Closed Bug 1740263 (wasm-csp) Opened 2 years ago Closed 2 years ago

Implement wasm-unsafe-eval

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
102 Branch
Tracking Status
relnote-firefox --- 102+
firefox102 --- fixed

People

(Reporter: annevk, Assigned: tschuster)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-active], [wptsync upstream])

Attachments

(6 files)

https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md has an overview.

See https://github.com/w3c/webappsec-csp/pull/293 for the specification change. The Wasm specification hasn't been updated as far as I can tell, I filed https://github.com/WebAssembly/spec/issues/1393 on that.

Blocks: 1740269

This is on our radar and we'll tackle that early next year!

Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Lars: Can you help me understand how this would be best wired into existing functions?

I see that existing CSP eval() checks are in GlobalObject::isRuntimeCodeGenEnabled, which looks suitable for this case, as wasm is going to be generally disallowed by default CSP's from now on. E.g.:

  • CSP says nothing (eval and wasm disallowed)
  • CSP allows eval (eval and wasm allowed)
  • CSP allows wasm (eval still disallowed, but wasm allowed)

"wasm allowed/disallowed" includes the following execution sinks:
* {{new WebAssembly.Module()}}
* {{WebAssembly.compile()}}
* {{WebAssembly.compileStreaming()}}
* {{WebAssembly.instantiate()}}
* {{WebAssembly.instantiateStreaming()}}

I think I'll be able to figure the ends in our CSP code in parallel.

Flags: needinfo?(lhansen)

I expect that a function that looks very much like isRuntimeCodeGenEnabled (call it isWasmRuntimeCodeGenEnabled?) would do just fine. We would hook that into the compiler pipeline at a suitable choke point, I'll look for one. There are a couple of tricky places where we deserialize already-compiled code from the cache, and we want to be sure to cover these too. And we don't always have a JSContext available, and may need to work around that. But that can be my problem.

Flags: needinfo?(lhansen)

It sounds like we'll be able to meet in the middle eventually. Currently, I am not entirely sure where that middle is as I found a bit of a gap, having looked deeper into isRuntimeCodeGenEnabled: I am not really sure how its implementation works at all. Currently, there's some funky callback handling with the ScriptSecurityManager that I don't think I will be able to replicate or retrofit for the WASM usecase.

OK. I've reached out to the JS module owner (Jan) to ask about who might know the most about our CSP implementation.

Meanwhile, it looks like hooking whatever facility we end up with into wasm::HasSupport(JSContext*) or wasm::HasPlatformSupport(JSContext*) is fairly reasonable, depending on some fine detail around how we want to handle asm.js (which uses wasm for its back-end).

Jan says to maybe ask him or Olli about details, both cc'd.

Alias: wasm-csp
Blocks: wasm-lang
No longer blocks: 1740269

I am probably going to work on this in future. Right now the spec isn't ready yet. So we probably need to look into what Chrome is doing. I am mostly curious when the CSP check happens, i.e. in the case of WebAssembly.compileStreaming at the beginning of the function or when the Response argument resolves.

The relevant Chrome/V8 code can be found here: https://source.chromium.org/search?q=IsWasmCodegenAllowed

Assignee: nobody → tschuster
Attachment #9269258 - Attachment description: WIP: Bug 1740263 - Move isRuntimeCodeGenEnabled to JSContext → Bug 1740263 - Move isRuntimeCodeGenEnabled to JSContext. r?jandem
Attachment #9269259 - Attachment description: WIP: Bug 1740263 - Block WASM code generation by CSP → Bug 1740263 - Block WASM code generation by CSP. r?lth!,jandem!
Attachment #9259512 - Attachment description: WIP: Bug 1740263 - parser/context changes. this compiles. → Bug 1740263 - CSP parser and context changes for wasm-unsafe-eval. r?ckerschb
Attachment #9269260 - Attachment description: WIP: Bug 1740263 - Implement CSP checking callback → Bug 1740263 - Implement the CSP checking callback for WASM. r?#dom-worker-reviewers!,ckerschb!
Attachment #9269636 - Attachment description: WIP: Bug 1740263 - Test for postMessaging WASM Module to CSP restricted iframe → Bug 1740263 - Test for postMessaging WASM Module to CSP restricted iframe. r?lth
Keywords: dev-doc-needed
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
See Also: → 1766027
Attachment #9270888 - Attachment description: WIP: Bug 1740263 - Continue to allow WASM by default in Webextensions v2 → WIP: Bug 1740263 - Continue to allow WASM by default in Webextensions v2.
Attachment #9270888 - Attachment description: WIP: Bug 1740263 - Continue to allow WASM by default in Webextensions v2. → Bug 1740263 - Continue to allow WASM by default in Webextensions v2.
Attachment #9270888 - Attachment description: Bug 1740263 - Continue to allow WASM by default in Webextensions v2. → WIP: Bug 1740263 - Continue to allow WASM by default in Webextensions v2.
Attachment #9270888 - Attachment description: WIP: Bug 1740263 - Continue to allow WASM by default in Webextensions v2. → Bug 1740263 - Continue to allow WASM by default in Webextensions v2. r?robwu
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d923462c9cd0
CSP parser and context changes for wasm-unsafe-eval. r=ckerschb,freddyb
https://hg.mozilla.org/integration/autoland/rev/8365b10be28e
Move isRuntimeCodeGenEnabled to JSContext. r=jandem
https://hg.mozilla.org/integration/autoland/rev/e34ba774b3f8
Block WASM code generation by CSP. r=lth,jandem
https://hg.mozilla.org/integration/autoland/rev/3978ccb95455
Implement the CSP checking callback for WASM. r=dom-worker-reviewers,smaug,freddyb
https://hg.mozilla.org/integration/autoland/rev/a1e7766cdb94
Test for postMessaging WASM Module to CSP restricted iframe. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/2f5ec6ad0f81
Continue to allow WASM by default in Webextensions v2. r=mixedpuppy,robwu
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/34120 for changes under testing/web-platform/tests
Whiteboard: [domsecurity-active] → [domsecurity-active], [wptsync upstream]

Backed out for causing bp-hybrid bustages on nsScriptSecurityManager.

Push with failures

Failure log
Also we have some xpcshell failures on test_ext_wasm.js . Failure log

Backout link

[task 2022-05-19T00:09:52.654Z] 00:09:52     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/caps'
[task 2022-05-19T00:09:52.657Z] 00:09:52     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/MacOSX10.12.sdk -mmacosx-version-min=10.12 -stdlib=libc++ -std=gnu++17 --target=x86_64-apple-darwin -o nsScriptSecurityManager.o -c  -fvisibility=hidden -fvisibility-inlines-hidden -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DNDEBUG=1 -DTRIMMED=1 -DOS_POSIX=1 -DOS_MACOSX=1 -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/caps -I/builds/worker/workspace/obj-build/caps -I/builds/worker/checkouts/gecko/docshell/base -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/js/xpconnect/src -I/builds/worker/checkouts/gecko/netwerk/base -I/builds/worker/checkouts/gecko/netwerk/cookie -I/builds/worker/checkouts/gecko/toolkit/components/jsoncpp/include -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -Qunused-arguments -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wdeprecated-this-capture -Wempty-body -Wformat-type-confusion -Wignored-qualifiers -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wno-error=tautological-type-limit-compare -Wunreachable-code -Wunreachable-code-return -Wunused-but-set-parameter -Wno-invalid-offsetof -Wclass-varargs -Wempty-init-stmt -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wno-range-loop-analysis -Wc++2a-compat -Wcomma -Wenum-compare-conditional -Wimplicit-fallthrough -Wduplicate-method-arg -Wduplicate-method-match -Wmissing-method-return-type -Wobjc-signed-char-bool -Wsemicolon-before-method-body -Wsuper-class-method-mismatch -Werror=non-literal-null-conversion -Wstring-conversion -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=free-nonheap-object -Wno-error=return-std-move -Wno-error=atomic-alignment -Wno-error=deprecated-copy -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-psabi -Wthread-safety -Wno-unknown-warning-option -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fPIC -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -gdwarf-4 -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O3 -fno-omit-frame-pointer -funwind-tables -Werror -fno-strict-aliasing -ffp-contract=off  -MD -MP -MF .deps/nsScriptSecurityManager.o.pp   /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp
[task 2022-05-19T00:09:52.658Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:7:
[task 2022-05-19T00:09:52.658Z] 00:09:52    ERROR -  /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.h:93:56: error: no type named 'RuntimeCode' in namespace 'JS'
[task 2022-05-19T00:09:52.658Z] 00:09:52     INFO -                                                     JS::RuntimeCode kind,
[task 2022-05-19T00:09:52.658Z] 00:09:52     INFO -                                                     ~~~~^
[task 2022-05-19T00:09:52.659Z] 00:09:52    ERROR -  /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:450:31: error: out-of-line definition of 'ContentSecurityPolicyPermitsJSAction' does not match any declaration in 'nsScriptSecurityManager'
[task 2022-05-19T00:09:52.659Z] 00:09:52     INFO -  bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
[task 2022-05-19T00:09:52.659Z] 00:09:52     INFO -                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.660Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.660Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.660Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:12:
[task 2022-05-19T00:09:52.663Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebExtensionPolicyBinding.h:13:
[task 2022-05-19T00:09:52.664Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:24:
[task 2022-05-19T00:09:52.665Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/dom/ToJSValue.h:414:3: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.665Z] 00:09:52     INFO -    JS::RootedObject recordObj(aCx, JS_NewPlainObject(aCx));
[task 2022-05-19T00:09:52.666Z] 00:09:52     INFO -    ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.667Z] 00:09:52     INFO -    JS::Rooted<JSObject*>
[task 2022-05-19T00:09:52.667Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.668Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.668Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:14:
[task 2022-05-19T00:09:52.669Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchPattern.h:13:
[task 2022-05-19T00:09:52.669Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchGlob.h:44:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:14:
[task 2022-05-19T00:09:52.671Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchPattern.h:225:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.671Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchPattern.h:304:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.671Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:183:40: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -    void GetReadyPromise(JSContext* aCx, JS::MutableHandleObject aResult) const;
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                         ^~~~~~~~~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                         JS::MutableHandle<JSObject*>
[task 2022-05-19T00:09:52.672Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:221:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -  6 warnings and 2 errors generated.
[task 2022-05-19T00:09:52.672Z] 00:09:52    ERROR -  gmake[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:660: nsScriptSecurityManager.o] Error 1
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -  gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/caps'
[task 2022-05-19T00:09:52.673Z] 00:09:52    ERROR -  gmake[3]: *** [/builds/worker/checkouts/gecko/config/recurse.mk:72: caps/target-objects] Error 2
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  gmake[3]: *** Waiting for unfinished jobs....
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/docshell/shistory'
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  docshell/shistory/SessionHistoryEntry.o
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/docshell/shistory'
[task 2022-05-19T00:09:52.807Z] 00:09:52     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/accessible/xul'
Flags: needinfo?(tschuster)
Upstream PR was closed without merging
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e1658a2c0baf
CSP parser and context changes for wasm-unsafe-eval. r=ckerschb,freddyb
https://hg.mozilla.org/integration/autoland/rev/5e08ab4006df
Move isRuntimeCodeGenEnabled to JSContext. r=jandem
https://hg.mozilla.org/integration/autoland/rev/f7f0363c1875
Block WASM code generation by CSP. r=lth,jandem
https://hg.mozilla.org/integration/autoland/rev/9ecb32826850
Implement the CSP checking callback for WASM. r=dom-worker-reviewers,smaug,freddyb
https://hg.mozilla.org/integration/autoland/rev/94ca7dad5199
Test for postMessaging WASM Module to CSP restricted iframe. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/e0600a5f234b
Continue to allow WASM by default in Webextensions v2. r=mixedpuppy,robwu
Upstream PR merged by moz-wptsync-bot
Flags: needinfo?(tschuster)
Regressions: 1770667
Regressions: 1770468
See Also: → 1770909

Release Note Request (optional, but appreciated)
[Why is this notable]: We now support the Content-Security-Policy (CSP) directive 'wasm-unsafe-eval'. This means existing webpages that have strict CSP might now block WebAssembly from executing.
[Affects Firefox for Android]: Yes
[Suggested wording]: (suggestions welcome) Similar to Why is this notable.
[Links (documentation, blog post, etc)]: (MDN isn't updated yet)

relnote-firefox: --- → ?

Is a relnote about this really optional? Some web pages could break, just as web extensions broke in bug 1770667 and bug 1770468 (fixed by not enforcing this feature for older addons for now; won't fix web pages). Not as much risk since Chrome has enforced this for a while, but we definitely need to warn people.

Suggested wording: Firefox now supports the Content-Security-Policy (CSP) integration with WebAssembly. A document with a CSP that restricts scripts will no longer execute WebAssembly unless the CSP uses either the new 'wasm-unsafe-eval' or existing 'unsafe-eval' keyword.

I added the note to Firefox Beta/Release notes.

FYI marked as dev-doc-complete because associated work appears to have been done in https://github.com/mdn/content/issues/17619

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: