[webkit-reviews] review denied: [Bug 211446] [Cocoa] Block preference services without using CFPrefs direct mode : [Attachment 398516] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat May 9 17:14:34 PDT 2020

Darin Adler <darin at apple.com> has denied Per Arne Vollan <pvollan at apple.com>'s
request for review:
Bug 211446: [Cocoa] Block preference services without using CFPrefs direct mode

Attachment 398516: Patch


--- Comment #6 from Darin Adler <darin at apple.com> ---
Comment on attachment 398516
  --> https://bugs.webkit.org/attachment.cgi?id=398516

View in context: https://bugs.webkit.org/attachment.cgi?id=398516&action=review

>>> Source/WebKit/ChangeLog:10
>>> +	     extensions, then perform a dummy preference request to map
preferences into memory, and finally revoke the extensions. The WebContent
>> How does revoking the extension achieve our security goal? 
>> My understanding is that, if we consume a sandbox extension to
"com.apple.cfprefsd.agent" and "com.apple.cfprefsd.daemon", and then connect to
them, and then revoke the extension, we will end up with an open connection to
these daemons. If so, revoking the extensions will prevent new connections from
being made, but will not close the existing connections, which can still be
used to send malicious messages.
> Ah, good catch! This patch is invalid, then.

Setting review- based on this exchange.

More information about the webkit-reviews mailing list