[webkit-changes] [WebKit/WebKit] dcc6d9: Out-of-flow line break box does not initiate rende...

Fri Mar 15 12:02:51 PDT 2024

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: dcc6d93e7de6f6071d50e6a234011970deb40154
      https://github.com/WebKit/WebKit/commit/dcc6d93e7de6f6071d50e6a234011970deb40154
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt
    A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp

  Log Message:
  -----------
  Out-of-flow line break box does not initiate render layer
https://bugs.webkit.org/show_bug.cgi?id=267270
rdar://120662818

Reviewed by Antti Koivisto.

1. Let's not assume that an out-of-flow box is a type of RenderBox (e.g. line break)
2. Not all out-of-flow positioned boxes trigger layers.

* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt: Added.
* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html: Added.
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::shiftLinesBy):

Originally-landed-as: 272448.26 at safari-7618-branch (6eed83460548). rdar://124557101
Canonical link: https://commits.webkit.org/276181@main

  Commit: 186349180de5ef6858ef0e0318a4dddb75be1fdf
      https://github.com/WebKit/WebKit/commit/186349180de5ef6858ef0e0318a4dddb75be1fdf
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers
    A LayoutTests/http/wpt/content-security-policy/resources/dummy.js
    M Source/WebCore/html/parser/HTMLConstructionSite.cpp

  Log Message:
  -----------
  Bug in the HTML parser makes it possible to bypass `nonce` attribute hiding
https://bugs.webkit.org/show_bug.cgi?id=267241
rdar://120056084

Reviewed by Ryosuke Niwa.

Per the HTML specification [1], the `nonce` attribute is supposed to get hidden by
the user agent once the element gets connected to the document. This means that we
remove the `nonce` attribute and store its value in an internal field.

The intention is that elements only expose their nonce via their `nonce` property
to scripts, and not to side-channels like CSS attribute selectors.

The HTML specification [2] also says that when encountering a duplicate <body> or
<html> tag, we should merge the attributes from the duplicate element to the original
once. When this happened, we could move the `nonce` attribute from a duplicate <body>
/ <html> to the original element and it would not get hidden since the original element
is already connected to the document.

To address the issue, we now add special handling for the `nonce` attribute upon merging:
1. We discard the duplicate element's `nonce` attribute if the original element [[nonce]]
internal field is already set (meaning the element already has a nonce).
2. If the original element doesn't have a `nonce` we do merge the attribute and then call
the logic to hide the `nonce` right away.

[1] https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes:include-2
[2] https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody

* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/resources/dummy.js: Added.
Add test coverage.

* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

Originally-landed-as: 272448.25 at safari-7618-branch (d43f7eafe9c4). rdar://124557137
Canonical link: https://commits.webkit.org/276182@main

  Commit: f6f701549769c32ed976dbef8ed6f08d46c9d98c
      https://github.com/WebKit/WebKit/commit/f6f701549769c32ed976dbef8ed6f08d46c9d98c
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    A JSTests/stress/attribute-custom-accessor.js
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

  Log Message:
  -----------
  [JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value
https://bugs.webkit.org/show_bug.cgi?id=266695
rdar://119854137

Reviewed by Mark Lam.

PropertyCondition::isValidValueForAttributes only handled accessors and values. And it
didn't handle custom accessor / custom values. This patch changes it so that we can
check custom accessor / custom value cases correctly.

* JSTests/stress/attribute-custom-accessor.js: Added.
(async asyncSleep):
(setHasBeenDictionary):
(watchToJSONForReplacements):
(async watchLastMatchForReplacements.getLastMatch):
(async watchLastMatchForReplacements):
(const.target.toJSON):
(opt):
(async main):
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):

Originally-landed-as: 272448.6 at safari-7618-branch (24d1c08b9dfa). rdar://124557469
Canonical link: https://commits.webkit.org/276183@main

  Commit: 17c0ad98bb1ce2d5df631bca49e13809b9ecf03b
      https://github.com/WebKit/WebKit/commit/17c0ad98bb1ce2d5df631bca49e13809b9ecf03b
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    A LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt
    A LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html
    M Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp

  Log Message:
  -----------
  Ensure Filesystem root path is not empty
https://bugs.webkit.org/show_bug.cgi?id=266703
rdar://119813501

Reviewed by Chris Dumez.

When the root path is empty, then the file's name can define an arbitrary
filesystem path. This change ensures that the path is non-empty, therefore the
virtual filesystem must be defined under a directory that the user selected.

* LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt: Added.
* LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html: Added.
* Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp:
(WebCore::DOMFileSystem::getEntry):
(WebCore::DOMFileSystem::getFile):

Originally-landed-as: 272448.2 at safari-7618-branch (18fd76f8a016). rdar://124557625
Canonical link: https://commits.webkit.org/276184@main

  Commit: 5fb50e505ac984aa68a54d087bc762ab72c8e127
      https://github.com/WebKit/WebKit/commit/5fb50e505ac984aa68a54d087bc762ab72c8e127
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp

  Log Message:
  -----------
  Block "setMediaOverridesForTesting" media IPC endpoints when not testing and instead reset values
https://bugs.webkit.org/show_bug.cgi?id=268731
rdar://122218365

Reviewed by Youenn Fablet.

The fix in https://commits.webkit.org/272448.445@safari-7618-branch was insufficient as
the setMediaOverridesForTesting IPC endpoints is also used to reset the flags to their default.

So rather than disabling the IPC endpoints altogether we restrict its use to only reset
the default values (which are all unset).

* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
(WebKit::GPUConnectionToWebProcess::setMediaOverridesForTesting):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:

Originally-landed-as: 272448.473 at safari-7618-branch (00b3f3ccf06e). rdar://124557967
Canonical link: https://commits.webkit.org/276185@main

Compare: https://github.com/WebKit/WebKit/compare/6f20a053abaf...5fb50e505ac9

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications