Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ee2072d3d9d0bb6e4b0517410b24e95fa0f030c1
      
https://github.com/WebKit/WebKit/commit/ee2072d3d9d0bb6e4b0517410b24e95fa0f030c1
  Author: Pascoe <[email protected]>
  Date:   2026-03-20 (Fri, 20 Mar 2026)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.mm
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm

  Log Message:
  -----------
  Move SO authorization window check from shouldStartInternal to beginAuthorizationIfReady
https://bugs.webkit.org/show_bug.cgi?id=310054
rdar://89821910

Reviewed by Abrar Rahman Protyasha and Brent Fulgham.

When a web view was not in a window, shouldStartInternal() entered Waiting
state before calling start(). This meant decidePolicyForSOAuthorizationLoad
never fired while the web view was detached — so clients had no way to learn
that SO authorization was pending. To work around this, clients were forced to
call _web_canPerformAuthorizationWithURL: synchronously in
decidePolicyForNavigationAction to detect AppSSO-eligible URLs and attach the
web view preemptively. This synchronous XPC call to the AppSSO daemon can block
the main thread indefinitely under system pressure.

This patch fires decidePolicyForSOAuthorizationLoad regardless of window state,
letting clients handle SO authorization through the proper async policy
delegate instead of synchronous URL sniffing.

Changes:

- shouldStartInternal() always calls start(). Hints are fetched and the policy
  delegate fires even when detached.

- New beginAuthorizationIfReady() override in NavigationSOAuthorizationSession
  checks isInWindow() after the policy decision. If the delegate returned Allow
  and attached the web view, authorization proceeds immediately. Otherwise the
  session enters Waiting and resumes when the web view is later attached. If
  the delegate returned Ignore, the session falls back to the web path.

- webViewDidMoveToWindow() calls beginAuthorizationIfReady() instead of
  start(), avoiding redundant hints fetching and policy re-evaluation on
  resume.

- Hints completion now calls fallBackToWebPath() on nil/error hints instead of
  silently returning, which leaked the session and hung the navigation.

Updated three existing waiting-session tests to expect
policyForAppSSOPerformed before window attachment (previously policy never
fired while detached). Added five new tests:

- InterceptionSucceedWithWaitingSessionPolicyIgnore: policy returns Ignore
  while detached, session falls back to web path without entering Waiting.

- InterceptionSucceedAsyncPolicyWindowAttachedBeforeResponse: async policy
  delegate, window attached before response completes, authorization proceeds
  directly without Waiting. This is the primary client use case — attaching the
  web view during the policy callback.

- InterceptionSucceedAsyncPolicyEntersWaiting: async policy returns Allow while
  still detached, session enters Waiting, resumes on window attachment.

- InterceptionSucceedWindowAttachedDuringHints: window attached between
  navigation policy and SO authorization start, authorization proceeds directly.

- InterceptionNilHintsFallsBackToWebPath: nil hints trigger fallBackToWebPath,
  navigation completes normally.

* Source/WebKit/UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.h:
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.mm:
(WebKit::NavigationSOAuthorizationSession::shouldStartInternal):
(WebKit::NavigationSOAuthorizationSession::beginAuthorizationIfReady):
(WebKit::NavigationSOAuthorizationSession::webViewDidMoveToWindow):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h:
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::start):
(WebKit::SOAuthorizationSession::continueStartAfterDecidePolicy):
(WebKit::SOAuthorizationSession::beginAuthorizationIfReady):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm:
(overrideGetAuthorizationHintsWithURLNil):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionSucceedWithWaitingSession)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionAbortedWithWaitingSession)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionSucceedSuppressWaitingSession)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionSucceedWithWaitingSessionPolicyIgnore)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionSucceedAsyncPolicyWindowAttachedBeforeResponse)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionSucceedAsyncPolicyEntersWaiting)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionSucceedWindowAttachedDuringHints)):
(TestWebKitAPI::TEST(SOAuthorizationRedirect, InterceptionNilHintsFallsBackToWebPath)):

Canonical link: https://commits.webkit.org/309630@main
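
The control flow the log message describes, as an added example that is not WebKit source and not part of the commit: a simplified model in which hints are fetched first, the policy delegate fires regardless of window state, and the window check happens afterwards. State, Policy, SessionModel and run() are hypothetical names; only the method names come from the message.

```cpp
#include <cstdio>
#include <functional>

// Simplified model of the flow in the commit message above. Not WebKit source:
// State, Policy and SessionModel are constructed here; only the method names
// (start, beginAuthorizationIfReady, ...) come from the message.
enum class State { Idle, Waiting, Authorizing, WebPath };
enum class Policy { Allow, Ignore };

struct SessionModel {
    State state = State::Idle;
    bool inWindow = false;
    int hintFetches = 0, policyCalls = 0;

    // Runs whether or not the view is attached: fetch hints, then ask the delegate.
    void start(bool hintsAvailable, const std::function<Policy(SessionModel&)>& delegate) {
        ++hintFetches;
        if (!hintsAvailable) { fallBackToWebPath(); return; } // nil/error hints: no silent return
        ++policyCalls;
        if (delegate(*this) == Policy::Ignore) { fallBackToWebPath(); return; }
        beginAuthorizationIfReady();
    }
    // The window check lives here, after the policy decision.
    void beginAuthorizationIfReady() { state = inWindow ? State::Authorizing : State::Waiting; }
    // Resume path: only a Waiting session resumes; hints and policy are not repeated.
    void webViewDidMoveToWindow() {
        inWindow = true;
        if (state == State::Waiting) beginAuthorizationIfReady();
    }
    void fallBackToWebPath() { state = State::WebPath; }
};

// Drive one navigation; attachInDelegate models a client that attaches the
// web view from inside the policy callback.
SessionModel run(bool hintsAvailable, bool attachInDelegate, Policy decision) {
    SessionModel s;
    s.start(hintsAvailable, [=](SessionModel& m) {
        if (attachInDelegate) m.inWindow = true;
        return decision;
    });
    return s;
}

int main() {
    SessionModel s = run(true, false, Policy::Allow); // Allow while detached
    std::printf("state after policy: %d\n", static_cast<int>(s.state));
    s.webViewDidMoveToWindow();                       // later attachment resumes the session
    std::printf("state after attach: %d, policy calls: %d\n", static_cast<int>(s.state), s.policyCalls);
    return 0;
}
```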
