Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1bf1b5844dfcf02db5ae378aedf274146cef4c5a
https://github.com/WebKit/WebKit/commit/1bf1b5844dfcf02db5ae378aedf274146cef4c5a
Author: Chris Dumez <[email protected]>
Date: 2023-01-26 (Thu, 26 Jan 2023)
Changed paths:
M LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html
A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt
A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html
R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt
R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html
A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html
A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html
R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html
R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html
M LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html
M Source/WebCore/history/CachedPage.cpp
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm
Log Message:
-----------
Cherry-pick 252432.944@safari-7614-branch (50b1632f78ae). rdar://104656472
Tweak back/forward list hijacking prevention logic
https://bugs.webkit.org/show_bug.cgi?id=248716
rdar://102923240
Reviewed by Geoffrey Garen and Ryan Haddad.
Tweak back/forward list hijacking prevention logic for better protection and to
align our behavior with Chrome.
In particular, let's consider this example:
Yahoo -> Yahoo#a (no userInteraction) -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)
If we're currently on Google#b and navigate backwards:
- Old behavior: We load Google
- New behavior: We load Yahoo#a
The new behavior makes sense since the user feels like they are on Google
(since Google#a & Google#b happened without user interaction) and the last
page they viewed before Google was Yahoo#b.
If we're on Yahoo#a and navigate forwards:
- Old behavior: We load Google
- New behavior: We load Google#b
The new behavior makes sense as a symmetry to the case above.
Now let's consider this example:
Yahoo -> Yahoo#a (no userInteraction) -> Google
If we're on Google and navigate backwards:
- Old behavior: we load Yahoo
- New behavior: We load Yahoo#a
Finally, with this example:
Yahoo -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)
If we're on Yahoo and navigate forwards:
- Old behavior: We load Google
- New behavior: We load Google#b
This patch also changes the behavior of the popstate event. We used to fire the
popstate event for navigations that were not within the same document. However,
this behavior wasn't aligned with the specification [1] or with other browsers.
The exploit attached to the radar was also relying on this event to hijack the
back/forward navigation and lock the user on a specific site.
I updated our code so that the popstate is now only fired for same-document
navigations and I updated our tests accordingly. I have verified that our
behavior is consistent with Blink on these new test versions.
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-expected.txt:
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-with-fragment-scroll-expected.txt:
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html:
* LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt.
* LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html.
* LayoutTests/fast/loader/stateobjects/replacestate-in-iframe-expected.txt:
* LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html: Renamed from LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html.
* LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html: Added.
* LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html: Removed.
* LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html:
* Source/WebCore/history/CachedPage.cpp:
(WebCore::firePageShowEvent):
(WebCore::CachedPage::restore):
(WebCore::firePageShowAndPopStateEvents): Deleted.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
(WebCore::FrameLoader::transitionToCommitted):
* Source/WebCore/loader/FrameLoader.h:
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::itemSkippingBackForwardItemsAddedByJSWithoutUserGesture):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
(runBackForwardNavigationSkipsItemsWithoutUserGestureTest):
(TEST):
(runBackForwardNavigationDoesNotSkipItemsWithUserGestureTest):
Canonical link: https://commits.webkit.org/252432.944@safari-7614-branch
Canonical link: https://commits.webkit.org/259437@main
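The following is an added, stand-alone model of the old and new back/forward
targeting described in the commit message above, plus the same-document rule
for popstate; it is not WebKit's code and does not reproduce
itemSkippingBackForwardItemsAddedByJSWithoutUserGesture. It assumes that the
"Yahoo" and "Google" entries in the four examples were created with a user
gesture (the message only marks the fragment entries as lacking user
interaction) and that entries added by pushState or fragment navigation share
the document of the entry before them. The sample history lists are constructed
from the examples in the message.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HistoryEntry:
    url: str
    document_id: int    # assumption: pushState/fragment entries share their predecessor's document
    user_gesture: bool  # False when script added the entry without user interaction


def visible_groups(entries: List[HistoryEntry]) -> List[List[int]]:
    """Partition indices into the groups a user perceives as one site visit:
    an entry added without a user gesture belongs to the group before it."""
    groups: List[List[int]] = []
    for i, entry in enumerate(entries):
        if i == 0 or entry.user_gesture:
            groups.append([i])
        else:
            groups[-1].append(i)
    return groups


def navigate_old(entries: List[HistoryEntry], current: int, delta: int) -> Optional[int]:
    """Old behaviour as described: step in the requested direction, skip every
    entry added without a user gesture, and stop at the first remaining entry."""
    step = 1 if delta > 0 else -1
    i = current
    for _ in range(abs(delta)):
        i += step
        while 0 <= i < len(entries) and not entries[i].user_gesture:
            i += step
        if not 0 <= i < len(entries):
            return None
    return i


def navigate_new(entries: List[HistoryEntry], current: int, delta: int) -> Optional[int]:
    """New behaviour: move |delta| groups and land on the last entry of the
    target group, i.e. the state the user last saw on that site. A site cannot
    pad the list with gesture-less entries to trap the user on itself."""
    groups = visible_groups(entries)
    current_group = next(g for g, members in enumerate(groups) if current in members)
    target = current_group + delta
    if not 0 <= target < len(groups):
        return None
    return groups[target][-1]


def fires_popstate(entries: List[HistoryEntry], src: int, dst: int) -> bool:
    """popstate fires only for same-document navigations (HTML spec)."""
    return entries[src].document_id == entries[dst].document_id


# Constructed from example 1 in the commit message.
EXAMPLE_1 = [
    HistoryEntry("Yahoo", 1, True),      # assumed user-initiated
    HistoryEntry("Yahoo#a", 1, False),   # no user interaction
    HistoryEntry("Google", 2, True),     # assumed user-initiated
    HistoryEntry("Google#a", 2, False),  # no user interaction
    HistoryEntry("Google#b", 2, False),  # no user interaction
]
# Constructed from examples 3 and 4.
EXAMPLE_3 = EXAMPLE_1[:3]
EXAMPLE_4 = [EXAMPLE_1[0]] + EXAMPLE_1[2:]


def describe(entries: List[HistoryEntry], current: int, delta: int) -> str:
    old = navigate_old(entries, current, delta)
    new = navigate_new(entries, current, delta)
    name = lambda i: "(none)" if i is None else entries[i].url
    return f"from {entries[current].url} go({delta:+d}): old -> {name(old)}, new -> {name(new)}"


if __name__ == "__main__":
    print(describe(EXAMPLE_1, 4, -1))  # old -> Google, new -> Yahoo#a
    print(describe(EXAMPLE_1, 1, +1))  # old -> Google, new -> Google#b
    print(describe(EXAMPLE_3, 2, -1))  # old -> Yahoo, new -> Yahoo#a
    print(describe(EXAMPLE_4, 0, +1))  # old -> Google, new -> Google#b
    # Under the new behaviour the backward step leaves the Google document,
    # so popstate must not fire; under the old one it stayed in-document.
    print("popstate old:", fires_popstate(EXAMPLE_1, 4, 2))
    print("popstate new:", fires_popstate(EXAMPLE_1, 4, 1))
```

The grouping is the property to check when reviewing a back/forward
implementation: a back step from the last gesture-less entry must leave the
whole run of gesture-less entries, not just the most recent one, and a
cross-document target must not receive a popstate that script could use to
re-push state and re-trap the user.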
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes