Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 50abb533176213b4ecf8d0e9f749d1ee15cc43ca
https://github.com/WebKit/WebKit/commit/50abb533176213b4ecf8d0e9f749d1ee15cc43ca
Author: Wenson Hsieh <[email protected]>
Date: 2024-06-18 (Tue, 18 Jun 2024)
Changed paths:
A LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash-expected.txt
A LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash.html
M Source/WebCore/dom/DOMPasteAccess.h
M Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp
M Source/WebKit/UIProcess/API/gtk/PageClientImpl.h
M Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp
M Source/WebKit/UIProcess/API/wpe/PageClientImpl.h
M Source/WebKit/UIProcess/PageClient.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
M Source/WebKit/UIProcess/mac/PageClientImplMac.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
M Source/WebKit/UIProcess/mac/WebViewImpl.h
M Source/WebKit/UIProcess/mac/WebViewImpl.mm
M Source/WebKit/UIProcess/playstation/PageClientImpl.cpp
M Source/WebKit/UIProcess/playstation/PageClientImpl.h
M Source/WebKit/UIProcess/win/PageClientImpl.cpp
M Source/WebKit/UIProcess/win/PageClientImpl.h
Log Message:
-----------
Clicking Edit > Paste in the in-page menu on Google Docs results in a failed MESSAGE_CHECK
https://bugs.webkit.org/show_bug.cgi?id=275608
rdar://130078654
Reviewed by Abrar Rahman Protyasha.
The security hardening in https://commits.webkit.org/279133@main introduced a `MESSAGE_CHECK` to verify that the ID of the frame requesting access to the pasteboard matches the security origin used as the document's `originIdentifierForPasteboard()` (which is either a security origin string, or a randomly-generated UUID in the case of a null origin).
```cpp
auto originFromFrame = SecurityOrigin::create(frame->url());
MESSAGE_CHECK_COMPLETION(m_legacyMainFrameProcess,
    origin->isSameOriginDomain(originFromFrame),
    completionHandler(DOMPasteAccessResponse::DeniedForGesture));
```
Importantly, note that this uses the given frame ID to find the corresponding `WebFrameProxy`, get the frame's URL in the UI process, and check whether the origins match using that URL.

This check (unintentionally) fails in the case where a `src`-less frame, whose security origin matches that of the `Document` that created it, triggers programmatic paste and sends a frame ID corresponding to the subframe (which doesn't have a source). We'll end up getting an opaque security origin for the frame above (based on its URL), which causes the `isSameOriginDomain` check to return `false` even though the subframe's document actually has the same security origin. Subsequently, the failed message check results in the web process crashing.

To address this crash and prevent similar bugs from causing the web process to terminate without regressing the security guarantees of the original fix, we take the following approach instead:

(1) Relax the check so that we allow the `originIdentifier` as long as the frame, or one of its parent frames, has the same origin.

(2) Instead of `MESSAGE_CHECK`-ing and terminating the web process, simply fall back on showing the paste prompt instead, regardless of whether the given `originIdentifier` matches the identifier on the pasteboard. This turns a would-be crash into a much-less-egregious bug where the paste prompt might show up unnecessarily.
* LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash-expected.txt: Added.
* LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash.html: Added.
Add a layout test to exercise the crash.
* Source/WebCore/dom/DOMPasteAccess.h:
Add a new `enum class` flag to indicate whether or not `requestDOMPasteAccess` should be allowed to proceed without explicit user interaction, in the case where the origins match (e.g. copying and pasting across tabs of the same origin).
* Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/API/gtk/PageClientImpl.h:
* Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp:
Plumb the new `DOMPasteRequiresInteraction` flag through all codepaths that trigger a DOM paste access request.
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/API/wpe/PageClientImpl.h:
* Source/WebKit/UIProcess/PageClient.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::requestDOMPasteAccess):
Implement the main fix here; see comments above for more details.
* Source/WebKit/UIProcess/ios/PageClientImplIOS.h:
* Source/WebKit/UIProcess/ios/PageClientImplIOS.mm:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.h:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView _requestDOMPasteAccessForCategory:requiresInteraction:elementRect:originIdentifier:completionHandler:]):
(-[WKContentView _requestDOMPasteAccessForCategory:elementRect:originIdentifier:completionHandler:]): Deleted.
* Source/WebKit/UIProcess/mac/PageClientImplMac.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/mac/WebViewImpl.h:
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(WebKit::WebViewImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/playstation/PageClientImpl.cpp:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/playstation/PageClientImpl.h:
* Source/WebKit/UIProcess/win/PageClientImpl.cpp:
(WebKit::PageClientImpl::requestDOMPasteAccess):
* Source/WebKit/UIProcess/win/PageClientImpl.h:
Canonical link: https://commits.webkit.org/280149@main
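To make the relaxed check concrete, here is an added, simplified C++ model (not WebKit's code; `Origin`, `Frame`, `legacyCheckFails`, `checkOriginIdentifier` and `needsPastePrompt` are hypothetical names) of the two behaviours the message contrasts: the pre-fix direct-frame comparison that fails for a `src`-less subframe, and the post-fix ancestor walk that falls back to the paste prompt instead of terminating the web process.

```cpp
// Added illustration, not WebKit's code: a simplified model of the frame-ancestry
// origin check and prompt fallback described in the commit message. All names are
// hypothetical; origins are (scheme, host, port) tuples or opaque.
#include <string>

struct Origin {
    std::string scheme, host;
    int port = 0;
    bool opaque = false;   // null origin, or a src-less frame resolved from its URL alone
    // Opaque origins never match anything, including themselves.
    bool isSameOriginDomain(const Origin& o) const {
        return !opaque && !o.opaque && scheme == o.scheme && host == o.host && port == o.port;
    }
};

struct Frame {
    Origin originFromURL;          // what the UI process derives from the frame's URL
    const Frame* parent = nullptr; // nullptr for the main frame
};

enum class PasteRequiresInteraction { No, Yes };

// Behaviour before the fix: only the requesting frame's own URL origin is compared,
// and a mismatch is fatal to the web process. Returns true when the check would fail.
bool legacyCheckFails(const Frame& frame, const Origin& originFromIdentifier) {
    return !originFromIdentifier.isSameOriginDomain(frame.originFromURL);
}

// Behaviour after the fix: accept the identifier if the frame or any ancestor is
// same-origin with it; otherwise require interaction (the paste prompt) rather
// than terminating the process.
PasteRequiresInteraction checkOriginIdentifier(const Frame& frame, const Origin& originFromIdentifier) {
    for (const Frame* f = &frame; f; f = f->parent) {
        if (originFromIdentifier.isSameOriginDomain(f->originFromURL))
            return PasteRequiresInteraction::No;
    }
    return PasteRequiresInteraction::Yes;
}

// Platform side (simplified): the prompt is skipped only when no interaction is
// required AND the pasteboard was last written under the same origin identifier.
bool needsPastePrompt(PasteRequiresInteraction interaction, const std::string& pageIdentifier,
                      const std::string& pasteboardIdentifier) {
    return interaction == PasteRequiresInteraction::Yes || pageIdentifier != pasteboardIdentifier;
}
```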
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes