Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 26dd802ebb28b5acb59ea16b46c85f83fa243cd3
      
https://github.com/WebKit/WebKit/commit/26dd802ebb28b5acb59ea16b46c85f83fa243cd3
  Author: Chris Dumez <[email protected]>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    M Source/WebCore/dom/Document.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm

  Log Message:
  -----------
  Calling evaluateJavaScript enables back-button hijacking
https://bugs.webkit.org/show_bug.cgi?id=261611
rdar://115561250

Reviewed by Ben Nham.

In 253405@main, I updated our back/forward list hijacking prevention logic by
treating history items added by JS (e.g. via `history.pushState()`) as having
a user gesture if a user gesture had occurred in the last 10 seconds. This was
needed for backward compatibility with some legit sites.

The issue now is that if the client app has called evaluateJavaScript on the
WKWebView in the last 10 seconds, the JS will be able to hijack the back/forward
list again.

In 265168@main, we did some hardening so that the transient activation gets
consumed after the evaluateJavaScript call has completed. However, it didn't
fix the back/forward list hijacking prevention logic because it relies on
user gesture and not transient activation.

To address the issue, I updated our back/forward list hijacking prevention logic
to rely on transient user activation rather than whether or not there was a
user gesture in the last 10 minutes.

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::hasRecentUserInteractionForNavigationFromJS const):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(TEST):

Originally-landed-as: 272448.685@safari-7618-branch (028628cff473). 
rdar://128089980
Canonical link: https://commits.webkit.org/278881@main
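As an added illustration (not WebKit source and not part of the commit), the following JavaScript models the two policies the commit message contrasts: treating a JS-added history entry as user-initiated when any user gesture (including one supplied by an embedder's evaluateJavaScript call) occurred within the last 10 seconds, versus requiring transient user activation, which the embedder call consumes once its script has finished. The class and method names, the back-navigation skip over entries that were not user-initiated, and the omission of transient-activation expiry are assumptions of this model, chosen only to show why the time-window check let a recent evaluateJavaScript call re-enable hijacking.

```javascript
// Added illustration, not WebKit code: a simplified model of the policy change
// described in the commit message. Names, structure and the skip-on-back
// behaviour are assumptions made for this example.

const RECENT_GESTURE_WINDOW_MS = 10 * 1000; // the "last 10 seconds" window

class PageModel {
  constructor(policy) {
    this.policy = policy;               // 'recentGesture' (old) or 'transientActivation' (new)
    this.lastUserGestureAt = -Infinity; // time of the most recent user gesture
    this.transientActivation = false;   // transient user activation flag (expiry ignored here)
    this.entries = [{ url: '/start', userInitiated: true }];
    this.index = 0;
  }

  // A genuine user interaction records a gesture and grants transient activation.
  userInteraction(now) {
    this.lastUserGestureAt = now;
    this.transientActivation = true;
  }

  // Embedder-driven evaluateJavaScript: the script runs as if user-activated,
  // and the activation is consumed after the call completes (the 265168@main hardening).
  evaluateJavaScript(now, script) {
    this.lastUserGestureAt = now;
    this.transientActivation = true;
    script(this, now);
    this.transientActivation = false;
  }

  // The check the commit changes: time window on the old policy, activation flag on the new.
  hasRecentUserInteractionForNavigationFromJS(now) {
    if (this.policy === 'recentGesture')
      return now - this.lastUserGestureAt <= RECENT_GESTURE_WINDOW_MS;
    return this.transientActivation;
  }

  // history.pushState from page script; entries added without user interaction
  // are marked so that the back button can skip over them.
  pushState(now, url) {
    const userInitiated = this.hasRecentUserInteractionForNavigationFromJS(now);
    this.entries.splice(this.index + 1); // discard forward entries
    this.entries.push({ url, userInitiated });
    this.index = this.entries.length - 1;
  }

  // Back button: skip entries JS added without user interaction.
  goBack() {
    let i = this.index - 1;
    while (i > 0 && !this.entries[i].userInitiated) i--;
    if (i < 0) return null;
    this.index = i;
    return this.entries[i].url;
  }
}

// Scenario from the commit message: the embedder calls evaluateJavaScript and,
// within the 10-second window, page script pushes entries; then the user presses back.
function runEmbedderScenario(policy) {
  const page = new PageModel(policy);
  page.evaluateJavaScript(1000, () => {}); // embedder script that does nothing itself
  page.pushState(2000, '/trap1');           // page script, one second later
  page.pushState(3000, '/trap2');
  page.pushState(4000, '/trap3');
  return page.goBack();                     // old policy: '/trap2'; new policy: '/start'
}

// Control: a real user interaction should keep JS-added entries under both policies.
function runUserGestureScenario(policy) {
  const page = new PageModel(policy);
  page.userInteraction(1000);
  page.pushState(2000, '/clicked');
  page.pushState(3000, '/next');
  return page.goBack();                     // both policies: '/clicked'
}

console.log('old policy, embedder call:', runEmbedderScenario('recentGesture'));
console.log('new policy, embedder call:', runEmbedderScenario('transientActivation'));
console.log('new policy, real gesture:', runUserGestureScenario('transientActivation'));
```

Under the time-window policy the embedder's call stamps a gesture that page script can reuse for ten seconds, so the back button lands on one of the page's own entries; under the activation-based policy the activation is gone by the time page script runs, and back returns to the entry the user actually came from, while the genuine-gesture control behaves the same either way.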

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes