Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 972966afe6de9b139ab0d53809b9eb5dbcedb69b
      
https://github.com/WebKit/WebKit/commit/972966afe6de9b139ab0d53809b9eb5dbcedb69b
  Author: Alex Christensen <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebKit/Shared/API/Cocoa/RemoteObjectRegistry.h
    M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
    M Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/UIProcess/mac/PageClientImplMac.h
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
    M Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
    M Source/WebKit/UIProcess/mac/WebViewImpl.mm

  Log Message:
  -----------
  Only allow sending to _WKRemoteObjectRegistry of a page in the sending process
rdar://176912453

Reviewed by Chris Dumez.

If a compromised web content process somehow gets the identifier of another WebPageProxy
in the same WebProcessPool, it could send messages to that page's _WKRemoteObjectRegistry.
This reconfigures the registration and message dispatching so that only a page that is
known to be used by the current WebProcessProxy can receive IPC to its _WKRemoteObjectRegistry.

* Source/WebKit/Shared/API/Cocoa/RemoteObjectRegistry.h:
* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView dealloc]):
(-[WKWebView _remoteObjectRegistry]):
* Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm:
(WebKit::WebPageProxy::remoteObjectRegistry):
(WebKit::WebPageProxy::uiRemoteObjectRegistry):
* Source/WebKit/UIProcess/PageClient.h:
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::handleRemoteObjectRegistryMessage):
(WebKit::WebProcessProxy::dispatchMessage):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
(WebKit::PageClientImpl::remoteObjectRegistry): Deleted.
* Source/WebKit/UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::remoteObjectRegistry): Deleted.
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(WebKit::WebViewImpl::~WebViewImpl):
(WebKit::WebViewImpl::remoteObjectRegistry):

Originally-landed-as: 305413.962@safari-7624-branch (dcf51f6e5ef7). rdar://180437303
Canonical link: https://commits.webkit.org/316400@main
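
The check the log message describes, as an added example that is not part of the commit or of WebKit's source: a simplified model in which a pool-wide lookup accepts any page identifier, while a per-process lookup accepts only pages the sending process hosts. Pool, Registry, ProcessProxy, both dispatch functions and the page identifiers are hypothetical names and constructed values.

```cpp
// Simplified model of the check described in the log message; not WebKit source.
// Pool, Registry, ProcessProxy and both dispatch functions are hypothetical names.
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

using PageID = uint64_t;

struct Registry { std::vector<std::string> received; }; // one page's remote object registry
struct Pool { std::unordered_map<PageID, Registry> registries; }; // every page in the pool

class ProcessProxy { // UI-process object representing one web content process
public:
    explicit ProcessProxy(Pool& pool) : m_pool(pool) {}
    void addPage(PageID id) { m_pages.insert(id); m_pool.registries[id]; }
    void removePage(PageID id) { m_pages.erase(id); }

    // Before: any identifier that resolves anywhere in the pool is accepted.
    bool dispatchPoolWide(PageID dest, const std::string& msg) {
        auto it = m_pool.registries.find(dest);
        if (it == m_pool.registries.end())
            return false;
        it->second.received.push_back(msg);
        return true;
    }

    // After: the sender-supplied identifier must name a page this process hosts.
    bool dispatchScoped(PageID dest, const std::string& msg) {
        if (!m_pages.count(dest))
            return false; // foreign or stale page: drop the message
        return dispatchPoolWide(dest, msg);
    }

private:
    Pool& m_pool;
    std::unordered_set<PageID> m_pages; // pages known to be used by this process
};

int main() {
    Pool pool;
    ProcessProxy a(pool), b(pool);
    a.addPage(1); // constructed identifiers
    b.addPage(2);
    std::cout << "pool-wide, b -> page 1: " << b.dispatchPoolWide(1, "m") << "\n";
    std::cout << "scoped,    b -> page 1: " << b.dispatchScoped(1, "m") << "\n";
    std::cout << "scoped,    b -> page 2: " << b.dispatchScoped(2, "m") << "\n";
}
```

The scoped path treats the identifier in the message as untrusted input and resolves it only against state the UI process itself recorded for that sender.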
