Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f0fba73ace0f5a4e31e0a16d3b824af0a396a6e9
      
https://github.com/WebKit/WebKit/commit/f0fba73ace0f5a4e31e0a16d3b824af0a396a6e9
  Author: Said Abou-Hallawa <s...@apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    M LayoutTests/css3/filters/filter-visited-links-expected.html
    M LayoutTests/css3/filters/filter-visited-links.html
    M Source/WebCore/rendering/InlineBoxPainter.cpp

  Log Message:
  -----------
  Prevent SVG filters from leaking the background of visited hyperlinks
https://bugs.webkit.org/show_bug.cgi?id=262337
rdar://116206368

Reviewed by Simon Fraser.

We should prevent websites from learning which sites have been visited via SVG
filters on hyperlinks, per the attack described in 
https://arxiv.org/abs/2305.12784.

This is a follow-up for 266683@main. The background color of the visited links
should be ignored when an SVG filter is applied.

* LayoutTests/css3/filters/filter-visited-links-expected.html:
* LayoutTests/css3/filters/filter-visited-links.html:
* Source/WebCore/rendering/InlineBoxPainter.cpp:
(WebCore::InlineBoxPainter::paintDecorations):

Originally-landed-as: 272448.560@safari-7618-branch (36df2fc04fb9). 
rdar://128502129
Canonical link: https://commits.webkit.org/279104@main


  Commit: 05b6b1285a302f82a9c133577cfad7433090f9b6
      
https://github.com/WebKit/WebKit/commit/05b6b1285a302f82a9c133577cfad7433090f9b6
  Author: Scott Marcy <msc...@apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    A LayoutTests/fast/svg/mutual-recursion-test-expected.txt
    A LayoutTests/fast/svg/mutual-recursion-test.html
    M Source/WebCore/rendering/svg/legacy/SVGResources.cpp
    M Source/WebCore/rendering/svg/legacy/SVGResources.h

  Log Message:
  -----------
  Break a mutual recursion cycle laying out SVG elements.
https://bugs.webkit.org/show_bug.cgi?id=268556
rdar://118510445

Reviewed by shallawa (Said Abou-Hallawa).

Breaks the recursion cycle by having the SVGResource object track if it is 
already doing layout for a different root.

* LayoutTests/fast/svg/mutual-recursion-test-expected.txt: Added.
* LayoutTests/fast/svg/mutual-recursion-test.html: Added.
* Source/WebCore/rendering/svg/SVGResources.cpp:
(WebCore::SVGResources::layoutDifferentRootIfNeeded):
* Source/WebCore/rendering/svg/SVGResources.h:

Originally-landed-as: 272448.561@safari-7618-branch (e14592228595). 
rdar://128502330
Canonical link: https://commits.webkit.org/279105@main


  Commit: c02295c8ab22b97721478d9e0abeb5c647ad29aa
      
https://github.com/WebKit/WebKit/commit/c02295c8ab22b97721478d9e0abeb5c647ad29aa
  Author: Keith Miller <keith_mil...@apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  [JSC] presenceConditionIfConsistent should check knownBase's structure is in the structure set
https://bugs.webkit.org/show_bug.cgi?id=269220
rdar://122171551

Reviewed by Yusuke Suzuki.

This patch rewrites ByteCodeParser::presenceConditionIfConsistent. Now it just
checks that the presence condition we're trying to create is possible for the
knownBase. Additionally, we have to check that the knownBase's structure was
executed at least once before. This allows us to know if GetOwnPropertySlot ran
successfully at least once for this structure.

* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::presenceConditionIfConsistent):

Originally-landed-as: 272448.563@safari-7618-branch (630351ee51ab). 
rdar://128502736
Canonical link: https://commits.webkit.org/279106@main


  Commit: a3161bf52b5e86b7a2acc0c8c196f918e0b4d902
      
https://github.com/WebKit/WebKit/commit/a3161bf52b5e86b7a2acc0c8c196f918e0b4d902
  Author: David Kilzer <ddkil...@apple.com>
  Date:   2024-05-21 (Tue, 21 May 2024)

  Changed paths:
    M Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c

  Log Message:
  -----------
  OSV-2022-674: dav1d: use of uninitialized value in cdef_filter_block_c
https://bugs.webkit.org/show_bug.cgi?id=269405
<rdar://122849398>

Reviewed by Youenn Fablet.

Merge dav1d upstream commit a3a55b18494f5dd1e34f289298f78ffa4f32a25d.

* Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c:
(create_filter_sbrow):

Originally-landed-as: 272448.565@safari-7618-branch (8547ba181fbb). 
rdar://128502897
Canonical link: https://commits.webkit.org/279107@main


Compare: https://github.com/WebKit/WebKit/compare/00222bd02ce4...a3161bf52b5e
