[webkit-changes] [WebKit/WebKit] 0429bb: Cherry-pick 289651.561@safari-7621-branch (79d73e8...

Thu, 31 Jul 2025 19:27:47 -0700 

  Branch: refs/heads/webkitglib/2.48
  Home:   https://github.com/WebKit/WebKit
  Commit: 0429bb40ea0f3df54da26a59b52682bf04df0f98
      
https://github.com/WebKit/WebKit/commit/0429bb40ea0f3df54da26a59b52682bf04df0f98
  Author: Rupin Mittal <ru...@apple.com>
  Date:   2025-07-31 (Thu, 31 Jul 2025)

  Changed paths:
    M Source/WebKit/UIProcess/API/APINavigationResponse.cpp
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm

  Log Message:
  -----------
  Cherry-pick 289651.561@safari-7621-branch (79d73e8fd28f). 
https://bugs.webkit.org/show_bug.cgi?id=287662

    Download Origin Spoof via Back Navigation Triggers Automatic Download
    https://bugs.webkit.org/show_bug.cgi?id=293994
    rdar://150453890

    Reviewed by Brady Eidson.

    When a download is triggered, WebKit calls the delegate function:
    download:decideDestinationUsingResponse:suggestedFilename:completionHandler
    and passes in a WKDownload object. The client may use the originatingFrame
    property of the WKDownload to show which domain is asking for a download.

    In the case where the download is started as a result of a back-forward
    navigation, WebKit currently says the originatingFrame is the frame that
    is currently displayed in the WebView that is on the screen. Which means
    the following sequence of events is possible:

    1. Navigate to site1.com
    2. Navigate to site2.com
    3. Go back <--- somehow this starts a download
                    (maybe a malicicous script intervenes)
    4. A prompt may show saying that "site2.com wants to start a download"

    But site2 did not start the download. This message is misleading.

    We fix this by ensuring that if a back-forward navigation is converted
    to a download, the originating frame information is empty, rather than
    being the information of the site currently displayed in the WebView.

    A second scenario is also possible:

    1. Navigate to site1.com
    2. User types in site2.com to navigate there <--- somehow starting a 
download
                                                      (maybe a malicicous 
script intervenes)
    3. A prompt may show saying that "site1.com wants to start a download"

    Again, the download should not be attributed to site1.

    We make the same change here--if a client initiated navigation starts a
    download, the originating frame information is empty, rather than
    being the information of the site currently displayed in the WebView.

    This is tested by two new API tests.

    * Source/WebKit/UIProcess/API/APINavigation.h:
    (API::Navigation::originatingFrameInfo const):
    * Source/WebKit/UIProcess/API/APINavigationResponse.cpp:
    (API::NavigationResponse::navigationInitiatingFrame):
    * Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp:
    (WebKit::legacyEmptyFrameInfo):
    (WebKit::DownloadProxy::DownloadProxy):
    * Source/WebKit/UIProcess/Downloads/DownloadProxy.h:
    * Source/WebKit/UIProcess/Downloads/DownloadProxyMap.cpp:
    (WebKit::DownloadProxyMap::createDownloadProxy):
    * Source/WebKit/UIProcess/Downloads/DownloadProxyMap.h:
    * Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
    (WebKit::NetworkProcessProxy::createDownloadProxy):
    * Source/WebKit/UIProcess/Network/NetworkProcessProxy.h:
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::downloadOriginatingPage):

    (WebKit::WebPageProxy::receivedPolicyDecision):
    (WebKit::WebPageProxy::receivedNavigationResponsePolicyDecision):

    A DownloadProxy is created in receivedPolicyDecision and in
    receivedNavigationResponsePolicyDecision. This will contain the
    originating frame information that could be used later to attribute
    the download to a site.

    Here, we'll check if the download began a result of a back-forward
    navigation (true if there is a 'targetItem') or if it began as a
    result of a 'ClientOrUserInput' which signifies UI in the client being
    used to programmatically trigger a navigation (typing in the search bar,
    using the browser back button, etc).

    In both cases, we set the originating frame information to be empty.

    (WebKit::WebPageProxy::decidePolicyForNavigationAction):
    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::createDownloadProxy):
    * Source/WebKit/UIProcess/WebProcessPool.h:
    * Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp:
    (WebKit::WebsiteDataStore::createDownloadProxy):
    * Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.h:
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm:
    (TestWebKitAPI::OriginatingFrameAndUserGesture)):
    (TestWebKitAPI::OriginatingFrameWhenConvertingNavigationInNewWindow)):
    (TestWebKitAPI::OriginatingFrameHostWhenDownloadComesFromGoBackNavigation)):
    
(TestWebKitAPI::OriginatingFrameHostWhenDownloadComesFromClientInputNavigation)):

    Canonical link: https://commits.webkit.org/289651.561@safari-7621-branch

Canonical link: https://commits.webkit.org/290945.338@webkitglib/2.48



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to