Modified: trunk/Source/WebKit/ChangeLog (285178 => 285179)
--- trunk/Source/WebKit/ChangeLog 2021-11-02 19:57:41 UTC (rev 285178)
+++ trunk/Source/WebKit/ChangeLog 2021-11-02 20:44:33 UTC (rev 285179)
@@ -1,3 +1,19 @@
+2021-11-02 Chris Dumez <cdu...@apple.com>
+
+ Crash under WebPage::sendCOEPCORPViolation()
+ https://bugs.webkit.org/show_bug.cgi?id=232631
+ <rdar://84919898>
+
+ Reviewed by Alex Christensen.
+
+ Add missing null checks for the frame after calling `WebProcess::singleton().webFrame(frameID)`.
+
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::sendCOEPPolicyInheritenceViolation):
+ (WebKit::WebPage::sendCOEPCORPViolation):
+ (WebKit::WebPage::sendViolationReportWhenNavigatingToCOOPResponse):
+ (WebKit::WebPage::sendViolationReportWhenNavigatingAwayFromCOOPResponse):
+
2021-11-02 Sihui Liu <sihui_...@apple.com>
Terminate unresponsive network process by crashing it
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (285178 => 285179)
--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2021-11-02 19:57:41 UTC (rev 285178)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2021-11-02 20:44:33 UTC (rev 285179)
@@ -4319,13 +4319,13 @@
void WebPage::sendCOEPPolicyInheritenceViolation(FrameIdentifier frameID, const SecurityOriginData& embedderOrigin, const String& endpoint, COEPDisposition disposition, const String& type, const URL& blockedURL)
{
- if (auto* frame = WebProcess::singleton().webFrame(frameID); frame->coreFrame())
+ if (auto* frame = WebProcess::singleton().webFrame(frameID); frame && frame->coreFrame())
WebCore::sendCOEPPolicyInheritenceViolation(*frame->coreFrame(), embedderOrigin, endpoint, disposition, type, blockedURL);
}
void WebPage::sendCOEPCORPViolation(FrameIdentifier frameID, const SecurityOriginData& embedderOrigin, const String& endpoint, COEPDisposition disposition, FetchOptions::Destination destination, const URL& blockedURL)
{
- if (auto* frame = WebProcess::singleton().webFrame(frameID); frame->coreFrame())
+ if (auto* frame = WebProcess::singleton().webFrame(frameID); frame && frame->coreFrame())
WebCore::sendCOEPCORPViolation(*frame->coreFrame(), embedderOrigin, endpoint, disposition, destination, blockedURL);
}
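Review bot: The added `frame &&` guard stops the null dereference, but the frame the new condition accepts is still not checked against this page — `WebProcess::singleton().webFrame(frameID)` is a process-wide lookup, so a frameID that resolves to a frame of a different WebPage in the same process would still be reported on through this page's handler. If WebFrame exposes its owning page, tightening the guard to `frame && frame->page() == this && frame->coreFrame()` (or at least asserting it) would keep a stale or mismatched identifier from being acted on; the same applies to the hunks at `@@ -4338` and `@@ -4348`. For those two hunks the enclosing function begins outside the hunk, so the early `nonUtilityPageCount()` returns are the only other visible checks.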
@@ -4338,7 +4338,7 @@
if (Page::nonUtilityPageCount() <= 1)
return;
- if (auto* frame = WebProcess::singleton().webFrame(frameID); frame->coreFrame())
+ if (auto* frame = WebProcess::singleton().webFrame(frameID); frame && frame->coreFrame())
WebCore::sendViolationReportWhenNavigatingToCOOPResponse(*frame->coreFrame(), coop, disposition, coopURL, previousResponseURL, coopOrigin.securityOrigin(), previousResponseOrigin.securityOrigin(), referrer, userAgent);
}
@@ -4348,7 +4348,7 @@
if (Page::nonUtilityPageCount() <= 1)
return;
- if (auto* frame = WebProcess::singleton().webFrame(frameID); frame->coreFrame())
+ if (auto* frame = WebProcess::singleton().webFrame(frameID); frame && frame->coreFrame())
WebCore::sendViolationReportWhenNavigatingAwayFromCOOPResponse(*frame->coreFrame(), coop, disposition, coopURL, nextResponseURL, coopOrigin.securityOrigin(), nextResponseOrigin.securityOrigin(), isCOOPResponseNavigationSource, userAgent);
}