Title: [293179] branches/safari-613-branch/Source/WebKit

Diff

Modified: branches/safari-613-branch/Source/WebKit/ChangeLog (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/ChangeLog	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/ChangeLog	2022-04-21 20:11:46 UTC (rev 293179)
@@ -333,64 +333,6 @@
 
 2022-04-19  Alan Coon  <alanc...@apple.com>
 
-        Cherry-pick r291371. rdar://problem/72058321
-
-    CoreIPC Hardening: Add user gesture check when saving images
-    https://bugs.webkit.org/show_bug.cgi?id=237839
-    <rdar://72058321>
-    
-    Reviewed by Chris Dumez.
-    
-    Add check to confirm that attempts to store images in the user's Photo
-    Library and attempts to store data in the pasteboard were triggered by
-    a user gesture.
-    
-    * UIProcess/WebPageProxy.cpp:
-    (WebKit::WebPageProxy::writePromisedAttachmentToPasteboard): Message check the authorization token before
-    performing the write.
-    * UIProcess/WebPageProxy.h:
-    * UIProcess/WebPageProxy.messages.in:
-    * UIProcess/ios/WebPageProxyIOS.mm:
-    (WebKit::WebPageProxy::isValidPerformActionOnElementAuthorizationToken const): Added.
-    (WebKit::WebPageProxy::performActionOnElement): Added.
-    (WebKit::WebPageProxy::saveImageToLibrary): Message check the authorization token before
-    performing the save.
-    * WebProcess/WebPage/WebPage.h:
-    * WebProcess/WebPage/WebPage.messages.in:
-    * WebProcess/WebPage/ios/WebPageIOS.mm:
-    (WebKit::WebPage::performActionOnElement):
-    
-    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291371 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
-    2022-03-16  Brent Fulgham  <bfulg...@apple.com>
-
-            CoreIPC Hardening: Add user gesture check when saving images
-            https://bugs.webkit.org/show_bug.cgi?id=237839
-            <rdar://72058321>
-
-            Reviewed by Chris Dumez.
-
-            Add check to confirm that attempts to store images in the user's Photo
-            Library and attempts to store data in the pasteboard were triggered by
-            a user gesture.
-
-            * UIProcess/WebPageProxy.cpp:
-            (WebKit::WebPageProxy::writePromisedAttachmentToPasteboard): Message check the authorization token before
-            performing the write.
-            * UIProcess/WebPageProxy.h:
-            * UIProcess/WebPageProxy.messages.in:
-            * UIProcess/ios/WebPageProxyIOS.mm:
-            (WebKit::WebPageProxy::isValidPerformActionOnElementAuthorizationToken const): Added.
-            (WebKit::WebPageProxy::performActionOnElement): Added.
-            (WebKit::WebPageProxy::saveImageToLibrary): Message check the authorization token before
-            performing the save.
-            * WebProcess/WebPage/WebPage.h:
-            * WebProcess/WebPage/WebPage.messages.in:
-            * WebProcess/WebPage/ios/WebPageIOS.mm:
-            (WebKit::WebPage::performActionOnElement):
-
-2022-04-19  Alan Coon  <alanc...@apple.com>
-
         Cherry-pick r290874. rdar://problem/84869202
 
     Push HTMLMediaElement renderer's contentBox rect to GPU process

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.cpp (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -10145,16 +10145,9 @@
 
 #if ENABLE(ATTACHMENT_ELEMENT)
 
-void WebPageProxy::writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&& info, const String& authorizationToken)
+void WebPageProxy::writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&& info)
 {
-#if PLATFORM(IOS_FAMILY)
-    MESSAGE_CHECK(m_process, isValidPerformActionOnElementAuthorizationToken(authorizationToken));
-
     pageClient().writePromisedAttachmentToPasteboard(WTFMove(info));
-#else
-    UNUSED_PARAM(info);
-    UNUSED_PARAM(authorizationToken);
-#endif
 }
 
 RefPtr<API::Attachment> WebPageProxy::attachmentForIdentifier(const String& identifier) const
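Review bot: After this change `writePromisedAttachmentToPasteboard` forwards every `WritePromisedAttachmentToPasteboard` message from the web process straight to `pageClient()` with no `MESSAGE_CHECK`, so the UI process no longer verifies that the pasteboard write followed a user-initiated action. The same applies to `saveImageToLibrary` in WebPageProxyIOS.mm, which keeps only the null-handle check. The removed `#else` branch also made this function a no-op outside iOS-family builds, whereas the new body runs wherever `ENABLE(ATTACHMENT_ELEMENT)` is set. The ChangeLog hunk drops the cherry-pick entry without giving a reason, so I would record the gap at the call site, e.g. `// FIXME: Not validated against a user gesture; the hardening from https://bugs.webkit.org/show_bug.cgi?id=237839 was backed out of this branch.`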

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.h (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.h	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.h	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -876,7 +876,7 @@
     void startInteractionWithPositionInformation(const InteractionInformationAtPosition&);
     void stopInteraction();
     void performActionOnElement(uint32_t action);
-    void saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle, const String& authorizationToken);
+    void saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle);
     void focusNextFocusedElement(bool isForward, CompletionHandler<void()>&& = [] { });
     void setFocusedElementValue(const WebCore::ElementContext&, const String&);
     void setFocusedElementSelectedIndex(const WebCore::ElementContext&, uint32_t index, bool allowMultipleSelection = false);
@@ -2357,8 +2357,6 @@
     void showPlaybackTargetPicker(bool hasVideo, const WebCore::IntRect& elementRect, WebCore::RouteSharingPolicy, const String&);
 
     void updateStringForFind(const String&);
-
-    bool isValidPerformActionOnElementAuthorizationToken(const String& authorizationToken) const;
 #endif
 
     void focusedFrameChanged(const std::optional<WebCore::FrameIdentifier>&);
@@ -2506,7 +2504,7 @@
     Ref<API::Attachment> ensureAttachment(const String& identifier);
     void invalidateAllAttachments();
 
-    void writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&&, const String& authorizationToken);
+    void writePromisedAttachmentToPasteboard(WebCore::PromisedAttachmentInfo&&);
 #endif
 
     void reportPageLoadResult(const WebCore::ResourceError& = { });
@@ -3026,7 +3024,6 @@
     Function<bool()> m_deviceOrientationUserPermissionHandlerForTesting;
     bool m_waitingForPostLayoutEditorStateUpdateAfterFocusingElement { false };
     bool m_lastObservedStateWasBackground { false };
-    HashSet<String> m_performActionOnElementAuthTokens;
 #endif
 
     std::optional<WebCore::FontAttributes> m_cachedFontAttributesAtSelectionStart;

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.messages.in (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.messages.in	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/WebPageProxy.messages.in	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+# Copyright (C) 2010-2020 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -160,7 +160,7 @@
 #if PLATFORM(IOS_FAMILY)
     InterpretKeyEvent(struct WebKit::EditorState state, bool isCharEvent) -> (bool handled) Synchronous
     DidReceivePositionInformation(struct WebKit::InteractionInformationAtPosition information)
-    SaveImageToLibrary(WebKit::SharedMemory::IPCHandle handle, String authorizationToken)
+    SaveImageToLibrary(WebKit::SharedMemory::IPCHandle handle)
     ShowPlaybackTargetPicker(bool hasVideo, WebCore::IntRect elementRect, enum:uint8_t WebCore::RouteSharingPolicy policy, String routingContextUID)
     CommitPotentialTapFailed()
     DidNotHandleTapAsClick(WebCore::IntPoint point)
@@ -525,7 +525,7 @@
     DidInsertAttachmentWithIdentifier(String identifier, String source, bool hasEnclosingImage)
     DidRemoveAttachmentWithIdentifier(String identifier)
     SerializedAttachmentDataForIdentifiers(Vector<String> identifiers) -> (Vector<WebCore::SerializedAttachmentData> seralizedData) Synchronous
-    WritePromisedAttachmentToPasteboard(struct WebCore::PromisedAttachmentInfo info, String authorizationToken)
+    WritePromisedAttachmentToPasteboard(struct WebCore::PromisedAttachmentInfo info)
 #endif
 
 #if ENABLE(APP_HIGHLIGHTS)

Modified: branches/safari-613-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -562,30 +562,14 @@
     m_process->send(Messages::WebPage::StopInteraction(), m_webPageID);
 }
 
-bool WebPageProxy::isValidPerformActionOnElementAuthorizationToken(const String& authorizationToken) const
-{
-    return !authorizationToken.isNull() && m_performActionOnElementAuthTokens.contains(authorizationToken);
-}
-
 void WebPageProxy::performActionOnElement(uint32_t action)
 {
-    auto authorizationToken = createVersion4UUIDString();
-
-    m_performActionOnElementAuthTokens.add(authorizationToken);
-    
-    sendWithAsyncReply(Messages::WebPage::PerformActionOnElement(action, authorizationToken), [weakThis = WeakPtr { *this }, authorizationToken] () mutable {
-        if (!weakThis)
-            return;
-
-        ASSERT(weakThis->isValidPerformActionOnElementAuthorizationToken(authorizationToken));
-        weakThis->m_performActionOnElementAuthTokens.remove(authorizationToken);
-    });
+    m_process->send(Messages::WebPage::PerformActionOnElement(action), m_webPageID);
 }
 
-void WebPageProxy::saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle, const String& authorizationToken)
+void WebPageProxy::saveImageToLibrary(const SharedMemory::IPCHandle& imageHandle)
 {
     MESSAGE_CHECK(!imageHandle.handle.isNull());
-    MESSAGE_CHECK(isValidPerformActionOnElementAuthorizationToken(authorizationToken));
 
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle.handle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryBuffer)

Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.h (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.h	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.h	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -807,7 +807,7 @@
     void requestPositionInformation(const InteractionInformationRequest&);
     void startInteractionWithElementContextOrPosition(std::optional<WebCore::ElementContext>&&, WebCore::IntPoint&&);
     void stopInteraction();
-    void performActionOnElement(uint32_t action, const String& authorizationToken, CompletionHandler<void()>&&);
+    void performActionOnElement(uint32_t action);
     void focusNextFocusedElement(bool isForward, CompletionHandler<void()>&&);
     void autofillLoginCredentials(const String&, const String&);
     void setFocusedElementValue(const WebCore::ElementContext&, const String&);

Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.messages.in (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.messages.in	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/WebPage.messages.in	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+# Copyright (C) 2010-2021 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -90,7 +90,7 @@
     RequestPositionInformation(struct WebKit::InteractionInformationRequest request)
     StartInteractionWithElementContextOrPosition(std::optional<WebCore::ElementContext> elementContext, WebCore::IntPoint point)
     StopInteraction()
-    PerformActionOnElement(uint32_t action, String authenticationToken) -> ()
+    PerformActionOnElement(uint32_t action)
     FocusNextFocusedElement(bool isForward) -> () Async
     AutofillLoginCredentials(String username, String password)
     SetFocusedElementValue(struct WebCore::ElementContext context, String value)

Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (293178 => 293179)


--- branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm	2022-04-21 17:51:08 UTC (rev 293178)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm	2022-04-21 20:11:46 UTC (rev 293179)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -3173,10 +3173,8 @@
     m_interactionNode = nullptr;
 }
 
-void WebPage::performActionOnElement(uint32_t action, const String& authorizationToken, CompletionHandler<void()>&& completionHandler)
+void WebPage::performActionOnElement(uint32_t action)
 {
-    CompletionHandlerCallingScope callCompletionHandler(WTFMove(completionHandler));
-
     if (!is<HTMLElement>(m_interactionNode))
         return;
 
@@ -3202,7 +3200,7 @@
             m_interactionNode->document().editor().copyURL(element.document().completeURL(stripLeadingAndTrailingHTMLSpaces(element.attributeWithoutSynchronization(HTMLNames::hrefAttr))), element.textContent());
 #if ENABLE(ATTACHMENT_ELEMENT)
         else if (auto attachmentInfo = element.document().editor().promisedAttachmentInfo(element))
-            send(Messages::WebPageProxy::WritePromisedAttachmentToPasteboard(WTFMove(attachmentInfo), authorizationToken));
+            send(Messages::WebPageProxy::WritePromisedAttachmentToPasteboard(WTFMove(attachmentInfo)));
 #endif
     } else if (static_cast<SheetAction>(action) == SheetAction::SaveImage) {
         if (!is<RenderImage>(*element.renderer()))
@@ -3218,7 +3216,7 @@
             return;
         SharedMemory::Handle handle;
         sharedMemoryBuffer->createHandle(handle, SharedMemory::Protection::ReadOnly);
-        send(Messages::WebPageProxy::SaveImageToLibrary(SharedMemory::IPCHandle { WTFMove(handle), buffer->size() }, authorizationToken));
+        send(Messages::WebPageProxy::SaveImageToLibrary(SharedMemory::IPCHandle { WTFMove(handle), buffer->size() }));
     }
 }
 
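Review bot: The handle passed to `SaveImageToLibrary` is sent without checking that `createHandle` produced a usable one, while the receiving `WebPageProxy::saveImageToLibrary` runs `MESSAGE_CHECK(!imageHandle.handle.isNull())`. If handle creation can fail here, the UI process would treat a resource failure in the web process as a malformed message. A guard such as `if (handle.isNull()) return;` before the `send` would keep that check meaningful. `performActionOnElement` starts above this hunk, so an earlier guard may already cover this.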