[webkit-changes] [WebKit/WebKit] dcc6d9: Out-of-flow line break box does not initiate rende...
Jean-Yves Avenard
noreply at github.com
Fri Mar 15 12:02:51 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dcc6d93e7de6f6071d50e6a234011970deb40154
https://github.com/WebKit/WebKit/commit/dcc6d93e7de6f6071d50e6a234011970deb40154
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)
Changed paths:
A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt
A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html
M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
Log Message:
-----------
Out-of-flow line break box does not initiate render layer
https://bugs.webkit.org/show_bug.cgi?id=267270
rdar://120662818
Reviewed by Antti Koivisto.
1. Let's not assume that an out-of-flow box is a type of RenderBox (e.g. line break)
2. Not all out-of-flow positioned boxes trigger layers.
* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt: Added.
* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html: Added.
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::shiftLinesBy):
Originally-landed-as: 272448.26 at safari-7618-branch (6eed83460548). rdar://124557101
Canonical link: https://commits.webkit.org/276181@main
Commit: 186349180de5ef6858ef0e0318a4dddb75be1fdf
https://github.com/WebKit/WebKit/commit/186349180de5ef6858ef0e0318a4dddb75be1fdf
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)
Changed paths:
A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html
A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html
A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers
A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html
A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html
A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers
A LayoutTests/http/wpt/content-security-policy/resources/dummy.js
M Source/WebCore/html/parser/HTMLConstructionSite.cpp
Log Message:
-----------
Bug in the HTML parser makes it possible to bypass `nonce` attribute hiding
https://bugs.webkit.org/show_bug.cgi?id=267241
rdar://120056084
Reviewed by Ryosuke Niwa.
Per the HTML specification [1], the `nonce` attribute is supposed to get hidden by
the user agent once the element gets connected to the document. This means that we
remove the `nonce` attribute and store its value in an internal field.
The intention is that elements only expose their nonce via their `nonce` property
to scripts, and not to side-channels like CSS attribute selectors.
The HTML specification [2] also says that when encountering a duplicate <body> or
<html> tag, we should merge the attributes from the duplicate element to the original
one. When this happened, we could move the `nonce` attribute from a duplicate <body>
/ <html> to the original element and it would not get hidden since the original element
is already connected to the document.
To address the issue, we now add special handling for the `nonce` attribute upon merging:
1. We discard the duplicate element's `nonce` attribute if the original element's [[nonce]]
internal field is already set (meaning the element already has a nonce).
2. If the original element doesn't have a `nonce`, we do merge the attribute and then call
the logic to hide the `nonce` right away.
[1] https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes:include-2
[2] https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/resources/dummy.js: Added.
Add test coverage.
* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
Originally-landed-as: 272448.25 at safari-7618-branch (d43f7eafe9c4). rdar://124557137
Canonical link: https://commits.webkit.org/276182@main
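An added model of the duplicate-tag attribute merge described in the commit above, with the buggy merge beside the fixed one. This is illustration code, not WebKit's own; the element shape, `hideNonce`, `mergeAttributesBuggy`, `mergeAttributesFixed` and the sample attribute values are all constructed here.

```javascript
// Constructed model, not WebKit code: an element is { attrs, nonce, connected },
// where `nonce` stands in for the [[nonce]] internal slot.
function makeElement(attrs, connected = true) {
  return { attrs: new Map(Object.entries(attrs)), nonce: null, connected };
}

// Nonce hiding per the HTML spec: once connected, move the `nonce` attribute's value
// into the internal slot and drop the attribute, so CSS attribute selectors cannot read it.
function hideNonce(el) {
  if (!el.connected || !el.attrs.has("nonce")) return;
  el.nonce = el.attrs.get("nonce");
  el.attrs.delete("nonce");
}

// Merge as the bug report describes it: every attribute the original lacks is
// copied over, `nonce` included, and nothing hides it afterwards because the
// original element was connected (and had its nonce hidden) long before.
function mergeAttributesBuggy(original, tokenAttrs) {
  for (const [name, value] of tokenAttrs) {
    if (!original.attrs.has(name)) original.attrs.set(name, value);
  }
}

// Merge with the fix: a duplicate `nonce` is discarded when [[nonce]] is already
// set; otherwise it is merged and hidden right away.
function mergeAttributesFixed(original, tokenAttrs) {
  for (const [name, value] of tokenAttrs) {
    if (name === "nonce") {
      if (original.nonce === null) {
        original.attrs.set("nonce", value);
        hideNonce(original);
      }
      continue;
    }
    if (!original.attrs.has(name)) original.attrs.set(name, value);
  }
}

// Scenario: a connected <body nonce="abc123"> followed by a duplicate
// <body nonce="dup" class="x"> token. Returns what scripts and CSS would observe.
function runDuplicateBodyScenario(merge, originalAttrs = { nonce: "abc123" }) {
  const body = makeElement(originalAttrs);
  hideNonce(body);
  merge(body, new Map([["nonce", "dup"], ["class", "x"]]));
  return {
    visibleNonce: body.attrs.has("nonce") ? body.attrs.get("nonce") : null,
    internalNonce: body.nonce,
    className: body.attrs.get("class"),
  };
}
```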
Commit: f6f701549769c32ed976dbef8ed6f08d46c9d98c
https://github.com/WebKit/WebKit/commit/f6f701549769c32ed976dbef8ed6f08d46c9d98c
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)
Changed paths:
A JSTests/stress/attribute-custom-accessor.js
M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
Log Message:
-----------
[JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value
https://bugs.webkit.org/show_bug.cgi?id=266695
rdar://119854137
Reviewed by Mark Lam.
PropertyCondition::isValidValueForAttributes only handled accessors and values; it
didn't handle custom accessors / custom values. This patch changes it so that we can
check custom accessor / custom value cases correctly.
* JSTests/stress/attribute-custom-accessor.js: Added.
(async asyncSleep):
(setHasBeenDictionary):
(watchToJSONForReplacements):
(async watchLastMatchForReplacements.getLastMatch):
(async watchLastMatchForReplacements):
(const.target.toJSON):
(opt):
(async main):
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):
Originally-landed-as: 272448.6 at safari-7618-branch (24d1c08b9dfa). rdar://124557469
Canonical link: https://commits.webkit.org/276183@main
Commit: 17c0ad98bb1ce2d5df631bca49e13809b9ecf03b
https://github.com/WebKit/WebKit/commit/17c0ad98bb1ce2d5df631bca49e13809b9ecf03b
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)
Changed paths:
A LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt
A LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html
M Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp
Log Message:
-----------
Ensure Filesystem root path is not empty
https://bugs.webkit.org/show_bug.cgi?id=266703
rdar://119813501
Reviewed by Chris Dumez.
When the root path is empty, the file's name can define an arbitrary
filesystem path. This change ensures that the path is non-empty, therefore the
virtual filesystem must be defined under a directory that the user selected.
* LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt: Added.
* LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html: Added.
* Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp:
(WebCore::DOMFileSystem::getEntry):
(WebCore::DOMFileSystem::getFile):
Originally-landed-as: 272448.2 at safari-7618-branch (18fd76f8a016). rdar://124557625
Canonical link: https://commits.webkit.org/276184@main
Commit: 5fb50e505ac984aa68a54d087bc762ab72c8e127
https://github.com/WebKit/WebKit/commit/5fb50e505ac984aa68a54d087bc762ab72c8e127
Author: Jean-Yves Avenard <jya at apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)
Changed paths:
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp
Log Message:
-----------
Block "setMediaOverridesForTesting" media IPC endpoints when not testing and instead reset values
https://bugs.webkit.org/show_bug.cgi?id=268731
rdar://122218365
Reviewed by Youenn Fablet.
The fix in https://commits.webkit.org/272448.445@safari-7618-branch was insufficient as
the setMediaOverridesForTesting IPC endpoint is also used to reset the flags to their default.
So rather than disabling the IPC endpoint altogether, we restrict its use to only resetting
the default values (which are all unset).
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
(WebKit::GPUConnectionToWebProcess::setMediaOverridesForTesting):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:
Originally-landed-as: 272448.473 at safari-7618-branch (00b3f3ccf06e). rdar://124557967
Canonical link: https://commits.webkit.org/276185@main
Compare: https://github.com/WebKit/WebKit/compare/6f20a053abaf...5fb50e505ac9