[webkit-changes] [WebKit/WebKit] 1bf1b5: Cherry-pick 252432.944 at safari-7614-branch (50b1632...

Chris Dumez noreply at github.com
Thu Jan 26 10:55:03 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1bf1b5844dfcf02db5ae378aedf274146cef4c5a
      https://github.com/WebKit/WebKit/commit/1bf1b5844dfcf02db5ae378aedf274146cef4c5a
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-01-26 (Thu, 26 Jan 2023)

  Changed paths:
    M LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html
    A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt
    A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html
    R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt
    R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html
    A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html
    A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html
    R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html
    R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html
    M LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html
    M Source/WebCore/history/CachedPage.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h
    M Source/WebKit/UIProcess/WebBackForwardList.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm

  Log Message:
  -----------
  Cherry-pick 252432.944 at safari-7614-branch (50b1632f78ae). rdar://104656472

    Tweak back/forward list hijacking prevention logic
    https://bugs.webkit.org/show_bug.cgi?id=248716
    rdar://102923240

    Reviewed by Geoffrey Garen and Ryan Haddad.

    Tweak back/forward list hijacking prevention logic for better protection and to
    align our behavior with Chrome.

    In particular, let's consider this example:
    Yahoo -> Yahoo#a (no user interaction) -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)

    If we're currently on Google#b and navigate backwards:
    - Old behavior: We load Google
    - New behavior: We load Yahoo#a
    The new behavior makes sense since the user feels like they are on Google
    (since Google#a & Google#b happened without user interaction) and the last
    page they viewed before Google was Yahoo#b.

    If we're on Yahoo#a and navigate forwards:
    - Old behavior: We load Google
    - New behavior: We load Google#b
    The new behavior makes sense as a symmetry to the case above.

    Now let's consider this example:
    Yahoo -> Yahoo#a (no user interaction) -> Google

    If we're on Google and navigate backwards:
    - Old behavior: we load Yahoo
    - New behavior: We load Yahoo#a

    Finally, with this example:
    Yahoo -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)

    If we're on Yahoo and navigate forwards:
    - Old behavior: We load Google
    - New behavior: We load Google#b

    This patch also changes the behavior of the popstate event. We used to fire the
    popstate event for navigations that were not within the same document. However,
    this behavior wasn't aligned with the specification [1] or with other browsers.
    The exploit attached to the radar was also relying on this event to hijack the
    back/forward navigation and lock the user on a specific site.
    I updated our code so that the popstate is now only fired for same-document
    navigations and I updated our tests accordingly. I have verified that our
    behavior is consistent with Blink on these new test versions.

    * LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-expected.txt:
    * LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-with-fragment-scroll-expected.txt:
    * LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html:
    * LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt.
    * LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html.
    * LayoutTests/fast/loader/stateobjects/replacestate-in-iframe-expected.txt:
    * LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html: Renamed from LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html.
    * LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html: Added.
    * LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html: Removed.
    * LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html:
    * Source/WebCore/history/CachedPage.cpp:
    (WebCore::firePageShowEvent):
    (WebCore::CachedPage::restore):
    (WebCore::firePageShowAndPopStateEvents): Deleted.
    * Source/WebCore/loader/FrameLoader.cpp:
    (WebCore::FrameLoader::didBeginDocument):
    (WebCore::FrameLoader::transitionToCommitted):
    * Source/WebCore/loader/FrameLoader.h:
    * Source/WebKit/UIProcess/WebBackForwardList.cpp:
    (WebKit::itemSkippingBackForwardItemsAddedByJSWithoutUserGesture):
    * Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
    (runBackForwardNavigationSkipsItemsWithoutUserGestureTest):
    (TEST):
    (runBackForwardNavigationDoesNotSkipItemsWithUserGestureTest):

    Canonical link: https://commits.webkit.org/252432.944@safari-7614-branch

Canonical link: https://commits.webkit.org/259437@main
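
The three histories in the log message above, run through a small model of the old and new skipping rules. This is an added example, not WebKit's code: `HistoryItem`, its `js_without_gesture` flag and the helper names are assumptions standing in for the real back/forward list and the per-item "added by JS without user gesture" state that `itemSkippingBackForwardItemsAddedByJSWithoutUserGesture` consults.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HistoryItem:
    url: str
    # True for an entry created by script (pushState / fragment change)
    # without a user gesture; the log message calls these "no user interaction".
    js_without_gesture: bool = False

def old_target(items, current: int, direction: int) -> Optional[int]:
    """Pre-patch model: step in `direction`, skipping gesture-less entries."""
    i = current + direction
    while 0 <= i < len(items) and items[i].js_without_gesture:
        i += direction
    return i if 0 <= i < len(items) else None

def group_bounds(items, index: int):
    """A group is one user-initiated entry plus the gesture-less entries script
    appended after it; the user perceives the whole group as a single page."""
    start = index
    while start > 0 and items[start].js_without_gesture:
        start -= 1
    end = index
    while end + 1 < len(items) and items[end + 1].js_without_gesture:
        end += 1
    return start, end

def new_target(items, current: int, direction: int) -> Optional[int]:
    """Post-patch model: leave the whole current group and land on the last
    entry of the neighbouring group, symmetrically for back and forward."""
    start, end = group_bounds(items, current)
    if direction < 0:
        return start - 1 if start > 0 else None
    if end + 1 >= len(items):
        return None
    return group_bounds(items, end + 1)[1]

def navigate(items, current: int, direction: int):
    """Return (old_behavior_url, new_behavior_url) for back (-1) / forward (+1)."""
    old, new = old_target(items, current, direction), new_target(items, current, direction)
    return (items[old].url if old is not None else None,
            items[new].url if new is not None else None)

# Constructed histories matching the three examples in the log message.
EXAMPLE_1 = [HistoryItem("Yahoo"), HistoryItem("Yahoo#a", True), HistoryItem("Google"),
             HistoryItem("Google#a", True), HistoryItem("Google#b", True)]
EXAMPLE_2 = EXAMPLE_1[:3]                     # Yahoo -> Yahoo#a -> Google
EXAMPLE_3 = [HistoryItem("Yahoo")] + EXAMPLE_1[2:]  # Yahoo -> Google -> Google#a -> Google#b
```

`navigate(EXAMPLE_1, 4, -1)` returns `('Google', 'Yahoo#a')`, reproducing the first old/new pair in the message; a page that pads the list with gesture-less entries can no longer keep the user on itself under the new rule.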
