Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 315ac3073a08ffac128b256244e4ce12d049d4d1
https://github.com/WebKit/WebKit/commit/315ac3073a08ffac128b256244e4ce12d049d4d1
Author: Pascoe <[email protected]>
Date: 2026-06-16 (Tue, 16 Jun 2026)
Changed paths:
A
LayoutTests/http/tests/ipc/web-authenticator-get-assertion-spoofed-origin-crash-expected.txt
A
LayoutTests/http/tests/ipc/web-authenticator-get-assertion-spoofed-origin-crash.html
A
LayoutTests/http/tests/ipc/web-authenticator-make-credential-spoofed-origin-crash-expected.txt
A
LayoutTests/http/tests/ipc/web-authenticator-make-credential-spoofed-origin-crash.html
M LayoutTests/platform/wk2/TestExpectations
M
Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp
M
Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h
Log Message:
-----------
Message check security origin during webauthn calls
https://bugs.webkit.org/show_bug.cgi?id=311432
rdar://172383653
Reviewed by Charlie Wolfe.
A compromised WebContent process could spoof the securityOrigin in
FrameInfoData or the parentOrigin parameter when sending WebAuthn
MakeCredential/GetAssertion IPC messages to the UI process. This
would let an attacker page impersonate a different origin (e.g.
a bank) for credential creation or assertion.
This patch adds MESSAGE_CHECKs to prevent that.
Tests: http/tests/ipc/web-authenticator-get-assertion-spoofed-origin-crash.html
http/tests/ipc/web-authenticator-make-credential-spoofed-origin-crash.html
*
LayoutTests/http/tests/ipc/web-authenticator-get-assertion-spoofed-origin-crash-expected.txt:
Added.
*
LayoutTests/http/tests/ipc/web-authenticator-get-assertion-spoofed-origin-crash.html:
Added.
*
LayoutTests/http/tests/ipc/web-authenticator-make-credential-spoofed-origin-crash-expected.txt:
Added.
*
LayoutTests/http/tests/ipc/web-authenticator-make-credential-spoofed-origin-crash.html:
Added.
* LayoutTests/platform/wk2/TestExpectations: Skip the WebContent-terminating
origin-spoof tests in Debug, matching the other IPC MESSAGE_CHECK tests that
crash (as expected) in debug.
*
Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:
(WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
(WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
* Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h:
Originally-landed-as: 305413.645@rapid/safari-7624.2.5.110-branch
(b03dc2a73211). rdar://176059128
Canonical link: https://commits.webkit.org/315323@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications