[webkit-changes] [WebKit/WebKit] fbbc43: Cherry-pick 280938.4 at safari-7619-branch (96ca9f967...

Jer Noble noreply at github.com
Mon Sep 16 13:04:56 PDT 2024


  Branch: refs/heads/webkitglib/2.46
  Home:   https://github.com/WebKit/WebKit
  Commit: fbbc43fc9234e061d811b5402000cf201c4b8c87
      https://github.com/WebKit/WebKit/commit/fbbc43fc9234e061d811b5402000cf201c4b8c87
  Author: Nitin Mahendru <nitinmahendru at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/security/decode-buffer-size-expected.txt
    A LayoutTests/security/decode-buffer-size.html
    A LayoutTests/security/text-decode-long-strings-expected.txt
    A LayoutTests/security/text-decode-long-strings.html
    M Source/WebCore/dom/TextDecoder.cpp
    M Source/WebCore/dom/TextDecoder.h

  Log Message:
  -----------
  Cherry-pick 280938.4 at safari-7619-branch (96ca9f96746c). rdar://130960796

Limit TextDecoder input to 2GB
rdar://130960796

Reviewed by John Wilander.

Rebasing Alex Christensen's change in
https://github.com/apple/WebKit/pull/1360 on the new security branch.

This basically matches the behavior of other browsers and prevents us from creating a string
longer than String::MaxLength.

* LayoutTests/security/decode-buffer-size-expected.txt: Added.
* LayoutTests/security/decode-buffer-size.html: Added.
* LayoutTests/security/text-decode-long-strings-expected.txt: Added.
* LayoutTests/security/text-decode-long-strings.html: Added.
* Source/WebCore/dom/TextDecoder.cpp:
(WebCore::TextDecoder::decode):
* Source/WebCore/dom/TextDecoder.h:

Co-authored-by: Alex Christensen <achristensen at apple.com>
Canonical link: https://commits.webkit.org/282416.83@webkitglib/2.46


  Commit: 3c8f3cd86fa62678c3b830c6bfc4b261a2ea8a47
      https://github.com/WebKit/WebKit/commit/3c8f3cd86fa62678c3b830c6bfc4b261a2ea8a47
  Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport-expected.txt
    A LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport.html
    M Source/WebKit/WebProcess/WebCoreSupport/WebDataListSuggestionPicker.cpp

  Log Message:
  -----------
  Cherry-pick 280938.5 at safari-7619-branch (46af4f50bd12). rdar://115912814

Websites can spoof the contents of the address bar using <datalist>
rdar://115912814

Reviewed by Wenson Hsieh.

<input> elements positioned outside of the visual viewport are never
visible, since they are rendered in the page. On the contrary, it is
possible for a <datalist> suggestions list to seemingly hover freely in
space while its associated <input> is not visible in the page content.
This is because our datalist presentation logic anchors said lists (in
their own NSWindow) to the inputs.

This style of presentation makes us susceptible to free-floating
<datalist> elements, which, if positioned with the right margins and
contents, may resemble a UA's address bar!

To fix this vulnerability, we harden our datalist presentation logic by
asking the UI process to _not_ `ShowDataListSuggestions` if the associated
input element is (completely) absent from the visual viewport.

* LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport-expected.txt: Added.
* LayoutTests/fast/forms/datalist/suggestions-list-outside-of-visual-viewport.html: Added.
* Source/WebKit/WebProcess/WebCoreSupport/WebDataListSuggestionPicker.cpp:
(WebKit::WebDataListSuggestionPicker::displayWithActivationType):

Canonical link: https://commits.webkit.org/282416.84@webkitglib/2.46


  Commit: 9f14dc7e2b8976b41e78c6e83483b4c70e2d2d89
      https://github.com/WebKit/WebKit/commit/9f14dc7e2b8976b41e78c6e83483b4c70e2d2d89
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp

  Log Message:
  -----------
  Cherry-pick 280938.8 at safari-7619-branch (252fb2fc9cfd). https://bugs.webkit.org/show_bug.cgi?id=276645

Add check in AudioBufferSourceNode::renderFromBuffer() when pitchRate == -1 && !needsInterpolation
https://bugs.webkit.org/show_bug.cgi?id=276645
rdar://130939143

Reviewed by Andy Estes.

Add a boundary check to renderFromBuffer() to ensure we don't read off the end of the buffer.

* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):

Canonical link: https://commits.webkit.org/282416.85@webkitglib/2.46


  Commit: fcf3c8d3be36b7b3ab208474544257eef186bb91
      https://github.com/WebKit/WebKit/commit/fcf3c8d3be36b7b3ab208474544257eef186bb91
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/WebCore/Modules/remoteplayback/RemotePlayback.cpp

  Log Message:
  -----------
  Cherry-pick 280938.10 at safari-7619-branch (ae96f3eb69a4). https://bugs.webkit.org/show_bug.cgi?id=276675

RemotePlayback::cancelWatchAvailability should check if id is a valid key
https://bugs.webkit.org/show_bug.cgi?id=276675
rdar://131818994

Reviewed by Brent Fulgham.

* Source/WebCore/Modules/remoteplayback/RemotePlayback.cpp:
(WebCore::RemotePlayback::cancelWatchAvailability):

Canonical link: https://commits.webkit.org/282416.86@webkitglib/2.46


  Commit: d8780fd1c0dec611f15117bd548d2fb9f0f59d23
      https://github.com/WebKit/WebKit/commit/d8780fd1c0dec611f15117bd548d2fb9f0f59d23
  Author: Nitin Mahendru <nitinmahendru at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/http/tests/download/anchor-download-redirect-cross-origin-expected.txt
    A LayoutTests/http/tests/download/anchor-download-redirect-cross-origin.html
    A LayoutTests/http/tests/download/anchor-download-redirect-same-origin-expected.txt
    A LayoutTests/http/tests/download/anchor-download-redirect-same-origin.html
    A LayoutTests/http/tests/download/resources/iframe-anchor-cross-origin-redirect-download.html
    A LayoutTests/http/tests/download/resources/iframe-anchor-same-origin-redirect-download.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/loader/EmptyClients.cpp
    M Source/WebCore/loader/EmptyFrameLoaderClient.h
    M Source/WebCore/loader/LocalFrameLoaderClient.h
    M Source/WebCore/loader/PolicyChecker.cpp
    M Source/WebKit/NetworkProcess/Downloads/DownloadManager.cpp
    M Source/WebKit/NetworkProcess/Downloads/DownloadManager.h
    M Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp
    M Source/WebKit/NetworkProcess/Downloads/PendingDownload.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
    M Source/WebKit/Scripts/webkit/messages.py
    M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h
    M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
    M Source/WebKit/WebProcess/WebPage/WebFrame.h
    M Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h
    M Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm

  Log Message:
  -----------
  Cherry-pick 280938.23 at safari-7619-branch (de194eeed8a1). https://bugs.webkit.org/show_bug.cgi?id=276675

Block cross origin redirect downloads in iframe.
rdar://130901951

Reviewed by Matthew Finkel.

With this change, we are trying to block downloads triggered due to navigation
to an anchor element inside an iframe where the redirect is cross origin.

This could lead to attacker-controlled JavaScript getting access to cross-origin cookies, which it should
not have.

Tests have been added to check the positive and negative scenarios for the same.

* LayoutTests/http/tests/download/anchor-download-redirect-cross-origin-expected.txt: Added.
* LayoutTests/http/tests/download/anchor-download-redirect-cross-origin.html: Added.
* LayoutTests/http/tests/download/anchor-download-redirect-same-origin-expected.txt: Added.
* LayoutTests/http/tests/download/anchor-download-redirect-same-origin.html: Added.
* LayoutTests/http/tests/download/resources/iframe-anchor-cross-origin-redirect-download.html: Added.
* LayoutTests/http/tests/download/resources/iframe-anchor-same-origin-redirect-download.html: Added.
* Source/WebCore/loader/EmptyClients.cpp:
(WebCore::EmptyFrameLoaderClient::startDownload):
* Source/WebCore/loader/EmptyFrameLoaderClient.h:
* Source/WebCore/loader/LocalFrameLoaderClient.h:
* Source/WebCore/loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNavigationPolicy):
* Source/WebKit/NetworkProcess/Downloads/DownloadManager.cpp:
(WebKit::DownloadManager::startDownload):
* Source/WebKit/NetworkProcess/Downloads/DownloadManager.h:
(WebKit::DownloadManager::startDownload):
* Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp:
(WebKit::PendingDownload::PendingDownload):
(WebKit::PendingDownload::isDownloadTriggeredWithDownloadAttribute):
(WebKit::isRedirectCrossOrigin):
(WebKit::PendingDownload::willSendRedirectedRequest):
(WebKit::PendingDownload::didFailLoading):
* Source/WebKit/NetworkProcess/Downloads/PendingDownload.h:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::startDownload):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
(WebKit::NetworkConnectionToWebProcess::startDownload):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/Scripts/webkit/messages.py:
(headers_for_type):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::startDownload):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h:
* Source/WebKit/WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::startDownload):
* Source/WebKit/WebProcess/WebPage/WebFrame.h:
(WebKit::WebFrame::startDownload):
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h:
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::startDownload):

Canonical link: https://commits.webkit.org/282416.87@webkitglib/2.46


  Commit: 99a713b6aab91841d5534d0b9263246bcae279e8
      https://github.com/WebKit/WebKit/commit/99a713b6aab91841d5534d0b9263246bcae279e8
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/WebCore/Modules/webaudio/BaseAudioContext.cpp

  Log Message:
  -----------
  Cherry-pick 280938.25 at safari-7619-branch (7397c4cb81b3). https://bugs.webkit.org/show_bug.cgi?id=276728

Race condition in BaseAudioContext::decodeAudioData leading to a use-after-free
https://bugs.webkit.org/show_bug.cgi?id=276728
rdar://131528607

Reviewed by Andy Estes.

Pin the ArrayBuffer passed into decodeAudioData(), so that a call to transfer()
will result in the buffer being copied, not moved.

* Source/WebCore/Modules/webaudio/BaseAudioContext.cpp:
(WebCore::BaseAudioContext::decodeAudioData):

Canonical link: https://commits.webkit.org/282416.88@webkitglib/2.46


  Commit: d1c28c48c3d9085361e29ac30dcb65bcbc1ea6e5
      https://github.com/WebKit/WebKit/commit/d1c28c48c3d9085361e29ac30dcb65bcbc1ea6e5
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/fast/events/no-crash-when-removing-focused-subframe-expected.txt
    A LayoutTests/fast/events/no-crash-when-removing-focused-subframe.html
    M Source/WebCore/html/HTMLFrameElementBase.cpp

  Log Message:
  -----------
  Cherry-pick 280938.62 at safari-7619-branch (0748b3747d97). rdar://129233812

Security assertion in `Document::dispatchWindowEvent` while disconnecting a focused iframe
rdar://129233812

Reviewed by Abrar Rahman Protyasha and Ryosuke Niwa.

This fixes a `ScriptDisallowedScope` assertion that's hit in the following chain of events:

(1) Suppose the document contains two subframes: `A` and `B`.

(2) We set `innerHTML` (or `outerHTML`) on the body, replacing the entire document's content. This
    begins the process of removing `A` and `B` from the DOM.

(3) In doing so, `WebCore::disconnectSubframes` iterates over `A` and `B`, detaching them one at a
    time (let's say it detaches `A` first, followed by `B`).

(4) While disconnecting `B` in `disconnectSubframes`, we dispatch a `load` event on the page, due to
    the fact that disconnecting a subframe stops the subframe load, causing us to tell
    `FrameLoader` to `checkCompleted()`.

(5) In the `load` event, we tell `A` to begin loading again by setting `src` or `srcdoc` to
    anything; this reinitializes the content window and content document. At this point, we now have
    a frame `A` that's attempting to load content, even though it's in the middle of being
    disconnected.

(6) Still in the `load` event handler, we tell `A` to `focus()` — it now becomes the focused
    element, and also contains the focused frame. Note that it has a content frame at this point
    because we were able to re-trigger a load in step (5).

(7) Exiting the `load` event handler, we now continue on with the rest of `set{Inner|Outer}HTML`,
    which now tries to `adjustFocusedNodeOnNodeRemoval`.

(8) Because we made `A`'s frame the focused frame in step (6) and it has a non-null content window
    from step (5), we try to dispatch a blur event on the content window, when calling
    `FocusController::setFocusedFrame(nullptr)`.

Because (8) happens underneath the script not allowed assertion inside of
`ContainerNode::replaceChild` (or really, any one of the similar "script not allowed" assertions),
we crash.

There are multiple approaches we could use to fix this, including:

a.  Deferring `load` until after frames are done disconnecting.

b.  Making it so that `adjustFocusedNodeOnNodeRemoval` avoids dispatching `blur` on a focused
    frame's content window.

c.  Don't allow a subframe to load if it is in a DOM subtree that is being disconnected.

I'm taking approach (c) above in this patch, since it is (i) sufficient to resolve this bug, (ii)
necessary in order to avoid other debug assertions that arise in the test case, and (iii) likely the
least risky change to address this in the short term.

* LayoutTests/fast/events/no-crash-when-removing-focused-subframe-expected.txt: Added.
* LayoutTests/fast/events/no-crash-when-removing-focused-subframe.html: Added.
* Source/WebCore/html/HTMLFrameElementBase.cpp:
(WebCore::HTMLFrameElementBase::setLocation):

Canonical link: https://commits.webkit.org/282416.89@webkitglib/2.46


  Commit: 12908846e6bd59fd8976d462bcbda18913c46b87
      https://github.com/WebKit/WebKit/commit/12908846e6bd59fd8976d462bcbda18913c46b87
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.cpp
    M Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.h
    M Source/JavaScriptCore/inspector/remote/RemoteControllableTarget.h
    M Source/JavaScriptCore/inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.h
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebCore/page/PageDebuggable.cpp
    M Source/WebCore/page/PageDebuggable.h
    M Source/WebCore/workers/service/context/ServiceWorkerDebuggable.cpp
    M Source/WebCore/workers/service/context/ServiceWorkerDebuggable.h
    M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp
    M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.h
    M Source/WebKit/UIProcess/Automation/WebAutomationSession.cpp
    M Source/WebKit/UIProcess/Automation/WebAutomationSession.h
    M Source/WebKit/UIProcess/Inspector/WebPageDebuggable.cpp
    M Source/WebKit/UIProcess/Inspector/WebPageDebuggable.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebPageProxy.h

  Log Message:
  -----------
  Cherry-pick 280938.63 at safari-7619-branch (996e25f1fd95). https://bugs.webkit.org/show_bug.cgi?id=276192

Web Inspector: UAF needs to be prevented for RemoteConnectionToTarget::m_target member variable
https://bugs.webkit.org/show_bug.cgi?id=276192
rdar://129782183

Reviewed by Geoffrey Garen.

`RemoteConnectionToTarget::m_target` was a raw pointer and used from multiple threads.
We have evidence from the radar that `m_target` could be used-after-free in
`RemoteConnectionToTarget::close()`.

To address the issue, I am updating `m_target` to use a ThreadSafeWeakPtr instead
of a raw pointer so that it gets nulled out on target destruction, and is still safe
to use from multiple threads.

Of course, using ThreadSafeWeakPtr required updating `RemoteControllableTarget` to
subclass `ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr` and be refcounted. This
required a decent amount of refactoring.

I am also adding WTF_GUARDED_BY_LOCK for the m_target so that the compiler tells
us when we're using it without a lock. It did find a few problems which I fixed.

* Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.cpp:
(Inspector::RemoteConnectionToTarget::setup):
(Inspector::RemoteConnectionToTarget::sendMessageToTarget): Deleted.
(Inspector::RemoteConnectionToTarget::close): Deleted.
(Inspector::RemoteConnectionToTarget::targetClosed): Deleted.
(Inspector::RemoteConnectionToTarget::targetIdentifier const): Deleted.
(Inspector::RemoteConnectionToTarget::sendMessageToFrontend): Deleted.
* Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.h:
* Source/JavaScriptCore/inspector/remote/RemoteControllableTarget.h:
* Source/JavaScriptCore/inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteConnectionToTarget::targetIdentifier const):
(Inspector::RemoteConnectionToTarget::setup):
(Inspector::RemoteConnectionToTarget::close):
(Inspector::RemoteConnectionToTarget::sendMessageToTarget):
(Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
(Inspector::RemoteConnectionToTarget::setupRunLoop):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::~JSGlobalObject):
(JSC::JSGlobalObject::init):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::inspectorDebuggable):
* Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::create):
(JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
(JSC::JSGlobalObjectDebuggable::name const):
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::disconnect):
(JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemote):
(JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
(JSC::JSGlobalObjectDebuggable::globalObjectDestroyed):
* Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.h:
* Source/WebCore/page/Page.cpp:
(WebCore::Page::Page):
(WebCore::Page::~Page):
* Source/WebCore/page/Page.h:
* Source/WebCore/page/PageDebuggable.cpp:
(WebCore::PageDebuggable::create):
(WebCore::PageDebuggable::PageDebuggable):
(WebCore::PageDebuggable::name const):
(WebCore::PageDebuggable::url const):
(WebCore::PageDebuggable::hasLocalDebugger const):
(WebCore::PageDebuggable::connect):
(WebCore::PageDebuggable::disconnect):
(WebCore::PageDebuggable::dispatchMessageFromRemote):
(WebCore::PageDebuggable::setIndicating):
(WebCore::PageDebuggable::detachFromPage):
* Source/WebCore/page/PageDebuggable.h:
* Source/WebCore/workers/service/context/ServiceWorkerDebuggable.cpp:
(WebCore::ServiceWorkerDebuggable::create):
(WebCore::ServiceWorkerDebuggable::connect):
(WebCore::ServiceWorkerDebuggable::disconnect):
(WebCore::ServiceWorkerDebuggable::dispatchMessageFromRemote):
* Source/WebCore/workers/service/context/ServiceWorkerDebuggable.h:
* Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp:
(WebCore::ServiceWorkerThreadProxy::ServiceWorkerThreadProxy):
* Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.h:
* Source/WebKit/UIProcess/Automation/WebAutomationSession.cpp:
(WebKit::WebAutomationSession::Debuggable::create):
(WebKit::WebAutomationSession::Debuggable::Debuggable):
(WebKit::WebAutomationSession::Debuggable::sessionDestroyed):
(WebKit::WebAutomationSession::Debuggable::name const):
(WebKit::WebAutomationSession::Debuggable::dispatchMessageFromRemote):
(WebKit::WebAutomationSession::Debuggable::connect):
(WebKit::WebAutomationSession::Debuggable::disconnect):
(WebKit::WebAutomationSession::WebAutomationSession):
(WebKit::WebAutomationSession::~WebAutomationSession):
(WebKit::WebAutomationSession::connect):
(WebKit::WebAutomationSession::init):
(WebKit::WebAutomationSession::isPaired const):
(WebKit::WebAutomationSession::isPendingTermination const):
(WebKit::WebAutomationSession::terminate):
* Source/WebKit/UIProcess/Automation/WebAutomationSession.h:
* Source/WebKit/UIProcess/Inspector/WebPageDebuggable.cpp:
(WebKit::WebPageDebuggable::create):
(WebKit::WebPageDebuggable::WebPageDebuggable):
(WebKit::WebPageDebuggable::detachFromPage):
(WebKit::WebPageDebuggable::name const):
(WebKit::WebPageDebuggable::url const):
(WebKit::WebPageDebuggable::hasLocalDebugger const):
(WebKit::WebPageDebuggable::connect):
(WebKit::WebPageDebuggable::disconnect):
(WebKit::WebPageDebuggable::dispatchMessageFromRemote):
(WebKit::WebPageDebuggable::setIndicating):
* Source/WebKit/UIProcess/Inspector/WebPageDebuggable.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::~WebPageProxy):
(WebKit::WebPageProxy::close):
* Source/WebKit/UIProcess/WebPageProxy.h:

Canonical link: https://commits.webkit.org/282416.90@webkitglib/2.46


  Commit: a108bcec93d7e7e76f150b8dd65a67705c61f981
      https://github.com/WebKit/WebKit/commit/a108bcec93d7e7e76f150b8dd65a67705c61f981
  Author: Nitin Mahendru <nitinmahendru at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/WTF/wtf/text/StringView.h

  Log Message:
  -----------
  Cherry-pick 280938.89 at safari-7619-branch (8a58c365d508). https://bugs.webkit.org/show_bug.cgi?id=276829

Prevent size overflow in StringView::append
https://bugs.webkit.org/show_bug.cgi?id=276829
rdar://132068335

Reviewed by Darin Adler.

Using size_t instead of unsigned will prevent integer addition overflow.

Manually tested.

* Source/WTF/wtf/text/StringView.h:
(WTF::append):

Canonical link: https://commits.webkit.org/282416.91@webkitglib/2.46


  Commit: 954392ced0ddeb156c1cc34eb2c557e490061a5b
      https://github.com/WebKit/WebKit/commit/954392ced0ddeb156c1cc34eb2c557e490061a5b
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/fast/html/decrement-subframes-expected.txt
    A LayoutTests/fast/html/decrement-subframes.html
    M Source/WebCore/html/HTMLFrameOwnerElement.cpp

  Log Message:
  -----------
  Cherry-pick 280938.90 at safari-7619-branch (eb3508a3bd08). https://bugs.webkit.org/show_bug.cgi?id=276637

Hitting RELEASE_ASSERT(amount <= bitfields.connectedSubframeCount) in decrement subframe
https://bugs.webkit.org/show_bug.cgi?id=276637
rdar://130091196

Reviewed by Ryosuke Niwa.

Over-decrements connectedSubframeCount (tries to decrease it when it's 0)
due to calling `frame->disconnectOwnerElement()` even if it was already
processed.

* Source/WebCore/html/HTMLFrameOwnerElement.cpp:
(WebCore::HTMLFrameOwnerElement::disconnectContentFrame):
* LayoutTests/fast/html/decrement-subframes-expected.txt: Added.
* LayoutTests/fast/html/decrement-subframes.html: Added.

Canonical link: https://commits.webkit.org/282416.92@webkitglib/2.46


  Commit: d1f5eaefce27bfb6a01950a5d6df20e5c86cb8f9
      https://github.com/WebKit/WebKit/commit/d1f5eaefce27bfb6a01950a5d6df20e5c86cb8f9
  Author: Nitin Mahendru <nitinmahendru at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/http/tests/download/anchor-download-redirect-cross-origin-top-level-expected.txt
    A LayoutTests/http/tests/download/anchor-download-redirect-cross-origin-top-level.html
    A LayoutTests/http/tests/download/anchor-download-redirect-same-origin-top-level-expected.txt
    A LayoutTests/http/tests/download/anchor-download-redirect-same-origin-top-level.html
    A LayoutTests/http/tests/download/resources/sample-render.html
    M Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.cpp
    M Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h
    M Source/WebKit/NetworkProcess/Downloads/DownloadManager.cpp
    M Source/WebKit/NetworkProcess/Downloads/DownloadManager.h
    M Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp
    M Source/WebKit/NetworkProcess/Downloads/PendingDownload.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
    M Source/WebKit/NetworkProcess/NetworkLoad.cpp
    M Source/WebKit/NetworkProcess/NetworkLoad.h
    M Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp
    M Source/WebKit/WebProcess/Network/NetworkProcessConnection.h
    M Source/WebKit/WebProcess/Network/NetworkProcessConnection.messages.in
    M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h

  Log Message:
  -----------
  Cherry-pick 280938.98 at safari-7619-branch (48dd822d88e1). https://bugs.webkit.org/show_bug.cgi?id=276637

For blocked cross origin redirect downloads, try rendering the page instead.
rdar://131962658

Reviewed by Alex Christensen and Pascoe.

An earlier change introduced in rdar://130901951 correctly blocks cross origin redirect downloads.
With this change, we will instead try to render the page.

Manually tested with Safari and layout tests are added to validate the
behavior.

* Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h:
* Source/WebCore/loader/EmptyClients.cpp:
(WebCore::EmptyFrameLoaderClient::startDownload):
* Source/WebCore/loader/EmptyFrameLoaderClient.h:
* Source/WebCore/loader/LocalFrameLoaderClient.h:
* Source/WebCore/loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNavigationPolicy):
* Source/WebKit/NetworkProcess/Downloads/DownloadManager.cpp:
(WebKit::DownloadManager::startDownload):
* Source/WebKit/NetworkProcess/Downloads/DownloadManager.h:
(WebKit::DownloadManager::startDownload):
* Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp:
(WebKit::PendingDownload::PendingDownload):
(WebKit::PendingDownload::willSendRedirectedRequest):
* Source/WebKit/NetworkProcess/Downloads/PendingDownload.h:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::startDownload):
(WebKit::NetworkConnectionToWebProcess::loadCancelledDownloadRedirectRequestInFrame):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
(WebKit::NetworkConnectionToWebProcess::startDownload):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/NetworkProcess/NetworkLoad.cpp:
(WebKit::NetworkLoad::willPerformHTTPRedirection):
(WebKit::NetworkLoad::setWebprocessID):
* Source/WebKit/NetworkProcess/NetworkLoad.h:
* Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:
(WebKit::NetworkProcessConnection::loadCancelledDownloadRedirectRequestInFrame):
* Source/WebKit/WebProcess/Network/NetworkProcessConnection.h:
* Source/WebKit/WebProcess/Network/NetworkProcessConnection.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::startDownload):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h:
* Source/WebKit/WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::startDownload):
* Source/WebKit/WebProcess/WebPage/WebFrame.h:
(WebKit::WebFrame::startDownload):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h:
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::startDownload):

Canonical link: https://commits.webkit.org/282416.93@webkitglib/2.46


  Commit: 8d51b6ce9795fcbfe073e4ec965ee22f11249200
      https://github.com/WebKit/WebKit/commit/8d51b6ce9795fcbfe073e4ec965ee22f11249200
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    A LayoutTests/ipc/did-destroy-user-gesture-token-invalid-identifier-expected.txt
    A LayoutTests/ipc/did-destroy-user-gesture-token-invalid-identifier.html
    M Source/WebCore/Headers.cmake
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    A Source/WebCore/page/UserGestureTokenIdentifier.h
    M Source/WebKit/Scripts/webkit/messages.py
    M Source/WebKit/Scripts/webkit/tests/MessageArgumentDescriptions.cpp
    M Source/WebKit/Shared/NavigationActionData.h
    M Source/WebKit/Shared/NavigationActionData.serialization.in
    M Source/WebKit/Shared/ProcessQualified.serialization.in
    M Source/WebKit/Shared/WTFArgumentCoders.serialization.in
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/UIProcess/WebProcessProxy.messages.in
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h

  Log Message:
  -----------
  Cherry-pick 280938.111 at safari-7619-branch (5036f12ecddb). https://bugs.webkit.org/show_bug.cgi?id=276982

`WebProcessProxy::didDestroyUserGestureToken` doesn't check whether `identifier` is valid
https://bugs.webkit.org/show_bug.cgi?id=276982
rdar://132297411

Reviewed by Chris Dumez.

Change user gesture token identifiers from a `uint64_t` to an `ObjectIdentifier` to get IPC validation.

Also use `ProcessQualified` so that these tokens do not collide with site isolation enabled.

* LayoutTests/ipc/did-destroy-user-gesture-token-invalid-identifier-expected.txt: Added.
* LayoutTests/ipc/did-destroy-user-gesture-token-invalid-identifier.html: Added.
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/page/UserGestureTokenIdentifier.h: Added.
* Source/WebKit/Scripts/webkit/messages.py:
(serialized_identifiers):
(types_that_cannot_be_forward_declared):
(headers_for_type):
* Source/WebKit/Scripts/webkit/tests/MessageArgumentDescriptions.cpp:
(IPC::serializedIdentifiers):
* Source/WebKit/Shared/NavigationActionData.h:
* Source/WebKit/Shared/NavigationActionData.serialization.in:
* Source/WebKit/Shared/ProcessQualified.serialization.in:
* Source/WebKit/Shared/WTFArgumentCoders.serialization.in:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::userInitiatedActivity):
(WebKit::WebProcessProxy::didDestroyUserGestureToken):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/UIProcess/WebProcessProxy.messages.in:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::userGestureTokenIdentifier):
(WebKit::nextUserGestureTokenIdentifier): Deleted.
* Source/WebKit/WebProcess/WebProcess.h:

Canonical link: https://commits.webkit.org/282416.94@webkitglib/2.46


  Commit: 09c22987a94be59808276cb722c9b79e60b8339a
      https://github.com/WebKit/WebKit/commit/09c22987a94be59808276cb722c9b79e60b8339a
  Author: Matthew Finkel <m_finkel at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/loader/DocumentLoader.h
    M Source/WebCore/loader/FrameLoadRequest.h
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebKit/Shared/LoadParameters.h
    M Source/WebKit/Shared/LoadParameters.serialization.in
    M Source/WebKit/Shared/NavigationActionData.h
    M Source/WebKit/Shared/NavigationActionData.serialization.in
    M Source/WebKit/Shared/WebsitePoliciesData.cpp
    M Source/WebKit/UIProcess/API/APINavigation.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/WebProcess/WebPage/Cocoa/WebPageCocoa.mm
    M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
    M Source/WebKit/WebProcess/WebPage/WebFrame.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm

  Log Message:
  -----------
  Cherry-pick 280938.148 at safari-7619-branch (87b599e4c7e3). https://bugs.webkit.org/show_bug.cgi?id=276877

Fallback on current advanced policy protection policy when originator's policy is not set
https://bugs.webkit.org/show_bug.cgi?id=276877
rdar://problem/132225093

Reviewed by Wenson Hsieh.

Currently we're mostly separating the originator's policy from the policy that
was provided when deciding how the navigation should be handled. However, in
some situations those policies would become intertwined and we could apply the
wrong policy. For example, after certain redirect chains, we could start
applying the originator's policy, even if the navigation was user initiated.
Part of the problem stems from the fact that deciding which policy we need to
apply is context-specific, and we often must know both our current policy and
the previous policy.

This patch attempts to reduce the complexity and make clearer which policy
should be applied. In this patch, I'm changing the originator's policy from the
OptionSet to a std::optional. This will tell us whether we have a policy or if
we still need one. Using this information, we can fall back on the current
website policy if needed.

This patch adds a couple of new tests for covering some edge cases.

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::urlForBindings const):
(WebCore::Document::referrerForBindings):
* Source/WebCore/loader/DocumentLoader.h:
(WebCore::DocumentLoader::navigationalAdvancedPrivacyProtections const):
(WebCore::DocumentLoader::originatorAdvancedPrivacyProtections const):
* Source/WebCore/loader/FrameLoadRequest.h:
(WebCore::FrameLoadRequest::advancedPrivacyProtections const):
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::load):
* Source/WebKit/Shared/LoadParameters.h:
* Source/WebKit/Shared/LoadParameters.serialization.in:
* Source/WebKit/Shared/NavigationActionData.h:
* Source/WebKit/Shared/NavigationActionData.serialization.in:
* Source/WebKit/Shared/WebsitePoliciesData.cpp:
(WebKit::WebsitePoliciesData::applyToDocumentLoader):
* Source/WebKit/UIProcess/API/APINavigation.h:
(API::Navigation::originatorAdvancedPrivacyProtections const):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
* Source/WebKit/WebProcess/WebPage/Cocoa/WebPageCocoa.mm:
(WebKit::WebPage::applyLinkDecorationFilteringWithResult):
* Source/WebKit/WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::originatorAdvancedPrivacyProtections const):
* Source/WebKit/WebProcess/WebPage/WebFrame.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::loadRequest):
* Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm:
(TestWebKitAPI::TEST(AdvancedPrivacyProtections, ApplyNavigationalProtectionsAfterMultiplePSON)):
(TestWebKitAPI::webViewAfterCrossSiteNavigationWithReducedPrivacy):
(TestWebKitAPI::TEST(AdvancedPrivacyProtections, HideScreenMetricsFromBindings)):
(TestWebKitAPI::TEST(AdvancedPrivacyProtections, AddNoiseToWebAudioAPIsAfterMultiplePSON)):
(TestWebKitAPI::TEST(AdvancedPrivacyProtections, AddNoiseToWebAudioAPIsAfterReducingPrivacyProtectionsAndMultiplePSON)):

Canonical link: https://commits.webkit.org/282416.95@webkitglib/2.46


  Commit: 42cf2c3cbda80ae1c5cb9b4f5f687aa9b374cc03
      https://github.com/WebKit/WebKit/commit/42cf2c3cbda80ae1c5cb9b4f5f687aa9b374cc03
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.h

  Log Message:
  -----------
  Cherry-pick 6fc69ba54d92. https://bugs.webkit.org/show_bug.cgi?id=277435

Regression(280938.63 at safari-7619-branch) WeChat may hang in callOnGlobalObjectRunLoopAndWait()
https://bugs.webkit.org/show_bug.cgi?id=277435
rdar://132773444

Reviewed by Ryosuke Niwa.

Just doing a partial revert of 280938.63 at safari-7619-branch for now to resolve the issue.
We no longer try to dispatch to the JSGlobalObject's runloop before using the JSGlobalObject.
This should restore shipping behavior.

Based on initial investigation, the app seems to sometimes create a JSGlobalObject on thread
A, then later use that JSGlobalObject on the main thread. This causes us to call
`callOnGlobalObjectRunLoopAndWait()`, which tries to dispatch on thread A's runloop, and waits
on a BinarySemaphore until the task has been processed on the other runloop. However, this task
is sometimes not executed and we just hang on the BinarySemaphore. I suspect thread A may have
exited. Since `callOnGlobalObjectRunLoopAndWait()` seems unreliable, we now stop using it.

* Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
(JSC::JSGlobalObjectDebuggable::name const):
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::disconnect):
(JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemote):
(JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
(JSC::JSGlobalObjectDebuggable::callOnGlobalObjectRunLoopAndWait const): Deleted.
* Source/JavaScriptCore/runtime/JSGlobalObjectDebuggable.h:

Canonical link: https://commits.webkit.org/280938.171@safari-7619-branch

Canonical link: https://commits.webkit.org/282416.96@webkitglib/2.46


  Commit: 9e9fade1ca7bd252a11f6c5402fff584ae8fd9d4
      https://github.com/WebKit/WebKit/commit/9e9fade1ca7bd252a11f6c5402fff584ae8fd9d4
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2024-09-16 (Mon, 16 Sep 2024)

  Changed paths:
    M Source/WebCore/Modules/encryptedmedia/MediaKeySession.cpp

  Log Message:
  -----------
  Cherry-pick 280938.7 at safari-7619-branch (b89347ebdcc1). https://bugs.webkit.org/show_bug.cgi?id=276633

    UAF in MediaKeySession::load()
    https://bugs.webkit.org/show_bug.cgi?id=276633
    rdar://129490880

    Reviewed by Andy Estes.

    Check nullity of weakThis inside the lambda passed into loadSession() before continuing.

    * Source/WebCore/Modules/encryptedmedia/MediaKeySession.cpp:
    (WebCore::MediaKeySession::load):

    Canonical link: https://commits.webkit.org/280938.7@safari-7619-branch

Canonical link: https://commits.webkit.org/282416.97@webkitglib/2.46
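The weak-reference guard the commit above describes, as an added illustration that is not WebKit's code: std::weak_ptr stands in for WebCore's WeakPtr, and the CDM instance, session and completion counter are constructed stand-ins for the real MediaKeySession::load() / loadSession() pair.

```cpp
#include <functional>
#include <memory>
#include <vector>
// Constructed analogue: a session hands an asynchronous completion lambda to a
// CDM instance, and the session may be destroyed before that lambda runs.
// std::weak_ptr is assumed here in place of WebCore's WeakPtr.
struct FakeCDMInstance {
    std::vector<std::function<void(bool)>> pending;   // queued completions
    void loadSession(std::function<void(bool)> completion) {
        pending.push_back(std::move(completion));      // runs later, asynchronously
    }
    void runPending() {
        auto tasks = std::move(pending);
        pending.clear();
        for (auto& task : tasks) task(true);
    }
};
struct Session : std::enable_shared_from_this<Session> {
    FakeCDMInstance& cdm;
    int& liveCompletions;   // counts completions that reached a still-alive session
    Session(FakeCDMInstance& c, int& counter) : cdm(c), liveCompletions(counter) {}
    // Guarded form: capture a weak reference and check it before touching members.
    void load() {
        std::weak_ptr<Session> weakThis = shared_from_this();
        cdm.loadSession([weakThis](bool succeeded) {
            auto strongThis = weakThis.lock();
            if (!strongThis)
                return;   // session already destroyed: bail out instead of using freed memory
            if (succeeded)
                strongThis->liveCompletions++;
        });
    }
};
// Session outlives the async completion: the callback body runs (returns 1).
int completionsWhenSessionOutlives() {
    FakeCDMInstance cdm; int count = 0;
    auto session = std::make_shared<Session>(cdm, count);
    session->load();
    cdm.runPending();
    return count;
}
// Session is destroyed first: the weak check skips the body (returns 0).
int completionsWhenSessionDestroyedFirst() {
    FakeCDMInstance cdm; int count = 0;
    { auto session = std::make_shared<Session>(cdm, count); session->load(); }
    cdm.runPending();   // without the guard this would dereference a freed Session
    return count;
}
```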


Compare: https://github.com/WebKit/WebKit/compare/74e536eb4785...9e9fade1ca7b
