[webkit-changes] [WebKit/WebKit] a1ba00: Cherry-pick 267558 at main (ade70bdb664e). https://bu...
Richard Robinson
noreply at github.com
Tue Sep 26 11:17:56 PDT 2023
Branch: refs/heads/webkitglib/2.42
Home: https://github.com/WebKit/WebKit
Commit: a1ba00c549074c0bbd4f490be8d70fbac2138c31
https://github.com/WebKit/WebKit/commit/a1ba00c549074c0bbd4f490be8d70fbac2138c31
Author: Michael Catanzaro <mcatanzaro at redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Tools/Scripts/webkitpy/common/checkout/checkout.py
Log Message:
-----------
Cherry-pick 267558 at main (ade70bdb664e). https://bugs.webkit.org/show_bug.cgi?id=260729
SyntaxWarning when running 'git-webkit pr'
https://bugs.webkit.org/show_bug.cgi?id=260729
Reviewed by Jonathan Bedard.
The backslashes here are python string escapes, but they were intended
to be regex escapes. Each \ would need to be replaced with \\ for them
to function as regex escapes. We can use raw string notation to avoid
this problem.
* Tools/Scripts/webkitpy/common/checkout/checkout.py:
(Checkout):
Canonical link: https://commits.webkit.org/267558@main
Commit: bc7c7e0a9d2b08caf825fe46d1d43fdee9993634
https://github.com/WebKit/WebKit/commit/bc7c7e0a9d2b08caf825fe46d1d43fdee9993634
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebCore/platform/graphics/iso/ISOBox.cpp
Log Message:
-----------
Cherry-pick 265870.2 at safari-7616-branch (dfdca2cf04a5). https://bugs.webkit.org/show_bug.cgi?id=258712
Crash in Vector::expandCapacity; WebCore::ISOFairPlayStreamingKeyContextBox::parse()
https://bugs.webkit.org/show_bug.cgi?id=258712
rdar://111171940
Reviewed by Youenn Fablet.
In a number of cases, malformed or malicious boxes claim to have a size much larger
than the memory passed to the parser. Cap the m_size parameter to the remaining size
of the memory buffer to avoid situations where we attempt to create a vector big
enough to hold MAX_INT entries.
* Source/WebCore/platform/graphics/iso/ISOBox.cpp:
(WebCore::ISOBox::peekBox):
(WebCore::ISOBox::parse):
Canonical link: https://commits.webkit.org/265870.2@safari-7616-branch
Commit: 2a769cb485605844994aef802f032a9bb1dd3690
https://github.com/WebKit/WebKit/commit/2a769cb485605844994aef802f032a9bb1dd3690
Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A LayoutTests/security/clip-invalid-rect-2-expected.txt
A LayoutTests/security/clip-invalid-rect-2.html
A LayoutTests/security/clip-invalid-rect-expected.txt
A LayoutTests/security/clip-invalid-rect.html
M Source/WebCore/platform/graphics/IntRect.cpp
M Source/WebCore/platform/graphics/IntRect.h
M Source/WebKit/Shared/EditorState.cpp
M Source/WebKit/Shared/EditorState.h
M Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp
M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm
Log Message:
-----------
Cherry-pick 265870.4 at safari-7616-branch (cfccd68b8bb2). https://bugs.webkit.org/show_bug.cgi?id=258222
IPC deserialization: Clip IntRect rather than fail to decode entirely
https://bugs.webkit.org/show_bug.cgi?id=258222
rdar://109925899
Reviewed by Chris Dumez.
We hardened IntRect decoding by using IntRect::isValid as a validator in
262412 at main, however this has the inadvertent effect of terminating a
sending process if they send a degenerately large IntRect (i.e. one that
overflows at x + width or y + height and thus fails IntRect::isValid).
The messages with degenerate rects responsible for recently reported
deserialization crashes are namely `WebPageProxy::RootViewToScreen`,
`WebPageProxy::EditorStateChanged`,
`RemoteLayerTreeDrawingAreaProxy::CommitLayerTree`, and
`WebPageProxy::MouseDidMoveOverElement`. In this patch, we suggest
clipping the IntRect at the IPC sender call-site, thereby avoiding
overflow issues and not crashing the sending process. For the
`EditorState` case, it makes more sense to sanitize the owned rects in
`WebPage::editorState()`, which is a layer before the IPC sender
call-site.
* LayoutTests/security/clip-invalid-rect-expected.txt: Added.
* LayoutTests/security/clip-invalid-rect.html: Added.
* LayoutTests/security/clip-invalid-rect-2-expected.txt: Added.
* LayoutTests/security/clip-invalid-rect-2.html: Added.
Layout tests that crash trying to decode degenerate IntRect messages.
* Source/WebCore/platform/graphics/IntRect.cpp:
(WebCore::IntRect::toRectWithExtentsClippedToNumericLimits const):
* Source/WebCore/platform/graphics/IntRect.h:
Add a function that returns an IntRect with clipped size such that there
is no int32_t overflow at x + width or y + height.
* Source/WebKit/Shared/EditorState.cpp:
* Source/WebKit/Shared/EditorState.h:
(WebKit::EditorState::clipOwnedRectExtentsToNumericLimits):
Add a function that performs clipping of the rects owned by an EditorState
object.
* Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp:
Drive-by fix to improve readability of a conditional directive.
* Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp:
(WebKit::WebChromeClient::mouseDidMoveOverElement):
Perform `IntRect` clipping before sending a `MouseDidMoveOverElement` IPC
message.
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::editorState const):
Perform `IntRect` clipping for all the rects owned by an EditorState,
thus sanitizing both the `EditorStateChanged` and the `CommitLayerTree`
IPC messages.
(WebKit::WebPage::rootViewToScreen):
Perform `IntRect` clipping before sending a `RootViewToScreen` IPC
message.
* Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm:
(WebKit::WebPage::performImmediateActionHitTestAtLocation):
Perform `IntRect` clipping before sending a `MouseDidMoveOverElement` IPC
message.
Canonical link: https://commits.webkit.org/265870.4@safari-7616-branch
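An added example (not WebKit's code) of the clipping described in this commit: a stand-in IntRect whose isValid rejects int32_t overflow at x + width or y + height, and a sender-side clip that shrinks the extents so the receiver's validator never fires. The struct, field names and the helper names are constructed for illustration; only the idea (clip at the sender rather than kill the sender on decode) is from the commit.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed stand-in for WebCore::IntRect (hypothetical; only the four
// fields this example needs). Extents are int32_t like WebKit's IntRect.
struct IntRect {
    int32_t x = 0;
    int32_t y = 0;
    int32_t width = 0;
    int32_t height = 0;
};

constexpr int64_t kInt32Min = std::numeric_limits<int32_t>::min();
constexpr int64_t kInt32Max = std::numeric_limits<int32_t>::max();

// Mirrors what the commit message says IntRect::isValid rejects: a rect whose
// x + width or y + height overflows int32_t (assumption: that is the whole
// check). Sums are formed in 64 bits so the check itself cannot overflow.
static bool isValid(const IntRect& r)
{
    const int64_t maxX = int64_t(r.x) + int64_t(r.width);
    const int64_t maxY = int64_t(r.y) + int64_t(r.height);
    return maxX >= kInt32Min && maxX <= kInt32Max && maxY >= kInt32Min && maxY <= kInt32Max;
}

// Shrink one extent just enough that origin + extent stays inside int32_t.
// The origin is never moved; only the far edge is pulled back to the limit.
static int32_t clampExtent(int32_t origin, int32_t extent)
{
    const int64_t farEdge = std::max(kInt32Min, std::min(kInt32Max, int64_t(origin) + int64_t(extent)));
    // farEdge - origin always fits: clamping only happens when the origin lies
    // on the overflowing side of zero, so the difference stays below 2^31.
    return int32_t(farEdge - origin);
}

// Sender-side sanitizer in the shape of the fix above: applied before the rect
// is handed to IPC, so the receiver's validator has nothing to reject.
static IntRect toRectWithExtentsClippedToNumericLimits(const IntRect& r)
{
    return { r.x, r.y, clampExtent(r.x, r.width), clampExtent(r.y, r.height) };
}

// What a hardened receiver does with a decoded rect: accept it or drop the message.
static bool receiverAccepts(const IntRect& r)
{
    return isValid(r);
}

int main()
{
    // Constructed degenerate rect: x + width overflows int32_t by a wide margin.
    const IntRect degenerate { 2147483000, 0, 2147483647, 1 };
    const IntRect clipped = toRectWithExtentsClippedToNumericLimits(degenerate);
    std::printf("raw rect accepted by receiver: %s\n", receiverAccepts(degenerate) ? "yes" : "no");
    std::printf("clipped rect x=%d width=%d accepted: %s\n",
                clipped.x, clipped.width, receiverAccepts(clipped) ? "yes" : "no");
    return 0;
}
```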
Commit: 5507f062339a4cc5acfd754ad45d92dc3f72e47b
https://github.com/WebKit/WebKit/commit/5507f062339a4cc5acfd754ad45d92dc3f72e47b
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/loader/cache/CachedImage.h
M Source/WebCore/platform/graphics/BitmapImage.cpp
M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
M Source/WebCore/platform/graphics/Image.cpp
M Source/WebCore/platform/graphics/Image.h
M Source/WebCore/platform/graphics/ImageObserver.h
M Source/WebCore/platform/graphics/ImageSource.cpp
M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
M Source/WebCore/svg/graphics/SVGImage.cpp
M Source/WebCore/svg/graphics/SVGImageClients.h
M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp
Log Message:
-----------
Cherry-pick 265870.5 at safari-7616-branch (a06556a11b58). https://bugs.webkit.org/show_bug.cgi?id=258712
Crash under SVGImageChromeClient::invalidateContentsAndRootView()
https://bugs.webkit.org/show_bug.cgi?id=258992
rdar://111456803
Reviewed by David Kilzer.
Do hardening by deploying WeakPtr instead of raw pointers for
SVGImage and ImageObserver. Also make it so that we can ref
an ImageObserver.
* Source/WebCore/html/ImageBitmap.cpp:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawImage):
* Source/WebCore/loader/cache/CachedImage.h:
* Source/WebCore/platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::draw):
(WebCore::BitmapImage::drawPattern):
(WebCore::BitmapImage::internalAdvanceAnimation):
(WebCore::BitmapImage::imageFrameAvailableAtIndex):
* Source/WebCore/platform/graphics/GraphicsContextGL.cpp:
(WebCore::GraphicsContextGL::packImageData):
* Source/WebCore/platform/graphics/Image.cpp:
(WebCore::Image::imageObserver const):
(WebCore::Image::setImageObserver):
(WebCore::Image::drawPattern):
* Source/WebCore/platform/graphics/Image.h:
(WebCore::Image::imageObserver const): Deleted.
(WebCore::Image::setImageObserver): Deleted.
* Source/WebCore/platform/graphics/ImageObserver.h:
(WebCore::ImageObserver::ref):
(WebCore::ImageObserver::deref):
* Source/WebCore/platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::encodedDataStatusChanged):
(WebCore::ImageSource::decodedSizeChanged):
* Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp:
(WebCore::PDFDocumentImage::decodedSizeChanged):
(WebCore::PDFDocumentImage::draw):
* Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:
(WebCore::TextureMapperTiledBackingStore::updateContentsFromImageIfNeeded):
* Source/WebCore/svg/graphics/SVGImage.cpp:
(WebCore::SVGImage::drawForContainer):
(WebCore::SVGImage::nativeImage):
(WebCore::SVGImage::draw):
(WebCore::SVGImage::dataChanged):
* Source/WebCore/svg/graphics/SVGImageClients.h:
* Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp:
(TestWebKitAPI::TestImageObserver::create):
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/265870.5@safari-7616-branch
Commit: 54e418233bd6cd115d56650109dfee8861ea3ac7
https://github.com/WebKit/WebKit/commit/54e418233bd6cd115d56650109dfee8861ea3ac7
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebCore/platform/graphics/iso/ISOVTTCue.cpp
Log Message:
-----------
Cherry-pick 265870.7 at safari-7616-branch (591d9d68abe9). https://bugs.webkit.org/show_bug.cgi?id=258677
Crash due to massive allocation in ISOStringBox::parse()
https://bugs.webkit.org/show_bug.cgi?id=258677
rdar://111171885
Reviewed by Eric Carlson.
A malformed or malicious box may report a m_size larger than
the memory passed into the parser. In this case, do not attempt
to create a larger destination than is available in the source
buffer.
* Source/WebCore/platform/graphics/iso/ISOVTTCue.cpp:
Canonical link: https://commits.webkit.org/265870.7@safari-7616-branch
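An added example (not WebKit's code) of the size capping described in this ISOVTTCue commit and in the ISOBox commit (265870.2) above: a minimal ISO BMFF box-header reader that honours the 32-bit size, the 64-bit largesize and the size-0 "to end" forms, but never hands back a size larger than the bytes actually remaining, so neither a Vector nor a string destination can be sized from an attacker-chosen header. Struct and function names are hypothetical; the three sample boxes are constructed, not real media.

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for the parts of WebCore::ISOBox this example models
// (hypothetical field names, not WebKit's).
struct BoxHeader {
    uint64_t declaredSize = 0; // size exactly as encoded in the input
    uint64_t size = 0;         // declaredSize capped to the bytes remaining
    size_t headerLength = 0;   // 8, or 16 when a 64-bit largesize is present
    std::string type;          // four-character box type, e.g. "skip"
};

static uint32_t readU32BE(const uint8_t* p)
{
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

static uint64_t readU64BE(const uint8_t* p)
{
    return (uint64_t(readU32BE(p)) << 32) | readU32BE(p + 4);
}

// Read the box header at data[offset...]; nullopt when even the header is
// truncated. ISO BMFF rules: size 1 means a 64-bit largesize follows the
// type, size 0 means "to end of buffer". Whatever the input claims, the
// size handed back is capped to `remaining`: the hardening both fixes apply.
static std::optional<BoxHeader> peekBox(const uint8_t* data, size_t length, size_t offset)
{
    if (offset > length || length - offset < 8)
        return std::nullopt;
    const size_t remaining = length - offset;
    BoxHeader h;
    h.declaredSize = readU32BE(data + offset);
    h.type.assign(reinterpret_cast<const char*>(data + offset + 4), 4);
    h.headerLength = 8;
    if (h.declaredSize == 1) {
        if (remaining < 16)
            return std::nullopt;
        h.declaredSize = readU64BE(data + offset + 8);
        h.headerLength = 16;
    } else if (h.declaredSize == 0) {
        h.declaredSize = remaining;
    }
    h.size = std::min<uint64_t>(h.declaredSize, remaining);
    return h;
}

// Payload bytes a parser may allocate for or copy from. A size smaller
// than its own header is malformed too and yields an empty payload.
static size_t payloadLength(const BoxHeader& h)
{
    return h.size < h.headerLength ? 0 : size_t(h.size - h.headerLength);
}

// The ISOStringBox-style case: copy at most payloadLength bytes (stopping
// at a NUL) instead of sizing the destination from the declared box size.
static std::string readStringPayload(const uint8_t* data, size_t length, size_t offset)
{
    const auto h = peekBox(data, length, offset);
    if (!h)
        return {};
    const uint8_t* start = data + offset + h->headerLength;
    size_t end = 0;
    while (end < payloadLength(*h) && start[end] != 0)
        ++end;
    return std::string(reinterpret_cast<const char*>(start), end);
}

// Builds a box in memory for the constructed samples below.
static std::vector<uint8_t> buildBox(uint64_t declaredSize, bool useLargeSize,
                                     const char* type, const std::string& payload)
{
    std::vector<uint8_t> out;
    auto putU32 = [&out](uint32_t v) {
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(uint8_t(v >> shift));
    };
    putU32(useLargeSize ? 1u : uint32_t(declaredSize));
    out.insert(out.end(), type, type + 4);
    if (useLargeSize) {
        putU32(uint32_t(declaredSize >> 32));
        putU32(uint32_t(declaredSize));
    }
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Constructed samples: the same 5-byte 'skip' payload with an honest size
// (13), a 32-bit size claiming 4 GiB, and a largesize claiming 16 EiB.
const std::vector<uint8_t> kHonestBox = buildBox(13, false, "skip", "hello");
const std::vector<uint8_t> kOversizedBox = buildBox(0xFFFFFFFFu, false, "skip", "hello");
const std::vector<uint8_t> kHugeLargesizeBox = buildBox(UINT64_MAX, true, "skip", "hello");
```

Feeding kOversizedBox to peekBox yields declaredSize 0xFFFFFFFF but size 13 and a 5-byte payload, which is all a consumer is ever allowed to allocate for.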
Commit: a209cbf453978e3ea809d36f684a36f36ff301c5
https://github.com/WebKit/WebKit/commit/a209cbf453978e3ea809d36f684a36f36ff301c5
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebCore/fileapi/BlobURL.cpp
M Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp
Log Message:
-----------
Cherry-pick 265870.8 at safari-7616-branch (551b1fd24102). https://bugs.webkit.org/show_bug.cgi?id=258712
Fix stack-overflow when dealing with blobURL(s)
https://bugs.webkit.org/show_bug.cgi?id=258895
rdar://111440239
Reviewed by Chris Dumez.
This change fixes the stack overflow when checking for whether a blobURL
is secure.
* Source/WebCore/fileapi/BlobURL.cpp:
(WebCore::BlobURL::isSecureBlobURL):
* Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
(TestWebKitAPI::TEST_F):
Canonical link: https://commits.webkit.org/265870.8@safari-7616-branch
Commit: a1b5274d71894ff84cc2bb0348f298d449e853a9
https://github.com/WebKit/WebKit/commit/a1b5274d71894ff84cc2bb0348f298d449e853a9
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt
A LayoutTests/storage/indexeddb/memory-backing-store-crash.html
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
Log Message:
-----------
Cherry-pick 265870.9 at safari-7616-branch (d372d5ed86fe). https://bugs.webkit.org/show_bug.cgi?id=258583
Fix heap-use-after-free MemoryIDBBackingStore
https://bugs.webkit.org/show_bug.cgi?id=258583
rdar://109095466
Reviewed by Brady Eidson.
We delete the object store in MemoryIDBBackingStore::deleteObjectStore
but can still end up dereferencing the dangling pointer in
MemoryBackingStoreTransaction::abort when going through
m_originalObjectStoreNames. This change removes the deleted object
store's pointer from m_originalObjectStoreNames so we don't hold on to
anything we shouldn't de-reference, and hence fixes the heap
use-after-free.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp:
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
* LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt: Added.
* LayoutTests/storage/indexeddb/memory-backing-store-crash.html: Added.
Canonical link: https://commits.webkit.org/265870.9@safari-7616-branch
Commit: c7ccfd79e9f0876f38dd0254e12d0d56c38291e8
https://github.com/WebKit/WebKit/commit/c7ccfd79e9f0876f38dd0254e12d0d56c38291e8
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 265870.10 at safari-7616-branch (b5aa6d4342b7). https://bugs.webkit.org/show_bug.cgi?id=257732
Data Isolation/PSON bypass due to UI-side PageLoadState state-machine relying on data which is distinct from that used to make Policy/Network Load decisions
https://bugs.webkit.org/show_bug.cgi?id=257732
rdar://107186055
Reviewed by Chris Dumez.
When `didStartProvisionalLoadForFrame` is called, pageLoadState is updated to store the provisional URL
with a value passed from the web process. This URL is later consulted in `processForNavigationInternal`
when determining if the navigation is same-site. Since this URL is coming from the web process, we
should verify that the URL has not been changed from when it was set on the navigation object in
`decidePolicyForNavigationAction`.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didStartProvisionalLoadForFrameShared):
Canonical link: https://commits.webkit.org/265870.10@safari-7616-branch
Commit: 49fd39707ef6baa9813429ae65b8dd90bf63235c
https://github.com/WebKit/WebKit/commit/49fd39707ef6baa9813429ae65b8dd90bf63235c
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 265870.12 at safari-7616-branch (3f548e40249b). https://bugs.webkit.org/show_bug.cgi?id=259111
MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
https://bugs.webkit.org/show_bug.cgi?id=259111
rdar://112058151
Reviewed by Brent Fulgham.
MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
as hardening, the same way we already do for urlString.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::backForwardAddItemShared):
Canonical link: https://commits.webkit.org/265870.12@safari-7616-branch
Commit: a9b939ea6c6bf2128ef67b017b9298efa3e17137
https://github.com/WebKit/WebKit/commit/a9b939ea6c6bf2128ef67b017b9298efa3e17137
Author: Alan Baradlay <zalan at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt
A LayoutTests/fast/multicol/crash-when-legend-is-present.html
M Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp
Log Message:
-----------
Cherry-pick 265870.61 at safari-7616-branch (9ff2ba06a74f). https://bugs.webkit.org/show_bug.cgi?id=258675
Legends could be valid non-spanner siblings of RenderMultiColumnSet
https://bugs.webkit.org/show_bug.cgi?id=258675
<rdar://111221306>
Reviewed by Antti Koivisto.
We usually construct one RenderMultiColumnSet renderer for a multi-column context.
e.g:
<div style="column-count: 2">
  <div></div>
  <div></div>
  <div></div>
</div>
generates the following render tree structure:
DIV RenderBlockFlow
  RenderMultiColumnFlowThread
    DIV RenderBlockFlow
    DIV RenderBlockFlow
    DIV RenderBlockFlow
  RenderMultiColumnSet
We also construct RenderMultiColumnSets for column spanners
e.g.
<div style="column-count: 2">
  <div style="column-span: all"></div>
  <div></div>
  <div></div>
</div>
where the spanner is moved out of the column context indicating it spans all the columns
DIV RenderBlockFlow
  RenderMultiColumnFlowThread
    RenderMultiColumnSpannerPlaceholder (this is the <div>'s original insertion point)
    DIV RenderBlockFlow
    DIV RenderBlockFlow
  RenderMultiColumnSet
  DIV RenderBlockFlow (moved out column spanner)
  RenderMultiColumnSet
However since <legend> does not participate in multi-column, it does _not_ get moved under RenderMultiColumnFlowThread when constructing the multi-column context
and ends up being a sibling of the RenderMultiColumnSet.
e.g.
FIELDSET RenderFieldSet
  RenderMultiColumnFlowThread
    RenderBlock
  RenderMultiColumnSet
  LEGEND RenderBlock
and later it gets mistaken for a column spanner and as the result we construct a redundant RenderMultiColumnSet.
This patch handles this case by checking against legend siblings.
* LayoutTests/fast/multicol/crash-when-legend-is-present-expected.txt: Added.
* LayoutTests/fast/multicol/crash-when-legend-is-present.html: Added.
* Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:
(WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):
Canonical link: https://commits.webkit.org/265870.61@safari-7616-branch
Commit: 6d8e0fd1a83ae35c994de35823d47ccb10b5252f
https://github.com/WebKit/WebKit/commit/6d8e0fd1a83ae35c994de35823d47ccb10b5252f
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py
M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentLoader.h
Log Message:
-----------
Cherry-pick 265870.62 at safari-7616-branch (4fc1843e1263). https://bugs.webkit.org/show_bug.cgi?id=259099
WebKit applies dynamic sandbox flags on failed navigation
https://bugs.webkit.org/show_bug.cgi?id=259099
rdar://112044768
Reviewed by Alex Christensen.
In case of stopped navigation or failed navigation, we were sandboxing the current document.
The current document was thus running but in a different configuration.
Other browsers create a new document in that case, Firefox with the request URL and Chrome with a special error scheme URL.
To limit the scope of changes, we are now creating a new error document, which is empty, and are sandboxing this new document.
This gets us closer to Firefox and Safari.
We are still calling the fail delegate in case the application wants to do additional handling on this document.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py: Added.
(main):
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
(WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
(WebCore::DocumentLoader::loadErrorDocument):
* Source/WebCore/loader/DocumentLoader.h:
Canonical link: https://commits.webkit.org/265870.62@safari-7616-branch
Commit: 207618aee18e51c952e967096ad6dcaee0bb3f75
https://github.com/WebKit/WebKit/commit/207618aee18e51c952e967096ad6dcaee0bb3f75
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/referer-header-stripped.js
M LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
M LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html
A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-expected.txt
A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-expected.txt
A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener-expected.txt
A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener.html
A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup.html
A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed.html
A LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed-expected.txt
A LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed.html
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigation_download_block_downloads.sub.tentative-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_window_open_download_allow_downloads.tentative-expected.txt
R LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigation_download_block_downloads.sub.tentative-expected.txt
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/dom/SecurityContext.cpp
M Source/WebCore/dom/SecurityContext.h
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/PolicyChecker.cpp
M Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
M Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
M Tools/WebKitTestRunner/InjectedBundle/TestRunner.h
M Tools/WebKitTestRunner/TestController.cpp
M Tools/WebKitTestRunner/TestController.h
M Tools/WebKitTestRunner/TestInvocation.cpp
Log Message:
-----------
Cherry-pick 265870.84 at safari-7616-branch (9d46b7777bca). https://bugs.webkit.org/show_bug.cgi?id=259155
Add support for the `allow-downloads` iframe sandbox attribute
https://bugs.webkit.org/show_bug.cgi?id=259155
rdar://109414664
Reviewed by Brent Fulgham.
Add support for the `allow-downloads` iframe sandbox attribute so that downloads
are now forbidden by default in sandboxed iframes and this attribute is required
to allow them. This aligns our behavior with Chrome and Firefox.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener.html: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup.html: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed.html: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed.html: Added.
Add layout test coverage.
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative-expected.txt:
Rebaseline due to more PASS lines. I investigated the remaining failure and confirmed that no download is actually occurring for any of the subtests, as expected.
I see our code cancelling the NetworkDataTask. However, the test doesn't seem to detect the stream closing. It may be an issue at CFNetwork level.
* Source/WebCore/dom/SecurityContext.cpp:
(WebCore::SecurityContext::isSupportedSandboxPolicy):
(WebCore::SecurityContext::parseSandboxPolicy):
* Source/WebCore/dom/SecurityContext.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::continueAfterContentPolicy):
* Source/WebCore/loader/PolicyChecker.cpp:
(WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy):
(WebCore::FrameLoader::PolicyChecker::checkNewWindowPolicy):
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::decidePolicyForNavigationResponse):
Update WebKitTestRunner to trigger a download when a resource response contains
`Content-Disposition: attachment`, similarly to what a browser would do and what
WPT tests expect. By default, we would only trigger a download if the mime type
couldn't be displayed. However, iframe_sandbox_anchor_download_block_downloads.tentative.html
WPT test uses both a `Content-Disposition: attachment` HTTP header and a displayable
MIME type and rightly expects a download.
Canonical link: https://commits.webkit.org/265870.84@safari-7616-branch
Commit: 7984be29dfb9e4f20572eccf5e812aefe8a56667
https://github.com/WebKit/WebKit/commit/7984be29dfb9e4f20572eccf5e812aefe8a56667
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A JSTests/stress/typed-array-extends.js
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Log Message:
-----------
Cherry-pick 265870.128 at safari-7616-branch (e4cc04578783). https://bugs.webkit.org/show_bug.cgi?id=258712
[JSC] TypedArray setFromArrayLike condition is wrong
https://bugs.webkit.org/show_bug.cgi?id=259268
rdar://112387533
Reviewed by Mark Lam.
The condition is opposite. This patch fixes it with the test.
* JSTests/stress/typed-array-extends.js: Added.
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):
Canonical link: https://commits.webkit.org/265870.128@safari-7616-branch
Commit: 03827035b5e4448ddae0b01feba08639763e569e
https://github.com/WebKit/WebKit/commit/03827035b5e4448ddae0b01feba08639763e569e
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A LayoutTests/workers/empty-post-message-service-workers-crash-expected.txt
A LayoutTests/workers/empty-post-message-service-workers-crash.html
A LayoutTests/workers/empty-post-message-service-workers-crash.js
M Source/WebCore/workers/WorkerScriptLoader.h
M Source/WebCore/workers/WorkerScriptLoaderClient.h
Log Message:
-----------
Cherry-pick 265870.130 at safari-7616-branch (6b1737e3545c). https://bugs.webkit.org/show_bug.cgi?id=259278
Fix UAF in WorkerScriptLoader::didReceiveResponse
https://bugs.webkit.org/show_bug.cgi?id=259278
rdar://109722407
Reviewed by Chris Dumez and David Kilzer.
This change adopts WeakPtrs for WorkerScriptLoaderClient, thereby fixing
the UAF which happens when m_client goes away when the callback passed
to swConnection.matchRegistration is invoked.
* LayoutTests/workers/empty-post-message-service-workers-crash-expected.txt: Added.
* LayoutTests/workers/empty-post-message-service-workers-crash.html: Added.
* LayoutTests/workers/empty-post-message-service-workers-crash.js: Added.
(onmessage):
* Source/WebCore/workers/WorkerScriptLoader.h:
* Source/WebCore/workers/WorkerScriptLoaderClient.h:
Canonical link: https://commits.webkit.org/265870.130@safari-7616-branch
Commit: 731e3fb276b2880c24886b548a4fe2606ac35f16
https://github.com/WebKit/WebKit/commit/731e3fb276b2880c24886b548a4fe2606ac35f16
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
A LayoutTests/http/tests/security/resources/xslt2.py
A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
A LayoutTests/http/tests/security/xslt-external-entity.html
A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Log Message:
-----------
Cherry-pick 265870.131 at safari-7616-branch (d2e39548861d). https://bugs.webkit.org/show_bug.cgi?id=259235
Check if external entity loads from libxslt are allowed before loading them
https://bugs.webkit.org/show_bug.cgi?id=259235
rdar://111457167
Reviewed by David Kilzer.
Otherwise tricky use of libxslt can make arbitrary file loads to files allowed by the
web content process's sandbox. We should limit it to what the current security origin
can request.
Monterey has an older version of libxml2 which fails differently in this case.
Tests exist that verify that allowed external entities are still allowed.
The important thing is that the contents of the files are not in the Monterey test expectations.
* LayoutTests/http/tests/security/resources/xslt-external-entity.svg: Added.
* LayoutTests/http/tests/security/resources/xslt2.py: Added.
* LayoutTests/http/tests/security/xslt-external-entity-expected.txt: Added.
* LayoutTests/http/tests/security/xslt-external-entity.html: Added.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::shouldAllowExternalLoad):
(WebCore::entityLoader):
(WebCore::initializeXMLParser):
Canonical link: https://commits.webkit.org/265870.131@safari-7616-branch
Commit: f292e4f73cee297bfe465b613b63e4c23a933553
https://github.com/WebKit/WebKit/commit/f292e4f73cee297bfe465b613b63e4c23a933553
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M Source/WebKit/Shared/EditorState.cpp
Log Message:
-----------
Cherry-pick 265870.310 at safari-7616.1.27.10-branch (02e340d59353). https://bugs.webkit.org/show_bug.cgi?id=259888
Cherry-pick bfc6efd0dc4e. rdar://problem/113287677
REGRESSION: WebKit provides rectilinear selection rects for rotated text in images
https://bugs.webkit.org/show_bug.cgi?id=259888
rdar://113287677
Reviewed by Wenson Hsieh.
`EditorState::clipOwnedRectExtentsToNumericLimits` was erroneously converting some selection
geometries from quads to rects.
Fix by removing these conversions. Since `FloatQuad`s have no notion of validity, there is no
need to clip them to numeric limits.
* Source/WebKit/Shared/EditorState.cpp:
(WebKit::EditorState::clipOwnedRectExtentsToNumericLimits):
Canonical link: https://commits.webkit.org/265870.235@safari-7616-branch
Identifier: 265870.310 at safari-7616.1.27.10-branch
Compare: https://github.com/WebKit/WebKit/compare/e960cdca5447...f292e4f73cee