[webkit-changes] [WebKit/WebKit] ba6276: Versioning.
Charlie Wolfe
noreply at github.com
Wed Dec 11 11:11:04 PST 2024
Branch: refs/heads/safari-7620.1.16.111-branch
Home: https://github.com/WebKit/WebKit
Commit: ba62765bc58834464b9e6bb8eb41d8ed2c7801f5
https://github.com/WebKit/WebKit/commit/ba62765bc58834464b9e6bb8eb41d8ed2c7801f5
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.11.1
Canonical link: https://commits.webkit.org/283286.442@safari-7620.1.16.11-branch
Commit: aec835ed87c3136635bba7c94c049eb3ace3469e
https://github.com/WebKit/WebKit/commit/aec835ed87c3136635bba7c94c049eb3ace3469e
Author: Kiet Ho <kiet.ho at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
A LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
A LayoutTests/fast/dom/view-transition-lifetime-crash.html
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
M Source/WebCore/dom/VisibilityChangeClient.h
Log Message:
-----------
Cherry-pick c8d323b1851e. rdar://138799302
REGRESSION (283084@main): Document::visibilityStateChanged does not hold reference to callback clients
rdar://138799302
https://bugs.webkit.org/show_bug.cgi?id=282360
Reviewed by Tim Nguyen, Ryosuke Niwa, and Chris Dumez.
Document::visibilityStateChanged() invokes visibility state callback clients, but does not
hold a reference to them before invoking. The client could then accidentally free itself
and cause a UAF. One possible route that leads to a UAF is through ViewTransition,
which the test case demonstrates:
* The ViewTransition C++ objects are allocated by document.startViewTransition().
After the call, each object has a ref count of at least 2 (one in the JS wrapper
that wraps the C++ object, one in Document::m_activeViewTransition)
* The GC is invoked, which releases the JS wrappers and decreases the ref count to 1
* The document visibility state is changed. This invokes ViewTransition::visibilityStateChanged
on each object, which calls ::skipViewTransition, which calls ::clearViewTransition.
::clearViewTransition sets Document::m_activeViewTransition to null, so the object ref
count is 0 and it's deallocated. ::clearViewTransition then continues to modify the
(already deallocated) object, leading to a UAF.
Fix this by holding a reference to the callback clients before invoking them. This involves
making VisibilityChangeClient ref counted. Then Document::visibilityStateChanged()
would hold a reference to the client before invoking it. As WakeLockManager
(which inherits VisibilityChangeClient) wasn't ref counted, this patch also makes it
ref counted.
It's also observed that the JS wrapper should not be deallocated by the GC before the
view transition has completed. This commit fixes this by implementing
ViewTransition::virtualHasPendingActivity(), which the GC consults to determine whether
to deallocate the wrapper or not.
* LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt: Added.
* LayoutTests/fast/dom/view-transition-lifetime-crash.html: Added.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp:
(WebCore::WakeLockManager::ref const): Delegated ref() to the document.
(WebCore::WakeLockManager::deref const): Delegated deref() to the document.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h: Made WakeLockManager ref counted by declaring ref() and deref().
* Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp:
(WebCore::WakeLockSentinel::release): Hold a reference to the document's WakeLockManager before using it.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::visibilityStateChanged): Hold a reference to the visibility state callback client before calling it.
(WebCore::Document::wakeLockManager): Used makeUniqueWithoutRefCountedCheck to create new WakeLockManager.
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::virtualHasPendingActivity const): Added implementation.
* Source/WebCore/dom/ViewTransition.h:
* Source/WebCore/dom/VisibilityChangeClient.h: Made VisibilityChangeClient ref counted.
Canonical link: https://commits.webkit.org/286136@main
Commit: b2a99507e10567f3d706cb3b1a73caf017a71670
https://github.com/WebKit/WebKit/commit/b2a99507e10567f3d706cb3b1a73caf017a71670
Author: Dan Hecht <dan.hecht at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
M Source/JavaScriptCore/wasm/WasmModuleInformation.h
M Source/JavaScriptCore/wasm/WasmParser.h
M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
M Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h
Log Message:
-----------
Cherry-pick 3ec2959867b0. rdar://139266352
[JSC] Fix ref-counting issues with Wasm GC types
https://bugs.webkit.org/show_bug.cgi?id=282576
rdar://139244985
Reviewed by Yusuke Suzuki.
While parsing the wasm type section there are windows where
reference counts to a Wasm GC TypeDefinitions are not held
by the parser. During these windows, a
TypeInformation::tryCleanup() could free these
types out from under the parser. Close these windows.
Also add asserts to help verify and document.
The windows were:
1. parseRecursionGroup() needs to hold ref counts to each
element until it constructs the recursion group, which
takes ownership.
2. parseRecursionGroup() needs to create its projections
and hold references while they are being linked together.
3. While replacing placeholders, we need to be careful to
continue holding a ref count until the unrolling cache
takes ownership.
Also, RTT::tryCreateRTT() was missing an adoptRef which
I think would cause these to leak.
After parsing, everything is owned by the parser's
WasmModuleInformation either directly, indirectly through
the TypeDefinition tree of (manually kept) ref counts, or
indirectly via the TypeInformation caches (which tie the
lifetime of the value to the key).
In addition to the added asserts, I also ran the
javascriptcore test with more instrumentation added
to TypeDefinition::deref() to help ensure references are no
longer dropped at the wrong times.
* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
* Source/JavaScriptCore/wasm/WasmParser.h:
(JSC::Wasm::ParserBase::parseValueType):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseRecursionGroup):
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeDefinition::substitute):
(JSC::Wasm::substituteParent):
(JSC::Wasm::TypeDefinition::replacePlaceholders const):
(JSC::Wasm::TypeDefinition::unroll const):
(JSC::Wasm::RTT::tryCreateRTT):
(JSC::Wasm::TypeInformation::addCachedUnrolling):
(JSC::Wasm::TypeInformation::tryCleanup):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::TypeDefinition::unownedIndex const):
(JSC::Wasm::TypeDefinition::index const): Deleted.
* Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h:
(JSC::Wasm::TypeDefinition::index const):
(JSC::Wasm::TypeInformation::get):
Canonical link: https://commits.webkit.org/286140@main
Commit: 073e87b34d69d1e182cea7d5c3ad7cda407bef0a
https://github.com/WebKit/WebKit/commit/073e87b34d69d1e182cea7d5c3ad7cda407bef0a
Author: Daniel Liu <danlliu at umich.edu>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
A JSTests/stress/string-add-conversion-unused.js
M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
Log Message:
-----------
Cherry-pick 299278ffc3f1. rdar://139373680
DFG ToString should only care about Other uses when it can be Other
https://bugs.webkit.org/show_bug.cgi?id=282661
rdar://138325184
Reviewed by Yusuke Suzuki.
DFG's ToString should only backpropagate a UseAsOther when the use
has the potential to be Other. Otherwise, we end up with a mismatch
in expected value formats.
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
Canonical link: https://commits.webkit.org/283286.438@safari-7620-branch
Commit: a6c6ef1383732db2475c9ecf88f2c572d8106058
https://github.com/WebKit/WebKit/commit/a6c6ef1383732db2475c9ecf88f2c572d8106058
Author: Timothy Hatcher <timothy at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebNavigationEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebRequestEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWindowsEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.h
M Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIAlarms.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebNavigation.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebRequest.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWindows.mm
Log Message:
-----------
Cherry-pick 0628c831bdfb. rdar://139395506
Crash under WebExtensionCallbackHandler::call() when removing event listener.
https://webkit.org/b/282723
rdar://139326901
Reviewed by Brian Weinstein.
Make a copy of the listeners vector before iterating over it.
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIEventCocoa.mm:
(WebKit::WebExtensionAPIEvent::invokeListeners):
(WebKit::WebExtensionAPIEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebNavigationEventCocoa.mm:
(WebKit::WebExtensionAPIWebNavigationEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebRequestEventCocoa.mm:
(WebKit::WebExtensionAPIWebRequestEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWindowsEventCocoa.mm:
(WebKit::WebExtensionAPIWindowsEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.h:
* Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.mm:
(toWebExtensionWebRequestResourceType): Drive-by rename.
(_WKWebExtensionWebRequestResourceTypeFromResourceLoadInfo): Deleted.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIAlarms.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIAlarms, RemoveListenerDuringEvent)): Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebNavigation.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIWebNavigation, RemoveListenerDuringEvent)): Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebRequest.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIWebRequest, RemoveListenerDuringEvent)): Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWindows.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIWindows, RemoveListenerDuringEvent)): Added.
Canonical link: https://commits.webkit.org/286260@main
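What "make a copy of the listeners vector before iterating over it" protects against, as an added C++ example (not WebKit's code: ExtensionEvent, the function-pointer-plus-context listener shape and the DispatchScenario bookkeeping are constructed here for the demonstration). A listener that removes itself mid-dispatch shifts the live vector under the loop; the snapshot form dispatches to every listener that was registered at the moment the event fired.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Listener registry in the shape of the extension event objects named in the commit:
// a plain function pointer plus context, so nothing in the vector owns state the callback needs.
class ExtensionEvent {
public:
    using ListenerFunction = void (*)(ExtensionEvent&, void* context);
    struct Listener { unsigned id; ListenerFunction function; void* context; };

    unsigned addListener(ListenerFunction function, void* context) {
        m_listeners.push_back({ ++m_nextId, function, context });
        return m_nextId;
    }
    void removeListener(unsigned id) {
        m_listeners.erase(std::remove_if(m_listeners.begin(), m_listeners.end(),
            [id](const Listener& l) { return l.id == id; }), m_listeners.end());
    }
    // Before the fix: walks the live vector. A listener that removes itself shifts the
    // remaining entries down a slot, so the next one is skipped; with iterators instead
    // of an index the erase invalidates the iterator outright (the reported crash).
    void invokeListenersUnsafe() {
        for (std::size_t i = 0; i < m_listeners.size(); ++i)
            m_listeners[i].function(*this, m_listeners[i].context);
    }
    // After the fix: snapshot first, then dispatch from the snapshot. Adds and removes
    // made by a listener take effect for the next event, never for the one in flight.
    void invokeListenersSafe() {
        auto listeners = m_listeners;
        for (const auto& listener : listeners)
            listener.function(*this, listener.context);
    }
    std::size_t listenerCount() const { return m_listeners.size(); }
private:
    std::vector<Listener> m_listeners;
    unsigned m_nextId { 0 };
};

// Constructed scenario state: how many listeners ran, and which one is the one-shot listener.
struct DispatchScenario { int firedCount { 0 }; unsigned oneShotId { 0 }; };

static void oneShotListener(ExtensionEvent& event, void* context) {
    auto& scenario = *static_cast<DispatchScenario*>(context);
    ++scenario.firedCount;
    event.removeListener(scenario.oneShotId); // removes itself while being invoked
}
static void countingListener(ExtensionEvent&, void* context) {
    ++static_cast<DispatchScenario*>(context)->firedCount;
}

// Three listeners, the first of which removes itself when fired.
// Returns how many listeners actually ran for one dispatch (3 is the correct answer).
int runDispatch(bool copyBeforeIterating) {
    ExtensionEvent event;
    DispatchScenario scenario;
    scenario.oneShotId = event.addListener(oneShotListener, &scenario);
    event.addListener(countingListener, &scenario);
    event.addListener(countingListener, &scenario);
    if (copyBeforeIterating)
        event.invokeListenersSafe();
    else
        event.invokeListenersUnsafe();
    return scenario.firedCount;
}
```

The unsafe variant uses an index loop on purpose so the example stays defined behaviour and the symptom is observable (one of the three listeners never runs); the iterator form of the same loop is what produces the crash the commit title reports. In both variants the removal itself sticks: two listeners remain registered afterwards.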
Commit: d634e43de620b758c033c3abd87bfa8598463423
https://github.com/WebKit/WebKit/commit/d634e43de620b758c033c3abd87bfa8598463423
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
R LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
R LayoutTests/fast/dom/view-transition-lifetime-crash.html
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
M Source/WebCore/dom/VisibilityChangeClient.h
Log Message:
-----------
Revert c8d323b1851e. rdar://138799302
This reverts commit aec835ed87c3136635bba7c94c049eb3ace3469e.
Commit: 7d4cc3e9870f53d1ecdd39cdaf98f2473ac927f3
https://github.com/WebKit/WebKit/commit/7d4cc3e9870f53d1ecdd39cdaf98f2473ac927f3
Author: Kiet Ho <kiet.ho at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
A LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
A LayoutTests/fast/dom/view-transition-lifetime-crash.html
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
M Source/WebCore/dom/VisibilityChangeClient.h
Log Message:
-----------
Cherry-pick 430e2dd31ad1. rdar://138799302
Cherry-pick c8d323b1851e. rdar://139301982
REGRESSION (283084@main): Document::visibilityStateChanged does not hold reference to callback clients
rdar://138799302
https://bugs.webkit.org/show_bug.cgi?id=282360
Reviewed by Tim Nguyen, Ryosuke Niwa, and Chris Dumez.
Document::visibilityStateChanged() invokes visibility state callback clients, but does not
hold a reference to them before invoking. The client could then accidentally free itself
and cause a UAF. One possible route that leads to a UAF is through ViewTransition,
which the test case demonstrates:
* The ViewTransition C++ objects are allocated by document.startViewTransition().
After the call, each object has a ref count of at least 2 (one in the JS wrapper
that wraps the C++ object, one in Document::m_activeViewTransition)
* The GC is invoked, which releases the JS wrappers and decreases the ref count to 1
* The document visibility state is changed. This invokes ViewTransition::visibilityStateChanged
on each object, which calls ::skipViewTransition, which calls ::clearViewTransition.
::clearViewTransition sets Document::m_activeViewTransition to null, so the object ref
count is 0 and it's deallocated. ::clearViewTransition then continues to modify the
(already deallocated) object, leading to a UAF.
Fix this by holding a reference to the callback clients before invoking them. This involves
making VisibilityChangeClient ref counted. Then Document::visibilityStateChanged()
would hold a reference to the client before invoking it. As WakeLockManager
(which inherits VisibilityChangeClient) wasn't ref counted, this patch also makes it
ref counted.
It's also observed that the JS wrapper should not be deallocated by the GC before the
view transition has completed. This commit fixes this by implementing
ViewTransition::virtualHasPendingActivity(), which the GC consults to determine whether
to deallocate the wrapper or not.
* LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt: Added.
* LayoutTests/fast/dom/view-transition-lifetime-crash.html: Added.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp:
(WebCore::WakeLockManager::ref const): Delegated ref() to the document.
(WebCore::WakeLockManager::deref const): Delegated deref() to the document.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h: Made WakeLockManager ref counted by declaring ref() and deref().
* Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp:
(WebCore::WakeLockSentinel::release): Hold a reference to the document's WakeLockManager before using it.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::visibilityStateChanged): Hold a reference to the visibility state callback client before calling it.
(WebCore::Document::wakeLockManager): Used makeUniqueWithoutRefCountedCheck to create new WakeLockManager.
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::virtualHasPendingActivity const): Added implementation.
* Source/WebCore/dom/ViewTransition.h:
* Source/WebCore/dom/VisibilityChangeClient.h: Made VisibilityChangeClient ref counted.
Canonical link: https://commits.webkit.org/286136@main
Canonical link: https://commits.webkit.org/283286.444@safari-7620-branch
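The sequence described in that commit message (landed above, reverted, and re-landed here), reduced to a stand-alone C++ model. This is an added example, not WebKit code: RefCounted, RefPtr, Document, VisibilityChangeClient and ViewTransition below are small stand-ins with the same shape as the WebCore classes the message names; the live-object registry, the g_sawUseAfterFree flag and runScenario() are constructed for the demonstration; and the JS wrapper's reference is simply never taken, standing in for the GC having already released it. The unprotected dispatch observes its own object being destroyed mid-callback; the protected one, which takes a reference before the call as the fix does, does not.

```cpp
#include <algorithm>
#include <cassert>
#include <set>
#include <vector>

// Minimal intrusive reference counting (stand-in for WTF::RefCounted / RefPtr).
class RefCounted {
public:
    void ref() const { ++m_refCount; }
    void deref() const { if (!--m_refCount) delete this; }
    virtual ~RefCounted() = default;
private:
    mutable unsigned m_refCount { 0 };
};

template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) { reset(ptr); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { reset(nullptr); }
    // Clear the slot before releasing the old object: a destructor running inside deref() must not see a stale pointer here.
    void reset(T* ptr) { if (ptr) ptr->ref(); T* old = m_ptr; m_ptr = ptr; if (old) old->deref(); }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

// Live-transition registry consulted by pointer value only: detects "freed during my own callback" without reading freed memory.
static std::set<const void*>& liveTransitions() { static std::set<const void*> s; return s; }
static bool g_sawUseAfterFree = false;

class VisibilityChangeClient : public RefCounted {
public:
    virtual void visibilityStateChanged() = 0;
};

class Document {
public:
    void startViewTransition(); // defined after ViewTransition
    void clearActiveViewTransition() { m_activeViewTransition.reset(nullptr); }
    void registerClient(VisibilityChangeClient& c) { m_clients.push_back(&c); }
    void unregisterClient(VisibilityChangeClient& c) { m_clients.erase(std::remove(m_clients.begin(), m_clients.end(), &c), m_clients.end()); }
    // Before the fix: nothing keeps the client alive across the call.
    void visibilityStateChangedUnsafe() {
        auto clients = m_clients;
        for (auto* client : clients)
            client->visibilityStateChanged();
    }
    // After the fix: hold a reference first, so the client outlives the call even if it drops the document's owning reference to itself.
    void visibilityStateChangedSafe() {
        auto clients = m_clients;
        for (auto* client : clients) {
            RefPtr<VisibilityChangeClient> protectedClient(client);
            protectedClient->visibilityStateChanged();
        }
    }
private:
    std::vector<VisibilityChangeClient*> m_clients;        // weak observer list
    RefPtr<VisibilityChangeClient> m_activeViewTransition; // the owning reference
};

class ViewTransition final : public VisibilityChangeClient {
public:
    explicit ViewTransition(Document& document) : m_document(document) { liveTransitions().insert(static_cast<const void*>(this)); m_document.registerClient(*this); }
    ~ViewTransition() override { m_document.unregisterClient(*this); liveTransitions().erase(static_cast<const void*>(this)); }
    void visibilityStateChanged() override { skipViewTransition(); }
private:
    // skipViewTransition -> clearViewTransition: dropping the document's reference destroys *this* if it was the last one (the JS wrapper was already collected).
    void skipViewTransition() {
        const void* self = this;
        Document& document = m_document; // read members only while certainly alive
        document.clearActiveViewTransition();
        // The real clearViewTransition() kept writing to members here; this model only compares addresses.
        g_sawUseAfterFree = !liveTransitions().count(self);
    }
    Document& m_document;
};

void Document::startViewTransition() { m_activeViewTransition.reset(new ViewTransition(*this)); }

// The report's sequence: startViewTransition(), wrapper collected (document holds the only reference), visibility change. True if the callback outlived its object.
bool runScenario(bool protectClients) {
    g_sawUseAfterFree = false;
    Document document;
    document.startViewTransition();
    if (protectClients)
        document.visibilityStateChangedSafe();
    else
        document.visibilityStateChangedUnsafe();
    assert(liveTransitions().empty()); // the transition is gone on both paths: nothing leaked
    return g_sawUseAfterFree;
}
```

Both paths end with the transition destroyed and nothing leaked; the only difference is whether the callback's own object was still alive when control came back from clearActiveViewTransition(). The ordering inside RefPtr::reset() (null the slot, then deref) is the other half of the pattern: it is what lets a destructor that runs inside the release look at its owner without finding a dangling pointer. The virtualHasPendingActivity() part of the fix is the complementary measure the model leaves out: it keeps the wrapper, and so the second reference, alive until the transition finishes, which removes the precondition for this sequence rather than the consequence.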
Commit: 4ed5c0896493d248f4f26f6fd9da7f5b1eed6e79
https://github.com/WebKit/WebKit/commit/4ed5c0896493d248f4f26f6fd9da7f5b1eed6e79
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
M Source/WebKit/UIProcess/API/mac/WKWebViewMac.mm
M Source/WebKit/UIProcess/mac/WebViewImpl.h
M Source/WebKit/UIProcess/mac/WebViewImpl.mm
M Source/WebKit/WebKitSwift/WritingTools/WKIntelligenceTextEffectCoordinator.h
M Source/WebKit/WebKitSwift/WritingTools/WKIntelligenceTextEffectCoordinator.swift
Log Message:
-----------
Cherry-pick cd0b50ca7cce. rdar://139445053
[Intelligence Effects] Scrolling during a proofreading animation causes overlapping text on macOS
https://bugs.webkit.org/show_bug.cgi?id=282712
rdar://139246952
Reviewed by Abrar Rahman Protyasha.
Stop any ongoing intelligence effects if a scroll/resize/zoom happens.
* Source/WebKit/UIProcess/API/mac/WKWebViewMac.mm:
(-[WKWebView _web_hasActiveIntelligenceTextEffects]):
(-[WKWebView _web_suppressContentRelativeChildViews]):
(-[WKWebView _web_restoreContentRelativeChildViews]):
* Source/WebKit/UIProcess/mac/WebViewImpl.h:
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(WebKit::WebViewImpl::hasContentRelativeChildViews const):
(WebKit::WebViewImpl::suppressContentRelativeChildViews):
(WebKit::WebViewImpl::restoreContentRelativeChildViews):
* Source/WebKit/WebKitSwift/WritingTools/WKIntelligenceTextEffectCoordinator.h:
* Source/WebKit/WebKitSwift/WritingTools/WKIntelligenceTextEffectCoordinator.swift:
(hasActiveEffects):
(hideEffects):
(showEffects):
(setupViewIfNeeded):
(reset):
(WKIntelligenceTextEffectCoordinator.updateTextChunkVisibility(_:visible:force:)):
(textVisibilityRegionIdentifiers): Deleted.
Canonical link: https://commits.webkit.org/286254@main
Canonical link: https://commits.webkit.org/283286.449@safari-7620.1.16.11-branch
Commit: e47795bdb5f9d89681fd193962cc5f9833ff63d1
https://github.com/WebKit/WebKit/commit/e47795bdb5f9d89681fd193962cc5f9833ff63d1
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
A JSTests/stress/oom-test-for-replace-all.js
A JSTests/wasm/stress/omg-tail-call-clobber-pinned-registers.js
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
Log Message:
-----------
Cherry-pick 91c5b2e06b9c. rdar://139362369
Cherry-pick f35184a412c9. rdar://139362369
[JSC] Wasm TailCall should say "pinned registers can be clobbered" in OMG
https://bugs.webkit.org/show_bug.cgi?id=282635
rdar://138178964
Reviewed by Keith Miller and David Degazio.
We need to say that pinned registers are clobbered for transitive tail-calls
in OMG to correctly restore wasm instance.
* JSTests/wasm/stress/omg-tail-call-clobber-pinned-registers.js: Added.
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::addCall):
(JSC::Wasm::OMGIRGenerator::addCallRef):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::addCall):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::dumpDisassembly):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::dumpDisassembly):
Canonical link: https://commits.webkit.org/286193@main
Canonical link: https://commits.webkit.org/283286.450@safari-7620.1.16.10-branch
Canonical link: https://commits.webkit.org/283286.450@safari-7620.1.16.11-branch
Commit: be1c62fc4f701c578f7e052bd61dc782d30a2c5e
https://github.com/WebKit/WebKit/commit/be1c62fc4f701c578f7e052bd61dc782d30a2c5e
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.11.2
Canonical link: https://commits.webkit.org/283286.451@safari-7620.1.16.11-branch
Commit: b4b8ac3e73af6260a7a404051705768999c6a144
https://github.com/WebKit/WebKit/commit/b4b8ac3e73af6260a7a404051705768999c6a144
Author: Tim Nguyen <ntim at apple.com>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
M Source/WebCore/style/StyleAdjuster.cpp
Log Message:
-----------
Cherry-pick 331f6e1deec3. rdar://139523759
REGRESSION(282068@main): Flashing scrollbar on Spotify when hovering the fullscreen button
https://bugs.webkit.org/show_bug.cgi?id=282793
rdar://138918575
Reviewed by Simon Fraser.
The temporary glitch is a pre-existing unstable layout bug that was papered over using body::-webkit-scrollbar { display: none } as a workaround.
Spotify also uses body { scrollbar-width: none }, and per-spec, any non-default scrollbar-width value makes ::-webkit-scrollbar styling ineffective, so this workaround no longer works.
While we investigate the root issue further, make a quirk to make `scrollbar-width: none` no-op on body for now, to address the customer issue.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::needsBodyScrollbarWidthNoneDisabledQuirk const):
* Source/WebCore/page/Quirks.h:
* Source/WebCore/style/StyleAdjuster.cpp:
(WebCore::Style::Adjuster::adjustForSiteSpecificQuirks const):
Canonical link: https://commits.webkit.org/286350@main
Canonical link: https://commits.webkit.org/283286.452@safari-7620.1.16.11-branch
Commit: b38f9b0b453feb4adf9899980a704329ddad29cb
https://github.com/WebKit/WebKit/commit/b38f9b0b453feb4adf9899980a704329ddad29cb
Author: Russell Epstein <repstein at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.11.3
Canonical link: https://commits.webkit.org/283286.453@safari-7620.1.16.11-branch
Commit: 3fc594d6df0d2c9684ea5c51819d37e9f803f31a
https://github.com/WebKit/WebKit/commit/3fc594d6df0d2c9684ea5c51819d37e9f803f31a
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/WTF/wtf/LockAlgorithm.h
Log Message:
-----------
Cherry-pick 4d456933d70e. rdar://139645285
LockAlgorithm::unlockFast is too fast
https://bugs.webkit.org/show_bug.cgi?id=282865
rdar://139548123
Reviewed by Yusuke Suzuki.
Right now it has relaxed ordering but that's not correct since it means writes to the critical section
could happen after the lock is unlocked. This could lead to arbitrary crashes or other general badness.
* Source/WTF/wtf/LockAlgorithm.h:
(WTF::LockAlgorithm::unlockFast):
Canonical link: https://commits.webkit.org/283286.466@safari-7620-branch
Canonical link: https://commits.webkit.org/283286.454@safari-7620.1.16.11-branch
Commit: cac85ed6ae7ab1c6edea2f214f2172195778c9b8
https://github.com/WebKit/WebKit/commit/cac85ed6ae7ab1c6edea2f214f2172195778c9b8
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
M LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
Log Message:
-----------
Cherry-pick fbc1283a4a99. rdar://138281493
Unreviewed, reverting "[WebAuthn] Implement batching for checking allowCredentials (48851c3d135a)"
https://bugs.webkit.org/show_bug.cgi?id=282880
rdar://138281493
Fix Login Issues with newer Yubikeys.
Reverted change:
Cherry-pick 52a47cb. rdar://133711978
[WebAuthn] Implement batching for checking allowCredentials
rdar://133711978
https://bugs.webkit.org/show_bug.cgi?id=277979
Reviewed by Brent Fulgham.
This change implements checking the allowCredentials in batches as supported by
the authenticator during getAssertion. This is accomplished with smaller up=0,
get requests to determine if credentials are present on the authenticator.
Then if a credential is detected as present, it is included in the allowCredentials list
in the real request. If no credentials matched, then we already know the call will not
be able to succeed, so we just include the last batch.
Added layout tests for the new behaviors.
* LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
* LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueSlientlyCheckCredentials):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterCheckExcludedCredentials):
(WebKit::CtapAuthenticator::getAssertion):
(WebKit::CtapAuthenticator::continueGetAssertionAfterCheckAllowCredentials):
(WebKit::CtapAuthenticator::continueCheckExcludedCredentialsAfterResponseRecieved): Deleted.
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
Canonical link: https://commits.webkit.org/282246@main
Canonical link: https://commits.webkit.org/283286.467@safari-7620-branch
Canonical link: https://commits.webkit.org/283286.455@safari-7620.1.16.11-branch
Commit: 9a965a147102c54b906499273147c78a97141fea
https://github.com/WebKit/WebKit/commit/9a965a147102c54b906499273147c78a97141fea
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html
M LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html
M LayoutTests/http/wpt/webauthn/resources/util.js
M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp
M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h
M Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp
M Source/WebCore/Modules/webauthn/fido/FidoConstants.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.idl
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
Log Message:
-----------
Cherry-pick aaafcd1e5687. rdar://138281493
Unreviewed, reverting [WebAuthn] Implement batching for checking excludeCredentials
https://bugs.webkit.org/show_bug.cgi?id=282878
rdar://138281493
Revert to Fix rdar://138281493 Unable to enter PIN for Yubikey
Reverted change:
Cherry-pick f56198757e4b. rdar://133307666
[WebAuthn] Implement batching for checking excludeCredentials
rdar://133307666
https://bugs.webkit.org/show_bug.cgi?id=277695
Reviewed by Charlie Wolfe.
This change starts to implement checking the excludeCredential list in batches as
supported by the authenticator during a makeCredential. This is accomplished by using
smaller, up=0, get requests to detect if a credential is present on the authenticator.
Then if a credential is detected, only that credential may be included with the actual
makeCredential request to get the proper error code back from the authenticator. If none
matched, we don't need to include a excludeCredentials list to the authenticator since
we already know those credentials aren't present.
This patch only implements this logic for makeCredential, getAssertion will be done in
another patch.
Added layout tests to test matching exclude list with batching, non-matching exclude list with
batching, and a security key that supports batches greater than 1.
* LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
* LayoutTests/http/wpt/webauthn/resources/util.js:
* Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp:
(fido::AuthenticatorGetInfoResponse::setMaxCredentialCountInList):
(fido::AuthenticatorGetInfoResponse::setMaxCredentialIDLength):
(fido::encodeAsCBOR):
* Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h:
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp:
(fido::encodeSilentGetAssertion):
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h:
* Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp:
(fido::readCTAPGetInfoResponse):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.idl:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
(WebKit::MockHidConnection::feedReports):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueCheckExcludedCredentialsAfterResponseRecieved):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterCheckExcludedCredentials):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
Canonical link: https://commits.webkit.org/282019@main
Canonical link: https://commits.webkit.org/280938.236@safari-7619-branch
Canonical link: https://commits.webkit.org/283286.468@safari-7620-branch
Canonical link: https://commits.webkit.org/283286.456@safari-7620.1.16.11-branch
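The two reverted changes above describe the same probing idea for opposite purposes: silent (up=0) getAssertion requests, sized to the authenticator's maxCredentialCountInList, to learn which entries of a long credential list the key actually holds. Below is an added C++ model of that selection logic, not WebKit's code: MockAuthenticator, the credential ids, the helper names and the round-trip counter are constructed for the demonstration, and no CBOR or CTAP framing is involved. It covers both the allowCredentials rule from bug 277979 (the matched credential, else the last batch) and the excludeCredentials rule from bug 277695 (the matched credential, else nothing), and counts the probes each rule costs.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <optional>
#include <set>
#include <string>
#include <vector>

using CredentialId = std::string;
using CredentialList = std::vector<CredentialId>;

// Constructed stand-in for a CTAP2 security key. maxCredentialCountInList is the
// authenticatorGetInfo limit the reverted changes batched against.
struct MockAuthenticator {
    std::set<CredentialId> storedCredentials;
    std::size_t maxCredentialCountInList { 1 };
    mutable int silentRequestsSent { 0 }; // round trips consumed by probing

    // Silent (up=0) getAssertion: reports which entry of allowList it holds, if any.
    // A list longer than the advertised limit is a caller bug in this model.
    std::optional<CredentialId> silentGetAssertion(const CredentialList& allowList) const {
        assert(allowList.size() <= maxCredentialCountInList);
        ++silentRequestsSent;
        for (const auto& id : allowList)
            if (storedCredentials.count(id))
                return id;
        return std::nullopt;
    }
};

// Chop ids into lists the authenticator accepts in a single request.
static std::vector<CredentialList> batchCredentials(const CredentialList& ids, std::size_t batchSize) {
    assert(batchSize > 0);
    std::vector<CredentialList> batches;
    for (std::size_t i = 0; i < ids.size(); i += batchSize)
        batches.emplace_back(ids.begin() + i, ids.begin() + std::min(ids.size(), i + batchSize));
    return batches;
}

// Probe batch by batch, stopping at the first hit. lastBatch is left holding the final
// batch probed, which the no-match getAssertion path sends as its allow list.
static std::optional<CredentialId> findStoredCredential(const MockAuthenticator& authenticator,
    const CredentialList& ids, CredentialList& lastBatch) {
    lastBatch.clear();
    for (const auto& batch : batchCredentials(ids, authenticator.maxCredentialCountInList)) {
        lastBatch = batch;
        if (auto match = authenticator.silentGetAssertion(batch))
            return match;
    }
    return std::nullopt;
}

// allowCredentials for the real getAssertion (bug 277979): the matched credential alone,
// or, when nothing matched, just the last batch, since the request cannot succeed anyway.
CredentialList selectAllowList(const MockAuthenticator& authenticator, const CredentialList& allowCredentials) {
    CredentialList lastBatch;
    if (auto match = findStoredCredential(authenticator, allowCredentials, lastBatch))
        return { *match };
    return lastBatch;
}

// excludeCredentials for the real makeCredential (bug 277695): only the matched credential,
// so the authenticator itself returns the "excluded" error; an empty list when nothing
// matched, since those credentials are already known not to be present.
CredentialList selectExcludeList(const MockAuthenticator& authenticator, const CredentialList& excludeCredentials) {
    CredentialList lastBatch;
    if (auto match = findStoredCredential(authenticator, excludeCredentials, lastBatch))
        return { *match };
    return {};
}
```

With five ids and a limit of two, a key holding the second id answers after one probe; a key holding none of them costs three probes and, for getAssertion, still gets the final batch as its allow list. The revert messages above report that this probing broke PIN entry and login on newer YubiKeys, so the model is a reading aid for the selection rules, not a description of what shipped.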
Commit: 2f64bd8a358b70f72e7d67cc5f2ed5fca34b3bb4
https://github.com/WebKit/WebKit/commit/2f64bd8a358b70f72e7d67cc5f2ed5fca34b3bb4
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_library_cache.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_utils.mm
Log Message:
-----------
Cherry-pick 8826887be8c6. rdar://139660591
[ANGLE] Fix leaks in NewMetalLibraryFromMetallib() on every call
<https://bugs.webkit.org/show_bug.cgi?id=282890>
<rdar://139586222>
Reviewed by Kimmo Kinnunen.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_library_cache.mm:
(rx::(anonymous)::NewMetalLibraryFromMetallib):
- Use adoptObjCObj() to fix leak of id<MTLLibrary>.
- Call dispatch_release() to fix leak of dispatch_data_t.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_utils.mm:
(rx::mtl::CreateShaderLibraryFromBinary):
- Use DISPATCH_DATA_DESTRUCTOR_DEFAULT instead of empty block.
- Replace ANGLE_MTL_AUTORELEASE with adoptObjCObj() to avoid unneeded
autorelease of id<MTLLibrary> object.
Canonical link: https://commits.webkit.org/286425@main
Commit: b129be6b2bab861a33bb8f10bb1ea39f5ce55759
https://github.com/WebKit/WebKit/commit/b129be6b2bab861a33bb8f10bb1ea39f5ce55759
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
A JSTests/wasm/stress/wasm-bbq-catch-unbind.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
Log Message:
-----------
Cherry-pick 39727612b542. rdar://139502479
[JSC] Aborted in JSC::Wasm::BBQJITImpl::BBQJIT::bind
https://bugs.webkit.org/show_bug.cgi?id=282825
rdar://139502479
Reviewed by David Degazio.
This patch adds unbinding for all registers for addCatch and addCatchAll
too since they also should not carry any bindings from the other blocks.
* JSTests/wasm/stress/wasm-bbq-catch-unbind.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatch):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchAll):
Canonical link: https://commits.webkit.org/283286.470@safari-7620-branch
Commit: 19ac7a2e9013b8ed4203d1f67e20383871dd8c18
https://github.com/WebKit/WebKit/commit/19ac7a2e9013b8ed4203d1f67e20383871dd8c18
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_library_cache.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_utils.mm
Log Message:
-----------
Revert 8826887be8c6. rdar://139660591
This reverts commit 2f64bd8a358b70f72e7d67cc5f2ed5fca34b3bb4.
Commit: 6754cfb0feaa583ff7a5775ec7cbcbf3e4e73573
https://github.com/WebKit/WebKit/commit/6754cfb0feaa583ff7a5775ec7cbcbf3e4e73573
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/WTF/wtf/LockAlgorithm.h
Log Message:
-----------
Revert 4d456933d70e. rdar://139645285
This reverts commit 3fc594d6df0d2c9684ea5c51819d37e9f803f31a.
Commit: 57249dce9c755229daa66fd03b1e199b098e2022
https://github.com/WebKit/WebKit/commit/57249dce9c755229daa66fd03b1e199b098e2022
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-12 (Tue, 12 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.11.4
Canonical link: https://commits.webkit.org/283286.459@safari-7620.1.16.11-branch
Commit: 20c01f4ac592127c1a24e4f20bbf6c3e6ba86e83
https://github.com/WebKit/WebKit/commit/20c01f4ac592127c1a24e4f20bbf6c3e6ba86e83
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-12 (Tue, 12 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.111.1
Canonical link: https://commits.webkit.org/283286.462@safari-7620.1.16.111-branch
Commit: 00049fc90028b95a65a2bf5b5a9e3a70377b3ac3
https://github.com/WebKit/WebKit/commit/00049fc90028b95a65a2bf5b5a9e3a70377b3ac3
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-12 (Tue, 12 Nov 2024)
Changed paths:
M Source/WebCore/html/HTMLVideoElement.cpp
M Source/WebCore/html/HTMLVideoElement.h
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/platform/VideoFrame.cpp
M Source/WebCore/platform/VideoFrame.h
M Source/WebCore/platform/graphics/BifurcatedGraphicsContext.cpp
M Source/WebCore/platform/graphics/BifurcatedGraphicsContext.h
M Source/WebCore/platform/graphics/GraphicsContext.cpp
M Source/WebCore/platform/graphics/GraphicsContext.h
M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
M Source/WebCore/platform/graphics/MediaPlayer.cpp
M Source/WebCore/platform/graphics/MediaPlayer.h
M Source/WebCore/platform/graphics/NullGraphicsContext.h
M Source/WebCore/platform/graphics/cv/VideoFrameCV.mm
M Source/WebCore/platform/graphics/displaylists/DisplayListItem.h
M Source/WebCore/platform/graphics/displaylists/DisplayListItems.cpp
M Source/WebCore/platform/graphics/displaylists/DisplayListItems.h
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorder.cpp
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorder.h
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.cpp
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.h
M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
M Source/WebCore/platform/graphics/gstreamer/VideoFrameGStreamer.cpp
M Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp
M Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.h
M Source/WebCore/rendering/RenderVideo.cpp
M Source/WebKit/GPUProcess/graphics/RemoteDisplayListRecorder.cpp
M Source/WebKit/GPUProcess/graphics/RemoteDisplayListRecorder.h
M Source/WebKit/GPUProcess/graphics/RemoteDisplayListRecorder.messages.in
M Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.h
M Source/WebKit/Shared/DisplayListArgumentCoders.serialization.in
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h
M Source/WebKit/WebProcess/GPU/media/MediaPlayerPrivateRemote.cpp
M Source/WebKit/WebProcess/GPU/media/cocoa/MediaPlayerPrivateRemoteCocoa.mm
Log Message:
-----------
Revert 63ca1cca5ba5. rdar://137001681
Commit: 8cf0ca57a83743227c132a2ca62401afd361b02e
https://github.com/WebKit/WebKit/commit/8cf0ca57a83743227c132a2ca62401afd361b02e
Author: Jason Lee <jlee32 at apple.com>
Date: 2024-11-12 (Tue, 12 Nov 2024)
Changed paths:
M Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h
M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm
Log Message:
-----------
Cherry-pick b09d78e4a2ec. rdar://139368939
Passkey registration broken on Ventura
https://bugs.webkit.org/show_bug.cgi?id=282732
rdar://139368939
Reviewed by Brent Fulgham.
ASCPlatformPublicKeyCredentialRegistration.transports was changed from an array
of NSNumbers to NSStrings. This change was not reflected in the WebKit legacy
passkey code path.
This patch updates that code to properly convert the strings to enum values.
* Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
(WebKit::toAuthenticatorTransports):
Canonical link: https://commits.webkit.org/286345@main
Commit: bc9f402a2d26559b2ee0e2fc0f045a0b0f73910d
https://github.com/WebKit/WebKit/commit/bc9f402a2d26559b2ee0e2fc0f045a0b0f73910d
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.111.2
Canonical link: https://commits.webkit.org/283286.465@safari-7620.1.16.111-branch
Commit: 09654c6d87f94c06ff10679a50cf8b17d1e327f7
https://github.com/WebKit/WebKit/commit/09654c6d87f94c06ff10679a50cf8b17d1e327f7
Author: Daniel Liu <danlliu at umich.edu>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick ded4d02c0a93. rdar://139822639
Don't allocate DFG register after a slow path
https://bugs.webkit.org/show_bug.cgi?id=283063
rdar://139747120
Reviewed by Yusuke Suzuki.
Allocating a DFG register after a slow path means that if the slow path
is taken, we end up with an incorrect global state.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
Canonical link: https://commits.webkit.org/283286.475@safari-7620-branch
Commit: 01f28d4ca10caddd896951b18aa2c78e8afd0463
https://github.com/WebKit/WebKit/commit/01f28d4ca10caddd896951b18aa2c78e8afd0463
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.111.3
Canonical link: https://commits.webkit.org/283286.467@safari-7620.1.16.111-branch
Commit: c40e12e5791a18a133b77b975597d8deb2555e03
https://github.com/WebKit/WebKit/commit/c40e12e5791a18a133b77b975597d8deb2555e03
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
M Source/WebKit/NetworkProcess/NetworkProcess.h
M Source/WebKit/NetworkProcess/NetworkSession.cpp
M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp
M Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
Log Message:
-----------
Cherry-pick 2815b4e29829. rdar://139893500
Data Isolation bypass via attacker controlled firstPartyForCookies
https://bugs.webkit.org/show_bug.cgi?id=283095
rdar://139818629
Reviewed by Matthew Finkel and Alex Christensen.
`NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or
empty firstPartyForCookies URLs. We tried to remove this in rdar://105733798 and rdar://107270673, but
we needed to revert both because there were rare and subtle bugs where certain requests would incorrectly
have about:blank set as their firstPartyForCookies, causing us to kill the WCP.
This patch is a lower risk change that removes the unconditional cookie access for requests that have an
empty firstPartyForCookies, but will not kill the WCP that is incorrectly sending an empty
firstPartyForCookies.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::createSocketChannel):
(WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookiesEnabled):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
(WebKit::NetworkConnectionToWebProcess::domCookiesForHost):
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::allowsFirstPartyForCookies):
* Source/WebKit/NetworkProcess/NetworkProcess.h:
* Source/WebKit/NetworkProcess/NetworkSession.cpp:
(WebKit::NetworkSession::addAllowedFirstPartyForCookies):
* Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
(WebKit::WebSWServerConnection::scheduleJobInServer):
* Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp:
(WebKit::WebSharedWorkerServerConnection::requestSharedWorker):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(EmptyFirstPartyForCookiesCookieRequestHeaderFieldValue)):
Canonical link: https://commits.webkit.org/283286.477@safari-7620-branch
Commit: 34e60a3c673ea6b16712d0181a7f87f0c7e837c1
https://github.com/WebKit/WebKit/commit/34e60a3c673ea6b16712d0181a7f87f0c7e837c1
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.111.4
Canonical link: https://commits.webkit.org/283286.469@safari-7620.1.16.111-branch
Commit: db1c68a39a0271498c7599affc34f2cb304846b9
https://github.com/WebKit/WebKit/commit/db1c68a39a0271498c7599affc34f2cb304846b9
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.111.5
Canonical link: https://commits.webkit.org/283286.470@safari-7620.1.16.111-branch
Commit: 8a3e69ef30be9d2da1c871beca525ddf24d05521
https://github.com/WebKit/WebKit/commit/8a3e69ef30be9d2da1c871beca525ddf24d05521
Author: Matthieu Dubet <m_dubet at apple.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001.html
M Source/WebCore/css/SelectorChecker.cpp
Log Message:
-----------
Cherry-pick 33507394bab5. rdar://139908140
[CSS] Don't combine :not() with :host
https://bugs.webkit.org/show_bug.cgi?id=282960
rdar://139198548
Reviewed by Tim Nguyen.
As a featureless element, only :host matches the shadow host.
Functional pseudoclasses pass the behavior to their arguments,
so :is(:host) matches the same as :host (the shadow host).
This fixes a regression introduced in 281963 at main.
Before 281963, :host combination with a functional pseudoclass
(or anything but a pseudo-element more generally)
was early returning "not match".
281963 has removed the early return for all functional pseudoclasses
(to allow :is() combined with :host, but also :not()).
Properly supporting :host combining with :not() is tricky
and will be handled in a followup patch.
* LayoutTests/TestExpectations:
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001.html: Added.
* Source/WebCore/css/SelectorChecker.cpp:
(WebCore::SelectorChecker::checkOne const):
Canonical link: https://commits.webkit.org/286611@main
Commit: a0b2038b34de32bf746ccdfb54a0d7f7f02e20d9
https://github.com/WebKit/WebKit/commit/a0b2038b34de32bf746ccdfb54a0d7f7f02e20d9
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M Source/WebKit/WebKitSwift/WritingTools/WKIntelligenceTextEffectCoordinator.swift
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WritingTools.mm
Log Message:
-----------
Cherry-pick dc67c7bd3684. rdar://140223425
[Writing Tools] Can no longer type in compose view after using Writing Tools proofreading in Mail
https://bugs.webkit.org/show_bug.cgi?id=283329
rdar://140133728
Reviewed by Abrar Rahman Protyasha.
This is essentially the same bug as https://commits.webkit.org/283274@main. This time, even though there
was supposed to be logic to ensure that the view got removed when there were no longer any active effects,
the logic was flawed due to the wrong order of operations; the call to remove the view happened prior to
the effects actually being set to `nil`.
Fix by ensuring that the order of operations of when the effects are set to `nil` and when the view is
requested to be removed is correct.
* Source/WebKit/WebKitSwift/WritingTools/WKIntelligenceTextEffectCoordinator.swift:
(setActivePonderingEffect(_:)):
(setActiveReplacementEffect(_:)):
Canonical link: https://commits.webkit.org/286776@main
Commit: 3db615a911d3fbf10086a271b5329eb8c0a2fa67
https://github.com/WebKit/WebKit/commit/3db615a911d3fbf10086a271b5329eb8c0a2fa67
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/page/SecurityPolicy.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKHTTPCookieStore.mm
Log Message:
-----------
Cherry-pick b7402f10b17c. rdar://140129837
sameSiteInfo.isSameSite may not match URLs used in Data Isolation checks
https://bugs.webkit.org/show_bug.cgi?id=283309
rdar://140129837
Reviewed by Sihui Liu.
This patch fixes an issue where a WebContent process can send IPC with URLs that are not same-site, but
contains `sameSiteInfo` that indicates that the request is same-site. This can lead to requesting cookies
for a URL that was not considered in the data isolation check.
To lower risk, we reject cookie access instead of terminating the sender process. More details provided
below.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::setOriginalURLForDownloadRequest):
(WebCore::FrameLoader::updateRequestAndAddExtraFields):
(WebCore::FrameLoader::addSameSiteInfoToRequestIfNeeded):
* Source/WebCore/loader/FrameLoader.h:
These quirks were added when cookies were SameSite=Lax by default, which is no longer the case, so they can
be removed. Keeping this would mean certain requests would unexpectedly be considered same-site, and
would fail the check being added in the network process.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
This is an existing bug that was revealed by this change, and is needed to fix
`http/tests/cache/disk-cache/disk-cache-vary-cookie.html`.
* Source/WebCore/page/SecurityPolicy.h:
Export `shouldInheritSecurityOriginFromOwner` so that it can be used in the network process.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::shouldTreatAsSameSite const):
Add a network process side same-site check, similar to `FrameLoader::addSameSiteInfoToRequestIfNeeded`.
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
Validate all cookie messages that contain `sameSiteInfo`.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(InvalidSameSiteInfoCookieRequestHeaderFieldValue)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm:
(TestWebKitAPI::TEST(SOAuthorizationSubFrame, InterceptionSucceedWithCookie)):
Fix this test, which was trying to a cookie from example.com on a page with an empty main frame URL.
Canonical link: https://commits.webkit.org/283286.501@safari-7620-branch
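The two cookie fixes above (empty/about:blank firstPartyForCookies no longer allowed unconditionally, and a network-side re-check of the sender's sameSiteInfo) share one defensive idea: the trusted process recomputes the property from the URLs instead of trusting the flag it was sent, and on mismatch rejects the single request rather than terminating the sender. The sketch below is an added example, not WebKit's code; the struct, function names and the "site" derivation (last two host labels, standing in for a real registrable-domain lookup) are assumptions.

```cpp
// Added example (not WebKit code): trusted-side validation of a cookie
// request whose same-site claim came from an untrusted sender process.
#include <string>

struct CookieRequest {
    std::string url;                  // URL cookies are requested for
    std::string firstPartyForCookies; // top-level document URL claimed by sender
    bool claimedSameSite;             // sameSiteInfo.isSameSite as sent by the sender
};

enum class Decision { Allow, Deny };

// Extract the host from an http(s) URL; returns "" for anything else.
static std::string hostOf(const std::string& url)
{
    std::string rest;
    if (url.rfind("https://", 0) == 0)
        rest = url.substr(8);
    else if (url.rfind("http://", 0) == 0)
        rest = url.substr(7);
    else
        return "";
    return rest.substr(0, rest.find_first_of("/:?#"));
}

// Simplified "site": last two DNS labels of the host. Assumption: no public
// suffix list is available; a real implementation must consult one.
static std::string siteOf(const std::string& host)
{
    size_t last = host.rfind('.');
    if (last == std::string::npos)
        return host;
    size_t prev = host.rfind('.', last - 1);
    return prev == std::string::npos ? host : host.substr(prev + 1);
}

// Recompute same-site-ness from the URLs; both must be http(s) with a host.
static bool computeSameSite(const std::string& url, const std::string& firstParty)
{
    std::string a = hostOf(url), b = hostOf(firstParty);
    return !a.empty() && !b.empty() && siteOf(a) == siteOf(b);
}

// Policy applied in the trusted process: never trust the sender's flag.
Decision checkCookieAccess(const CookieRequest& req)
{
    // Empty or about:blank first party: deny, instead of the old unconditional allow.
    if (req.firstPartyForCookies.empty() || req.firstPartyForCookies == "about:blank")
        return Decision::Deny;
    // Sender claims same-site but the URLs disagree: reject this request only
    // (lower-risk than terminating a sender that may have a benign bug).
    if (req.claimedSameSite && !computeSameSite(req.url, req.firstPartyForCookies))
        return Decision::Deny;
    return Decision::Allow;
}
```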
Compare: https://github.com/WebKit/WebKit/compare/ba62765bc588%5E...3db615a911d3