Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c78c210e4b41d758d26bb05c56f51bbbd60823ed
      https://github.com/WebKit/WebKit/commit/c78c210e4b41d758d26bb05c56f51bbbd60823ed
  Author: Brent Fulgham <[email protected]>
  Date:   2025-06-18 (Wed, 18 Jun 2025)

  Changed paths:
    A LayoutTests/http/tests/lockdown-mode/heic-shown-in-lockdown-mode.http-expected.txt
    A LayoutTests/http/tests/lockdown-mode/heic-shown-in-lockdown-mode.http.html
    A LayoutTests/http/tests/lockdown-mode/no-heic-in-lockdown-mode.https-expected.txt
    A LayoutTests/http/tests/lockdown-mode/no-heic-in-lockdown-mode.https.html
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/mac-wk1/TestExpectations
    M LayoutTests/platform/win/TestExpectations
    M LayoutTests/platform/wpe/TestExpectations
    M Source/WTF/wtf/PlatformEnableCocoa.h
    M Source/WTF/wtf/URL.cpp
    M Source/WTF/wtf/URL.h
    M Source/WebCore/PAL/pal/cocoa/LockdownModeCocoa.h
    M Source/WebCore/PAL/pal/cocoa/LockdownModeCocoa.mm
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceRequest.cpp
    M Source/WebCore/loader/cache/CachedResourceRequest.h
    M Source/WebCore/platform/graphics/cg/UTIRegistry.mm
    M Source/WebKit/UIProcess/API/Cocoa/_WKSystemPreferences.mm
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Tools/TestRunnerShared/TestFeatures.cpp
    M Tools/TestWebKitAPI/Tests/WTF/URL.cpp
    M Tools/WebKitTestRunner/TestOptions.h
    M Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm

  Log Message:
  -----------
  [Lockdown Mode] Make sure Accept Header matches LDM capabilities
https://bugs.webkit.org/show_bug.cgi?id=293385
<rdar://problem/151333451>

Reviewed by Pascoe.

(Relanding PR-45722)

We recently discovered that in Lockdown Mode WebKit generates an Accept Header containing image types that are disabled. There is no security issue from this, but it's annoying to LDM users who may end up downloading unusable images, etc.

This patch causes the Accept Header logic to check for Lockdown Mode state, and only emit relevant types when communicating with a secure server.

This patch also updates WebKitTestRunner with the ability to activate Lockdown Mode for tests in the 'lockdown-mode' directory.

It also disambiguates checks for the enablement of the Lockdown Mode feature from the specific use of the Lockdown Mode framework, which only exists on some systems at present. This allows Open Source builds to activate the feature in WebKit and test it.

Tests:
    LayoutTests/http/tests/lockdown-mode/heic-shown-in-lockdown-mode.http.html
    LayoutTests/http/tests/lockdown-mode/no-heic-in-lockdown-mode.https.html

* Source/WTF/wtf/PlatformHave.h: Disambiguate the Lockdown Mode feature from the Lockdown Mode framework.
* Source/WTF/wtf/URL.cpp:
(WTF::URL::protocolIsSecure const): Added.
* Source/WTF/wtf/URL.h:
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::updateRequestAndAddExtraFields): Pass new argument.
* Source/WebCore/loader/cache/CachedResourceRequest.cpp:
(WebCore::acceptHeaderValueForImageResource): Only send Lockdown-supported image types to secure servers when in lockdown mode.
(WebCore::CachedResourceRequest::acceptHeaderValueFromType):
(WebCore::CachedResourceRequest::setAcceptHeaderIfNone):
* Source/WebCore/loader/cache/CachedResourceRequest.h:
* Tools/TestRunnerShared/TestFeatures.cpp:
(WTR::shouldEnableLockdownMode): Add Lockdown Mode test feature.
(WTR::hardcodedFeaturesBasedOnPathForTest): Add check for 'lockdown-mode' directory.
* Tools/TestWebKitAPI/Tests/WTF/URL.cpp:
(TestWebKitAPI::TEST_F(WTF_URL, ProtocolIsSecure)):
* Tools/WebKitTestRunner/TestOptions.h:
(WTR::TestOptions::lockdownModeEnabled const):
* Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm:
(WTR::TestController::configureWebpagePreferences): Set lockdown mode when appropriate.

Canonical link: https://commits.webkit.org/296396@main
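
The decision the log message describes (restrict the image Accept value only when Lockdown Mode is on and the request goes to a secure server), sketched as an added example; this is not the WebKit patch or its code. The function names mirror the log, but their bodies, the `AcceptEntry` type, the set of secure schemes and the sample type list are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for the URL::protocolIsSecure() check named in the log.
// Assumption: only the https and wss schemes count as secure.
bool protocolIsSecure(const std::string& url)
{
    auto colon = url.find(':');
    if (colon == std::string::npos)
        return false; // no scheme at all: treat as not secure
    std::string scheme = url.substr(0, colon);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme == "https" || scheme == "wss";
}

struct AcceptEntry { const char* value; bool allowedInLockdownMode; };

// Constructed sample list, not WebKit's real Accept value or type policy.
const std::vector<AcceptEntry> sampleEntries = {
    { "image/heic", false }, { "image/heic-sequence", false },
    { "image/png", true }, { "image/svg+xml", true },
    { "image/*;q=0.8", true }, { "*/*;q=0.5", true },
};

// Drop Lockdown-disabled types only when Lockdown Mode is on AND the
// request goes to a secure server; otherwise send the default list.
std::string acceptHeaderForImage(const std::string& url, bool lockdownModeEnabled)
{
    const bool filter = lockdownModeEnabled && protocolIsSecure(url);
    std::string header;
    for (const auto& entry : sampleEntries) {
        if (filter && !entry.allowedInLockdownMode)
            continue;
        if (!header.empty())
            header += ',';
        header += entry.value;
    }
    return header;
}

int main()
{
    std::cout << acceptHeaderForImage("https://example.test/a.heic", true) << '\n';
    std::cout << acceptHeaderForImage("http://example.test/a.heic", true) << '\n';
}
```

The two calls in `main` correspond to the two layout tests listed in the log: the `.https` test expects no HEIC, the `.http` test expects HEIC to be shown.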
