and the CORS path consult when deciding whether a cross-origin network access is permitted. The allowlist API exists only to support TestRunner SPI, so its presence on a production IPC surface is a trust-boundary violation: a compromised WebContent process could append an entry of its choosing, and from that point onward any page loaded by any WebContent process sharing that Network process is exempted from CORS for the chosen destination. The fix is a gate, not a removal: the handlers and the allowlist mutation stay in the Network process, so the protection rests entirely on AllowTestOnlyOriginAccessAllowListIPC remaining false outside test harnesses.
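The following is an added example, not WebKit code, that models the two pieces the Background and Analysis describe: a process-global allowlist of (source origin, destination protocol, destination host, allow-subdomains) tuples consulted after the same-origin comparison fails, and an IPC receiver for AddOriginAccessAllowListEntry shown both ungated (before the patch) and gated by a shared preference (what the EnabledBy annotation generates). The origin string form "scheme://host[:port]", the function and struct names, and the default-port handling are assumptions for illustration; the scenario function replays the shape of the regression test (a localhost renderer allowlisting 127.0.0.1).

```cpp
// Added example, not WebKit code: a small model of the process-global origin
// access allowlist and of the IPC gate the patch adds. Names and the string
// form of origins ("scheme://host[:port]") are assumptions for illustration.
#include <cstdio>
#include <string>
#include <vector>

struct OriginAccessEntry {
    std::string sourceOrigin;        // origin that gains access, e.g. "http://localhost:8000"
    std::string destinationProtocol; // e.g. "http"
    std::string destinationHost;     // e.g. "127.0.0.1"
    bool allowDestinationSubdomains; // also match "<label>.destinationHost"
};

// One table for the whole (modelled) Network process: every WebContent
// connection reads it and, before the patch, could write it.
static std::vector<OriginAccessEntry> g_allowlist;

struct Origin { std::string scheme, host; int port; };

static Origin parseOrigin(const std::string& s) {
    Origin o{"", "", -1};
    size_t sep = s.find("://");
    if (sep == std::string::npos) return o;
    o.scheme = s.substr(0, sep);
    std::string rest = s.substr(sep + 3);
    size_t colon = rest.find(':');
    o.host = rest.substr(0, colon);
    o.port = (colon == std::string::npos) ? (o.scheme == "https" ? 443 : 80)
                                          : std::stoi(rest.substr(colon + 1));
    return o;
}

// Host match: exact, or a subdomain at a label boundary when the entry allows it.
static bool hostMatches(const std::string& pattern, const std::string& host, bool allowSubdomains) {
    if (host == pattern) return true;
    if (!allowSubdomains || host.size() <= pattern.size() + 1) return false;
    return host.compare(host.size() - pattern.size(), pattern.size(), pattern) == 0
        && host[host.size() - pattern.size() - 1] == '.';
}

static bool sameOrigin(const Origin& a, const Origin& b) {
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

// The check the text describes: a true same-origin pair passes, and so does a
// cross-origin pair for which a matching allowlist entry exists.
bool canAccess(const std::string& source, const std::string& dest) {
    Origin s = parseOrigin(source), d = parseOrigin(dest);
    if (sameOrigin(s, d)) return true;
    for (const auto& e : g_allowlist) {
        if (sameOrigin(parseOrigin(e.sourceOrigin), s)
            && e.destinationProtocol == d.scheme
            && hostMatches(e.destinationHost, d.host, e.allowDestinationSubdomains))
            return true;
    }
    return false;
}

// Value the UI process shares with the Network process
// (models sharedPreferenceForWebProcess: true with default false).
struct SharedPreferences { bool allowTestOnlyOriginAccessAllowListIPC = false; };

enum class Dispatch { Handled, Rejected };

// Before the patch: the receiver ran the handler for any sender.
Dispatch addEntryUngated(const SharedPreferences&, const OriginAccessEntry& e) {
    g_allowlist.push_back(e);
    return Dispatch::Handled;
}

// After the patch: what [EnabledBy=AllowTestOnlyOriginAccessAllowListIPC] makes
// the generated receiver do, i.e. reject before the handler runs.
Dispatch addEntryGated(const SharedPreferences& prefs, const OriginAccessEntry& e) {
    if (!prefs.allowTestOnlyOriginAccessAllowListIPC) return Dispatch::Rejected;
    g_allowlist.push_back(e);
    return Dispatch::Handled;
}

void resetAllowlist() { g_allowlist.clear(); }

// Shape of the regression test: a renderer for http://localhost:8000 asks the
// Network process to allowlist http://127.0.0.1 (subdomains allowed), then a
// page on that origin reads cross-origin from 127.0.0.1.
bool rendererReadsCrossOrigin(bool gated, bool testOnlyFlag) {
    resetAllowlist();
    SharedPreferences prefs;
    prefs.allowTestOnlyOriginAccessAllowListIPC = testOnlyFlag;
    OriginAccessEntry entry{"http://localhost:8000", "http", "127.0.0.1", true};
    (gated ? addEntryGated : addEntryUngated)(prefs, entry);
    return canAccess("http://localhost:8000", "http://127.0.0.1:9000");
}

int main() {
    std::printf("ungated, flag off: %s\n", rendererReadsCrossOrigin(false, false) ? "cross-origin read" : "blocked");
    std::printf("gated,   flag off: %s\n", rendererReadsCrossOrigin(true, false) ? "cross-origin read" : "blocked");
    std::printf("gated,   flag on : %s\n", rendererReadsCrossOrigin(true, true) ? "cross-origin read" : "blocked");
    return 0;
}
```

The point the model makes visible is that the gate is the only thing separating the ungated and gated rows: the allowlist and its consumer are unchanged, so any configuration that sets the shared preference to true outside a test harness reproduces the first row for every page sharing that Network process.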