Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1ad0d2a7c3b7af30ae4b1baf4fdd544d52276b53
https://github.com/WebKit/WebKit/commit/1ad0d2a7c3b7af30ae4b1baf4fdd544d52276b53
Author: Chris Dumez <[email protected]>
Date: 2026-05-29 (Fri, 29 May 2026)
Changed paths:
M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
M Source/WebKit/UIProcess/RemotePageProxy.cpp
M Source/WebKit/UIProcess/SuspendedPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
Log Message:
-----------
Cross-Process Page Identity Confusion in didPostMessage
https://bugs.webkit.org/show_bug.cgi?id=310078
rdar://172392170

Reviewed by Brady Eidson and Ryosuke Niwa.

WebProcessProxy::didPostMessage() may look up a WebPageProxy belonging
to another web process if given a bad WebPageProxyIdentifier from a
compromised WebProcess.

Address the issue by adding a MESSAGE_CHECK that checks that the page
is associated with the current WebProcess, using the pre-existing
WebProcessProxy::isAssociatedWithPage() utility function. Note that I
had to tweak isAssociatedWithPage() to also check m_remotePages to keep
site isolation tests working.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::commitProvisionalPage):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::addPagePendingClose):
(WebKit::WebProcessProxy::removePagePendingClose):
(WebKit::WebProcessProxy::isAssociatedWithPage const):
(WebKit::WebProcessProxy::didPostMessage):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::closeWithReply):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:

Originally-landed-as: 305413.544@rapid/safari-7624.2.5.110-branch
(1c245d737355). rdar://176061205

Canonical link: https://commits.webkit.org/314178@main
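The hardening the log message describes, modelled as an added C++ example that is not WebKit's code: a process proxy must confirm that a sender-supplied page identifier refers to a page it actually hosts (own pages or site-isolation remote pages) before the UI process acts on it. PageProxy, ProcessProxy, allPages, the message names and the page/process numbers are constructed stand-ins for the real WebKit types.

```cpp
// Added example, not WebKit code: a minimal model of the check the commit adds.
// A process proxy receives a message naming a page by identifier; before the UI
// process acts on it, the page must be one the sender actually hosts (its own
// pages or its site-isolation remote pages). All names here are hypothetical.
#include <cstdint>
#include <map>
#include <set>
#include <string>
using PageIdentifier = uint64_t;
using ProcessIdentifier = uint32_t;
struct PageProxy {
    ProcessIdentifier owningProcess;
    std::string lastPostedMessage; // state a forged message could corrupt
};
// Global table of every page in the UI process, across all web processes.
static std::map<PageIdentifier, PageProxy> allPages;
struct ProcessProxy {
    ProcessIdentifier id;
    std::set<PageIdentifier> pages;        // pages hosted by this process
    std::set<PageIdentifier> remotePages;  // remote pages (site isolation)
    bool terminated = false;
    // Same intent as isAssociatedWithPage(): own pages or remote pages count.
    bool isAssociatedWithPage(PageIdentifier pageID) const {
        return pages.count(pageID) || remotePages.count(pageID);
    }
    // Vulnerable shape: a sender-supplied identifier is looked up in the global
    // table, so a compromised process can reach another process's page.
    bool didPostMessageUnchecked(PageIdentifier pageID, const std::string& msg) {
        auto it = allPages.find(pageID);
        if (it == allPages.end()) return false;
        it->second.lastPostedMessage = msg;
        return true;
    }
    // Hardened shape: MESSAGE_CHECK-style validation. An identifier the sender is
    // not associated with is a malformed IPC message: stop and terminate sender.
    bool didPostMessageChecked(PageIdentifier pageID, const std::string& msg) {
        if (!isAssociatedWithPage(pageID)) { terminated = true; return false; }
        return didPostMessageUnchecked(pageID, msg);
    }
};
// Constructed scenario: process 1 hosts page 10, process 2 hosts page 20, and
// process 1 sends a message naming page 20. True if the cross-process write landed.
bool crossProcessWriteLanded(bool useCheck, bool remoteInSender = false) {
    allPages = {{10, {1, ""}}, {20, {2, ""}}};
    ProcessProxy p1{1, {10}, {}};
    if (remoteInSender) p1.remotePages.insert(20); // legitimate site-isolation case
    bool ok = useCheck ? p1.didPostMessageChecked(20, "forged")
                       : p1.didPostMessageUnchecked(20, "forged");
    return ok && allPages[20].lastPostedMessage == "forged";
}
```

The third case is why the commit notes the tweak to isAssociatedWithPage(): without counting remote pages, the check would also reject legitimate site-isolation traffic.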