Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 972966afe6de9b139ab0d53809b9eb5dbcedb69b
https://github.com/WebKit/WebKit/commit/972966afe6de9b139ab0d53809b9eb5dbcedb69b
Author: Alex Christensen <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebKit/Shared/API/Cocoa/RemoteObjectRegistry.h
M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
M Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm
M Source/WebKit/UIProcess/PageClient.h
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
M Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
M Source/WebKit/UIProcess/mac/WebViewImpl.mm
Log Message:
-----------
Only allow sending to _WKRemoteObjectRegistry of a page in the sending process
rdar://176912453
Reviewed by Chris Dumez.
If a compromised web content process somehow gets the identifier of another WebPageProxy
in the same WebProcessPool, it could send messages to that page's _WKRemoteObjectRegistry.
This reconfigures the registration and message dispatching so that only a page that is
known to be used by the current WebProcessProxy can receive IPC to its _WKRemoteObjectRegistry.
* Source/WebKit/Shared/API/Cocoa/RemoteObjectRegistry.h:
* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView dealloc]):
(-[WKWebView _remoteObjectRegistry]):
* Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm:
(WebKit::WebPageProxy::remoteObjectRegistry):
(WebKit::WebPageProxy::uiRemoteObjectRegistry):
* Source/WebKit/UIProcess/PageClient.h:
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::handleRemoteObjectRegistryMessage):
(WebKit::WebProcessProxy::dispatchMessage):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
(WebKit::PageClientImpl::remoteObjectRegistry): Deleted.
* Source/WebKit/UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::remoteObjectRegistry): Deleted.
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(WebKit::WebViewImpl::~WebViewImpl):
(WebKit::WebViewImpl::remoteObjectRegistry):
Originally-landed-as: 305413.962@safari-7624-branch (dcf51f6e5ef7).
rdar://180437303
Canonical link: https://commits.webkit.org/316400@main
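
The check the log message describes, modeled as an added example. This is not WebKit source: `Pool`, `ProcessProxy`, `Registry` and both dispatch functions are hypothetical names, and the page IDs are constructed. It contrasts routing on a sender-supplied page identifier with routing only to pages the sending process is known to host.

```cpp
// Added illustration: a simplified model, not WebKit source.
// Every type and function name here is hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

using PageID = std::uint64_t;

struct Registry {                    // stands in for one page's remote object registry
    std::vector<std::string> received;
    void deliver(const std::string& body) { received.push_back(body); }
};

struct Pool {                        // state shared by every process in the pool
    std::map<PageID, Registry> registries;
};

struct ProcessProxy {                // UI-process view of one content process
    Pool& pool;
    std::set<PageID> pages;          // pages this content process actually hosts

    // Before: the destination ID carried in the message is trusted, so any
    // registry in the pool is reachable once its identifier is known.
    bool dispatchPoolWide(PageID dest, const std::string& body) {
        auto it = pool.registries.find(dest);
        if (it == pool.registries.end()) return false;
        it->second.deliver(body);
        return true;
    }

    // After: the sender's own page set is consulted first; an ID the sender
    // does not host is dropped even though it exists elsewhere in the pool.
    bool dispatchOwnedOnly(PageID dest, const std::string& body) {
        if (pages.count(dest) == 0) return false;
        return dispatchPoolWide(dest, body);
    }
};

int main() {
    Pool pool;                       // constructed sample: pages 1 and 2
    pool.registries[1] = Registry{};
    pool.registries[2] = Registry{};
    ProcessProxy other{pool, {2}};   // hosts page 2 only
    std::printf("pool-wide to page 1: %d\n", other.dispatchPoolWide(1, "msg"));
    std::printf("owned-only to page 1: %d\n", other.dispatchOwnedOnly(1, "msg"));
    return 0;
}
```

The ownership test sits in the per-process dispatcher, so the decision uses state the UI process maintains rather than anything the message itself asserts.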