[webkit-changes] [WebKit/WebKit] cfe162: The lifetime of user gesture authorization tokens ...
Charlie Wolfe
noreply at github.com
Wed Dec 20 11:20:29 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cfe162295f279478c8f8e5efdeec930aa6f874ef
https://github.com/WebKit/WebKit/commit/cfe162295f279478c8f8e5efdeec930aa6f874ef
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-12-20 (Wed, 20 Dec 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Source/WebKit/UIProcess/WebProcessProxy.messages.in
M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
M Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
M Source/WebKit/WebProcess/WebProcess.cpp
M Source/WebKit/WebProcess/WebProcess.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/VerifyUserGestureFromUIProcess.mm
Log Message:
-----------
The lifetime of user gesture authorization tokens is owned by the WebContent process
rdar://117471805
https://bugs.webkit.org/show_bug.cgi?id=266607
Reviewed by Chris Dumez.
Authorization tokens are used to verify that a user gesture originated from the UI process. We do this
because we do not want the web process to be able to fake a user gesture to perform a privileged action,
like window.open(). Since the lifetime of these tokens is owned by the web process, a compromised web
process could choose not to dispatch the `DidDestroyUserGestureToken()` IPC messages, and later spend
several of the authorization tokens at the same time. To fix this, we should clear the previous
authorization tokens once one is used to perform a privileged action. This will make it so a new user
gesture is required for each window.open() call.
Also move a call to `recordUserGestureAuthorizationToken()` to `sendMouseEvent()` to match where we
record the user gesture for key events.
The test verifies that, if there are two windows backed by the same web process, a click in one used
to open a pop-up doesn’t invalidate the click in the other window.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::sendMouseEvent):
(WebKit::WebPageProxy::processNextQueuedMouseEvent):
(WebKit::WebPageProxy::sendKeyEvent):
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::recordUserGestureAuthorizationToken):
(WebKit::WebProcessProxy::userInitiatedActivity):
(WebKit::WebProcessProxy::consumeIfNotVerifiablyFromUIProcess):
(WebKit::WebProcessProxy::didDestroyUserGestureToken):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/UIProcess/WebProcessProxy.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp:
(WebKit::WebChromeClient::createWindow):
* Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::didSameDocumentNavigationForFrameViaJSHistoryAPI):
(WebKit::WebLocalFrameLoaderClient::dispatchDecidePolicyForNewWindowAction):
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::userGestureTokenIdentifier):
(WebKit::WebProcess::userGestureTokenDestroyed):
* Source/WebKit/WebProcess/WebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/VerifyUserGestureFromUIProcess.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/272361@main
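The token model the commit message describes, written out as an added illustration rather than WebKit's own code: the UI process records one token per genuine input event, a privileged action spends exactly one token, and spending it clears the rest for that page so a web process that withholds `DidDestroyUserGestureToken()` cannot bank gestures. The per-page registry, the class and function names, and the integer identifiers are all assumptions of this model.

```cpp
#include <cstdint>
#include <map>
#include <set>
// Simplified model of the UI-process token registry; not WebKit's code.
using PageID = uint64_t;
using TokenID = uint64_t;

class UserGestureTokenRegistry {
public:
    // UI process records a token when it sends a genuine mouse or key event to a page.
    void recordToken(PageID page, TokenID token) { m_tokensByPage[page].insert(token); }
    // Normal path: the web process reports the token object destroyed. A compromised
    // process can simply never send this message, which is what the fix guards against.
    void didDestroyToken(PageID page, TokenID token) {
        auto it = m_tokensByPage.find(page);
        if (it != m_tokensByPage.end())
            it->second.erase(token);
    }
    // A privileged action (e.g. window.open) presents `token` as proof of a gesture.
    // Succeeds only if the UI process issued that token for that page; on success every
    // token recorded for the page is cleared, so hoarded tokens buy at most one action.
    bool consume(PageID page, TokenID token) {
        auto it = m_tokensByPage.find(page);
        if (it == m_tokensByPage.end() || !it->second.count(token))
            return false;
        m_tokensByPage.erase(it);
        return true;
    }
private:
    std::map<PageID, std::set<TokenID>> m_tokensByPage;
};

// Hoarding scenario: three gestures recorded for page 1, no destroy messages sent,
// then the process tries to spend all three. Only the first action is authorized.
int hoardingScenarioAuthorizedActions() {
    UserGestureTokenRegistry registry;
    for (TokenID t = 1; t <= 3; ++t) registry.recordToken(1, t);
    int authorized = 0;
    for (TokenID t = 1; t <= 3; ++t) authorized += registry.consume(1, t) ? 1 : 0;
    return authorized;
}

// Two windows in one web process: spending page 1's token leaves page 2's usable.
bool otherWindowGestureSurvives() {
    UserGestureTokenRegistry registry;
    registry.recordToken(1, 10);
    registry.recordToken(2, 20);
    return registry.consume(1, 10) && registry.consume(2, 20);
}
```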