Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 092bf6b43083d87f223ed76ba011cc7153b0c9a2
https://github.com/WebKit/WebKit/commit/092bf6b43083d87f223ed76ba011cc7153b0c9a2
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-15 (Wed, 15 Apr 2026)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/accessibility/aria-owns-deep-chain-no-timeout-expected.txt
A LayoutTests/accessibility/aria-owns-deep-chain-no-timeout.html
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
AX: aria-owns cycle detection is unbounded, which can cause hangs for deep
aria-owns chains
https://bugs.webkit.org/show_bug.cgi?id=312284
rdar://174753621
Reviewed by Joshua Hoffman.
relationCausesCycle() walks the AX parent chain linearly for each aria-owns relation.
Through aria-owns chaining (e0 owns e1, e1 owns e2, ...), the AX tree can grow much
deeper than the DOM, making the total cost of cycle detection O(n^2). Cap the walk at
1536 (512, the DOM parser limit, * 3) steps and reject the relation if we can't verify
it is cycle-free within that limit.
This protects users against adversarially authored content, e.g. someone
intentionally trying to create a denial-of-service attack targeted at
assistive technology users, as it's extremely unlikely any web developer
would do something like this legitimately.
* LayoutTests/accessibility/aria-owns-deep-chain-no-timeout-expected.txt: Added.
* LayoutTests/accessibility/aria-owns-deep-chain-no-timeout.html: Added.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::relationCausesCycle):
Canonical link: https://commits.webkit.org/311288@main
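
Added example, not part of this commit or of the WebKit source: a minimal C++ sketch of the capped ancestor walk the log message describes, failing closed when the budget runs out. Node, checkOwnsRelation, acceptOwnsRelation and makeChain are hypothetical names; only the 1536-step limit is taken from the message.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for an accessibility object: only the parent link matters.
struct Node {
    Node* parent = nullptr;
};

// 512 (the DOM parser limit named in the commit message) * 3.
constexpr std::size_t kMaxCycleCheckSteps = 1536;

enum class CycleCheck { NoCycle, Cycle, LimitExceeded };

// Making `owner` the parent of `child` creates a cycle iff `child` is `owner`
// itself or one of its ancestors. Visit at most `limit` nodes while checking.
CycleCheck checkOwnsRelation(const Node* owner, const Node* child,
                             std::size_t limit = kMaxCycleCheckSteps)
{
    std::size_t visited = 0;
    for (const Node* ancestor = owner; ancestor; ancestor = ancestor->parent) {
        if (visited++ == limit)
            return CycleCheck::LimitExceeded; // cannot prove cycle-free in budget
        if (ancestor == child)
            return CycleCheck::Cycle;
    }
    return CycleCheck::NoCycle;
}

// Fail closed: only a relation proven cycle-free is accepted.
bool acceptOwnsRelation(const Node* owner, const Node* child)
{
    return checkOwnsRelation(owner, child) == CycleCheck::NoCycle;
}

// Constructed sample input: a chain where nodes[i] is the parent of nodes[i + 1].
std::vector<Node> makeChain(std::size_t length)
{
    std::vector<Node> nodes(length);
    for (std::size_t i = 1; i < length; ++i)
        nodes[i].parent = &nodes[i - 1];
    return nodes;
}
```

Because every check is bounded by a constant, n chained relations cost O(n) in total instead of O(n^2); the trade-off is that a relation whose cycle status lies beyond the limit is rejected even if it would have been harmless.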