[webkit-changes] [WebKit/WebKit] f0fba7: Prevent SVG filters from leaking the background of...

Commit Queue noreply at github.com
Tue May 21 21:19:13 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f0fba73ace0f5a4e31e0a16d3b824af0a396a6e9
      https://github.com/WebKit/WebKit/commit/f0fba73ace0f5a4e31e0a16d3b824af0a396a6e9
  Author: Said Abou-Hallawa <said at apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    M LayoutTests/css3/filters/filter-visited-links-expected.html
    M LayoutTests/css3/filters/filter-visited-links.html
    M Source/WebCore/rendering/InlineBoxPainter.cpp

  Log Message:
  -----------
  Prevent SVG filters from leaking the background of visited hyperlinks
https://bugs.webkit.org/show_bug.cgi?id=262337
rdar://116206368

Reviewed by Simon Fraser.

We should prevent websites from learning which sites have been visited via SVG
filters on hyperlinks, per the attack described in https://arxiv.org/abs/2305.12784.

This is a follow-up for 266683 at main. The background color of the visited links
should be ignored when an SVG filter is applied.

* LayoutTests/css3/filters/filter-visited-links-expected.html:
* LayoutTests/css3/filters/filter-visited-links.html:
* Source/WebCore/rendering/InlineBoxPainter.cpp:
(WebCore::InlineBoxPainter::paintDecorations):

Originally-landed-as: 272448.560 at safari-7618-branch (36df2fc04fb9). rdar://128502129
Canonical link: https://commits.webkit.org/279104@main


  Commit: 05b6b1285a302f82a9c133577cfad7433090f9b6
      https://github.com/WebKit/WebKit/commit/05b6b1285a302f82a9c133577cfad7433090f9b6
  Author: Scott Marcy <mscott at apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    A LayoutTests/fast/svg/mutual-recursion-test-expected.txt
    A LayoutTests/fast/svg/mutual-recursion-test.html
    M Source/WebCore/rendering/svg/legacy/SVGResources.cpp
    M Source/WebCore/rendering/svg/legacy/SVGResources.h

  Log Message:
  -----------
  Break a mutual recursion cycle laying out SVG elements.
https://bugs.webkit.org/show_bug.cgi?id=268556
rdar://118510445

Reviewed by shallawa (Said Abou-Hallawa).

Breaks the recursion cycle by having the SVGResource object track if it is already doing layout for a different root.

* LayoutTests/fast/svg/mutual-recursion-test-expected.txt: Added.
* LayoutTests/fast/svg/mutual-recursion-test.html: Added.
* Source/WebCore/rendering/svg/SVGResources.cpp:
(WebCore::SVGResources::layoutDifferentRootIfNeeded):
* Source/WebCore/rendering/svg/SVGResources.h:

Originally-landed-as: 272448.561 at safari-7618-branch (e14592228595). rdar://128502330
Canonical link: https://commits.webkit.org/279105@main


  Commit: c02295c8ab22b97721478d9e0abeb5c647ad29aa
      https://github.com/WebKit/WebKit/commit/c02295c8ab22b97721478d9e0abeb5c647ad29aa
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  [JSC] presenceConditionIfConsistent should check knownBase's structure is in the structure set
https://bugs.webkit.org/show_bug.cgi?id=269220
rdar://122171551

Reviewed by Yusuke Suzuki.

This patch rewrites ByteCodeParser::presenceConditionIfConsistent. Now it just checks that the presence condition
we're trying to create is possible for the knownBase. Additionally, we have to check that the knownBase's structure
was executed at least once before. This allows us to know if GetOwnPropertySlot ran successfully at least once for
this structure.

* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::presenceConditionIfConsistent):

Originally-landed-as: 272448.563 at safari-7618-branch (630351ee51ab). rdar://128502736
Canonical link: https://commits.webkit.org/279106@main


  Commit: a3161bf52b5e86b7a2acc0c8c196f918e0b4d902
      https://github.com/WebKit/WebKit/commit/a3161bf52b5e86b7a2acc0c8c196f918e0b4d902
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    M Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c

  Log Message:
  -----------
  OSV-2022-674: dav1d: use of uninitialized value in cdef_filter_block_c
https://bugs.webkit.org/show_bug.cgi?id=269405
<rdar://122849398>

Reviewed by Youenn Fablet.

Merge dav1d upstream commit a3a55b18494f5dd1e34f289298f78ffa4f32a25d.

* Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c:
(create_filter_sbrow):

Originally-landed-as: 272448.565 at safari-7618-branch (8547ba181fbb). rdar://128502897
Canonical link: https://commits.webkit.org/279107@main


Compare: https://github.com/WebKit/WebKit/compare/00222bd02ce4...a3161bf52b5e
