Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c0096fe5c2c78d3ee76778eeddf0066b7de2b526
https://github.com/WebKit/WebKit/commit/c0096fe5c2c78d3ee76778eeddf0066b7de2b526
Author: Antti Koivisto <[email protected]>
Date: 2026-03-30 (Mon, 30 Mar 2026)
Changed paths:
M
LayoutTests/imported/w3c/web-platform-tests/css/css-values/attr-security-expected.txt
M
LayoutTests/imported/w3c/web-platform-tests/css/css-values/attr-security.html
M
LayoutTests/imported/w3c/web-platform-tests/css/css-values/attr-universal-selector-expected.txt
M Source/WebCore/css/CSSVariableData.cpp
M Source/WebCore/css/CSSVariableData.h
M Source/WebCore/css/parser/CSSPropertyParser.cpp
M Source/WebCore/css/parser/CSSPropertyParser.h
M Source/WebCore/css/query/ContainerQueryFeatures.cpp
M Source/WebCore/style/StyleBuilder.cpp
M Source/WebCore/style/StyleCustomProperty.cpp
M Source/WebCore/style/StyleCustomProperty.h
M Source/WebCore/style/StyleInterpolation.cpp
M Source/WebCore/style/StyleSubstitutionResolver.cpp
M Source/WebCore/style/StyleSubstitutionResolver.h
Log Message:
-----------
[css-values-5 attr()] <url> security
https://bugs.webkit.org/show_bug.cgi?id=311077
rdar://173674601
Reviewed by Alan Baradlay.
Using attr() in <url>s is not allowed. This is implemented by tainting values
that use attr().
If a tainted value is inserted into <url> then the declaration is invalid at
computed value time.
https://drafts.csswg.org/css-values-5/#attr-security
*
LayoutTests/imported/w3c/web-platform-tests/css/css-values/attr-security-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/css/css-values/attr-security.html:
Add subtests for universal syntax and for the fast path simple case.
*
LayoutTests/imported/w3c/web-platform-tests/css/css-values/attr-universal-selector-expected.txt:
(WebCore::CSSVariableData::operator== const):
(WebCore::CSSVariableData::CSSVariableData):
* Source/WebCore/css/CSSVariableData.h:
(WebCore::CSSVariableData::create):
(WebCore::CSSVariableData::isAttrTainted const):
Track tainting for token bags.
* Source/WebCore/css/parser/CSSPropertyParser.cpp:
(WebCore::CSSPropertyParser::parseTypedCustomPropertyValue):
(WebCore::consumeTypedCustomPropertyValue):
* Source/WebCore/css/parser/CSSPropertyParser.h:
* Source/WebCore/css/query/ContainerQueryFeatures.cpp:
Ignore tainting when comparing for equality.
* Source/WebCore/style/StyleBuilder.cpp:
(WebCore::Style::Builder::resolveCustomPropertyValue):
* Source/WebCore/style/StyleCustomProperty.cpp:
(WebCore::Style::CustomProperty::operator== const):
(WebCore::Style::CustomProperty::valueEquals const):
Add a separate equality function that ignores the tainting bit.
* Source/WebCore/style/StyleCustomProperty.h:
(WebCore::Style::CustomProperty::createForVariableData):
(WebCore::Style::CustomProperty::createForValue):
(WebCore::Style::CustomProperty::createForValueList):
Track tainting for custom property values that may not be tokens.
* Source/WebCore/style/StyleInterpolation.cpp:
(WebCore::Style::Interpolation::interpolatedCustomProperty):
* Source/WebCore/style/StyleSubstitutionResolver.cpp:
(WebCore::Style::containsURLTokens):
(WebCore::Style::SubstitutionResolver::propagateAttrTaint):
Taint propagation on URL invalidation.
(WebCore::Style::SubstitutionResolver::substituteVariableFunction):
(WebCore::Style::SubstitutionResolver::substituteTokenRange):
(WebCore::Style::SubstitutionResolver::updateURLContext):
Track if we are inside <url>.
(WebCore::Style::SubstitutionResolver::substitute):
(WebCore::Style::SubstitutionResolver::substituteAndParse):
Return null (invalid at computed value time) if we have seen tained urls.
(WebCore::Style::SubstitutionResolver::substituteAndParseShorthand):
* Source/WebCore/style/StyleSubstitutionResolver.h:
(WebCore::Style::SubstitutionResolver::isInURLContext const):
Canonical link: https://commits.webkit.org/310241@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
