Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: b5e427226b97fe5d9aa37778760218cac4d292a0
      
https://github.com/WebKit/WebKit/commit/b5e427226b97fe5d9aa37778760218cac4d292a0
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/navigation-api/navigation-navigate-no-arguments-crash-expected.txt
    A LayoutTests/navigation-api/navigation-navigate-no-arguments-crash.html
    M Source/WebCore/bindings/js/JSDOMPromiseDeferred.h

  Log Message:
  -----------
  Cherry-pick 5977997682c7. https://bugs.webkit.org/show_bug.cgi?id=314944

Type confusion via raw Exception cell returned to script from callPromisePairFunction when throwVMError bypasses sentinel check
https://bugs.webkit.org/show_bug.cgi?id=314944
rdar://177031898

Reviewed by Ryosuke Niwa.

callPromisePairFunction's sentinel check `!JSValue::decode(result)` only catches the
zero empty-value sentinel returned by IDL argument conversion failures. When a
[ReturnsPromisePair] operation is called with fewer than the mandatory number of
arguments, the generated bindings hit the missing-argument check emitted by
CodeGeneratorJS.pm and `return throwVMError(...)`, which encodes a non-zero
JSC::Exception* cell rather than the empty sentinel. After
rejectPromisesWithExceptionIfAny clears the pending exception, the sentinel check
evaluates false and the raw Exception cell is returned to JavaScript.

The Exception cell has JSType=CellType (0), not JSObject. A subsequent property
store such as `victim.foo = 0xdead` goes through JSCell::putInline ->
overridesPut() == false -> asObject(this) -> jsCast<JSObject*>. On production
ARM64 builds, ASSERT_WITH_SECURITY_IMPLICATION compiles to ((void)0), so the cast
is a bare static_cast — type confusion. The resulting put allocates a Butterfly,
clobbers Exception::m_value (offset +0x08) with the Butterfly pointer, and
writes the attacker-controlled value into property storage. The next GC then
crashes in Exception::visitChildrenImpl when visitor.append(m_value) treats the
Butterfly as a JSCell and SlotVisitor::drain dereferences an invalid StructureID.

This affects all [ReturnsPromisePair] IDL operations with mandatory arguments,
notably Navigation.navigate() / reload() / traverseTo() / back() / forward().

Fix callPromisePairFunction to capture catchScope.exception() before
rejectPromisesWithExceptionIfAny clears it. If the functor threw, always rebuild
a valid result dictionary from the (now rejected) promises via
convertDictionaryToJS rather than returning the functor's return value. This
covers throwVMError, any future throw paths inside the functor, and the existing
empty-sentinel case from IDL argument conversion failures.

The non-pair callPromiseFunction is unaffected: it already discards the functor's
return value.

Test: navigation-api/navigation-navigate-no-arguments-crash.html

* LayoutTests/navigation-api/navigation-navigate-no-arguments-crash-expected.txt: Added.
* LayoutTests/navigation-api/navigation-navigate-no-arguments-crash.html: Added.
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:
(WebCore::callPromisePairFunction):

Identifier: 305413.921@safari-7624-branch

Identifier: 305877.908@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.908@webkitglib/2.52


  Commit: f4bdc9a4c75395f4a30f7921875744677b93bbed
      
https://github.com/WebKit/WebKit/commit/f4bdc9a4c75395f4a30f7921875744677b93bbed
  Author: Anand Srinivasan <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A JSTests/stress/regexp-many-non-greedy-paren-groups.js
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/JavaScriptCore/yarr/YarrJIT.cpp
    M Source/JavaScriptCore/yarr/YarrJIT.h

  Log Message:
  -----------
  Cherry-pick e6d449d59b50. https://bugs.webkit.org/show_bug.cgi?id=314589

Add size limit to Yarr generated code
https://bugs.webkit.org/show_bug.cgi?id=314589
rdar://176137052

Reviewed by Yusuke Suzuki.

Patterns with many sequential non-greedy quantified parenthesized groups
(e.g. (?:a){0,2}? repeated thousands of times) cause O(N^2) code emission
in saveParenContext/restoreParenContext, as each group saves/restores all
frame slots for the entire pattern. This patch adds a code size limit in
VM options above which the code bails out to the interpreter.

Test: JSTests/stress/regexp-many-non-greedy-paren-groups.js

* JSTests/stress/regexp-many-non-greedy-paren-groups.js: Added.
(testLargeNonGreedyParens):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
(JSC::Yarr::dumpCompileFailure):
* Source/JavaScriptCore/yarr/YarrJIT.h:

Identifier: 305413.923@safari-7624-branch

Identifier: 305877.909@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.909@webkitglib/2.52


  Commit: 2eb2233ab1340d3c8e11d48f70607fa2baaeab9c
      
https://github.com/WebKit/WebKit/commit/2eb2233ab1340d3c8e11d48f70607fa2baaeab9c
  Author: Zak Ridouh <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-child.xsl
    A LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-grandchild.py
    A LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-root.xsl
    A LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-target.xml
    A LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash-expected.txt
    A LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/xml/XSLStyleSheetLibxslt.cpp
    M Source/WebCore/xml/XSLTProcessorLibxslt.cpp

  Log Message:
  -----------
  Cherry-pick 3d12363860e5. https://bugs.webkit.org/show_bug.cgi?id=312337

Heap use-after-free of XSLStyleSheet::m_stylesheetDoc after libxslt frees imported doc on compile failure
<https://bugs.webkit.org/show_bug.cgi?id=312337>
<rdar://174646751>

Reviewed by David Kilzer and Ryosuke Niwa.

When libxslt fails to compile an imported stylesheet, it frees the
imported doc. The child XSLStyleSheet's m_stylesheetDoc becomes
dangling. If a delayed subresource later arrives and triggers
parseString(), it dereferences the freed pointer.

Fix with three layers of defense:

1. Call clearDocuments() on the failure path in transformToString(),
  matching the success path, to null out dangling doc pointers.
2. Skip dict-sharing in parseString() when the parent's doc has been
  handed to libxslt (m_stylesheetDocTaken), since libxslt may have
  freed it.
3. Check isLoading() in applyPendingXSLTransformsTimerFired() to
  avoid compiling partially-loaded import chains in the first place.

* LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-child.xsl: Added.
* LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-grandchild.py: Added.
* LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-root.xsl: Added.
* LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-target.xml: Added.
* LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash-expected.txt: Added.
* LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::applyPendingXSLTransformsTimerFired):
* Source/WebCore/xml/XSLStyleSheetLibxslt.cpp:
(WebCore::XSLStyleSheet::parseString):
* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::XSLTProcessor::transformToString):

Identifier: 305413.786@safari-7624-branch

Identifier: 305877.910@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.910@webkitglib/2.52


  Commit: 33f08e62c4918f25074826d5b2928c8053362a5b
      
https://github.com/WebKit/WebKit/commit/33f08e62c4918f25074826d5b2928c8053362a5b
  Author: Charlie Wolfe <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/forged-resource-load-statistics-storage-access-expected.txt
    A LayoutTests/ipc/forged-resource-load-statistics-storage-access.html
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp

  Log Message:
  -----------
  Cherry-pick 9d8f969c538a. https://bugs.webkit.org/show_bug.cgi?id=312798

Validate several ITP and storage access IPC messages
https://bugs.webkit.org/show_bug.cgi?id=312798
rdar://174708437

Reviewed by Matthew Finkel.

ResourceLoadStatisticsUpdated, LogUserInteraction, and RequestStorageAccessUnderOpener accept
WebContent-supplied data with no validation. A WCP can forge storageAccessUnderTopFrameDomains and
isPrevalentResource in the ITP database, then obtain cross-origin cookie access without a user
prompt.

Verify that ResourceLoadStatisticsUpdated only contains fields the WebContent process legitimately
observes, and that LogUserInteraction and RequestStorageAccessUnderOpener are called with domains
the process owns.

Test: ipc/forged-resource-load-statistics-storage-access.html

* LayoutTests/ipc/forged-resource-load-statistics-storage-access-expected.txt: Added.
* LayoutTests/ipc/forged-resource-load-statistics-storage-access.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::logUserInteraction):
(WebKit::resourceLoadStatisticsContainsOnlyObservableFields):
(WebKit::NetworkConnectionToWebProcess::resourceLoadStatisticsUpdated):
(WebKit::NetworkConnectionToWebProcess::requestStorageAccessUnderOpener):

Identifier: 305413.716@safari-7624-branch

Identifier: 305877.911@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.911@webkitglib/2.52


  Commit: b577b7842a1f7aa6283503ef0bee37be300cf80c
      
https://github.com/WebKit/WebKit/commit/b577b7842a1f7aa6283503ef0bee37be300cf80c
  Author: Eric Carlson <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/usermedia-capture-start-producing-data-race-expected.txt
    A LayoutTests/ipc/usermedia-capture-start-producing-data-race.html
    M Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp

  Log Message:
  -----------
  Cherry-pick 651097467a79. https://bugs.webkit.org/show_bug.cgi?id=314115

[CoreIPC][GPUProcess] UserMediaCaptureManagerProxy::startProducingData races prepareAudioDescription() against audioSamplesAvailable(), leading to various UAF/write-after-unmap
https://bugs.webkit.org/show_bug.cgi?id=314115
rdar://174411400

Reviewed by Youenn Fablet and Jer Noble.

A compromised WebContent process can send StartProducingData repeatedly
for the same source. After the first call, the source proxy is registered
as an AudioSampleObserver and the capture unit is invoking
audioSamplesAvailable() on a background WorkQueue. On subsequent calls,
prepareAudioDescription() runs on the GPU main thread and reassigns
m_captureSemaphore, m_ringBuffer, m_audioHandle and m_description without
removing the observer or taking any lock, while the capture thread is
concurrently dereferencing them. This leads to heap-use-after-free on the
freed ProducerSharedCARingBuffer / IPC::Semaphore and write-after-unmap
into the old SharedMemory ring buffer.

Make UserMediaCaptureManagerProxySourceProxy::start() a no-op when the
proxy is already observing media. Legitimate stop()/start() sequences are
unaffected since stop() removes the observer.

Test: ipc/usermedia-capture-start-producing-data-race.html

* LayoutTests/ipc/usermedia-capture-start-producing-data-race-expected.txt: Added.
* LayoutTests/ipc/usermedia-capture-start-producing-data-race.html: Added.
* Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp:

Identifier: 305413.863@safari-7624-branch

Identifier: 305877.912@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.912@webkitglib/2.52


  Commit: 927e1206e5b1b53d5694bfdd15940e60ab482278
      
https://github.com/WebKit/WebKit/commit/927e1206e5b1b53d5694bfdd15940e60ab482278
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt
    A LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Range.cpp
    M Source/WebCore/dom/ShadowRoot.cpp

  Log Message:
  -----------
  Cherry-pick 64d15c23216d. https://bugs.webkit.org/show_bug.cgi?id=313703

Use-after-free of Document in trustedTypeCompliantString
https://bugs.webkit.org/show_bug.cgi?id=313703
rdar://175673135

Reviewed by Wenson Hsieh and Chris Dumez.

Fixed the bug by deploying more smart pointers.

Test: fast/dom/trusted-types-iframe-removal-crash.html

* LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt: Added.
* LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::parseHTMLUnsafe):
(WebCore::Document::write):
(WebCore::Document::execCommand):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::setHTMLUnsafe):
(WebCore::Element::setOuterHTML):
(WebCore::Element::setInnerHTML):
(WebCore::Element::insertAdjacentHTML):
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::createContextualFragment):
* Source/WebCore/dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::setHTMLUnsafe):
(WebCore::ShadowRoot::setInnerHTML):

Identifier: 305413.805@safari-7624-branch

Identifier: 305877.913@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.913@webkitglib/2.52


  Commit: c55a7e4e9b52799ecee3074a9e62c7fbc9072fdd
      
https://github.com/WebKit/WebKit/commit/c55a7e4e9b52799ecee3074a9e62c7fbc9072fdd
  Author: Antoine Quint <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline.html
    M Source/WebCore/animation/KeyframeEffect.cpp
    M Source/WebCore/animation/KeyframeEffect.h

  Log Message:
  -----------
  Cherry-pick 4a52a36ff580. https://bugs.webkit.org/show_bug.cgi?id=314104

[web-animations] accelerated animation with view progress timeline range and a scroll time yields a crash
https://bugs.webkit.org/show_bug.cgi?id=314104
rdar://176274648

Reviewed by Anne van Kesteren.

If the timeline associated with an animation is a plain scroll timeline, but not a view timeline,
we must resolve any offset using a view progress timeline range by simply disregarding the keyword.
This ensures we have resolved computed offsets in such a case, ensuring we do not crash when attempting
to create the `AcceleratedEffect` representation for this keyframe effect.

Test: imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline.html

* LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline.html: Added.
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::computedOffset):
(WebCore::computeMissingKeyframeOffsets):
(WebCore::KeyframeEffect::getKeyframes):
(WebCore::KeyframeEffect::processKeyframes):
(WebCore::KeyframeEffect::animationDidTick):
(WebCore::KeyframeEffect::activeScrollTimeline const):
(WebCore::KeyframeEffect::updateComputedKeyframeOffsetsIfNeeded):
(WebCore::KeyframeEffect::activeViewTimeline const): Deleted.
* Source/WebCore/animation/KeyframeEffect.h:

Identifier: 305413.839@safari-7624-branch

Identifier: 305877.914@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.914@webkitglib/2.52


  Commit: c09e47d8262de61edb965bd2671b5d13aeb40d0b
      
https://github.com/WebKit/WebKit/commit/c09e47d8262de61edb965bd2671b5d13aeb40d0b
  Author: Charlie Wolfe <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/register-file-backed-blob-path-validation-expected.txt
    A LayoutTests/ipc/register-file-backed-blob-path-validation.html
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
    M Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.cpp
    M Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.h
    M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp
    M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h
    M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
    M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h

  Log Message:
  -----------
  Cherry-pick defe0187e742. https://bugs.webkit.org/show_bug.cgi?id=313085

Remove blanket storage-root file path allow from blob access enforcement
https://bugs.webkit.org/show_bug.cgi?id=313085
rdar://174405888

Reviewed by Sihui Liu.

isFilePathAllowed() accepted any path under the per-session general storage directory or custom IDB
storage path. This allowed a WebContent process to read any origin's persisted data via file-backed
blob registration.

Replace the directory-level allow with per-file grants: IDB result handlers now call
allowAccessToBlobFilesForProcess() to allow only the specific blob file paths being returned to the
WebContent process.

Test: ipc/register-file-backed-blob-path-validation.html

* LayoutTests/ipc/register-file-backed-blob-path-validation-expected.txt: Added.
* LayoutTests/ipc/register-file-backed-blob-path-validation.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::isFilePathAllowed):
(WebKit::NetworkConnectionToWebProcess::registerInternalFileBlobURL):
(WebKit::NetworkConnectionToWebProcess::registerInternalBlobURLOptionallyFileBacked):
(WebKit::NetworkConnectionToWebProcess::generalStoragePathForTesting):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.cpp:
(WebKit::IDBStorageConnectionToClient::IDBStorageConnectionToClient):
(WebKit::IDBStorageConnectionToClient::allowAccessToResultBlobFiles):
(WebKit::IDBStorageConnectionToClient::didGetRecord):
(WebKit::IDBStorageConnectionToClient::didGetAllRecords):
(WebKit::IDBStorageConnectionToClient::didOpenCursor):
(WebKit::IDBStorageConnectionToClient::didIterateCursor):
(WebKit::IDBStorageConnectionToClient::generateIndexKeyForRecord):
* Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.h:
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp:
(WebKit::IDBStorageRegistry::IDBStorageRegistry):
(WebKit::IDBStorageRegistry::ensureConnectionToClient):
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h:
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::NetworkStorageManager):
(WebKit::NetworkStorageManager::allowAccessToBlobFilesForProcess):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h:

Identifier: 305413.737@safari-7624-branch

Identifier: 305877.915@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.915@webkitglib/2.52
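The policy change described in the commit above, sketched as an added C++ mock that is not WebKit's code: the old directory-level prefix check beside the per-file grant that replaces it. The class name BlobAccessPolicy, the storage root and the blob paths are constructed assumptions, and paths are assumed to be absolute.

```cpp
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Lexically resolve "." and ".." so "/root/../etc" is not taken as being under /root.
// Assumes absolute POSIX-style paths (an assumption of this mock).
static std::string normalizePath(const std::string& path)
{
    std::vector<std::string> parts;
    std::string segment;
    std::stringstream stream(path);
    while (std::getline(stream, segment, '/')) {
        if (segment.empty() || segment == ".")
            continue;
        if (segment == "..") {
            if (!parts.empty())
                parts.pop_back();
            continue;
        }
        parts.push_back(segment);
    }
    std::string result;
    for (const auto& part : parts)
        result += "/" + part;
    return result.empty() ? "/" : result;
}

class BlobAccessPolicy {
public:
    explicit BlobAccessPolicy(std::string storageRoot)
        : m_storageRoot(normalizePath(std::move(storageRoot))) { }

    // Before the fix: any file under the per-session storage directory passed,
    // so one origin's process could register another origin's persisted data.
    bool isFilePathAllowedDirectoryLevel(const std::string& path) const
    {
        const std::string candidate = normalizePath(path);
        const std::string prefix = m_storageRoot + "/";
        return candidate.compare(0, prefix.size(), prefix) == 0;
    }

    // After the fix: a result handler grants the exact files it returns to the
    // process, and only those files pass.
    void allowAccessToBlobFilesForProcess(const std::vector<std::string>& paths)
    {
        for (const auto& path : paths)
            m_grantedFiles.insert(normalizePath(path));
    }

    bool isFilePathAllowedPerFile(const std::string& path) const
    {
        return m_grantedFiles.count(normalizePath(path)) > 0;
    }

private:
    std::string m_storageRoot;
    std::set<std::string> m_grantedFiles;
};

// Scenario (constructed): the process receives one IDB blob for origin A, then
// asks for a blob belonging to origin B under the same storage root.
struct Outcome {
    bool ownBlobDirectoryLevel, ownBlobPerFile;
    bool otherOriginDirectoryLevel, otherOriginPerFile;
};

static Outcome runScenario()
{
    BlobAccessPolicy policy("/example/GeneralStorage");
    const std::string ownBlob = "/example/GeneralStorage/originA/idb/blob-1.bin";
    const std::string otherOriginBlob = "/example/GeneralStorage/originB/idb/blob-7.bin";
    policy.allowAccessToBlobFilesForProcess({ ownBlob });
    return { policy.isFilePathAllowedDirectoryLevel(ownBlob),
             policy.isFilePathAllowedPerFile(ownBlob),
             policy.isFilePathAllowedDirectoryLevel(otherOriginBlob),
             policy.isFilePathAllowedPerFile(otherOriginBlob) };
}
```

The scenario shows the directory-level rule accepting origin B's blob while the per-file rule rejects it; normalizePath also keeps a traversal such as "/example/GeneralStorage/../secret" from matching the root prefix.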


  Commit: 036d7bd40f9a65fb0793b454469c543e703b49a7
      
https://github.com/WebKit/WebKit/commit/036d7bd40f9a65fb0793b454469c543e703b49a7
  Author: Kimmo Kinnunen <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/ErrorStrings.h
    M Source/ThirdParty/ANGLE/src/libANGLE/validationES3.cpp
    M Source/ThirdParty/ANGLE/src/tests/gl_tests/TransformFeedbackTest.cpp

  Log Message:
  -----------
  Cherry-pick 305413.721@safari-7624-branch (146668c5ca43). https://bugs.webkit.org/show_bug.cgi?id=312977

ANGLE: ResumeTransformFeedback does not validate the active program
https://bugs.webkit.org/show_bug.cgi?id=312977
<rdar://174740337>

Reviewed by Dan Glastonbury.

ResumeTransformFeedback should succeed only when the current
program is the program of the active transform feedback.

Fix by adding a validation step for this.

* Source/ThirdParty/ANGLE/src/libANGLE/ErrorStrings.h:
* Source/ThirdParty/ANGLE/src/libANGLE/validationES3.cpp:
(gl::ValidateResumeTransformFeedback):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/TransformFeedbackTest.cpp:

Identifier: 305413.721@safari-7624-branch

Canonical link: https://commits.webkit.org/305877.916@webkitglib/2.52


  Commit: f038a7ddceed35ec4ed853492c8ac208e31c3d00
      
https://github.com/WebKit/WebKit/commit/f038a7ddceed35ec4ed853492c8ac208e31c3d00
  Author: Charlie Wolfe <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/load-image-for-decoding-file-url-expected.txt
    A LayoutTests/ipc/load-image-for-decoding-file-url.html
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick f118e35bcfa5. https://bugs.webkit.org/show_bug.cgi?id=312832

Add scheme and cookie access validation to LoadImageForDecoding
https://bugs.webkit.org/show_bug.cgi?id=312832
rdar://174708372

Reviewed by Rupin Mittal.

LoadImageForDecoding accepted arbitrary ResourceRequest fields with only a url.isValid() check. This
allowed file:// reads of NetworkProcess-sandbox files and credentialed cross-origin body reads via
spoofed firstPartyForCookies.

Restrict the URL to HTTP(S) and enforce allowsFirstPartyForCookies, matching every other
cookie-touching IPC entry point.

Test: ipc/load-image-for-decoding-file-url.html

* LayoutTests/ipc/load-image-for-decoding-file-url-expected.txt: Added.
* LayoutTests/ipc/load-image-for-decoding-file-url.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::loadImageForDecoding):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::loadAndDecodeImage):

Identifier: 305413.744@safari-7624-branch

Identifier: 305877.917@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.917@webkitglib/2.52


Compare: https://github.com/WebKit/WebKit/compare/c0887a6ed84d...f038a7ddceed
