Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 248f89aa4518e99734efa4e0b897a7def9f2bcfa
https://github.com/WebKit/WebKit/commit/248f89aa4518e99734efa4e0b897a7def9f2bcfa
Author: Chris Dumez <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check-expected.txt
A LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check.html
M LayoutTests/platform/glib/TestExpectations
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
[WebKit Process Model] missing MESSAGE_CHECK_URL on error.failingURL() in WebPageProxy::didFailLoadForFrame
https://bugs.webkit.org/show_bug.cgi?id=314873
rdar://176912820
Reviewed by Ryosuke Niwa.

WebPageProxy::didFailLoadForFrame accepts a WebCore::ResourceError from the
WebContent process and forwards it to the embedding client without validating
error.failingURL() against the sending process's allowed URL set. The sibling
handler didFailProvisionalLoadForFrameShared already performs this check. On
iOS, MobileSafari feeds the unchecked failingURL back into
`-[WKWebView _loadAlternateHTMLString:baseURL:forUnreachableURL:]`, which causes
WebPageProxy::loadAlternateHTML to grant the sending WebContent process read
access to an attacker-chosen file:// directory in both the UI process and the
Network process.

Add MESSAGE_CHECK_URL(process, error.failingURL()) to
WebPageProxy::didFailLoadForFrame, mirroring
didFailProvisionalLoadForFrameShared, so a compromised WebContent process that
forges a file:// failingURL is terminated before the error reaches the
navigation client.

Test: http/tests/ipc/webpageproxy-didfailload-failingurl-message-check.html

* LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check-expected.txt: Added.
* LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check.html: Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didFailLoadForFrame):

Originally-landed-as: 305413.916@safari-7624-branch (e6341887dd92).
rdar://180438310
Canonical link: https://commits.webkit.org/316472@main
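
Added example, not part of the commit and not WebKit's code: a simplified C++ model of the pattern the log message describes, where a trusted process validates a URL carried in a message from a sandboxed child before any client can act on it. ChildProcess, NavigationClient, urlAllowedFrom, handleDidFailLoad and the allow policy itself are assumptions made for illustration.

```cpp
#include <string>
#include <vector>
// Simplified model, not WebKit code. All names here are hypothetical.
struct ChildProcess {
    std::vector<std::string> grantedDirs; // each ends in '/', chosen by the trusted side
    bool terminated = false;
};
struct NavigationClient {
    std::vector<std::string> failedURLs; // what the embedder later acts on
};

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Assumed policy: non-file URLs pass; a file:// URL passes only if its path lies
// inside a directory already granted to this sender. Input is assumed normalized.
bool urlAllowedFrom(const ChildProcess& p, const std::string& url) {
    const std::string scheme = "file://";
    if (!startsWith(url, scheme))
        return true;
    const std::string path = url.substr(scheme.size());
    if (path.find("/..") != std::string::npos) // no climbing out of a granted dir
        return false;
    for (const auto& dir : p.grantedDirs)
        if (startsWith(path, dir))
            return true;
    return false;
}

// Handler for a "load failed" message. Returns true only if the error was
// forwarded; a sender that fails the check is marked terminated instead.
bool handleDidFailLoad(ChildProcess& sender, NavigationClient& client, const std::string& failingURL) {
    if (sender.terminated)
        return false;
    if (!urlAllowedFrom(sender, failingURL)) {
        sender.terminated = true;
        return false;
    }
    client.failedURLs.push_back(failingURL);
    return true;
}

int main() {
    ChildProcess p;
    p.grantedDirs.push_back("/app/errorpages/"); // constructed sample grant
    NavigationClient c;
    handleDidFailLoad(p, c, "file:///private/data/"); // constructed out-of-grant URL
    return (p.terminated && c.failedURLs.empty()) ? 0 : 1;
}
```

The check runs in the message handler itself, so the client never sees a value the sender was not entitled to name.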