[webkit-changes] [WebKit/WebKit] 50abb5: Clicking Edit > Paste in the in-page menu on Googl...

Wenson Hsieh noreply at github.com
Tue Jun 18 18:23:20 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 50abb533176213b4ecf8d0e9f749d1ee15cc43ca
      https://github.com/WebKit/WebKit/commit/50abb533176213b4ecf8d0e9f749d1ee15cc43ca
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2024-06-18 (Tue, 18 Jun 2024)

  Changed paths:
    A LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash-expected.txt
    A LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash.html
    M Source/WebCore/dom/DOMPasteAccess.h
    M Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp
    M Source/WebKit/UIProcess/API/gtk/PageClientImpl.h
    M Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp
    M Source/WebKit/UIProcess/API/wpe/PageClientImpl.h
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
    M Source/WebKit/UIProcess/mac/PageClientImplMac.h
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
    M Source/WebKit/UIProcess/mac/WebViewImpl.h
    M Source/WebKit/UIProcess/mac/WebViewImpl.mm
    M Source/WebKit/UIProcess/playstation/PageClientImpl.cpp
    M Source/WebKit/UIProcess/playstation/PageClientImpl.h
    M Source/WebKit/UIProcess/win/PageClientImpl.cpp
    M Source/WebKit/UIProcess/win/PageClientImpl.h

  Log Message:
  -----------
  Clicking Edit > Paste in the in-page menu on Google Docs results in a failed MESSAGE_CHECK
https://bugs.webkit.org/show_bug.cgi?id=275608
rdar://130078654

Reviewed by Abrar Rahman Protyasha.

The security hardening in https://commits.webkit.org/279133@main introduced a `MESSAGE_CHECK` to
verify that the ID of the frame requesting access to the pasteboard matches the security origin used
as the document's `originIdentifierForPasteboard()` (which is either a security origin string, or a
randomly-generated UUID in the case of a null origin).

```
auto originFromFrame = SecurityOrigin::create(frame->url());
MESSAGE_CHECK_COMPLETION(m_legacyMainFrameProcess, origin->isSameOriginDomain(originFromFrame),
    completionHandler(DOMPasteAccessResponse::DeniedForGesture));
```

Importantly, note that this uses the given frame ID to find the corresponding `WebFrameProxy`, get
the frame's URL in the UI process, and check whether the origins match using that URL.

This check (unintentionally) fails in the case where a `src`-less frame, whose security origin
matches that of the `Document` that created it, triggers programmatic paste and sends a frame ID
corresponding to the subframe (which doesn't have a source). We'll end up getting an opaque security
origin for the frame above (based on its URL), which causes the `isSameOriginDomain` check to return
`false` even though the subframe's document actually has the same security origin. Subsequently, the
failed message check results in the web process crashing.

To address this crash and prevent similar bugs from causing the web process to terminate without
regressing the security guarantees of the original fix, we take the following approach instead:

(1) Relax the check so that we allow the `originIdentifier` as long as the frame, or one of its
    parent frames, has the same origin.

(2) Instead of `MESSAGE_CHECK`-ing and terminating the web process, simply fall back on showing the
    paste prompt instead, regardless of whether the given `originIdentifier` matches the identifier
    on the pasteboard. This turns a would-be crash into a much-less-egregious bug where the paste
    prompt might show up unnecessarily.

* LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash-expected.txt: Added.
* LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash.html: Added.

Add a layout test to exercise the crash.

* Source/WebCore/dom/DOMPasteAccess.h:

Add a new `enum class` flag to indicate whether or not `requestDOMPasteAccess` should be allowed to
proceed without explicit user interaction, in the case where the origins match (e.g. copying and
pasting across tabs of the same origin).

* Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/API/gtk/PageClientImpl.h:
* Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp:

Plumb the new `DOMPasteRequiresInteraction` flag through all codepaths that trigger a DOM paste
access request.

(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/API/wpe/PageClientImpl.h:
* Source/WebKit/UIProcess/PageClient.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::requestDOMPasteAccess):

Implement the main fix here; see comments above for more details.

* Source/WebKit/UIProcess/ios/PageClientImplIOS.h:
* Source/WebKit/UIProcess/ios/PageClientImplIOS.mm:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.h:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView _requestDOMPasteAccessForCategory:requiresInteraction:elementRect:originIdentifier:completionHandler:]):
(-[WKContentView _requestDOMPasteAccessForCategory:elementRect:originIdentifier:completionHandler:]): Deleted.
* Source/WebKit/UIProcess/mac/PageClientImplMac.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/mac/WebViewImpl.h:
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(WebKit::WebViewImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/playstation/PageClientImpl.cpp:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/playstation/PageClientImpl.h:
* Source/WebKit/UIProcess/win/PageClientImpl.cpp:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/win/PageClientImpl.h:

Canonical link: https://commits.webkit.org/280149@main
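The relaxed ancestor-origin check and the prompt fallback described in the log message, written out as an added standalone C++ model. This is not WebKit's own `WebPageProxy` code; the `Frame` struct, `originFromURL`, and the `pasteboardOriginIdentifier` parameter are assumptions made for the illustration.

```cpp
#include <optional>
#include <string>

// Standalone model of the fix described above (assumption: not WebKit's code).
enum class DOMPasteRequiresInteraction { No, Yes };

struct Frame {
    std::string url;      // empty for a src-less child frame
    const Frame* parent;  // nullptr for the main frame
};

// A src-less frame has no URL of its own, so an origin derived from its URL is
// opaque (modelled as std::nullopt) and can never match a serialized origin.
// Otherwise return "scheme://host[:port]" (assumption: simple URL shape).
static std::optional<std::string> originFromURL(const std::string& url)
{
    auto schemeEnd = url.find("://");
    if (url.empty() || schemeEnd == std::string::npos)
        return std::nullopt;
    auto pathStart = url.find('/', schemeEnd + 3);
    return url.substr(0, pathStart);
}

// Step (1): accept originIdentifier if the requesting frame or any ancestor
// frame has that (non-opaque) origin, instead of only the frame itself.
static bool frameOrAncestorHasOrigin(const Frame* frame, const std::string& originIdentifier)
{
    for (; frame; frame = frame->parent) {
        auto origin = originFromURL(frame->url);
        if (origin && *origin == originIdentifier)
            return true;
    }
    return false;
}

// Step (2): a mismatch no longer fails a MESSAGE_CHECK (terminating the web
// process); it only forces the paste prompt. The silent path is taken only
// when the verified identifier also matches the one stored on the pasteboard.
static DOMPasteRequiresInteraction requestDOMPasteAccess(const Frame* frame,
    const std::string& originIdentifier, const std::string& pasteboardOriginIdentifier)
{
    if (!frameOrAncestorHasOrigin(frame, originIdentifier))
        return DOMPasteRequiresInteraction::Yes;
    return originIdentifier == pasteboardOriginIdentifier
        ? DOMPasteRequiresInteraction::No
        : DOMPasteRequiresInteraction::Yes;
}
```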

