Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit

Commit: dcc6d93e7de6f6071d50e6a234011970deb40154
https://github.com/WebKit/WebKit/commit/dcc6d93e7de6f6071d50e6a234011970deb40154
Author: Alan Baradlay <za...@apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
  A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt
  A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html
  M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp

Log Message:
-----------
Out-of-flow line break box does not initiate render layer
https://bugs.webkit.org/show_bug.cgi?id=267270
rdar://120662818

Reviewed by Antti Koivisto.

1. Let's not assume that an out-of-flow box is a type of RenderBox (e.g. line break).
2. Not all out-of-flow positioned boxes trigger layers.

* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt: Added.
* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html: Added.
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::shiftLinesBy):

Originally-landed-as: 272448.26@safari-7618-branch (6eed83460548). rdar://124557101
Canonical link: https://commits.webkit.org/276181@main

Commit: 186349180de5ef6858ef0e0318a4dddb75be1fdf
https://github.com/WebKit/WebKit/commit/186349180de5ef6858ef0e0318a4dddb75be1fdf
Author: Chris Dumez <cdu...@apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
  A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html
  A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html
  A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers
  A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html
  A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html
  A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers
  A LayoutTests/http/wpt/content-security-policy/resources/dummy.js
  M Source/WebCore/html/parser/HTMLConstructionSite.cpp

Log Message:
-----------
Bug in the HTML parser makes it possible to bypass `nonce` attribute hiding
https://bugs.webkit.org/show_bug.cgi?id=267241
rdar://120056084

Reviewed by Ryosuke Niwa.

Per the HTML specification [1], the `nonce` attribute is supposed to get hidden by the user agent once the element gets connected to the document. This means that we remove the `nonce` attribute and store its value in an internal field. The intention is that elements only expose their nonce via their `nonce` property to scripts, and not to side-channels like CSS attribute selectors.

The HTML specification [2] also says that when encountering a duplicate <body> or <html> tag, we should merge the attributes from the duplicate element to the original one. When this happened, we could move the `nonce` attribute from a duplicate <body> / <html> to the original element and it would not get hidden since the original element is already connected to the document.

To address the issue, we now add special handling for the `nonce` attribute upon merging:
1. We discard the duplicate element's `nonce` attribute if the original element's [[nonce]] internal field is already set (meaning the element already has a nonce).
2. If the original element doesn't have a `nonce`, we do merge the attribute and then call the logic to hide the `nonce` right away.

[1] https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes:include-2
[2] https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody

* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/resources/dummy.js: Added.
Add test coverage.
* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

Originally-landed-as: 272448.25@safari-7618-branch (d43f7eafe9c4). rdar://124557137
Canonical link: https://commits.webkit.org/276182@main

Commit: f6f701549769c32ed976dbef8ed6f08d46c9d98c
https://github.com/WebKit/WebKit/commit/f6f701549769c32ed976dbef8ed6f08d46c9d98c
Author: Yusuke Suzuki <ysuz...@apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
  A JSTests/stress/attribute-custom-accessor.js
  M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

Log Message:
-----------
[JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value
https://bugs.webkit.org/show_bug.cgi?id=266695
rdar://119854137

Reviewed by Mark Lam.

PropertyCondition::isValidValueForAttributes only handled accessors and values, and it didn't handle custom accessors / custom values. This patch changes it so that we can check custom accessor / custom value cases correctly.

* JSTests/stress/attribute-custom-accessor.js: Added.
(async asyncSleep):
(setHasBeenDictionary):
(watchToJSONForReplacements):
(async watchLastMatchForReplacements.getLastMatch):
(async watchLastMatchForReplacements):
(const.target.toJSON):
(opt):
(async main):
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):

Originally-landed-as: 272448.6@safari-7618-branch (24d1c08b9dfa). rdar://124557469
Canonical link: https://commits.webkit.org/276183@main

Commit: 17c0ad98bb1ce2d5df631bca49e13809b9ecf03b
https://github.com/WebKit/WebKit/commit/17c0ad98bb1ce2d5df631bca49e13809b9ecf03b
Author: Matthew Finkel <sys...@apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
  A LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt
  A LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html
  M Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp

Log Message:
-----------
Ensure Filesystem root path is not empty
https://bugs.webkit.org/show_bug.cgi?id=266703
rdar://119813501

Reviewed by Chris Dumez.

When the root path is empty, the file's name can define an arbitrary filesystem path. This change ensures that the path is non-empty, so the virtual filesystem must be defined under a directory that the user selected.

* LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt: Added.
* LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html: Added.
* Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp:
(WebCore::DOMFileSystem::getEntry):
(WebCore::DOMFileSystem::getFile):

Originally-landed-as: 272448.2@safari-7618-branch (18fd76f8a016). rdar://124557625
Canonical link: https://commits.webkit.org/276184@main

Commit: 5fb50e505ac984aa68a54d087bc762ab72c8e127
https://github.com/WebKit/WebKit/commit/5fb50e505ac984aa68a54d087bc762ab72c8e127
Author: Jean-Yves Avenard <j...@apple.com>
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
  M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp

Log Message:
-----------
Block "setMediaOverridesForTesting" media IPC endpoints when not testing and instead reset values
https://bugs.webkit.org/show_bug.cgi?id=268731
rdar://122218365

Reviewed by Youenn Fablet.

The fix in https://commits.webkit.org/272448.445@safari-7618-branch was insufficient, as the setMediaOverridesForTesting IPC endpoint is also used to reset the flags to their defaults. So rather than disabling the IPC endpoint altogether, we restrict its use to only resetting the default values (which are all unset).

* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
(WebKit::GPUConnectionToWebProcess::setMediaOverridesForTesting):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:

Originally-landed-as: 272448.473@safari-7618-branch (00b3f3ccf06e). rdar://124557967
Canonical link: https://commits.webkit.org/276185@main

Compare: https://github.com/WebKit/WebKit/compare/6f20a053abaf...5fb50e505ac9

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
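The attribute-merging rules from the nonce-hiding commit (276182@main) above, modelled in a small C++ example that is added here and is not WebKit's HTMLConstructionSite code: the Element type, the attribute map and the function names are assumptions, and the before/after merge functions reproduce the pre-fix and post-fix handling that commit message describes.

```cpp
#include <map>
#include <optional>
#include <string>

// Constructed model of the two HTML-spec rules the commit describes; an added illustration,
// not WebKit's own HTMLConstructionSite code.
using Attributes = std::map<std::string, std::string>;

struct Element {
    Attributes attributes;             // content attributes, visible to CSS attribute selectors
    std::optional<std::string> nonce;  // internal [[nonce]] field, exposed to script only via .nonce
};

// Nonce hiding: on connection the `nonce` content attribute is removed and its value kept
// only in the internal field (the behaviour the commit message describes).
void hideNonceAttribute(Element& e) {
    auto it = e.attributes.find("nonce");
    if (it == e.attributes.end())
        return;
    if (!e.nonce)
        e.nonce = it->second;
    e.attributes.erase(it);
}

// Connecting the element to the document triggers nonce hiding.
void connect(Element& e) { hideNonceAttribute(e); }

// Duplicate <body>/<html>: the spec merges token attributes the element does not already have.
// Pre-fix: a `nonce` on the duplicate lands on the already-connected element and stays visible.
void mergeAttributesBeforeFix(Element& e, const Attributes& token) {
    for (const auto& [name, value] : token)
        e.attributes.try_emplace(name, value);
}

// Post-fix: drop the duplicate's nonce when [[nonce]] is already set, else merge and hide at once.
void mergeAttributesAfterFix(Element& e, const Attributes& token) {
    for (const auto& [name, value] : token) {
        if (name == "nonce" && e.nonce)
            continue;
        e.attributes.try_emplace(name, value);
        if (name == "nonce")
            hideNonceAttribute(e);
    }
}

// True when a stylesheet selector such as body[nonce] could observe a nonce value.
bool nonceLeaksToSelectors(const Element& e) { return e.attributes.count("nonce") > 0; }
```

The two merge functions differ only in the nonce branch, which is the whole fix: the visible attribute never survives on a connected element, and a duplicate tag can no longer replace a nonce that is already stored internally.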