Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fe9231d735d0424ee58bdb16066add0ed55c2908
https://github.com/WebKit/WebKit/commit/fe9231d735d0424ee58bdb16066add0ed55c2908
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-15 (Wed, 15 Apr 2026)
Changed paths:
M Source/WebCore/accessibility/AXSearchManager.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
Log Message:
-----------
AX: Add IPC validation to cross-process accessibility search handlers
https://bugs.webkit.org/show_bug.cgi?id=312201
rdar://174691168
Reviewed by Joshua Hoffman.
Add FrameIdentifier ownership validation and search text bounds checking to performAccessibilitySearchInRemoteFrame, continueAccessibilitySearchFromChildFrame, and resolveAccessibilityHitTestForTesting.

These handlers previously forwarded data from WebProcess to WebProcess via the UIProcess without MESSAGE_CHECK validation, unlike other frame-handling IPC handlers. A compromised WebProcess could send bogus FrameIdentifiers without being terminated. Now each handler validates frame existence and process ownership using MESSAGE_CHECK_COMPLETION, matching the pattern used by updateReferrerPolicy and updateSandboxFlags. Search text length is bounded to 5000 characters as a defense-in-depth measure, e.g. to prevent an attacker from passing along arbitrarily long data in the string.
* Source/WebCore/accessibility/AXSearchManager.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::resolveAccessibilityHitTestForTesting):
(WebKit::WebPageProxy::performAccessibilitySearchInRemoteFrame):
(WebKit::WebPageProxy::continueAccessibilitySearchFromChildFrame):
* Source/WebKit/UIProcess/WebPageProxy.h:
Canonical link: https://commits.webkit.org/311336@main
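The validation pattern the commit describes, as an added stand-alone model rather than WebKit's own code: a UI-process-side handler that checks that a FrameIdentifier exists, that the sending web process owns it, and that the search text is within the 5000-character bound before forwarding anything, with a stand-in for MESSAGE_CHECK_COMPLETION that both replies and flags the sender for termination on failure. The registry, the type names, and the assumption that the checked frame must be owned by the sender are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed model: a UI-process-side registry of frames and which
// web process owns each one (hypothetical names, not WebKit's own API).
using ProcessID = uint64_t;
using FrameID = uint64_t;

constexpr std::size_t kMaxSearchTextLength = 5000; // bound named in the commit message

struct FrameRegistry {
    std::map<FrameID, ProcessID> ownerOf; // frame -> owning web process
};

struct SearchOutcome {
    bool senderShouldBeTerminated = false; // MESSAGE_CHECK failure => kill sender
    bool completionInvoked = false;        // COMPLETION variant always replies
    std::vector<FrameID> results;
};

// Models what MESSAGE_CHECK_COMPLETION(process, condition, completion) does:
// on failure, reply with an empty result so the caller is not left hanging,
// and flag the sending process for termination (assumed semantics).
static bool messageCheckCompletion(bool condition, SearchOutcome& outcome) {
    if (condition)
        return true;
    outcome.completionInvoked = true;
    outcome.senderShouldBeTerminated = true;
    return false;
}

// Hypothetical stand-in for performAccessibilitySearchInRemoteFrame:
// validate the untrusted inputs before forwarding to another web process.
SearchOutcome handleRemoteSearch(const FrameRegistry& registry, ProcessID sender,
                                 FrameID targetFrame, const std::string& searchText) {
    SearchOutcome outcome;
    auto it = registry.ownerOf.find(targetFrame);
    if (!messageCheckCompletion(it != registry.ownerOf.end(), outcome))  // frame exists
        return outcome;
    if (!messageCheckCompletion(it->second == sender, outcome))           // sender owns it
        return outcome;
    if (!messageCheckCompletion(searchText.size() <= kMaxSearchTextLength, outcome))
        return outcome;
    outcome.completionInvoked = true;
    outcome.results.push_back(targetFrame); // forwarding to the target process would go here
    return outcome;
}
```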