Title: [256455] trunk
Revision: 256455
Author: [email protected]
Date: 2020-02-12 10:49:42 -0800 (Wed, 12 Feb 2020)

Log Message

Source/WebKit:
Pages that trigger a redirect will sometimes be left blank
https://bugs.webkit.org/show_bug.cgi?id=207614
rdar://problem/59077740

Patch by Simon Fraser <[email protected]> on 2020-02-12
Reviewed by Tim Horton.

TiledCoreAnimationDrawingArea::setRootCompositingGraphicsLayer() can be called when the layer tree
is frozen, in which case we stash away the layer in m_pendingRootLayer to be parented later at flush
time. However, this sequence of calls had a bug:

setRootCompositingGraphicsLayer() when frozen
    -> stash in m_pendingRootLayer
setRootCompositingGraphicsLayer() when not frozen
    -> set the root layer
flushLayers()
    -> set the root layer to the (old) m_pendingRootLayer

So we need to clear m_pendingRootLayer at step 2.

Very timing dependent, hard to test.

* WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:
(WebKit::TiledCoreAnimationDrawingArea::setRootCompositingLayer):

LayoutTests:
[iOS] Deny mach lookup access to analytics service in the WebContent process
https://bugs.webkit.org/show_bug.cgi?id=207482

Reviewed by Darin Adler.

* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (256454 => 256455)


--- trunk/LayoutTests/ChangeLog	2020-02-12 18:48:24 UTC (rev 256454)
+++ trunk/LayoutTests/ChangeLog	2020-02-12 18:49:42 UTC (rev 256455)
@@ -1,3 +1,13 @@
+2020-02-12  Per Arne Vollan  <[email protected]>
+
+        [iOS] Deny mach lookup access to analytics service in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=207482
+
+        Reviewed by Darin Adler.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2020-02-12  Jacob Uphoff  <[email protected]>
 
         [ iOS ] http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode.html is flaky timing out

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (256454 => 256455)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2020-02-12 18:48:24 UTC (rev 256454)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2020-02-12 18:49:42 UTC (rev 256455)
@@ -19,3 +19,4 @@
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.aggregated") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.tccd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.uikit.viewservice") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.analyticsd") is false

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (256454 => 256455)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2020-02-12 18:48:24 UTC (rev 256454)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2020-02-12 18:49:42 UTC (rev 256455)
@@ -22,6 +22,7 @@
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.aggregated\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.tccd\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.uikit.viewservice\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.analyticsd\")");
 }
 </script>
 </head>
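Review bot: The added shouldBeFalse line for "com.apple.analyticsd" repeats the full hasSandboxMachLookupAccessToGlobalName call with the process name and escaped quotes, as the three context lines above it do. Building these calls from a short list of service names would make each new denial a one-word change and make it harder to mistype the process name in one of them. The check lives under fast/sandbox/ios, so it only covers the iOS profile.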

Modified: trunk/Source/WebKit/ChangeLog (256454 => 256455)


--- trunk/Source/WebKit/ChangeLog	2020-02-12 18:48:24 UTC (rev 256454)
+++ trunk/Source/WebKit/ChangeLog	2020-02-12 18:49:42 UTC (rev 256455)
@@ -26,6 +26,19 @@
 
 2020-02-12  Per Arne Vollan  <[email protected]>
 
+        [iOS] Deny mach lookup access to analytics service in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=207482
+
+        Reviewed by Darin Adler.
+
+        As part of sandbox hardening work, this service should be denied in the WebContent process' sandbox.
+
+        Test: fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
+2020-02-12  Per Arne Vollan  <[email protected]>
+
         [iOS] Deny mach lookup access to view service in the WebContent process
         https://bugs.webkit.org/show_bug.cgi?id=207487
         <rdar://problem/56995704>
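Review bot: The new entry at the top of this hunk gives only "As part of sandbox hardening work, this service should be denied" as its rationale, while the rule it removes from com.apple.WebKit.WebContent.sb was commented as "required by CFNetwork and other frameworks". The entry should say why the WebContent process no longer needs com.apple.analyticsd, so that a later regression can be traced back to this change. Separately, the Source/WebKit log message on this revision describes bug 207614 and TiledCoreAnimationDrawingArea.mm, which is not among the modified files shown here; confirm the commit log matches this ChangeLog entry.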

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (256454 => 256455)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-02-12 18:48:24 UTC (rev 256454)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-02-12 18:49:42 UTC (rev 256455)
@@ -897,10 +897,6 @@
 (allow mach-lookup
        (global-name "com.apple.webinspector"))
 
-;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup
-    (global-name "com.apple.analyticsd"))
-
 (allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.PowerManagement.control"))
 
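Review bot: Dropping the (allow mach-lookup (global-name "com.apple.analyticsd")) rule outright gives no signal if a framework in the WebContent process still performs this lookup, and the deleted comment said it was needed by CFNetwork and other frameworks. The next rule in the context uses (allow mach-lookup (with report) (with telemetry) ...), so the profile already has a way to observe lookups before denying them; if that staging was done for analyticsd in an earlier revision, the ChangeLog should say so. This hunk also depends on the profile denying mach-lookup by default, which is not visible here; the layout test's expectation of false is the only confirmation.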
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes