[webkit-changes] [WebKit/WebKit] 129492: WebKit applies dynamic sandbox flags on failed nav...

Pascoe noreply at github.com
Mon Oct 9 13:55:49 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1294929f7ff20abdc681ae2e5555273e4639004a
      https://github.com/WebKit/WebKit/commit/1294929f7ff20abdc681ae2e5555273e4639004a
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentLoader.h

  Log Message:
  -----------
  WebKit applies dynamic sandbox flags on failed navigation
https://bugs.webkit.org/show_bug.cgi?id=259099
rdar://112044768

Reviewed by Alex Christensen.

In case of stopped navigation or failed navigation, we were sandboxing the current document.
The current document was thus running but in a different configuration.
Other browsers create a new document in that case, Firefox with the request URL and Chrome with a special error scheme URL.
To limit the scope of changes, we are now creating a new error document, which is empty, and are sandboxing this new document.
This gets us closer to Firefox and Safari.
We are still calling the fail delegate in case the application wants to do additional handling on this document.

* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py: Added.
(main):
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
(WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
(WebCore::DocumentLoader::loadErrorDocument):
* Source/WebCore/loader/DocumentLoader.h:

Originally-landed-as: 265870.62 at safari-7616-branch (4fc1843e1263). rdar://116425228
Canonical link: https://commits.webkit.org/269105@main


  Commit: a5dec2a6471d8212558d030e733681803ea0b3fe
      https://github.com/WebKit/WebKit/commit/a5dec2a6471d8212558d030e733681803ea0b3fe
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A JSTests/stress/typed-array-extends.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

  Log Message:
  -----------
  [JSC] TypedArray setFromArrayLike condition is wrong
https://bugs.webkit.org/show_bug.cgi?id=259268
rdar://112387533

Reviewed by Mark Lam.

The condition is opposite. This patch fixes it with the test.

* JSTests/stress/typed-array-extends.js: Added.
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):

Originally-landed-as: 265870.128 at safari-7616-branch (e4cc04578783). rdar://116425595
Canonical link: https://commits.webkit.org/269106@main


  Commit: 19642719bec427c59771fdb0c90bc9980129406a
      https://github.com/WebKit/WebKit/commit/19642719bec427c59771fdb0c90bc9980129406a
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A LayoutTests/workers/empty-post-message-service-workers-crash-expected.txt
    A LayoutTests/workers/empty-post-message-service-workers-crash.html
    A LayoutTests/workers/empty-post-message-service-workers-crash.js
    M Source/WebCore/workers/WorkerScriptLoader.h
    M Source/WebCore/workers/WorkerScriptLoaderClient.h

  Log Message:
  -----------
  Fix UAF in WorkerScriptLoader::didReceiveResponse
https://bugs.webkit.org/show_bug.cgi?id=259278
rdar://109722407

Reviewed by Chris Dumez and David Kilzer.

This change adopts WeakPtrs for WorkerScriptLoaderClient, thereby fixing
the UAF which happens when m_client goes away when the callback passed
to swConnection.matchRegistration is invoked.

* LayoutTests/workers/empty-post-message-service-workers-crash-expected.txt: Added.
* LayoutTests/workers/empty-post-message-service-workers-crash.html: Added.
* LayoutTests/workers/empty-post-message-service-workers-crash.js: Added.
(onmessage):
* Source/WebCore/workers/WorkerScriptLoader.h:
* Source/WebCore/workers/WorkerScriptLoaderClient.h:

Originally-landed-as: 265870.130 at safari-7616-branch (6b1737e3545c). rdar://116425737
Canonical link: https://commits.webkit.org/269107@main
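The WeakPtr fix described in this commit, as an added example that is not WebKit's code: a loader that captures a raw pointer to its client beside one that holds a weak reference, with the asynchronous matchRegistration reply modelled as a deferred callback queue that may run after the client is destroyed. All names (Client, RawPointerLoader, WeakPointerLoader, PendingCallbacks) are assumptions, and std::weak_ptr stands in for WebKit's WeakPtr.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Stand-in for the asynchronous reply to swConnection.matchRegistration: callbacks
// are queued now and run later, possibly after the client object is gone.
using PendingCallbacks = std::vector<std::function<void()>>;
struct Client { int responsesSeen = 0; };

// Buggy shape (hypothetical, modelled on the bug above): the loader captures a raw
// pointer, so a callback that runs after the client is destroyed writes freed memory.
class RawPointerLoader {
public:
    explicit RawPointerLoader(Client* client) : m_client(client) {}
    void load(PendingCallbacks& queue) {
        queue.push_back([client = m_client] { client->responsesSeen++; }); // dangling: UAF
    }
private:
    Client* m_client;
};

// Fixed shape: hold a weak reference and deliver only while the client still exists.
class WeakPointerLoader {
public:
    explicit WeakPointerLoader(const std::shared_ptr<Client>& client) : m_client(client) {}
    void load(PendingCallbacks& queue) {
        queue.push_back([weakClient = m_client] {
            if (auto client = weakClient.lock()) // empty once the client was destroyed
                client->responsesSeen++;
        });
    }
private:
    std::weak_ptr<Client> m_client;
};

// Queues a load with the fixed loader, optionally destroys the client first (the
// crash ordering from the bug), then runs the reply. Returns responses delivered.
int responsesDeliveredSafely(bool destroyClientFirst) {
    auto client = std::make_shared<Client>();
    std::weak_ptr<Client> observer = client; // lets the caller read the count afterwards
    WeakPointerLoader loader(client);
    PendingCallbacks queue;
    loader.load(queue);
    if (destroyClientFirst)
        client.reset();                      // client gone before the reply arrives
    for (auto& callback : queue)
        callback();                          // safe in both orderings
    auto live = observer.lock();
    return live ? live->responsesSeen : 0;
}
```

Only the weak-reference loader is exercised; the raw-pointer variant is shown for contrast and must not be run in the destroy-first ordering, since that dereference is the use-after-free.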


  Commit: 65f6eb50727a9f91a15f35f0971e26ba5b858391
      https://github.com/WebKit/WebKit/commit/65f6eb50727a9f91a15f35f0971e26ba5b858391
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
    A LayoutTests/http/tests/security/resources/xslt2.py
    A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
    A LayoutTests/http/tests/security/xslt-external-entity.html
    A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
    A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
    M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Check if external entity loads from libxslt are allowed before loading them
https://bugs.webkit.org/show_bug.cgi?id=259235
rdar://111457167

Reviewed by David Kilzer.

Otherwise tricky use of libxslt can make arbitrary file loads to files allowed by the
web content process's sandbox.  We should limit it to what the current security origin
can request.

Monterey has an older version of libxml2 which fails differently in this case.
Tests exist that verify that allowed external entities are still allowed.
The important thing is that the contents of the files are not in the Monterey test expectations.

* LayoutTests/http/tests/security/resources/xslt-external-entity.svg: Added.
* LayoutTests/http/tests/security/resources/xslt2.py: Added.
* LayoutTests/http/tests/security/xslt-external-entity-expected.txt: Added.
* LayoutTests/http/tests/security/xslt-external-entity.html: Added.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::shouldAllowExternalLoad):
(WebCore::entityLoader):
(WebCore::initializeXMLParser):

Originally-landed-as: 265870.131 at safari-7616-branch (d2e39548861d). rdar://116425810
Canonical link: https://commits.webkit.org/269108@main


  Commit: 29f66ed8b60d011f66c423fa9bee7882381dab7c
      https://github.com/WebKit/WebKit/commit/29f66ed8b60d011f66c423fa9bee7882381dab7c
  Author: J Pascoe <j_pascoe at apple.com>
  Date:   2023-10-09 (Mon, 09 Oct 2023)

  Changed paths:
    M Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm

  Log Message:
  -----------
  [WebAuthn] Pass correct origin as parent and display as RegistrableDomain
https://bugs.webkit.org/show_bug.cgi?id=258165
rdar://110863705

Reviewed by Chris Dumez.

We passed the wrong domain as the parent origin here. This patch fixes it and also changes
the format to just the registrable domain to match how the other domain is shown.

* Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp:
(WebCore::CredentialsContainer::scopeAndCrossOriginParent const):
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
(WebKit::configureAssertionOptions):

Originally-landed-as: 265870.134 at safari-7616-branch (54fe9f25d668). rdar://116425892
Canonical link: https://commits.webkit.org/269109@main


Compare: https://github.com/WebKit/WebKit/compare/089727e3a24a...29f66ed8b60d

