[webkit-changes] [WebKit/WebKit] a1ba00: Cherry-pick 267558 at main (ade70bdb664e). https://bu...

Richard Robinson noreply at github.com
Tue Sep 26 11:17:56 PDT 2023


  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: a1ba00c549074c0bbd4f490be8d70fbac2138c31
      https://github.com/WebKit/WebKit/commit/a1ba00c549074c0bbd4f490be8d70fbac2138c31
  Author: Michael Catanzaro <mcatanzaro at redhat.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Tools/Scripts/webkitpy/common/checkout/checkout.py

  Log Message:
  -----------
  Cherry-pick 267558 at main (ade70bdb664e). https://bugs.webkit.org/show_bug.cgi?id=260729

    SyntaxWarning when running 'git-webkit pr'
    https://bugs.webkit.org/show_bug.cgi?id=260729

    Reviewed by Jonathan Bedard.

    The backslashes here are python string escapes, but they were intended
    to be regex escapes. Each \ would need to be replaced with \\ for them
    to function as regex escapes. We can use raw string notation to avoid
    this problem.

    * Tools/Scripts/webkitpy/common/checkout/checkout.py:
    (Checkout):

    Canonical link: https://commits.webkit.org/267558@main


  Commit: bc7c7e0a9d2b08caf825fe46d1d43fdee9993634
      https://github.com/WebKit/WebKit/commit/bc7c7e0a9d2b08caf825fe46d1d43fdee9993634
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/iso/ISOBox.cpp

  Log Message:
  -----------
  Cherry-pick 265870.2 at safari-7616-branch (dfdca2cf04a5). https://bugs.webkit.org/show_bug.cgi?id=258712

    Crash in Vector::expandCapacity; WebCore::ISOFairPlayStreamingKeyContextBox::parse()
    https://bugs.webkit.org/show_bug.cgi?id=258712
    rdar://111171940

    Reviewed by Youenn Fablet.

    In a number of cases, malformed or malicious boxes claim to have a size much larger
    than the memory passed to the parser. Cap the m_size parameter to the remaining size
    of the memory buffer to avoid situations where we attempt to create a vector big
    enough to hold MAX_INT entries.

    * Source/WebCore/platform/graphics/iso/ISOBox.cpp:
    (WebCore::ISOBox::peekBox):
    (WebCore::ISOBox::parse):

    Canonical link: https://commits.webkit.org/265870.2@safari-7616-branch


  Commit: 2a769cb485605844994aef802f032a9bb1dd3690
      https://github.com/WebKit/WebKit/commit/2a769cb485605844994aef802f032a9bb1dd3690
  Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A LayoutTests/security/clip-invalid-rect-2-expected.txt
    A LayoutTests/security/clip-invalid-rect-2.html
    A LayoutTests/security/clip-invalid-rect-expected.txt
    A LayoutTests/security/clip-invalid-rect.html
    M Source/WebCore/platform/graphics/IntRect.cpp
    M Source/WebCore/platform/graphics/IntRect.h
    M Source/WebKit/Shared/EditorState.cpp
    M Source/WebKit/Shared/EditorState.h
    M Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm

  Log Message:
  -----------
  Cherry-pick 265870.4 at safari-7616-branch (cfccd68b8bb2). https://bugs.webkit.org/show_bug.cgi?id=258222

    IPC deserialization: Clip IntRect rather than fail to decode entirely
    https://bugs.webkit.org/show_bug.cgi?id=258222
    rdar://109925899
    Reviewed by Chris Dumez.

    We hardened IntRect decoding by using IntRect::isValid as a validator in
    262412 at main, however this has the inadvertent effect of terminating a
    sending process if it sends a degenerately large IntRect (i.e. one that
    overflows at x + width or y + height and thus fails IntRect::isValid).

    The messages with degenerate rects responsible for recently reported
    deserialization crashes are namely `WebPageProxy::RootViewToScreen`,
    `WebPageProxy::EditorStateChanged`,
    `RemoteLayerTreeDrawingAreaProxy::CommitLayerTree`, and
    `WebPageProxy::MouseDidMoveOverElement`. In this patch, we suggest
    clipping the IntRect at the IPC sender call-site, thereby avoiding
    overflow issues and not crashing the sending process. For the
    `EditorState` case, it makes more sense to sanitize the owned rects in
    `WebPage::editorState()`, which is a layer before the IPC sender
    call-site.

    * LayoutTests/security/clip-invalid-rect-expected.txt: Added.
    * LayoutTests/security/clip-invalid-rect.html: Added.
    * LayoutTests/security/clip-invalid-rect-2-expected.txt: Added.
    * LayoutTests/security/clip-invalid-rect-2.html: Added.
    Layout tests that crash trying to decode degenerate IntRect messages.

    * Source/WebCore/platform/graphics/IntRect.cpp:
    (WebCore::IntRect::toRectWithExtentsClippedToNumericLimits const):
    * Source/WebCore/platform/graphics/IntRect.h:
    Add a function that returns an IntRect with clipped size such that there
    is no int32_t overflow at x + width or y + height.

    * Source/WebKit/Shared/EditorState.cpp:
    * Source/WebKit/Shared/EditorState.h:
    (WebKit::EditorState::clipOwnedRectExtentsToNumericLimits):
    Add a function that performs clipping of the rects owned by an EditorState
    object.

    * Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp:
    Drive-by fix to improve readability of a conditional directive.

    * Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp:
    (WebKit::WebChromeClient::mouseDidMoveOverElement):
    Perform `IntRect` clipping before sending a `MouseDidMoveOverElement` IPC
    message.

    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::editorState const):
    Perform `IntRect` clipping for all the rects owned by an EditorState,
    thus sanitizing both the `EditorStateChanged` and the `CommitLayerTree`
    IPC messages.
    (WebKit::WebPage::rootViewToScreen):
    Perform `IntRect` clipping before sending a `RootViewToScreen` IPC
    message.

    * Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm:
    (WebKit::WebPage::performImmediateActionHitTestAtLocation):
    Perform `IntRect` clipping before sending a `MouseDidMoveOverElement` IPC
    message.

    Canonical link: https://commits.webkit.org/265870.4@safari-7616-branch
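
As an added illustration of the sender-side clipping this commit describes (this is not WebKit's code; `IntRect`, `isValid`, `toRectWithExtentsClippedToNumericLimits`, `decodeRect` and `sendRect` are simplified stand-ins, and treating a negative size as invalid is an assumption made here), the following shows why an unclipped rect trips the hardened decoder and how clipping at the sender keeps the message decodable:

```cpp
// Added example, not WebKit code. A rect whose x + width or y + height
// overflows int32_t fails the receiver's validity check; clipping the extents
// at the sender avoids that without terminating the sending process.
#include <climits>
#include <cstdint>
#include <cstdio>
#include <optional>

struct IntRect {
    int x, y, width, height;
};

// Validity as the log describes it: x + width and y + height must not overflow
// int32_t. Negative sizes are treated as invalid here (assumption).
bool isValid(const IntRect& r) {
    if (r.width < 0 || r.height < 0)
        return false;
    return int64_t(r.x) + r.width <= INT_MAX && int64_t(r.y) + r.height <= INT_MAX;
}

// Shrinks width/height just enough that the rect passes isValid; the position
// is left alone. The comparisons are done in 64 bits so the check itself
// cannot overflow.
IntRect toRectWithExtentsClippedToNumericLimits(IntRect r) {
    if (r.width < 0) r.width = 0;
    if (r.height < 0) r.height = 0;
    if (int64_t(r.x) + r.width > INT_MAX)
        r.width = int(INT_MAX - int64_t(r.x));
    if (int64_t(r.y) + r.height > INT_MAX)
        r.height = int(INT_MAX - int64_t(r.y));
    return r;
}

// Receiver side: a decoder that validates the way the hardened IPC decoder
// does. Returning nullopt stands for the failed validation that terminates
// the sending process.
std::optional<IntRect> decodeRect(const IntRect& wire) {
    if (!isValid(wire))
        return std::nullopt;
    return wire;
}

// Sender side after the fix: clip before sending, so the receiver never
// rejects. Returns whether the receiver accepted the rect.
bool sendRect(const IntRect& r) {
    return decodeRect(toRectWithExtentsClippedToNumericLimits(r)).has_value();
}

int main() {
    IntRect degenerate{INT_MAX - 10, 5, 100, 50};   // constructed: x + width overflows
    std::printf("unclipped valid=%d, clipped accepted=%d\n",
                isValid(degenerate), sendRect(degenerate));
    return 0;
}
```

The clipped width for the constructed rect is 10, the largest value for which `x + width` still fits in an `int32_t`; a rect with a negative origin and maximal sizes is already valid and is returned unchanged.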


  Commit: 5507f062339a4cc5acfd754ad45d92dc3f72e47b
      https://github.com/WebKit/WebKit/commit/5507f062339a4cc5acfd754ad45d92dc3f72e47b
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebCore/html/ImageBitmap.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/loader/cache/CachedImage.h
    M Source/WebCore/platform/graphics/BitmapImage.cpp
    M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
    M Source/WebCore/platform/graphics/Image.cpp
    M Source/WebCore/platform/graphics/Image.h
    M Source/WebCore/platform/graphics/ImageObserver.h
    M Source/WebCore/platform/graphics/ImageSource.cpp
    M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
    M Source/WebCore/svg/graphics/SVGImage.cpp
    M Source/WebCore/svg/graphics/SVGImageClients.h
    M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp

  Log Message:
  -----------
  Cherry-pick 265870.5 at safari-7616-branch (a06556a11b58). https://bugs.webkit.org/show_bug.cgi?id=258712

    Crash under SVGImageChromeClient::invalidateContentsAndRootView()
    https://bugs.webkit.org/show_bug.cgi?id=258992
    rdar://111456803

    Reviewed by David Kilzer.

    Do hardening by deploying WeakPtr instead of raw pointers for
    SVGImage and ImageObserver. Also make it so that we can ref
    an ImageObserver.

    * Source/WebCore/html/ImageBitmap.cpp:
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
    (WebCore::CanvasRenderingContext2DBase::drawImage):
    * Source/WebCore/loader/cache/CachedImage.h:
    * Source/WebCore/platform/graphics/BitmapImage.cpp:
    (WebCore::BitmapImage::draw):
    (WebCore::BitmapImage::drawPattern):
    (WebCore::BitmapImage::internalAdvanceAnimation):
    (WebCore::BitmapImage::imageFrameAvailableAtIndex):
    * Source/WebCore/platform/graphics/GraphicsContextGL.cpp:
    (WebCore::GraphicsContextGL::packImageData):
    * Source/WebCore/platform/graphics/Image.cpp:
    (WebCore::Image::imageObserver const):
    (WebCore::Image::setImageObserver):
    (WebCore::Image::drawPattern):
    * Source/WebCore/platform/graphics/Image.h:
    (WebCore::Image::imageObserver const): Deleted.
    (WebCore::Image::setImageObserver): Deleted.
    * Source/WebCore/platform/graphics/ImageObserver.h:
    (WebCore::ImageObserver::ref):
    (WebCore::ImageObserver::deref):
    * Source/WebCore/platform/graphics/ImageSource.cpp:
    (WebCore::ImageSource::encodedDataStatusChanged):
    (WebCore::ImageSource::decodedSizeChanged):
    * Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp:
    (WebCore::PDFDocumentImage::decodedSizeChanged):
    (WebCore::PDFDocumentImage::draw):
    * Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:
    (WebCore::TextureMapperTiledBackingStore::updateContentsFromImageIfNeeded):
    * Source/WebCore/svg/graphics/SVGImage.cpp:
    (WebCore::SVGImage::drawForContainer):
    (WebCore::SVGImage::nativeImage):
    (WebCore::SVGImage::draw):
    (WebCore::SVGImage::dataChanged):
    * Source/WebCore/svg/graphics/SVGImageClients.h:
    * Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp:
    (TestWebKitAPI::TestImageObserver::create):
    (TestWebKitAPI::TEST):

    Canonical link: https://commits.webkit.org/265870.5@safari-7616-branch


  Commit: 54e418233bd6cd115d56650109dfee8861ea3ac7
      https://github.com/WebKit/WebKit/commit/54e418233bd6cd115d56650109dfee8861ea3ac7
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/iso/ISOVTTCue.cpp

  Log Message:
  -----------
  Cherry-pick 265870.7 at safari-7616-branch (591d9d68abe9). https://bugs.webkit.org/show_bug.cgi?id=258677

    Crash due to massive allocation in ISOStringBox::parse()
    https://bugs.webkit.org/show_bug.cgi?id=258677
    rdar://111171885

    Reviewed by Eric Carlson.

    A malformed or malicious box may report an m_size larger than
    the memory passed into the parser. In this case, do not attempt
    to create a larger destination than is available in the source
    buffer.

    * Source/WebCore/platform/graphics/iso/ISOVTTCue.cpp:

    Canonical link: https://commits.webkit.org/265870.7@safari-7616-branch
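
The two ISO box commits above (ISOBox::parse and ISOStringBox::parse) describe the same mitigation: never trust a box's declared size as an allocation size; clamp it to what the buffer actually holds. The following is an added example of that pattern and is not WebKit's parser; `BoxHeader`, `peekBox`, `payloadLength`, `boxPayload` and `makeBox` are names chosen here, and the sample box bytes are constructed:

```cpp
// Added example, not WebKit code: an ISO BMFF box header reader that clamps the
// declared size to the bytes remaining in the buffer, so a box claiming
// 0xFFFFFFFF bytes can never drive a multi-gigabyte allocation.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

struct BoxHeader {
    uint64_t declaredSize;  // size field as written in the data (untrusted)
    size_t effectiveSize;   // declaredSize clamped to the bytes remaining
    size_t headerSize;      // 8, or 16 when a 64-bit "largesize" is present
    std::string type;       // four-character box type
    bool truncated;         // true when declaredSize exceeded the buffer
};

// Big-endian 32-bit read; the caller has already checked the bounds.
static uint32_t readU32(const std::vector<uint8_t>& data, size_t offset) {
    return (uint32_t(data[offset]) << 24) | (uint32_t(data[offset + 1]) << 16)
         | (uint32_t(data[offset + 2]) << 8) | uint32_t(data[offset + 3]);
}

// Reads the box header at `offset`. Returns nullopt if the header itself does
// not fit. effectiveSize never exceeds data.size() - offset.
std::optional<BoxHeader> peekBox(const std::vector<uint8_t>& data, size_t offset) {
    if (offset > data.size() || data.size() - offset < 8)
        return std::nullopt;
    const size_t remaining = data.size() - offset;
    uint64_t declared = readU32(data, offset);
    std::string type(reinterpret_cast<const char*>(data.data() + offset + 4), 4);
    size_t headerSize = 8;
    if (declared == 1) {             // 64-bit largesize follows the type field
        if (remaining < 16)
            return std::nullopt;
        declared = (uint64_t(readU32(data, offset + 8)) << 32) | readU32(data, offset + 12);
        headerSize = 16;
    } else if (declared == 0) {      // 0 means "box extends to the end of the data"
        declared = remaining;
    }
    const bool truncated = declared > remaining;
    size_t effective = truncated ? remaining : static_cast<size_t>(declared);
    if (effective < headerSize)      // a size smaller than its own header is malformed
        effective = headerSize;
    return BoxHeader{declared, effective, headerSize, type, truncated};
}

// Payload bytes actually available for the box body; safe as an allocation size.
size_t payloadLength(const BoxHeader& h) { return h.effectiveSize - h.headerSize; }

// Copies the payload out; the destination is sized from the clamped value only.
std::vector<uint8_t> boxPayload(const std::vector<uint8_t>& data, size_t offset, const BoxHeader& h) {
    const uint8_t* start = data.data() + offset + h.headerSize;
    return std::vector<uint8_t>(start, start + payloadLength(h));
}

// Constructed sample input: a box with the given 32-bit size field, type and
// `payloadBytes` bytes of body. A size field larger than the real box mimics
// the malformed input the commits describe.
std::vector<uint8_t> makeBox(uint32_t sizeField, const char* type, size_t payloadBytes) {
    std::vector<uint8_t> box = { uint8_t(sizeField >> 24), uint8_t(sizeField >> 16),
                                 uint8_t(sizeField >> 8), uint8_t(sizeField) };
    box.insert(box.end(), type, type + 4);
    box.insert(box.end(), payloadBytes, uint8_t(0xAB));
    return box;
}

int main() {
    auto hostile = makeBox(0xFFFFFFFF, "fpsk", 8);   // claims ~4 GiB, holds 16 bytes
    auto h = peekBox(hostile, 0);
    std::printf("declared=%llu effective=%zu truncated=%d payload=%zu\n",
                (unsigned long long)h->declaredSize, h->effectiveSize, int(h->truncated),
                payloadLength(*h));
    return 0;
}
```

The `truncated` flag is kept on the header so a caller can decide whether to log, reject or parse what is there; the point of the clamp is only that the size used for allocation is bounded by the input length.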


  Commit: a209cbf453978e3ea809d36f684a36f36ff301c5
      https://github.com/WebKit/WebKit/commit/a209cbf453978e3ea809d36f684a36f36ff301c5
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebCore/fileapi/BlobURL.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp

  Log Message:
  -----------
  Cherry-pick 265870.8 at safari-7616-branch (551b1fd24102). https://bugs.webkit.org/show_bug.cgi?id=258712

    Fix stack-overflow when dealing with blobURL(s)
    https://bugs.webkit.org/show_bug.cgi?id=258895
    rdar://111440239

    Reviewed by Chris Dumez.

    This change fixes the stack overflow when checking for whether a blobURL
    is secure.

    * Source/WebCore/fileapi/BlobURL.cpp:
    (WebCore::BlobURL::isSecureBlobURL):
    * Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
    (TestWebKitAPI::TEST_F):

    Canonical link: https://commits.webkit.org/265870.8@safari-7616-branch


  Commit: a1b5274d71894ff84cc2bb0348f298d449e853a9
      https://github.com/WebKit/WebKit/commit/a1b5274d71894ff84cc2bb0348f298d449e853a9
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt
    A LayoutTests/storage/indexeddb/memory-backing-store-crash.html
    M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp

  Log Message:
  -----------
  Cherry-pick 265870.9 at safari-7616-branch (d372d5ed86fe). https://bugs.webkit.org/show_bug.cgi?id=258583

    Fix heap-use-after-free MemoryIDBBackingStore
    https://bugs.webkit.org/show_bug.cgi?id=258583
    rdar://109095466

    Reviewed by Brady Eidson.

    We delete the object store in MemoryIDBBackingStore::deleteObjectStore
    but can still end up dereferencing the dangling pointer in
    MemoryBackingStoreTransaction::abort when going through
    m_originalObjectStoreNames. This change removes the deleted object
    store's pointer from m_originalObjectStoreNames so we don't hold on to
    anything we shouldn't de-reference, and hence fixes the heap
    use-after-free.

    * Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp:
    (WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
    * LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt: Added.
    * LayoutTests/storage/indexeddb/memory-backing-store-crash.html: Added.

    Canonical link: https://commits.webkit.org/265870.9@safari-7616-branch


  Commit: c7ccfd79e9f0876f38dd0254e12d0d56c38291e8
      https://github.com/WebKit/WebKit/commit/c7ccfd79e9f0876f38dd0254e12d0d56c38291e8
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick 265870.10 at safari-7616-branch (b5aa6d4342b7). https://bugs.webkit.org/show_bug.cgi?id=257732

    Data Isolation/PSON bypass due to UI-side PageLoadState state-machine relying on data which is distinct from that used to make Policy/Network Load decisions
    https://bugs.webkit.org/show_bug.cgi?id=257732
    rdar://107186055

    Reviewed by Chris Dumez.

    When `didStartProvisionalLoadForFrame` is called, pageLoadState is updated to store the provisional URL
    with a value passed from the web process. This URL is later consulted in `processForNavigationInternal`
    when determining if the navigation is same-site. Since this URL is coming from the web process, we
    should verify that the URL has not been changed from when it was set on the navigation object in
    `decidePolicyForNavigationAction`.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::didStartProvisionalLoadForFrameShared):

    Canonical link: https://commits.webkit.org/265870.10@safari-7616-branch


  Commit: 49fd39707ef6baa9813429ae65b8dd90bf63235c
      https://github.com/WebKit/WebKit/commit/49fd39707ef6baa9813429ae65b8dd90bf63235c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick 265870.12 at safari-7616-branch (3f548e40249b). https://bugs.webkit.org/show_bug.cgi?id=259111

    MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
    https://bugs.webkit.org/show_bug.cgi?id=259111
    rdar://112058151

    Reviewed by Brent Fulgham.

    MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
    as hardening, the same way we already do for urlString.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::backForwardAddItemShared):

    Canonical link: https://commits.webkit.org/265870.12@safari-7616-branch


  Commit: a9b939ea6c6bf2128ef67b017b9298efa3e17137
      https://github.com/WebKit/WebKit/commit/a9b939ea6c6bf2128ef67b017b9298efa3e17137
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt
    A LayoutTests/fast/multicol/crash-when-legend-is-present.html
    M Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp

  Log Message:
  -----------
  Cherry-pick 265870.61 at safari-7616-branch (9ff2ba06a74f). https://bugs.webkit.org/show_bug.cgi?id=258675

    Legends could be valid non-spanner siblings of RenderMultiColumnSet
    https://bugs.webkit.org/show_bug.cgi?id=258675
    <rdar://111221306>

    Reviewed by Antti Koivisto.

    We usually construct one RenderMultiColumnSet renderer for a multi-column context.

    e.g:
    <div style="column-count: 2">
      <div></div>
      <div></div>
      <div></div>
    </div>

    generates the following render tree structure:

    DIV RenderBlockFlow
      RenderMultiColumnFlowThread
        DIV RenderBlockFlow
        DIV RenderBlockFlow
        DIV RenderBlockFlow
      RenderMultiColumnSet

    We also construct RenderMultiColumnSets for column spanners
    e.g.
    <div style="column-count: 2">
      <div style="column-span: all"></div>
      <div></div>
      <div></div>
    </div>

    where the spanner is moved out of the column context indicating it spans all the columns

    DIV RenderBlockFlow
      RenderMultiColumnFlowThread
        RenderMultiColumnSpannerPlaceholder (this is the <div>'s original insertion point)
        DIV RenderBlockFlow
        DIV RenderBlockFlow
      RenderMultiColumnSet
      DIV RenderBlockFlow (moved out column spanner)
      RenderMultiColumnSet

    However since <legend> does not participate in multi-column, it does _not_ get moved under RenderMultiColumnFlowThread when constructing the multi-column context
    and ends up being a sibling of the RenderMultiColumnSet.

    e.g.

    FIELDSET RenderFieldSet
      RenderMultiColumnFlowThread
        RenderBlock
      RenderMultiColumnSet
      LEGEND RenderBlock

    and later it gets mistaken for a column spanner and as the result we construct a redundant RenderMultiColumnSet.

    This patch handles this case by checking against legend siblings.

    * LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt: Added.
    * LayoutTests/fast/multicol/crash-when-legend-is-present.html: Added.
    * Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:
    (WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):

    Canonical link: https://commits.webkit.org/265870.61@safari-7616-branch


  Commit: 6d8e0fd1a83ae35c994de35823d47ccb10b5252f
      https://github.com/WebKit/WebKit/commit/6d8e0fd1a83ae35c994de35823d47ccb10b5252f
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentLoader.h

  Log Message:
  -----------
  Cherry-pick 265870.62 at safari-7616-branch (4fc1843e1263). https://bugs.webkit.org/show_bug.cgi?id=259099

    WebKit applies dynamic sandbox flags on failed navigation
    https://bugs.webkit.org/show_bug.cgi?id=259099
    rdar://112044768

    Reviewed by Alex Christensen.

    In case of stopped navigation or failed navigation, we were sandboxing the current document.
    The current document was thus running but in a different configuration.
    Other browsers create a new document in that case, Firefox with the request URL and Chrome with a special error scheme URL.
    To limit the scope of changes, we are now creating a new error document, which is empty, and are sandboxing this new document.
    This gets us closer to Firefox and Safari.
    We are still calling the fail delegate in case the application wants to do additional handling on this document.

    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt: Added.
    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html: Added.
    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html: Added.
    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py: Added.
    (main):
    * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::willSendRequest):
    (WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
    (WebCore::DocumentLoader::loadErrorDocument):
    * Source/WebCore/loader/DocumentLoader.h:

    Canonical link: https://commits.webkit.org/265870.62@safari-7616-branch


  Commit: 207618aee18e51c952e967096ad6dcaee0bb3f75
      https://github.com/WebKit/WebKit/commit/207618aee18e51c952e967096ad6dcaee0bb3f75
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/referer-header-stripped.js
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed.html
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigation_download_block_downloads.sub.tentative-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_window_open_download_allow_downloads.tentative-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigation_download_block_downloads.sub.tentative-expected.txt
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/dom/SecurityContext.cpp
    M Source/WebCore/dom/SecurityContext.h
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/PolicyChecker.cpp
    M Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
    M Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
    M Tools/WebKitTestRunner/InjectedBundle/TestRunner.h
    M Tools/WebKitTestRunner/TestController.cpp
    M Tools/WebKitTestRunner/TestController.h
    M Tools/WebKitTestRunner/TestInvocation.cpp

  Log Message:
  -----------
  Cherry-pick 265870.84 at safari-7616-branch (9d46b7777bca). https://bugs.webkit.org/show_bug.cgi?id=259155

    Add support for the `allow-downloads` iframe sandbox attribute
    https://bugs.webkit.org/show_bug.cgi?id=259155
    rdar://109414664

    Reviewed by Brent Fulgham.

    Add support for the `allow-downloads` iframe sandbox attribute so that downloads
    are now forbidden by default in sandboxed iframes and this attribute is required
    to allow them. This aligns our behavior with Chrome and Firefox.

    * LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-expected.txt: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-expected.txt: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener-expected.txt: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener.html: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup.html: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-allowed.html: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed-expected.txt: Added.
    * LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed.html: Added.
    Add layout test coverage.

    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative-expected.txt:
    Rebaseline due to more PASS lines. I investigated the remaining failure and confirmed that no download is actually occurring for any of the subtests, as expected.
    I see our code cancelling the NetworkDataTask. However, the test doesn't seem to detect the stream closing. It may be an issue at the CFNetwork level.

    * Source/WebCore/dom/SecurityContext.cpp:
    (WebCore::SecurityContext::isSupportedSandboxPolicy):
    (WebCore::SecurityContext::parseSandboxPolicy):
    * Source/WebCore/dom/SecurityContext.h:
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::continueAfterContentPolicy):
    * Source/WebCore/loader/PolicyChecker.cpp:
    (WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy):
    (WebCore::FrameLoader::PolicyChecker::checkNewWindowPolicy):

    * Tools/WebKitTestRunner/TestController.cpp:
    (WTR::TestController::decidePolicyForNavigationResponse):
    Update WebKitTestRunner to trigger a download when a resource response contains
    `Content-Disposition: attachment`, similarly to what a browser would do and what
    WPT tests expect. By default, we would only trigger a download if the mime type
    couldn't be displayed. However, iframe_sandbox_anchor_download_block_downloads.tentative.html
    WPT test uses both a `Content-Disposition: attachment` HTTP header and a displayable
    MIME type and rightly expects a download.

    Canonical link: https://commits.webkit.org/265870.84@safari-7616-branch
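
As an added example of the default-deny structure this change describes (every sandbox restriction on until an `allow-*` token clears it, with `allow-downloads` now required for downloads), here is a small sandbox-attribute parser. It is not WebKit's `SecurityContext::parseSandboxPolicy`; the flag names and bit values, `parseSandboxPolicy`, `downloadsAllowed` and `scriptsAllowed` are hypothetical, and the token list is a subset of the real attribute vocabulary:

```cpp
// Added example, not WebKit code. Sandbox flags start fully restricted and each
// recognised allow-* token clears exactly one restriction. Token matching is
// ASCII case-insensitive and unknown tokens are ignored, as HTML specifies.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <string_view>
#include <vector>

enum SandboxFlag : uint32_t {
    SandboxNone          = 0,
    SandboxNavigation    = 1u << 0,
    SandboxPlugins       = 1u << 1,
    SandboxOrigin        = 1u << 2,
    SandboxForms         = 1u << 3,
    SandboxScripts       = 1u << 4,
    SandboxTopNavigation = 1u << 5,
    SandboxPopups        = 1u << 6,
    SandboxDownloads     = 1u << 7,   // hypothetical bit for the new attribute
    SandboxAll           = 0xFFFFFFFFu,
};
using SandboxFlags = uint32_t;

struct AllowToken { const char* token; SandboxFlag clears; };
static const AllowToken kAllowTokens[] = {
    { "allow-same-origin",    SandboxOrigin },
    { "allow-forms",          SandboxForms },
    { "allow-scripts",        SandboxScripts },
    { "allow-top-navigation", SandboxTopNavigation },
    { "allow-popups",         SandboxPopups },
    { "allow-downloads",      SandboxDownloads },
};

// HTML "ASCII whitespace": tab, LF, FF, CR and space.
static bool isAsciiWhitespace(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\f' || c == '\r';
}

static std::string asciiLower(std::string_view s) {
    std::string out(s);
    for (char& c : out)
        c = char(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

// Parses the attribute value. Unrecognised tokens do not change the flags but
// are collected (when a vector is supplied) so the caller can report them.
SandboxFlags parseSandboxPolicy(std::string_view policy, std::vector<std::string>* invalidTokens = nullptr) {
    SandboxFlags flags = SandboxAll;           // default deny: everything restricted
    size_t i = 0;
    while (i < policy.size()) {
        while (i < policy.size() && isAsciiWhitespace(policy[i])) ++i;
        const size_t start = i;
        while (i < policy.size() && !isAsciiWhitespace(policy[i])) ++i;
        if (start == i)
            break;
        const std::string token = asciiLower(policy.substr(start, i - start));
        bool known = false;
        for (const auto& entry : kAllowTokens) {
            if (token == entry.token) {
                flags &= ~entry.clears;        // one token lifts one restriction
                known = true;
                break;
            }
        }
        if (!known && invalidTokens)
            invalidTokens->push_back(token);
    }
    return flags;
}

bool downloadsAllowed(SandboxFlags f) { return !(f & SandboxDownloads); }
bool scriptsAllowed(SandboxFlags f) { return !(f & SandboxScripts); }

int main() {
    std::vector<std::string> invalid;
    SandboxFlags f = parseSandboxPolicy("allow-scripts ALLOW-downloads allow-bogus", &invalid);
    std::printf("downloads=%d scripts=%d unknown tokens=%zu\n",
                downloadsAllowed(f), scriptsAllowed(f), invalid.size());
    return 0;
}
```

With this structure a sandboxed iframe whose attribute omits `allow-downloads` keeps `SandboxDownloads` set, which is the behaviour the commit aligns with Chrome and Firefox; the empty attribute value yields `SandboxAll`.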


  Commit: 7984be29dfb9e4f20572eccf5e812aefe8a56667
      https://github.com/WebKit/WebKit/commit/7984be29dfb9e4f20572eccf5e812aefe8a56667
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A JSTests/stress/typed-array-extends.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

  Log Message:
  -----------
  Cherry-pick 265870.128 at safari-7616-branch (e4cc04578783). https://bugs.webkit.org/show_bug.cgi?id=258712

    [JSC] TypedArray setFromArrayLike condition is wrong
    https://bugs.webkit.org/show_bug.cgi?id=259268
    rdar://112387533

    Reviewed by Mark Lam.

    The condition is opposite. This patch fixes it with the test.

    * JSTests/stress/typed-array-extends.js: Added.
    * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
    (JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):

    Canonical link: https://commits.webkit.org/265870.128@safari-7616-branch


  Commit: 03827035b5e4448ddae0b01feba08639763e569e
      https://github.com/WebKit/WebKit/commit/03827035b5e4448ddae0b01feba08639763e569e
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A LayoutTests/workers/empty-post-message-service-workers-crash-expected.txt
    A LayoutTests/workers/empty-post-message-service-workers-crash.html
    A LayoutTests/workers/empty-post-message-service-workers-crash.js
    M Source/WebCore/workers/WorkerScriptLoader.h
    M Source/WebCore/workers/WorkerScriptLoaderClient.h

  Log Message:
  -----------
  Cherry-pick 265870.130 at safari-7616-branch (6b1737e3545c). https://bugs.webkit.org/show_bug.cgi?id=259278

    Fix UAF in WorkerScriptLoader::didReceiveResponse
    https://bugs.webkit.org/show_bug.cgi?id=259278
    rdar://109722407

    Reviewed by Chris Dumez and David Kilzer.

    This change adopts WeakPtrs for WorkerScriptLoaderClient, thereby fixing
    the UAF which happens when m_client goes away when the callback passed
    to swConnection.matchRegistration is invoked.

    * LayoutTests/workers/empty-post-message-service-workers-crash-expected.txt: Added.
    * LayoutTests/workers/empty-post-message-service-workers-crash.html: Added.
    * LayoutTests/workers/empty-post-message-service-workers-crash.js: Added.
    (onmessage):
    * Source/WebCore/workers/WorkerScriptLoader.h:
    * Source/WebCore/workers/WorkerScriptLoaderClient.h:

    Canonical link: https://commits.webkit.org/265870.130@safari-7616-branch
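
This commit and the earlier SVGImage/ImageObserver one (265870.5) apply the same hardening: replace a raw pointer to an object that may die during an asynchronous operation with a weak pointer that is checked before use. The following is an added example of that pattern, not WebKit's code; it uses `std::weak_ptr` as a stand-in for WTF::WeakPtr, and `ScriptLoaderClient`, `ScriptLoader`, `RunLoop` and the two scenario functions are names chosen here:

```cpp
// Added example, not WebKit code. A loader notifies its client when a response
// arrives, but the notification is delivered from a deferred task and the
// client may already have been destroyed. Holding a std::weak_ptr instead of a
// raw pointer turns the dangling-pointer case into a checked no-op.
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// The client that may be destroyed while an asynchronous operation is pending.
class ScriptLoaderClient {
public:
    void didReceiveResponse(int status) { m_lastStatus = status; }
    int lastStatus() const { return m_lastStatus; }
private:
    int m_lastStatus = 0;
};

// The loader keeps only a weak reference to its client.
class ScriptLoader {
public:
    explicit ScriptLoader(std::weak_ptr<ScriptLoaderClient> client) : m_client(std::move(client)) {}

    // Returns true if the client was alive and notified, false if the
    // notification was dropped because the client had been destroyed.
    bool notifyResponse(int status) {
        if (auto client = m_client.lock()) {   // strong ref for the duration of the call
            client->didReceiveResponse(status);
            return true;
        }
        return false;
    }
private:
    std::weak_ptr<ScriptLoaderClient> m_client;
};

// A minimal run loop: completion handlers queued now, executed later.
struct RunLoop {
    std::vector<std::function<bool()>> tasks;
    // Runs every queued task and returns how many delivered their notification.
    int run() {
        int delivered = 0;
        for (auto& task : tasks)
            delivered += task() ? 1 : 0;
        tasks.clear();
        return delivered;
    }
};

// Client outlives the deferred task: the notification is delivered.
bool scenarioClientAlive() {
    auto client = std::make_shared<ScriptLoaderClient>();
    auto loader = std::make_shared<ScriptLoader>(client);
    RunLoop loop;
    loop.tasks.push_back([loader] { return loader->notifyResponse(200); });
    return loop.run() == 1 && client->lastStatus() == 200;
}

// Client destroyed before the deferred task runs: with a raw pointer this is
// the use-after-free the commit fixes; with weak_ptr, lock() fails and nothing
// is dereferenced.
bool scenarioClientGone() {
    auto client = std::make_shared<ScriptLoaderClient>();
    auto loader = std::make_shared<ScriptLoader>(client);
    RunLoop loop;
    loop.tasks.push_back([loader] { return loader->notifyResponse(200); });
    client.reset();                       // last strong reference dropped
    return loop.run() == 0;               // notification skipped safely
}

int main() {
    std::printf("alive delivered=%d, gone skipped=%d\n", scenarioClientAlive(), scenarioClientGone());
    return 0;
}
```

The design point is that `lock()` both checks liveness and keeps the client alive for the duration of the callback, so the client cannot be destroyed halfway through `didReceiveResponse` by something the callback itself triggers.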


  Commit: 731e3fb276b2880c24886b548a4fe2606ac35f16
      https://github.com/WebKit/WebKit/commit/731e3fb276b2880c24886b548a4fe2606ac35f16
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
    A LayoutTests/http/tests/security/resources/xslt2.py
    A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
    A LayoutTests/http/tests/security/xslt-external-entity.html
    A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
    A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
    M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Cherry-pick 265870.131 at safari-7616-branch (d2e39548861d). https://bugs.webkit.org/show_bug.cgi?id=259235

    Check if external entity loads from libxslt are allowed before loading them
    https://bugs.webkit.org/show_bug.cgi?id=259235
    rdar://111457167

    Reviewed by David Kilzer.

    Otherwise tricky use of libxslt can make arbitrary file loads to files allowed by the
    web content process's sandbox.  We should limit it to what the current security origin
    can request.

    Monterey has an older version of libxml2 which fails differently in this case.
    Tests exist that verify that allowed external entities are still allowed.
    The important thing is that the contents of the files are not in the Monterey test expectations.

    * LayoutTests/http/tests/security/resources/xslt-external-entity.svg: Added.
    * LayoutTests/http/tests/security/resources/xslt2.py: Added.
    * LayoutTests/http/tests/security/xslt-external-entity-expected.txt: Added.
    * LayoutTests/http/tests/security/xslt-external-entity.html: Added.
    * Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
    (WebCore::shouldAllowExternalLoad):
    (WebCore::entityLoader):
    (WebCore::initializeXMLParser):

    Canonical link: https://commits.webkit.org/265870.131@safari-7616-branch
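
As an added illustration of the check this commit describes (consult an origin-based policy before an XSLT entity loader fetches anything), here is a self-contained allow check. It is not WebKit's `shouldAllowExternalLoad` or its SecurityOrigin logic and does not call libxml2; `Origin`, `originOf`, `shouldAllowExternalLoad` and `entityLoader` are names chosen here, the policy is simplified to "same origin over http(s) only", and the URLs in the tests are constructed:

```cpp
// Added example, not WebKit code. External entity loads triggered by XSLT are
// allowed only when the target is an http(s) URL same-origin with the
// document; file: and every other scheme are refused before any load happens.
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

struct Origin {
    std::string scheme;
    std::string host;
    int port;
    bool operator==(const Origin& o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
};

static std::string asciiLower(std::string_view s) {
    std::string out(s);
    for (char& c : out)
        c = char(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

// Extracts scheme://host[:port] from an absolute URL. Userinfo and IPv6
// literals are rejected rather than parsed: for a loader that should only ever
// touch plain http(s) resources, refusing is the safe default.
std::optional<Origin> originOf(std::string_view url) {
    const size_t npos = std::string_view::npos;
    size_t schemeEnd = url.find("://");
    if (schemeEnd == npos || schemeEnd == 0)
        return std::nullopt;
    Origin o;
    o.scheme = asciiLower(url.substr(0, schemeEnd));
    std::string_view rest = url.substr(schemeEnd + 3);
    std::string_view authority = rest.substr(0, rest.find_first_of("/?#"));
    if (authority.empty() || authority.find('@') != npos || authority.find('[') != npos)
        return std::nullopt;
    size_t colon = authority.find(':');
    std::string_view host = authority.substr(0, colon);
    if (colon == npos) {
        o.port = o.scheme == "http" ? 80 : o.scheme == "https" ? 443 : -1;
    } else {
        std::string_view portText = authority.substr(colon + 1);
        if (portText.empty() || portText.size() > 5)
            return std::nullopt;
        int port = 0;
        for (char c : portText) {
            if (!std::isdigit(static_cast<unsigned char>(c)))
                return std::nullopt;
            port = port * 10 + (c - '0');
        }
        if (port > 65535)
            return std::nullopt;
        o.port = port;
    }
    if (host.empty())
        return std::nullopt;
    o.host = asciiLower(host);
    return o;
}

// The policy consulted before loading. Anything that is not http(s) and
// same-origin with the document is denied, regardless of what the process
// sandbox would otherwise permit.
bool shouldAllowExternalLoad(const Origin& documentOrigin, std::string_view requestedUrl) {
    auto target = originOf(requestedUrl);
    if (!target)
        return false;
    if (target->scheme != "http" && target->scheme != "https")
        return false;
    return *target == documentOrigin;
}

// Shape of an entity-loader hook: policy first, fetch second. The fetch is
// represented by returning the URL that would be loaded.
std::optional<std::string> entityLoader(const Origin& documentOrigin, std::string_view url) {
    if (!shouldAllowExternalLoad(documentOrigin, url))
        return std::nullopt;                  // denied: nothing is read
    return std::string(url);
}

int main() {
    Origin doc{"https", "example.test", 443};   // constructed document origin
    std::printf("same-origin=%d file=%d cross-site=%d\n",
                shouldAllowExternalLoad(doc, "https://example.test/a.xml"),
                shouldAllowExternalLoad(doc, "file:///some/local/file.xml"),
                shouldAllowExternalLoad(doc, "https://other.test/a.xml"));
    return 0;
}
```

Note that the decision is made on the parsed origin, not on the raw string, so case differences in the scheme or host and an explicit default port do not produce a spurious mismatch, while a different port or scheme does.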


  Commit: f292e4f73cee297bfe465b613b63e4c23a933553
      https://github.com/WebKit/WebKit/commit/f292e4f73cee297bfe465b613b63e4c23a933553
  Author: Richard Robinson <richard_robinson2 at apple.com>
  Date:   2023-09-26 (Tue, 26 Sep 2023)

  Changed paths:
    M Source/WebKit/Shared/EditorState.cpp

  Log Message:
  -----------
  Cherry-pick 265870.310 at safari-7616.1.27.10-branch (02e340d59353). https://bugs.webkit.org/show_bug.cgi?id=259888

    Cherry-pick bfc6efd0dc4e. rdar://problem/113287677

        REGRESSION: WebKit provides rectilinear selection rects for rotated text in images
        https://bugs.webkit.org/show_bug.cgi?id=259888
        rdar://113287677

        Reviewed by Wenson Hsieh.

        `EditorState::clipOwnedRectExtentsToNumericLimits` was erroneously converting some selection
        geometries from quads to rects.

        Fix by removing these conversions. Since `FloatQuad`s have no notion of validity, there is no
        need to clip them to numeric limits.

        * Source/WebKit/Shared/EditorState.cpp:
        (WebKit::EditorState::clipOwnedRectExtentsToNumericLimits):

        Canonical link: https://commits.webkit.org/265870.235@safari-7616-branch

    Identifier: 265870.310 at safari-7616.1.27.10-branch


Compare: https://github.com/WebKit/WebKit/compare/e960cdca5447...f292e4f73cee

