[Webkit-unassigned] [Bug 256403] New: Defer AX object cache update as an event loop task instead of a post layout task
bugzilla-daemon at webkit.org
Fri May 5 17:56:13 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=256403
Bug ID: 256403
Summary: Defer AX object cache update as an event loop task instead of a post layout task
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Accessibility
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rniwa at webkit.org
CC: andresg_22 at apple.com, webkit-bug-importer at group.apple.com
We currently update AX caches as a post layout task.
This is problematic because it can lead to arbitrary script execution, e.g.:
3 0x2836d4250 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)
4 0x28376d6ac WebCore::Node::dispatchEvent(WebCore::Event&)
5 0x283699750 WebCore::Element::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>&&, WebCore::FocusOptions const&)
6 0x2835c477c WebCore::Document::setFocusedElement(WebCore::Element*, WebCore::FocusOptions const&)
7 0x2843b3b48 WebCore::FocusController::setFocusedElement(WebCore::Element*, WebCore::LocalFrame&, WebCore::FocusOptions const&)
8 0x283698d64 WebCore::Element::focus(WebCore::FocusOptions const&)
9 0x282b8b80c WebCore::AccessibilityNodeObject::setFocused(bool)
10 0x282af3d4c WebCore::AXObjectCache::focusCurrentModal()
11 0x282afeda4 WebCore::AXObjectCache::performDeferredCacheUpdate()
12 0x28441f0c4 WebCore::LocalFrameView::performPostLayoutTasks()
13 0x28442a760 WebCore::LocalFrameViewLayoutContext::runAsynchronousTasks()
14 0x28442b7e8 WebCore::LocalFrameViewLayoutContext::runOrScheduleAsynchronousTasks()
15 0x28442b110 WebCore::LocalFrameViewLayoutContext::performLayout()
16 0x28440969c WebCore::LocalFrameViewLayoutContext::layout()
17 0x28441cbb0 WebCore::LocalFrameView::updateContentsSize()
18 0x2846a2f90 WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
19 0x2846a4858 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&)
20 0x28440cafc WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&)
21 0x284406f7c WebCore::LocalFrameView::adjustViewSize()
22 0x28442afc0 WebCore::LocalFrameViewLayoutContext::performLayout()
23 0x28440969c WebCore::LocalFrameViewLayoutContext::layout()
24 0x2835adde8 WebCore::Document::updateLayout()
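A toy C++ model of the re-entrancy this report describes, added here as an illustration and not WebKit code: a post-layout phase whose work can dispatch a focus event (and so run script) while layout is still on the stack, beside the same work queued as an event loop task. All type and function names (Document, Tasks, Outcome, the two ax* functions) are invented for the example.

```cpp
#include <functional>
#include <utility>
#include <vector>
// Toy model (not WebKit code) of the hazard in this bug: a post-layout task
// that can dispatch a focus event lets script run while layout is on the stack.
using Tasks = std::vector<std::function<void()>>;
struct Document {
    Tasks postLayoutTasks; // run inside updateLayout()
    Tasks eventLoopTasks;  // run only after the current task has returned
    int layoutDepth = 0, maxLayoutDepth = 0, scriptRunsDuringLayout = 0;

    // Stand-in for a page's focus handler: script touches layout-dependent
    // state, which forces another layout (re-entrant if we are mid-layout).
    void runScript() {
        if (layoutDepth > 0) ++scriptRunsDuringLayout;
        updateLayout();
    }
    void updateLayout() {
        ++layoutDepth;
        if (layoutDepth > maxLayoutDepth) maxLayoutDepth = layoutDepth;
        if (layoutDepth == 1) // only the outermost layout runs post-layout tasks
            for (auto& task : std::exchange(postLayoutTasks, Tasks{})) task();
        --layoutDepth;
    }
    void runEventLoop() {
        while (!eventLoopTasks.empty())
            for (auto& task : std::exchange(eventLoopTasks, Tasks{})) task();
    }
};
struct Outcome { int scriptRunsDuringLayout; int maxLayoutDepth; };
// Before: the AX cache update is a post-layout task, so focusing the modal
// (focus event -> script) happens with updateLayout() still on the stack.
Outcome axUpdateAsPostLayoutTask() {
    Document doc;
    doc.postLayoutTasks.push_back([&] { doc.runScript(); });
    doc.updateLayout();
    doc.runEventLoop();
    return { doc.scriptRunsDuringLayout, doc.maxLayoutDepth }; // {1, 2}
}

// After: the post-layout phase only queues the update as an event loop task,
// so script runs once updateLayout() has fully returned.
Outcome axUpdateAsEventLoopTask() {
    Document doc;
    doc.postLayoutTasks.push_back([&] { doc.eventLoopTasks.push_back([&] { doc.runScript(); }); });
    doc.updateLayout();
    doc.runEventLoop();
    return { doc.scriptRunsDuringLayout, doc.maxLayoutDepth }; // {0, 1}
}
```

The "before" variant reports script running inside layout and a nested layout depth of 2; the "after" variant reports no script during layout and a depth of 1, which is the invariant the bug asks to restore.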