[webkit-changes] [WebKit/WebKit] cfe162: The lifetime of user gesture authorization tokens ...

Charlie Wolfe noreply at github.com
Wed Dec 20 11:20:29 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cfe162295f279478c8f8e5efdeec930aa6f874ef
      https://github.com/WebKit/WebKit/commit/cfe162295f279478c8f8e5efdeec930aa6f874ef
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/UIProcess/WebProcessProxy.messages.in
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/VerifyUserGestureFromUIProcess.mm

  Log Message:
  -----------
  The lifetime of user gesture authorization tokens is owned by the WebContent process
rdar://117471805
https://bugs.webkit.org/show_bug.cgi?id=266607

Reviewed by Chris Dumez.

Authorization tokens are used to verify that a user gesture originated from the UI process. We do this
because we do not want the web process to be able to fake a user gesture to perform a privileged action,
like window.open(). Since the lifetime of these tokens is owned by the web process, a compromised web
process could choose not to dispatch the `DidDestroyUserGestureToken()` IPC messages, and later spend
several of the authorization tokens at the same time. To fix this, we should clear the previous
authorization tokens once one is used to perform a privileged action. This will make it so a new user
gesture is required for each window.open() call.

Also move a call to `recordUserGestureAuthorizationToken()` to `sendMouseEvent()` to match where we
record the user gesture for key events.

The test verifies that if there are two windows backed by the same web process that a click in one used
to open a pop-up doesn’t invalidate the click in the other window.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::sendMouseEvent):
(WebKit::WebPageProxy::processNextQueuedMouseEvent):
(WebKit::WebPageProxy::sendKeyEvent):
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::recordUserGestureAuthorizationToken):
(WebKit::WebProcessProxy::userInitiatedActivity):
(WebKit::WebProcessProxy::consumeIfNotVerifiablyFromUIProcess):
(WebKit::WebProcessProxy::didDestroyUserGestureToken):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/UIProcess/WebProcessProxy.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp:
(WebKit::WebChromeClient::createWindow):
* Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::didSameDocumentNavigationForFrameViaJSHistoryAPI):
(WebKit::WebLocalFrameLoaderClient::dispatchDecidePolicyForNewWindowAction):
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::userGestureTokenIdentifier):
(WebKit::WebProcess::userGestureTokenDestroyed):
* Source/WebKit/WebProcess/WebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/VerifyUserGestureFromUIProcess.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/272361@main
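As an added illustration, not WebKit's code and not part of this commit, here is a simplified C++ model of a UI-process-side token store with the clear-on-use behaviour the log message describes. The class and method names, the integer token/page types, and the per-page scoping (inferred from the two-window test the message mentions) are assumptions.

```cpp
// Simplified model of UI-process user gesture authorization tokens.
// Assumption: tokens are tracked per page so one page's consumption does not
// invalidate another page's pending click. Names/types are illustrative only.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <map>
#include <set>

using PageID = uint64_t;
using TokenID = uint64_t;

class UserGestureTokenStore {
public:
    // UI process records a token when it dispatches a real mouse/key event.
    void recordToken(PageID page, TokenID token) { m_tokensByPage[page].insert(token); }

    // Web process asks to perform a privileged action (e.g. open a window).
    // Returns true only if the UI process issued this token for this page.
    // On success every other token for the page is cleared, so a fresh gesture
    // is needed next time even if the web process never reports destruction.
    bool consumeIfVerifiablyFromUIProcess(PageID page, TokenID token) {
        auto it = m_tokensByPage.find(page);
        if (it == m_tokensByPage.end() || !it->second.count(token))
            return false;
        m_tokensByPage.erase(it);
        return true;
    }

    // DidDestroyUserGestureToken IPC; a hostile web process may never send it.
    void didDestroyToken(PageID page, TokenID token) {
        auto it = m_tokensByPage.find(page);
        if (it == m_tokensByPage.end()) return;
        it->second.erase(token);
        if (it->second.empty()) m_tokensByPage.erase(it);
    }

    size_t outstandingTokens(PageID page) const {
        auto it = m_tokensByPage.find(page);
        return it == m_tokensByPage.end() ? 0 : it->second.size();
    }

private:
    std::map<PageID, std::set<TokenID>> m_tokensByPage;
};

// Scenario from the log message: a web process withholds destruction messages
// and then tries to spend several hoarded tokens. Returns how many succeed.
inline int privilegedActionsGranted(UserGestureTokenStore& store, PageID page,
                                    std::initializer_list<TokenID> hoarded) {
    int granted = 0;
    for (TokenID t : hoarded)
        if (store.consumeIfVerifiablyFromUIProcess(page, t)) ++granted;
    return granted;
}
```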
