Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 675c62d66e3cfa45f2a6206bdd5f1ca9fd59cc09
https://github.com/WebKit/WebKit/commit/675c62d66e3cfa45f2a6206bdd5f1ca9fd59cc09
Author: Brady Eidson <[email protected]>
Date: 2026-06-03 (Wed, 03 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/WebFrameProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/Badging.mm
Log Message:
-----------
App Badge origin spoofing from `window` contexts
rdar://173194716
Reviewed by Anne van Kesteren.
A compromised web process can send an arbitrary message to the UI process to change the app badge from page domain.
This is similar to 305413.558@safari-7624-branch but a different message to spoof the origin and different code path to receive it.
The fix is basically the same - message check that the requested origin is allowed to come from both the web process in consideration.
Also comes with a test crafting this attack message.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/Badging.mm
* Source/WebKit/UIProcess/WebFrameProxy.cpp:
(WebKit::WebFrameProxy::setAppBadge):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/Badging.mm:
((Badging, SetAppBadgeFromWorkerOriginSpoof)):
((Badging, SetAppBadgeFromFrameOriginSpoof)):
Originally-landed-as: 305413.573@rapid/safari-7624.2.5.110-branch (3654a1bdf8a2). rdar://176062366
Canonical link: https://commits.webkit.org/314468@main
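
The kind of check the log message describes, modeled as an added sketch that is not WebKit's code: the receiver accepts an origin named in a badge message only if it already associates that origin with the sending process. Every name here (`UIProcess`, `didCommitLoad`, `badgeFor`, the `Origin` struct) and the sample origins are hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <set>
#include <string>
#include <tuple>
// Added sketch, not WebKit code: all names below are hypothetical.
using ProcessID = uint64_t;

struct Origin {
    std::string scheme, host;
    uint16_t port;
    bool operator<(const Origin& o) const {
        return std::tie(scheme, host, port) < std::tie(o.scheme, o.host, o.port);
    }
};

class UIProcess {
public:
    // Recorded from the UI process's own view of navigation, never from message contents.
    void didCommitLoad(ProcessID pid, const Origin& origin) { m_allowed[pid].insert(origin); }

    // IPC receiver. `claimed` is attacker-controlled when the sender is compromised,
    // so it is only honoured if this sender is known to host that origin.
    bool setAppBadge(ProcessID sender, const Origin& claimed, uint64_t badge) {
        auto it = m_allowed.find(sender);
        if (it == m_allowed.end() || !it->second.count(claimed))
            return false; // badge state for `claimed` is left untouched
        m_badges[claimed] = badge;
        return true;
    }

    std::optional<uint64_t> badgeFor(const Origin& o) const {
        auto it = m_badges.find(o);
        if (it == m_badges.end()) return std::nullopt;
        return it->second;
    }
private:
    std::map<ProcessID, std::set<Origin>> m_allowed; // origins each process may speak for
    std::map<Origin, uint64_t> m_badges;
};

int main() { // constructed scenario: process 1 hosts shop.example, names bank.example
    UIProcess ui;
    ui.didCommitLoad(1, {"https", "shop.example", 443});
    bool spoofAccepted = ui.setAppBadge(1, {"https", "bank.example", 443}, 99);
    return spoofAccepted ? 1 : 0; // exits 0 because the spoofed message is rejected
}
```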