Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 67f6b8d3867e7f20922ebd332882d7dd063d0f0d
      
https://github.com/WebKit/WebKit/commit/67f6b8d3867e7f20922ebd332882d7dd063d0f0d
  Author: Charlie Wolfe <[email protected]>
  Date:   2026-01-21 (Wed, 21 Jan 2026)

  Changed paths:
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WebCore/Modules/fetch/FetchLoader.cpp
    M Source/WebCore/dom/ScriptExecutionContext.cpp
    M Source/WebCore/page/ScriptTrackingPrivacyCategory.cpp
    M Source/WebCore/page/ScriptTrackingPrivacyCategory.h
    M Source/WebCore/xml/XMLHttpRequest.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ScriptTrackingPrivacyTests.mm

  Log Message:
  -----------
  Block fetch and XHR requests coming from tainted scripts
https://bugs.webkit.org/show_bug.cgi?id=305876
rdar://168542075

Reviewed by Wenson Hsieh and Matthew Finkel.

This change begins implementing a feature to block network requests coming from tainted scripts. For now,
this only affects fetch and XHR and will prevent the request from being sent.

This is controlled by the `ScriptTrackingPrivacyNetworkRequestBlockingEnabled` setting, which is off by
default.

Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/ScriptTrackingPrivacyTests.mm
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebCore/Modules/fetch/FetchLoader.cpp:
(WebCore::FetchLoader::start):
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::requiresScriptTrackingPrivacyProtection):
* Source/WebCore/page/ScriptTrackingPrivacyCategory.cpp:
(WebCore::description):
(WebCore::scriptCategoryAsFlag):
(WebCore::shouldEnableScriptTrackingPrivacy):
* Source/WebCore/page/ScriptTrackingPrivacyCategory.h:
* Source/WebCore/xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::prepareToSend):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ScriptTrackingPrivacyTests.mm:
(TestWebKitAPI::setUpWebViewForFingerprintingTests):
(TestWebKitAPI::(ScriptTrackingPrivacyTests, FetchBlocked)):
(TestWebKitAPI::(ScriptTrackingPrivacyTests, XHRBlocked)):
(TestWebKitAPI::(ScriptTrackingPrivacyTests, SyncXHRBlocked)):

Canonical link: https://commits.webkit.org/305956@main


