Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 261b24ff1774bf055cd4378f1bd12ca926417b35
      
https://github.com/WebKit/WebKit/commit/261b24ff1774bf055cd4378f1bd12ca926417b35
  Author: Ronan Turner <[email protected]>
  Date:   2025-07-24 (Thu, 24 Jul 2025)

  Changed paths:
    A LayoutTests/dom/xsl/lockdown-mode/XSLT-disabled-expected.txt
    A LayoutTests/dom/xsl/lockdown-mode/XSLT-disabled.html
    A LayoutTests/dom/xsl/lockdown-mode/resources/XSLT-disabled.xml
    A LayoutTests/dom/xsl/lockdown-mode/resources/XSLT-disabled.xsl
    A LayoutTests/js/dom/lockdown-mode/XSLTProcessor-disabled-expected.txt
    A LayoutTests/js/dom/lockdown-mode/XSLTProcessor-disabled.html
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/mac-wk1/TestExpectations
    M LayoutTests/platform/win/TestExpectations
    M LayoutTests/platform/wpe/TestExpectations
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WebCore/bindings/js/WebCoreBuiltinNames.h
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/ProcessingInstruction.cpp
    M Source/WebCore/xml/XSLTProcessor.idl

  Log Message:
  -----------
  [Lockdown Mode] Disable XSLT parsing for WebKit in Lockdown Mode
https://bugs.webkit.org/show_bug.cgi?id=295107
<rdar://problem/151845594>

Reviewed by Ryosuke Niwa.

This patch disables XSLT support when in Lockdown Mode by removing
access to the XSLTProcessor constructor to prevent JavaScript usage,
and preventing detection of a stylesheet as XSL unless a newly
introduced feature flag is enabled.

The feature flag is enabled by default and disabled in LDM to prevent
any change in current behaviour.

Added LayoutTests that ensure XSLTProcessor is inaccessible, and suitably
check an XML document with a stylesheet is not processed when in LDM.

* LayoutTests/dom/xsl/lockdown-mode/XSLT-disabled-expected.txt: Added.
* LayoutTests/dom/xsl/lockdown-mode/XSLT-disabled.html: Added.
* LayoutTests/dom/xsl/lockdown-mode/resources/XSLT-disabled.xml: Added.
* LayoutTests/dom/xsl/lockdown-mode/resources/XSLT-disabled.xsl: Added.
* LayoutTests/js/dom/lockdown-mode/XSLTProcessor-disabled-expected.txt: Added.
* LayoutTests/js/dom/lockdown-mode/XSLTProcessor-disabled.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* LayoutTests/platform/mac-wk1/TestExpectations:
* LayoutTests/platform/win/TestExpectations:
* LayoutTests/platform/wpe/TestExpectations:
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebCore/bindings/js/WebCoreBuiltinNames.h:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::scheduleToApplyXSLTransforms):
(WebCore::Document::applyPendingXSLTransformsTimerFired):
* Source/WebCore/dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::checkStyleSheet):
* Source/WebCore/xml/XSLTProcessor.idl:

Canonical link: https://commits.webkit.org/297851@main


