Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e30ca29fe97301994a1d6c66ab56fcc1aff66d3f
https://github.com/WebKit/WebKit/commit/e30ca29fe97301994a1d6c66ab56fcc1aff66d3f
Author: Rupin Mittal <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Add cookie access validation to startDownload() and
convertMainResourceLoadToDownload() to prevent CSRF
https://bugs.webkit.org/show_bug.cgi?id=314298
rdar://173378006
Reviewed by Alex Christensen.
NetworkConnectionToWebProcess::startDownload() and
NetworkConnectionToWebProcess::convertMainResourceLoadToDownload() do not
validate the firstPartyForCookies in the requests sent to them by the web
process. So a web process could send in a cross-site origin, leading to
requests being sent to this cross-site origin that contain the cookies for
this origin. So these requests would be seen as legitimate even though they
did not come from the user. We fix this by adding message checks to confirm
that the web process indeed has cookie access to the origin it is sending
as the firstPartyForCookies.
This breaks a number of tests. For example,
TEST(_WKDownload, DownloadRequestOriginalURLDirectDownload) crashes at the
ASSERT_NOT_REACHED(); in NetworkProcess::allowsFirstPartyForCookies because
the web process hasn't been added to the map (since the policy decision is
PolicyAction::Download and that codepath doesn't add the web process to the
map). So we modify the MESSAGE_CHECK to only occur if the passed in request
contains a non-empty firstPartyForCookies. That way, we guard against an
arbitrary domain being used.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::startDownload):
(WebKit::NetworkConnectionToWebProcess::convertMainResourceLoadToDownload):
Originally-landed-as: 305413.882@safari-7624-branch (12dccb08af3d).
rdar://173378006
Canonical link: https://commits.webkit.org/314583@main
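The validation the commit message describes, modelled as an added standalone C++ example (not WebKit's own code): a per-process map of first-party sites, an `allowsFirstPartyForCookies` lookup that denies unregistered processes, and the message check with the empty-`firstPartyForCookies` carve-out. The class, function names and the simplified host-suffix matching are assumptions for illustration; WebKit's real API and RegistrableDomain logic differ.

```cpp
#include <map>
#include <set>
#include <string>

// Simplified model of the network process's per-web-process cookie-access map.
// All names and structure here are assumptions for illustration, not WebKit's API.
using WebProcessIdentifier = unsigned;

struct DownloadRequest {
    std::string url;                  // resource being downloaded
    std::string firstPartyForCookies; // host the web process claims as first party
};

class NetworkProcessModel {
public:
    // Called when a web process is committed to a site and may use its cookies.
    void addAllowedFirstParty(WebProcessIdentifier id, const std::string& domain) {
        m_allowed[id].insert(domain);
    }

    // Mirrors the intent of NetworkProcess::allowsFirstPartyForCookies: a process
    // absent from the map gets no cookie access (WebKit asserts in that case).
    // Matching is host == domain or host ends with "." + domain (simplified eTLD+1).
    bool allowsFirstPartyForCookies(WebProcessIdentifier id, const std::string& host) const {
        auto it = m_allowed.find(id);
        if (it == m_allowed.end())
            return false;
        for (const auto& domain : it->second) {
            bool suffixMatch = host.size() > domain.size()
                && host.compare(host.size() - domain.size() - 1, domain.size() + 1, "." + domain) == 0;
            if (host == domain || suffixMatch)
                return true;
        }
        return false;
    }

    // The message check from the commit: refuse a download request whose
    // firstPartyForCookies names a site the sending process may not access.
    // An empty firstPartyForCookies is accepted, matching the carve-out the
    // commit message describes for the PolicyAction::Download code path.
    bool startDownload(WebProcessIdentifier id, const DownloadRequest& request) const {
        if (!request.firstPartyForCookies.empty()
            && !allowsFirstPartyForCookies(id, request.firstPartyForCookies))
            return false; // MESSAGE_CHECK failure: the request is dropped
        return true;
    }

private:
    std::map<WebProcessIdentifier, std::set<std::string>> m_allowed;
};

// Constructed scenario: web process 1 is registered for example.com only.
NetworkProcessModel makeModel() {
    NetworkProcessModel np;
    np.addAllowedFirstParty(1, "example.com");
    return np;
}
```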