Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 841ad59485b9991f47dd40dc1c9652bc714f7231
https://github.com/WebKit/WebKit/commit/841ad59485b9991f47dd40dc1c9652bc714f7231
Author: Chris Dumez <[email protected]>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
M Source/WebKit/NetworkProcess/NetworkProcess.h
M Source/WebKit/NetworkProcess/NetworkProcess.messages.in
M Source/WebKit/Shared/NetworkProcessConnectionParameters.h
M Source/WebKit/Shared/NetworkProcessConnectionParameters.serialization.in
M Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebProcess.cpp
Log Message:
-----------
WebKit NetworkProcess: CORS bypass via unvalidated SetCORSDisablingPatterns IPC
https://bugs.webkit.org/show_bug.cgi?id=314378
rdar://173180461
Reviewed by Per Arne Vollan.
Previously, _corsDisablingPatterns flowed from UIProcess through the
WebContent process to the NetworkProcess via
Messages::NetworkConnectionToWebProcess::SetCORSDisablingPatterns. A
compromised WebContent process could send that IPC with attacker-chosen
patterns (e.g. "*://*/*") to disable CORS for arbitrary cross-origin URLs
and read the content of any site the user was authenticated to.
This patch routes the patterns directly from the trusted UIProcess to the
NetworkProcess, removing the WebContent process from the trust path:
- WebPageProxy sends Messages::NetworkProcess::SetCORSDisablingPatternsForPage
directly to the NetworkProcess (in addition to
Messages::WebPage::UpdateCORSDisablingPatterns which is still used so the
WebContent process can populate its own OriginAccessPatternsForWebProcess
singleton for WebCore-side same-origin checks).
- WebPageProxy::finishAttachingToWebProcess replays the patterns after the
page attaches to a WebProcess, covering process swaps.
- When the NetworkProcess has not yet been launched, the patterns are
delivered as part of NetworkProcessConnectionParameters when the
per-WebProcess connection is created.
The WebProcess-side IPC and synchronization code is removed:
NetworkConnectionToWebProcess::SetCORSDisablingPatterns and its handler,
WebPage::synchronizeCORSDisablingPatternsWithNetworkProcess, and its callers
in WebPage and WebProcess.
WebExtensions continue to work unchanged — the SPI still accepts the same
patterns.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::setCORSDisablingPatterns): Deleted.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::createNetworkConnectionToWebProcess):
(WebKit::NetworkProcess::setCORSDisablingPatternsForPage):
(WebKit::NetworkProcess::setCORSDisablingPatterns): Deleted.
* Source/WebKit/NetworkProcess/NetworkProcess.h:
* Source/WebKit/NetworkProcess/NetworkProcess.messages.in:
* Source/WebKit/Shared/NetworkProcessConnectionParameters.h:
* Source/WebKit/Shared/NetworkProcessConnectionParameters.serialization.in:
* Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::getNetworkProcessConnection):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::finishAttachingToWebProcess):
(WebKit::WebPageProxy::setCORSDisablingPatterns):
(WebKit::WebPageProxy::sendCORSDisablingPatternsToNetworkProcessIfNecessary):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::m_allowsImmersiveEnvironments):
(WebKit::WebPage::~WebPage):
(WebKit::WebPage::updateCORSDisablingPatterns):
(WebKit::WebPage::synchronizeCORSDisablingPatternsWithNetworkProcess): Deleted.
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::ensureNetworkProcessConnection):
Originally-landed-as: 305413.866@safari-7624-branch (916c2fe83dd8).
rdar://173180461
Canonical link: https://commits.webkit.org/314644@main
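The trust-path change described in the commit message, as an added example that is not WebKit's code: a small self-contained C++ model of the NetworkProcess side in which per-page CORS-disabling patterns can only be installed by the UIProcess, so an attacker-chosen pattern such as "*://*/*" arriving from a WebContent process has no effect. All names here (NetworkProcessModel, Sender, splitSchemeHostPath, hostMatches, pathMatches, patternMatchesURL) and the simplified "scheme://host/path" match-pattern syntax are assumptions of this example, not WebKit APIs. The model expresses the trust boundary as a sender check on one entry point; the actual patch goes further and removes the WebContent-facing message altogether, so there is no handler left to reach.

```cpp
// Added example, not WebKit code: a model of "only the UIProcess may set
// CORS-disabling patterns in the NetworkProcess". Names and pattern syntax
// are assumptions of this example.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Which process is on the other end of the IPC connection delivering a message.
enum class Sender { UIProcess, WebContentProcess };

// Simplified WebExtension-style match pattern "scheme://host/path":
//   scheme: concrete ("https") or "*" (http or https)
//   host:   concrete, "*", or "*.suffix" (suffix and all its subdomains)
//   path:   concrete, or a prefix ending in "*"
struct MatchPattern {
    std::string scheme;
    std::string host;
    std::string path;
};

// Splits "scheme://host/path"; also used for request URLs (ports, queries and
// fragments are ignored in this simplified model).
static bool splitSchemeHostPath(std::string_view text, MatchPattern& out)
{
    const auto schemeEnd = text.find("://");
    if (schemeEnd == std::string_view::npos || schemeEnd == 0)
        return false;
    const auto rest = text.substr(schemeEnd + 3);
    const auto slash = rest.find('/');
    if (slash == std::string_view::npos || slash == 0)
        return false;
    out.scheme = std::string(text.substr(0, schemeEnd));
    out.host = std::string(rest.substr(0, slash));
    out.path = std::string(rest.substr(slash));
    return true;
}

static bool hostMatches(const std::string& patternHost, const std::string& host)
{
    if (patternHost == "*")
        return true;
    if (patternHost.rfind("*.", 0) == 0) {
        const std::string suffix = patternHost.substr(1); // ".example.com"
        const std::string bare = patternHost.substr(2);   // "example.com"
        if (host == bare)
            return true;
        return host.size() > suffix.size()
            && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return patternHost == host;
}

static bool pathMatches(const std::string& patternPath, const std::string& path)
{
    if (!patternPath.empty() && patternPath.back() == '*') {
        const std::string prefix = patternPath.substr(0, patternPath.size() - 1);
        return path.compare(0, prefix.size(), prefix) == 0;
    }
    return patternPath == path;
}

static bool patternMatchesURL(const MatchPattern& pattern, const MatchPattern& url)
{
    const bool schemeOK = pattern.scheme == "*"
        ? (url.scheme == "http" || url.scheme == "https")
        : pattern.scheme == url.scheme;
    return schemeOK && hostMatches(pattern.host, url.host) && pathMatches(pattern.path, url.path);
}

// NetworkProcess side: patterns are keyed by page and accepted only from the UIProcess.
class NetworkProcessModel {
public:
    // Returns false and changes nothing unless the message came from the UIProcess
    // and every pattern parses; a WebContent process cannot widen its own exemptions.
    bool setCORSDisablingPatternsForPage(Sender sender, uint64_t pageID, const std::vector<std::string>& patterns)
    {
        if (sender != Sender::UIProcess)
            return false;
        std::vector<MatchPattern> parsed;
        for (const auto& text : patterns) {
            MatchPattern p;
            if (!splitSchemeHostPath(text, p))
                return false; // reject the whole update on a malformed pattern
            parsed.push_back(std::move(p));
        }
        m_patternsByPage[pageID] = std::move(parsed);
        return true;
    }

    // The check the NetworkProcess would consult before skipping CORS for a load.
    bool isCORSDisabledForRequest(uint64_t pageID, std::string_view requestURL) const
    {
        const auto it = m_patternsByPage.find(pageID);
        if (it == m_patternsByPage.end())
            return false;
        MatchPattern url;
        if (!splitSchemeHostPath(requestURL, url))
            return false;
        for (const auto& pattern : it->second) {
            if (patternMatchesURL(pattern, url))
                return true;
        }
        return false;
    }

private:
    std::map<uint64_t, std::vector<MatchPattern>> m_patternsByPage;
};

int main()
{
    NetworkProcessModel np;
    np.setCORSDisablingPatternsForPage(Sender::UIProcess, 1, { "*://*.example.com/*" });
    // A compromised WebContent process trying to disable CORS everywhere is ignored.
    const bool rejected = !np.setCORSDisablingPatternsForPage(Sender::WebContentProcess, 1, { "*://*/*" });
    std::printf("web-process update rejected: %d\n", rejected);
    std::printf("bank.test exempt from CORS: %d\n", np.isCORSDisabledForRequest(1, "https://bank.test/account"));
    return 0;
}
```

The point the model makes is the one the commit makes: the decision of which origins are exempt from CORS lives in the process that is trusted to make it, and the data path from the untrusted renderer never reaches the table the NetworkProcess consults.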