Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6767475946c16797002b8fa0e36680e8d6ff97ec
https://github.com/WebKit/WebKit/commit/6767475946c16797002b8fa0e36680e8d6ff97ec
Author: Frédéric Wang Nélar <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
A LayoutTests/fast/dom/Document/open-triggered-by-mutation-observer-on-element-from-a-parsed-doc-crash-expected.txt
A LayoutTests/fast/dom/Document/open-triggered-by-mutation-observer-on-element-from-a-parsed-doc-crash.html
Log Message:
-----------
[WebKit][Main+SU?] [a3b9e8b1b7c6c7b7] ASAN_SEGV | WebCore::firstDOMWindow;
WebCore::jsDocumentPrototypeFunction_write; ADDRESS
https://bugs.webkit.org/show_bug.cgi?id=300372
rdar://162173350
Reviewed by Ryosuke Niwa.
Add a regression test for [1], which was later reverted in [2].
[1] https://commits.webkit.org/300757@main
[2] https://commits.webkit.org/300886@main
* LayoutTests/fast/dom/Document/open-triggered-by-mutation-observer-on-element-from-a-parsed-doc-crash-expected.txt: Added.
* LayoutTests/fast/dom/Document/open-triggered-by-mutation-observer-on-element-from-a-parsed-doc-crash.html: Added.
Originally-landed-as: [email protected] (cb9035f59bbb).
rdar://174959210
Canonical link: https://commits.webkit.org/311483@main
Commit: 389fcd914b790dc05013c66d5bc0d5a32e2ef9ba
https://github.com/WebKit/WebKit/commit/389fcd914b790dc05013c66d5bc0d5a32e2ef9ba
Author: Frédéric Wang Nélar <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M LayoutTests/TestExpectations
M LayoutTests/platform/glib/TestExpectations
A LayoutTests/svg/dom/SVGGeometry-isPointInStroke-with-null-path-expected.txt
A LayoutTests/svg/dom/SVGGeometry-isPointInStroke-with-null-path.html
M Source/WebCore/rendering/svg/RenderSVGShape.cpp
M Source/WebCore/rendering/svg/legacy/LegacyRenderSVGShape.cpp
Log Message:
-----------
Crash in shapeDependentStrokeContains() via isPointInStroke()
https://bugs.webkit.org/show_bug.cgi?id=306154
rdar://168055632
Reviewed by Darin Adler.
Ensure the path exists when calling the function with legacy and LSBE code
from isPointInStroke() (which implies pointCoordinateSpace is
LocalCoordinateSpace). This is similar to https://commits.webkit.org/292730@main.
Test: svg/dom/SVGGeometry-isPointInStroke-with-null-path.html
* LayoutTests/TestExpectations: Skip the test because it hits an assertion
failure.
* LayoutTests/platform/glib/TestExpectations: Ditto.
* LayoutTests/svg/dom/SVGGeometry-isPointInStroke-with-null-path-expected.txt:
Added.
* LayoutTests/svg/dom/SVGGeometry-isPointInStroke-with-null-path.html: Added.
* Source/WebCore/rendering/svg/RenderSVGShape.cpp:
(WebCore::RenderSVGShape::shapeDependentStrokeContains): Ensure path exists.
* Source/WebCore/rendering/svg/legacy/LegacyRenderSVGShape.cpp:
(WebCore::LegacyRenderSVGShape::shapeDependentStrokeContains): Ditto.
Originally-landed-as: [email protected] (82934b97537c).
rdar://174957149
Canonical link: https://commits.webkit.org/311484@main
Commit: ecde527ba8fbc8ea323542880a066133826ced3f
https://github.com/WebKit/WebKit/commit/ecde527ba8fbc8ea323542880a066133826ced3f
Author: Claudio Saavedra <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
A LayoutTests/fast/reflections/reflection-removed-crash-2-expected.txt
A LayoutTests/fast/reflections/reflection-removed-crash-2.html
M Source/WebCore/rendering/RenderLayer.cpp
Log Message:
-----------
[WebKit][Main] [Fuzz Blocker] [e5518f91af2befa2] WK_SEC |
WebCore::RenderLayerCompositor::repaintInCompositedAncestor;
WebCore::RenderLayerCompositor::layerWillBeRemoved;
WebCore::RenderLayer::removeChild
https://bugs.webkit.org/show_bug.cgi?id=306841
rdar://169436867
Reviewed by Simon Fraser.
When a render layer that contains a reflection layer is deleted, we first
remove that reflection layer. The code path for layer removal causes
the layer to be repainted in its composited ancestor. However, when
the compositor ancestor is the original layer that is being deleted,
we are actually dealing with a layer that is in the process of destruction.
In order to prevent this reentrancy, we can avoid going
down RenderLayerCompositor::layerWillBeRemoved() if the layer being removed
is a reflection layer, since this doesn't seem to be needed in reality (and
all tests involving -webkit-reflect-box pass after this change).
This bug was uncovered in main after 306315@main introduced a checked pointer
for the compositedAncestor variable in
RenderLayerCompositor::repaintInCompositedAncestor(),
which fails an assertion when it goes out of scope, because the underlying
RenderLayer is already in the process of destruction. This doesn't assert
or crash before that change, but assuming that we don't want to take risks
I prefer to land this change in embargoed instead so that it's backported
wherever it's necessary before making this change public in main.
Test: fast/reflections/reflection-removed-crash-2.html
* LayoutTests/fast/reflections/reflection-removed-crash-2-expected.txt: Added.
* LayoutTests/fast/reflections/reflection-removed-crash-2.html: Added.
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::removeChild):
Originally-landed-as: [email protected] (218d25f508a7).
rdar://174957077
Canonical link: https://commits.webkit.org/311485@main
Commit: a9f2dfaaf8a7b81ed38d2d29dcf59bd8c167301e
https://github.com/WebKit/WebKit/commit/a9f2dfaaf8a7b81ed38d2d29dcf59bd8c167301e
Author: Rupin Mittal <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M Source/WebKit/UIProcess/API/APINavigationResponse.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/Navigation.mm
Log Message:
-----------
Download Prompt Origin Spoofing via Back-Forward Navigation
https://bugs.webkit.org/show_bug.cgi?id=308396
rdar://153668219
Reviewed by Brady Eidson.
When a navigation occurs, WebKit calls the delegate function
webView:decidePolicyForNavigationResponse:decisionHandler: and passes in a
WKNavigationResponse object. The client may use the _navigationInitiatingFrame
property to show which frame triggered this navigation (or is requesting a download).
In the case where the navigation is started as a result of a back-forward
navigation, WebKit currently says the initiating frame is the frame that
is currently displayed in the WebView that is on the screen, which means
the following sequence of events is possible:
1. Navigate to site1.com
2. Navigate to site2.com
3. Go back <--- somehow this starts a download (maybe a malicious script intervenes)
4. A prompt may show saying that "site2.com wants to start a download"
But site2 did not start the download. This message is misleading.
We fix this by ensuring that in a back-forward navigation, the initiating
frame information is empty, rather than being the information of the site
currently displayed in the WebView.
A second scenario is also possible:
1. Navigate to site1.com
2. User types in site2.com to navigate there <--- somehow starting a download (maybe a malicious script intervenes)
3. A prompt may show saying that "site1.com wants to start a download"
Again, the download should not be attributed to site1.
We make the same change here--for a client initiated navigation, the
initiating frame information is empty, rather than being the information of
the site currently displayed in the WebView.
This is tested by two new API tests.
A similar fix was made in https://commits.webkit.org/298732@main
* Source/WebKit/UIProcess/API/APINavigationResponse.cpp:
(API::NavigationResponse::navigationInitiatingFrame):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm:
(TEST(Navigation, NavigationInitiatingFrameInGoBackNavigation)):
(TEST(Navigation, NavigationInitiatingFrameInClientInputNavigation)):
Originally-landed-as: 305413.338@safari-7624-branch (816b1f464d4d).
rdar://173973970
Canonical link: https://commits.webkit.org/311486@main
Compare: https://github.com/WebKit/WebKit/compare/59806e5b2a91...a9f2dfaaf8a7