Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: f0913bc0f604324954feb7df2f7d23092219cdc2
      
https://github.com/WebKit/WebKit/commit/f0913bc0f604324954feb7df2f7d23092219cdc2
  Author: Kai Tamkun <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A JSTests/stress/regress-168411205.js
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGValidate.cpp

  Log Message:
  -----------
  Cherry-pick 305413.542@safari-7624-branch (5fbe988916b7). https://bugs.webkit.org/show_bug.cgi?id=305732

    [JSC] DFG object allocation sinking shouldn't insert a check when given a PutByVal node
    https://bugs.webkit.org/show_bug.cgi?id=305732
    rdar://168411205

    Reviewed by Yijia Huang.

    The if statement that this change removes was originally added as a fix
    for an old, now-replaced array allocation sinking method. Now, it runs
    the risk of invalidating the DFG graph. Because it doesn't otherwise
    serve any purpose now, it should just be removed.

    Test: JSTests/stress/regress-168411205.js

    * JSTests/stress/regress-168411205.js: Added.
    (f):
    * Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp: Remove special case for PutByVal
    * Source/JavaScriptCore/dfg/DFGValidate.cpp:

    Identifier: 305413.542@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.602@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 8d15e0f70fea433977b5b3182927e87d81722770
      
https://github.com/WebKit/WebKit/commit/8d15e0f70fea433977b5b3182927e87d81722770
  Author: Chris Dumez <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in

  Log Message:
  -----------
  Cherry-pick 305413.544@safari-7624-branch (1c245d737355). https://bugs.webkit.org/show_bug.cgi?id=310078

    Cross-Process Page Identity Confusion in didPostMessage
    https://bugs.webkit.org/show_bug.cgi?id=310078
    rdar://172392170

    Reviewed by Brady Eidson and Ryosuke Niwa.

    WebProcessProxy::didPostMessage() may look up a WebPageProxy belonging
    to another web process if given a bad WebPageProxyIdentifier from a
    compromised WebProcess.

    Address the issue by adding a MESSAGE_CHECK that checks that the page
    is associated with the current WebProcess, using the pre-existing
    WebProcessProxy::isAssociatedWithPage() utility function. Note that I
    had to tweak isAssociatedWithPage() to also check m_remotePages to keep
    site isolation tests working.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::commitProvisionalPage):
    * Source/WebKit/UIProcess/WebProcessProxy.cpp:
    (WebKit::WebProcessProxy::addPagePendingClose):
    (WebKit::WebProcessProxy::removePagePendingClose):
    (WebKit::WebProcessProxy::isAssociatedWithPage const):
    (WebKit::WebProcessProxy::didPostMessage):
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    * Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp:
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::closeWithReply):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.messages.in:

    Identifier: 305413.544@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.603@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 830aee8b056c3090f5e36bd84376c9508e679e27
      
https://github.com/WebKit/WebKit/commit/830aee8b056c3090f5e36bd84376c9508e679e27
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-blob-url-inherits-csp-importScripts-blocked-expected.txt
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-blob-url-inherits-csp-importScripts-blocked.html
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-data-url-inherits-csp-importScripts-blocked-expected.txt
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-data-url-inherits-csp-importScripts-blocked.html
    M 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-data-set-timeout.sub-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/iframe-blank-inherit.meta/upgrade/sharedworker-import-data.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.http-rp/upgrade/fetch.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.http-rp/upgrade/websocket.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.http-rp/upgrade/xhr.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.meta/upgrade/fetch.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.meta/upgrade/websocket.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.meta/upgrade/xhr.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.http-rp/upgrade/fetch.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.http-rp/upgrade/websocket.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.http-rp/upgrade/xhr.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.meta/upgrade/fetch.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.meta/upgrade/websocket.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.meta/upgrade/xhr.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/srcdoc-inherit.meta/upgrade/sharedworker-import-data.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/top.http-rp/upgrade/sharedworker-import-data.https-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/top.meta/upgrade/sharedworker-import-data.https-expected.txt
    M Source/WebCore/workers/shared/SharedWorkerScriptLoader.cpp

  Log Message:
  -----------
  Cherry-pick 305413.556@safari-7624-branch (7bbbcf272dea). https://bugs.webkit.org/show_bug.cgi?id=308765

    Inherit creating document's CSP for SharedWorkers loaded from headerless URLs
    https://bugs.webkit.org/show_bug.cgi?id=308765
    rdar://171287542

    Reviewed by Ryan Reno.

    SharedWorkerScriptLoader::notifyFinished() does not inherit the creating
    document's CSP when the worker URL carries no HTTP headers.
    Worker::didReceiveResponse() already handles this for DedicatedWorkers by
    checking for blob:, file:, and opaque-origin URLs.

    Apply the same check in SharedWorkerScriptLoader so that the creating
    context's CSP flows into the WorkerFetchResult before it reaches
    SharedWorkerGlobalScope.

    Tests: http/tests/security/contentSecurityPolicy/shared-worker-blob-url-inherits-csp-importScripts-blocked.html
           http/tests/security/contentSecurityPolicy/shared-worker-data-url-inherits-csp-importScripts-blocked.html

    * 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-blob-url-inherits-csp-importScripts-blocked-expected.txt:
 Added.
    * 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-blob-url-inherits-csp-importScripts-blocked.html:
 Added.
    * 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-data-url-inherits-csp-importScripts-blocked-expected.txt:
 Added.
    * 
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-data-url-inherits-csp-importScripts-blocked.html:
 Added.
    * 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-data-set-timeout.sub-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.http-rp/upgrade/fetch.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.http-rp/upgrade/websocket.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.http-rp/upgrade/xhr.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.meta/upgrade/fetch.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.meta/upgrade/websocket.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-classic-data.meta/upgrade/xhr.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.http-rp/upgrade/fetch.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.http-rp/upgrade/websocket.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.http-rp/upgrade/xhr.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.meta/upgrade/fetch.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.meta/upgrade/websocket.https-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/upgrade-insecure-requests/gen/sharedworker-module-data.meta/upgrade/xhr.https-expected.txt:
    * Source/WebCore/workers/shared/SharedWorkerScriptLoader.cpp:
    (WebCore::SharedWorkerScriptLoader::notifyFinished):

    Identifier: 305413.556@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.604@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 6eef706d1a6ed7668ee0dfbf62c1890fa3b3ac86
      
https://github.com/WebKit/WebKit/commit/6eef706d1a6ed7668ee0dfbf62c1890fa3b3ac86
  Author: Kai Tamkun <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A JSTests/stress/regress-172736082.js
    M Source/JavaScriptCore/bytecode/AccessCase.cpp

  Log Message:
  -----------
  Cherry-pick 305413.557@safari-7624-branch (9431ad8551c6). https://bugs.webkit.org/show_bug.cgi?id=310293

    [JSC] Track customSlotBase for CustomAccessorGetter/CustomAccessorSetter
    https://bugs.webkit.org/show_bug.cgi?id=310293
    rdar://172736082

    Reviewed by Yusuke Suzuki.

    This ensures that CustomAccessorGetter/CustomAccessorSetter will track customSlotBase.

    Test: JSTests/stress/regress-172736082.js

    * JSTests/stress/regress-172736082.js: Added.
    (main.createPoly.f):
    (main.createPoly):
    (main.opt):
    (main):
    * Source/JavaScriptCore/bytecode/AccessCase.cpp:
    (JSC::AccessCase::forEachDependentCell const): Track customSlotBase

    Identifier: 305413.557@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.605@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: c5e7e6d3bbbfed38aec819f2a25ff89b7c5da60c
      
https://github.com/WebKit/WebKit/commit/c5e7e6d3bbbfed38aec819f2a25ff89b7c5da60c
  Author: Brady Eidson <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp
    M Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h
    M Source/WebKit/NetworkProcess/NetworkProcess.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm

  Log Message:
  -----------
  Cherry-pick 305413.560@safari-7624-branch (e1706a288fb5). https://bugs.webkit.org/show_bug.cgi?id=310293

    BroadcastChannel cross-origin spoof
    rdar://172230453

    Reviewed by Charlie Wolfe.

    A compromised web content process can send a malicious message to the Networking process
    to register for broadcast channel messages it should not have access to.

    This adds message checks to validate that the IPC::Connection these messages are
    coming from has access to the top security origin claimed.

    Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/BroadcastChannelOriginSpoof.mm

    * Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:
    (WebKit::NetworkBroadcastChannelRegistry::isOriginAllowedForConnection const):
    (WebKit::NetworkBroadcastChannelRegistry::registerChannel):
    (WebKit::NetworkBroadcastChannelRegistry::unregisterChannel):
    (WebKit::NetworkBroadcastChannelRegistry::postMessage):
    * Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:
    * Source/WebKit/NetworkProcess/NetworkProcess.cpp:
    (WebKit::NetworkProcess::allowsFirstPartyForCookies): Remove an unnecessary ASSERT that prevents
      this from being tested in the debug configuration.

    * Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm:
    (-[BroadcastChannelSpoofMessageHandler userContentController:didReceiveScriptMessage:]):
    ((NetworkProcess, BroadcastChannelOriginSpoof)):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/PasteHTML.mm:

    Identifier: 305413.560@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.606@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89
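
Added example, not part of these commits or of WebKit's source: a simplified C++ model of the broker-side checks described in this commit and in the earlier didPostMessage commit, where an identifier claimed by a content process is validated against state the privileged process already holds. The names isAssociatedWithPage and isOriginAllowedForConnection are borrowed from the changed-function lists; the Broker and ProcessRecord types, the reject policy and every sample value are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <utility>

using ProcessID = uint32_t;
using PageID = uint64_t;

// Hypothetical broker-side record of what one content process may touch.
struct ProcessRecord {
    std::set<PageID> pages;            // pages hosted by this process
    std::set<PageID> remotePages;      // pages it takes part in remotely (site isolation)
    std::set<std::string> topOrigins;  // top origins this connection may claim
};

enum class Verdict { Accepted, Rejected };

class Broker {
public:
    void addProcess(ProcessID pid, ProcessRecord record) { m_processes[pid] = std::move(record); }

    // Never trust the identifier alone: resolve it against the sender's own record.
    bool isAssociatedWithPage(ProcessID sender, PageID page) const
    {
        auto it = m_processes.find(sender);
        if (it == m_processes.end())
            return false;
        return it->second.pages.count(page) || it->second.remotePages.count(page);
    }

    bool isOriginAllowedForConnection(ProcessID sender, const std::string& topOrigin) const
    {
        auto it = m_processes.find(sender);
        return it != m_processes.end() && it->second.topOrigins.count(topOrigin);
    }

    Verdict didPostMessage(ProcessID sender, PageID claimedPage)
    {
        if (!isAssociatedWithPage(sender, claimedPage))
            return reject(sender);
        ++m_delivered[claimedPage];
        return Verdict::Accepted;
    }

    Verdict registerChannel(ProcessID sender, const std::string& claimedTopOrigin, const std::string& name)
    {
        if (!isOriginAllowedForConnection(sender, claimedTopOrigin))
            return reject(sender);
        m_channels[std::make_pair(claimedTopOrigin, name)].insert(sender);
        return Verdict::Accepted;
    }

    unsigned deliveredTo(PageID page) const
    {
        auto it = m_delivered.find(page);
        return it == m_delivered.end() ? 0 : it->second;
    }

    bool isRegistered(ProcessID pid, const std::string& topOrigin, const std::string& name) const
    {
        auto it = m_channels.find(std::make_pair(topOrigin, name));
        return it != m_channels.end() && it->second.count(pid);
    }

    unsigned rejectedCount(ProcessID pid) const
    {
        auto it = m_rejected.find(pid);
        return it == m_rejected.end() ? 0 : it->second;
    }

private:
    // This sketch only counts rejections; handling of the sender is a policy choice.
    Verdict reject(ProcessID sender) { ++m_rejected[sender]; return Verdict::Rejected; }

    std::map<ProcessID, ProcessRecord> m_processes;
    std::map<PageID, unsigned> m_delivered;
    std::map<ProcessID, unsigned> m_rejected;
    std::map<std::pair<std::string, std::string>, std::set<ProcessID>> m_channels;
};

// Constructed scenario: process 1 hosts page 10 and is remote for page 20;
// process 2 hosts page 20 only.
Broker makeConstructedBroker()
{
    ProcessRecord a, b;
    a.pages.insert(10); a.remotePages.insert(20); a.topOrigins.insert("https://a.example");
    b.pages.insert(20); b.topOrigins.insert("https://b.example");
    Broker broker;
    broker.addProcess(1, a);
    broker.addProcess(2, b);
    return broker;
}

int main()
{
    Broker broker = makeConstructedBroker();
    std::printf("own page accepted: %d\n", broker.didPostMessage(1, 10) == Verdict::Accepted);
    std::printf("remote page accepted: %d\n", broker.didPostMessage(1, 20) == Verdict::Accepted);
    std::printf("foreign page rejected: %d\n", broker.didPostMessage(2, 10) == Verdict::Rejected);
    return 0;
}
```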


  Commit: 113bf5d87b08dad73739045d1cc8f828ebf088fc
      
https://github.com/WebKit/WebKit/commit/113bf5d87b08dad73739045d1cc8f828ebf088fc
  Author: Youenn Fablet <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A LayoutTests/http/wpt/webcodecs/h264_bad_avc-expected.txt
    A LayoutTests/http/wpt/webcodecs/h264_bad_avc.html
    M 
Source/ThirdParty/libwebrtc/Source/webrtc/webkit_sdk/objc/components/video_codec/nalu_rewriter.cc

  Log Message:
  -----------
  Cherry-pick 305413.562@safari-7624-branch (5f19c89ea2f0). https://bugs.webkit.org/show_bug.cgi?id=310293

    Integer underflow leads to crash in ComputeH264InfoFromAVC
    rdar://171989035

    Reviewed by Andy Estes.

    We add a check to validate that the size of an encoded sequence parameter set NALU is greater than the NALU prefix.

    Test: http/wpt/webcodecs/h264_bad_avc.html

    * LayoutTests/http/wpt/webcodecs/h264_bad_avc-expected.txt: Added.
    * LayoutTests/http/wpt/webcodecs/h264_bad_avc.html: Added.
    * 
Source/ThirdParty/libwebrtc/Source/webrtc/webkit_sdk/objc/components/video_codec/nalu_rewriter.cc:

    Identifier: 305413.562@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.607@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: d225093a758840b2eeaca588f38080f3825acc7f
      
https://github.com/WebKit/WebKit/commit/d225093a758840b2eeaca588f38080f3825acc7f
  Author: Kimmo Kinnunen <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj
    M Source/ThirdParty/ANGLE/src/common/mathutil.h
    M Source/ThirdParty/ANGLE/src/common/utilities_unittest.cpp
    M Source/ThirdParty/ANGLE/src/tests/gl_tests/WebGLCompatibilityTest.cpp

  Log Message:
  -----------
  Cherry-pick 305413.563@safari-7624-branch (b0e22543a19b). https://bugs.webkit.org/show_bug.cgi?id=310535

    ANGLE: IndexRange integer overflow bypasses vertex index validation
    https://bugs.webkit.org/show_bug.cgi?id=310535
    rdar://173006046

    Reviewed by Dan Glastonbury.

    IndexRange would mark up index range with uint32_t start, uint32_t count
    which can not easily represent range [0, 0xFFFFFFFF].
    Switch to start, end markup, with start > end marking empty range.

    * Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj:
    * Source/ThirdParty/ANGLE/src/common/mathutil.h:
    (gl::IndexRange::IndexRange):
    (gl::IndexRange::isEmpty const):
    (gl::IndexRange::end const):
    (gl::IndexRange::vertexCount const):
    (gl::operator==): Deleted.
    * Source/ThirdParty/ANGLE/src/common/utilities_unittest.cpp:
    * Source/ThirdParty/ANGLE/src/tests/gl_tests/WebGLCompatibilityTest.cpp:

    Identifier: 305413.563@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.608@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89
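
Added example, not part of this commit or of ANGLE's source: a simplified C++ model of the two markups the log message contrasts, showing why a uint32_t start/count pair loses the range [0, 0xFFFFFFFF] while an inclusive start/end pair with start > end as the empty marker does not. The struct names, the 64-bit vertexCount() return type and the buffer-capacity check are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Old-style markup as the log message describes it: start plus count, both
// uint32_t. (Simplified model, not ANGLE's class.)
struct StartCountRange {
    uint32_t start;
    uint32_t count;
};

// Building the range from the smallest and largest index seen:
// count = max - min + 1. For [0, 0xFFFFFFFF] the true count is 2^32,
// which does not fit in 32 bits and wraps to 0.
StartCountRange makeStartCount(uint32_t minIndex, uint32_t maxIndex)
{
    return { minIndex, maxIndex - minIndex + 1 };
}

// A bounds check written against this markup treats count == 0 as
// "no vertices referenced", so the wrapped range passes.
bool startCountFitsBuffer(StartCountRange r, uint64_t vertexCapacity)
{
    if (!r.count)
        return true;
    uint64_t last = static_cast<uint64_t>(r.start) + r.count - 1;
    return last < vertexCapacity;
}

// New-style markup: inclusive start and end; start > end means empty.
struct StartEndRange {
    uint32_t start;
    uint32_t end;

    StartEndRange() : start(1), end(0) {}                       // empty by default
    StartEndRange(uint32_t s, uint32_t e) : start(s), end(e) {}

    bool isEmpty() const { return start > end; }

    // Widened to 64 bits so that the full 32-bit range is representable.
    uint64_t vertexCount() const
    {
        return isEmpty() ? 0 : static_cast<uint64_t>(end) - start + 1;
    }
};

// No arithmetic is needed for the check: only the largest index matters.
bool startEndFitsBuffer(StartEndRange r, uint64_t vertexCapacity)
{
    return r.isEmpty() || r.end < vertexCapacity;
}

int main()
{
    const uint64_t capacity = 16; // constructed: a 16-vertex buffer
    StartCountRange wrapped = makeStartCount(0, 0xFFFFFFFFu);
    StartEndRange full(0, 0xFFFFFFFFu);
    std::printf("start/count: count=%u fits=%d\n", wrapped.count,
                startCountFitsBuffer(wrapped, capacity));
    std::printf("start/end:   count=%llu fits=%d\n",
                static_cast<unsigned long long>(full.vertexCount()),
                startEndFitsBuffer(full, capacity));
    return 0;
}
```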


  Commit: 19c689a799985683f23e1b4ff66c8de17a39b20d
      
https://github.com/WebKit/WebKit/commit/19c689a799985683f23e1b4ff66c8de17a39b20d
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A JSTests/stress/dfg-ensure-absence-own-then-property.js
    M Source/JavaScriptCore/dfg/DFGGraph.cpp

  Log Message:
  -----------
  Cherry-pick 305413.567@safari-7624-branch (eaf1fed3279c). https://bugs.webkit.org/show_bug.cgi?id=310578

    [JSC] Check initial object structure in tryEnsureAbsence in DFG
    https://bugs.webkit.org/show_bug.cgi?id=310578
    rdar://173052986

    Reviewed by Yijia Huang.

    In DFG, tryEnsureAbsence currently does not check the structure of the object
    on which it's trying to generate the conditions that a property remains absent.
    It only checks the structures of the objects on the prototype chain. This is
    incorrect in the case where the object itself contains the property we're trying to
    ensure absence of.

    Test: JSTests/stress/dfg-ensure-absence-own-then-property.js
    * JSTests/stress/dfg-ensure-absence-own-then-property.js: Added.
    (createObject1):
    (createObject2):
    (opt):
    (main):
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryEnsureAbsence):

    Identifier: 305413.567@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.609@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: e62f2ed3eca37a70151b9c553de3b902c139fa61
      
https://github.com/WebKit/WebKit/commit/e62f2ed3eca37a70151b9c553de3b902c139fa61
  Author: Tim Nguyen <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/forms/ios/select-open-pseudo-class-expected.txt
    A LayoutTests/fast/forms/ios/select-open-pseudo-class.html
    A 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open-click.optional-expected.txt
    A 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open-click.optional.html
    M 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional.html
    A 
LayoutTests/imported/w3c/web-platform-tests/css/selectors/invalidation/open-pseudo-class-in-has-expected.txt
    A 
LayoutTests/imported/w3c/web-platform-tests/css/selectors/invalidation/open-pseudo-class-in-has.html
    M 
LayoutTests/imported/w3c/web-platform-tests/css/selectors/open-pseudo-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-accessibility-minimum-target-size-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-dialog-mode-focus.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-events-2.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-events.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-focus-visible-with-mouse-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-home-end-pagedown-pageup-detailed.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-home-end-pagedown-pageup.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-inside-top-layer-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-keyboard-behavior.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-keyboard-focus-change-for-hidden-options.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-mouse-behavior-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-picker-exit-animation-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-picker-interactive-element-focus.optional-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-picker-starting-style-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-pseudo-light-dismiss-invalidation-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-synthetic-events-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-type-to-search.tentative-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/switch-picker-appearance-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-many-options.tentative-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-option-focusable.tentative-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-popover-position-with-zoom.tentative-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/show-picker-cross-origin-iframe-expected.txt
    M LayoutTests/platform/glib/TestExpectations
    A 
LayoutTests/platform/glib/imported/w3c/web-platform-tests/css/selectors/open-pseudo-expected.txt
    A 
LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-option-focusable.tentative-expected.txt
    M LayoutTests/platform/ios/TestExpectations
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/selectors/invalidation/open-pseudo-class-in-has-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/selectors/open-pseudo-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/button-in-popover-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-iterate-before-beginning.optional-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-keyboard-behavior.optional-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-mouse-behavior-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-option-hover-styles-expected.txt
    A 
LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-pseudo-open-expected.txt
    M LayoutTests/platform/win/TestExpectations
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WebCore/SaferCPPExpectations/UncheckedCallArgsCheckerExpectations
    M Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
    M Source/WebCore/accessibility/AccessibilityMenuList.cpp
    M Source/WebCore/css/CSSPseudoSelectors.json
    M Source/WebCore/css/SelectorChecker.cpp
    M Source/WebCore/css/SelectorCheckerTestFunctions.h
    M Source/WebCore/css/parser/CSSParserContext.cpp
    M Source/WebCore/css/parser/CSSParserContext.h
    M Source/WebCore/css/parser/CSSSelectorParserContext.cpp
    M Source/WebCore/css/parser/CSSSelectorParserContext.h
    M Source/WebCore/cssjit/SelectorCompiler.cpp
    M Source/WebCore/html/BaseDateAndTimeInputType.cpp
    M Source/WebCore/html/BaseDateAndTimeInputType.h
    M Source/WebCore/html/ColorInputType.cpp
    M Source/WebCore/html/ColorInputType.h
    M Source/WebCore/html/HTMLDetailsElement.cpp
    M Source/WebCore/html/HTMLDetailsElement.h
    M Source/WebCore/html/HTMLDialogElement.cpp
    M Source/WebCore/html/HTMLDialogElement.h
    M Source/WebCore/html/HTMLOptGroupElement.cpp
    M Source/WebCore/html/HTMLOptionElement.cpp
    M Source/WebCore/html/HTMLSelectElement.cpp
    M Source/WebCore/html/HTMLSelectElement.h
    M Source/WebCore/html/TextFieldInputType.cpp
    M Source/WebCore/html/TextFieldInputType.h
    M Source/WebCore/rendering/RenderMenuList.cpp
    M Source/WebCore/rendering/RenderMenuList.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm
    M Source/WebKit/UIProcess/ios/forms/WKFormSelectPicker.mm
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
    M Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm

  Log Message:
  -----------
  Cherry-pick 305413.571@safari-7624-branch (f76d6df54e60). https://bugs.webkit.org/show_bug.cgi?id=310578

    Implement CSS :open pseudo-class
    rdar://173253012

    Reviewed by Ryosuke Niwa, Anne van Kesteren, Aditya Keerthi and Simon Fraser.

    Cherry-pick 305917@main (842e79a7f433). https://bugs.webkit.org/show_bug.cgi?id=284398
    Cherry-pick 306546@main (c74593b7f29a). rdar://169307251
    Cherry-pick 307253@main (af169a2af053). rdar://170088926
    Cherry-pick 307294@main (6e1bf0271cf0). rdar://170091970
    Cherry-pick 308148@main (1fc35e3d7b6a). https://bugs.webkit.org/show_bug.cgi?id=307798
    Cherry-pick 307295@main (2e0a18f). rdar://170108337

    Co-authored-by: Luke Warlow <[email protected]>
    Co-authored-by: Anne van Kesteren <[email protected]>

    * LayoutTests/TestExpectations:
    * LayoutTests/fast/forms/ios/select-open-pseudo-class-expected.txt: Added.
    * LayoutTests/fast/forms/ios/select-open-pseudo-class.html: Added.
    * 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open-click.optional-expected.txt:
 Added.
    * 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open-click.optional.html:
 Copied from 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional.html.
    * 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional.html:
    * 
LayoutTests/imported/w3c/web-platform-tests/css/selectors/invalidation/open-pseudo-class-in-has-expected.txt:
 Added.
    * 
LayoutTests/imported/w3c/web-platform-tests/css/selectors/invalidation/open-pseudo-class-in-has.html:
 Added.
    * 
LayoutTests/imported/w3c/web-platform-tests/css/selectors/open-pseudo-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-accessibility-minimum-target-size-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-dialog-mode-focus.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-events-2.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-events.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-focus-visible-with-mouse-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-home-end-pagedown-pageup-detailed.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-home-end-pagedown-pageup.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-inside-top-layer-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-keyboard-behavior.optional-expected.txt:
    * 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-keyboard-focus-change-for-hidden-options.optional-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-mouse-behavior-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-picker-exit-animation-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-picker-interactive-element-focus.optional-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-picker-starting-style-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-pseudo-light-dismiss-invalidation-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-synthetic-events-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-type-to-search.tentative-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/switch-picker-appearance-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-many-options.tentative-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-option-focusable.tentative-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-popover-position-with-zoom.tentative-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/show-picker-cross-origin-iframe-expected.txt:
    * LayoutTests/platform/glib/TestExpectations:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/css/selectors/open-pseudo-expected.txt: Added.
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/select-option-focusable.tentative-expected.txt: Added.
    * LayoutTests/platform/ios/TestExpectations:
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/css-pseudo/input-element-pseudo-open.optional-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/selectors/invalidation/open-pseudo-class-in-has-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/selectors/open-pseudo-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/button-in-popover-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-iterate-before-beginning.optional-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-keyboard-behavior.optional-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-mouse-behavior-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-option-hover-styles-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/forms/the-select-element/customizable-select/select-pseudo-open-expected.txt: Added.
    * LayoutTests/platform/win/TestExpectations:
    * Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
    * Source/WebCore/SaferCPPExpectations/UncheckedCallArgsCheckerExpectations:
    * Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations:
    * Source/WebCore/accessibility/AccessibilityMenuList.cpp:
    (WebCore::AccessibilityMenuList::press):
    (WebCore::AccessibilityMenuList::isCollapsed const):
    * Source/WebCore/css/CSSPseudoSelectors.json:
    * Source/WebCore/css/SelectorChecker.cpp:
    (WebCore::SelectorChecker::checkOne const):
    * Source/WebCore/css/SelectorCheckerTestFunctions.h:
    (WebCore::matchesOpenPseudoClass):
    * Source/WebCore/css/parser/CSSParserContext.cpp:
    (WebCore::add):
    * Source/WebCore/css/parser/CSSParserContext.h:
    * Source/WebCore/css/parser/CSSSelectorParserContext.cpp:
    (WebCore::CSSSelectorParserContext::CSSSelectorParserContext):
    (WebCore::add):
    * Source/WebCore/css/parser/CSSSelectorParserContext.h:
    * Source/WebCore/cssjit/SelectorCompiler.cpp:
    (WebCore::SelectorCompiler::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
    (WebCore::SelectorCompiler::addPseudoClassType):
    * Source/WebCore/html/BaseDateAndTimeInputType.cpp:
    (WebCore::BaseDateAndTimeInputType::showPicker):
    (WebCore::BaseDateAndTimeInputType::setPopupIsVisible):
    (WebCore::BaseDateAndTimeInputType::showDateTimeChooser):
    (WebCore::BaseDateAndTimeInputType::didChangeValueFromControl):
    (WebCore::BaseDateAndTimeInputType::didReceiveSpaceKeyFromControl):
    (WebCore::BaseDateAndTimeInputType::didEndChooser):
    (WebCore::BaseDateAndTimeInputType::closeDateTimeChooser):
    (WebCore::BaseDateAndTimeInputType::supportsReadOnly const): Deleted.
    (WebCore::BaseDateAndTimeInputType::shouldRespectListAttribute): Deleted.
    (WebCore::BaseDateAndTimeInputType::isPresentingAttachedView const): Deleted.
    * Source/WebCore/html/BaseDateAndTimeInputType.h:
    * Source/WebCore/html/ColorInputType.cpp:
    (WebCore::ColorInputType::setPopupIsVisible):
    (WebCore::ColorInputType::showPicker):
    (WebCore::ColorInputType::didEndChooser):
    (WebCore::ColorInputType::endColorChooser):
    (WebCore::ColorInputType::isPresentingAttachedView const): Deleted.
    (WebCore::ColorInputType::supportsRequired const): Deleted.
    (WebCore::ColorInputType::allowsShowPickerAcrossFrames): Deleted.
    (WebCore::ColorInputType::shouldRespectListAttribute): Deleted.
    (WebCore::ColorInputType::shouldResetOnDocumentActivation): Deleted.
    * Source/WebCore/html/ColorInputType.h:
    * Source/WebCore/html/HTMLDetailsElement.cpp:
    (WebCore::HTMLDetailsElement::attributeChanged):
    (WebCore::HTMLDetailsElement::isOpen const):
    * Source/WebCore/html/HTMLDetailsElement.h:
    * Source/WebCore/html/HTMLDialogElement.cpp:
    (WebCore::HTMLDialogElement::attributeChanged):
    (WebCore::HTMLDialogElement::isOpen const):
    * Source/WebCore/html/HTMLDialogElement.h:
    * Source/WebCore/html/HTMLOptGroupElement.cpp:
    * Source/WebCore/html/HTMLOptionElement.cpp:
    * Source/WebCore/html/HTMLSelectElement.cpp:
    (WebCore::HTMLSelectElement::didDetachRenderers):
    (WebCore::HTMLSelectElement::setOptionsChangedOnRenderer):
    (WebCore::HTMLSelectElement::platformHandleKeydownEvent):
    (WebCore::HTMLSelectElement::menuListDefaultEventHandler):
    (WebCore::HTMLSelectElement::showPopup):
    (WebCore::HTMLSelectElement::hidePopup):
    (WebCore::HTMLSelectElement::setPopupIsVisible):
    (WebCore::HTMLSelectElement::isOpen const):
    (WebCore::HTMLSelectElement::showPicker):
    (WebCore::HTMLSelectElement::itemStyle const):
    (WebCore::HTMLSelectElement::menuStyle const):
    (WebCore::HTMLSelectElement::popupDidHide):
    * Source/WebCore/html/HTMLSelectElement.h:
    (WebCore::HTMLSelectElement::size const): Deleted.
    (WebCore::HTMLSelectElement::multiple const): Deleted.
    (WebCore::HTMLSelectElement::allowsNonContiguousSelection const): Deleted.
    * Source/WebCore/html/TextFieldInputType.cpp:
    (WebCore::TextFieldInputType::isKeyboardFocusable const):
    (WebCore::TextFieldInputType::didCloseSuggestions):
    (WebCore::TextFieldInputType::displaySuggestions):
    (WebCore::TextFieldInputType::closeSuggestions):
    (WebCore::TextFieldInputType::setPopupIsVisible):
    (WebCore::TextFieldInputType::needsContainer const): Deleted.
    (WebCore::TextFieldInputType::supportsReadOnly const): Deleted.
    (WebCore::TextFieldInputType::shouldUseInputMethod const): Deleted.
    (WebCore::TextFieldInputType::isPresentingAttachedView const): Deleted.
    (WebCore::TextFieldInputType::isFocusingWithDataListDropdown const): Deleted.
    * Source/WebCore/html/TextFieldInputType.h:
    (WebCore::TextFieldInputType::needsContainer const):
    * Source/WebCore/rendering/RenderMenuList.cpp:
    (WebCore::RenderMenuList::RenderMenuList):
    (RenderMenuList::updateFromElement):
    (WebCore::RenderMenuList::willBeDestroyed): Deleted.
    (WebCore::RenderMenuList::popupMenuSize): Deleted.
    (WebCore::RenderMenuList::hostWindow const): Deleted.
    (RenderMenuList::showPopup): Deleted.
    (RenderMenuList::hidePopup): Deleted.
    (RenderMenuList::popupDidHide): Deleted.
    * Source/WebCore/rendering/RenderMenuList.h:
    * Source/WebCore/testing/Internals.cpp:
    (WebCore::Internals::isSelectPopupVisible):
    * Source/WebKit/UIProcess/WebPageProxy.h:
    * Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm:
    (WebKit::WebPageProxy::setSelectElementIsOpen):
    * Source/WebKit/UIProcess/ios/forms/WKFormSelectPicker.mm:
    (-[WKSelectPicker contextMenuInteraction:willDisplayMenuForConfiguration:animator:]):
    (-[WKSelectPicker contextMenuInteraction:willEndForConfiguration:animator:]):
    (-[WKSelectPicker resetContextMenuPresenter]):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
    * Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
    (WebKit::WebPage::setSelectElementIsOpen):

    Identifier: 305413.571@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.610@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: f85e703ff591279331105e48908936783055766c
      
https://github.com/WebKit/WebKit/commit/f85e703ff591279331105e48908936783055766c
  Author: Vignesh Rao <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/JavaScriptCore/bytecode/GetByStatus.cpp
    M Source/JavaScriptCore/bytecode/GetByStatus.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h

  Log Message:
  -----------
  Cherry-pick 305413.572@safari-7624-branch (2f13ea25a5fe). 
https://bugs.webkit.org/show_bug.cgi?id=309519

    [JSC] GetByStatus::computeFor should not walk proto chain for direct property access
    https://bugs.webkit.org/show_bug.cgi?id=309519
    rdar://171512268

    Reviewed by Keith Miller.

    When computing the GetByStatus, we should check if the property lookup is a
    direct property access before doing a prototype walk since direct accesses are
    not supposed to consult the prototype.

    * Source/JavaScriptCore/bytecode/GetByStatus.cpp:
    (JSC::GetByStatus::computeFor):
    * Source/JavaScriptCore/bytecode/GetByStatus.h:
    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
    (JSC::DFG::ConstantFoldingPhase::foldConstants):
    * Source/JavaScriptCore/dfg/DFGNodeType.h:
    (JSC::DFG::propertyLookupMode):

    Identifier: 305413.572@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.611@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 06cb742addd8da94a8403583b854a15d4f3c5a92
      
https://github.com/WebKit/WebKit/commit/06cb742addd8da94a8403583b854a15d4f3c5a92
  Author: Elika Etemad <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M LayoutTests/TestExpectations
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Revert "column-count: 1 should create a multi-column container"
rdar://172306151

Reviewed by Alan Baradlay.

There are some iBooks that set `column-count: 1` where they probably
should use `column-count: auto`, and this is creating nested multicol
situations that are behaving badly. Reverting the fix where we made
`column-count: 1` be a multi-column container (per spec) on the branch
for now, while we follow up with a hopefully more correct fix on trunk.

This reverts commit e10b646accd306950141c89cbd4ef2697e44d6f8.

* LayoutTests/TestExpectations:
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::willCreateColumns const):

Identifier: 305413.580@safari-7624-branch
Canonical link: 
https://commits.webkit.org/305877.612@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: eecf3a1a45e36288742acf797f9f0e6a72cb0f0d
      
https://github.com/WebKit/WebKit/commit/eecf3a1a45e36288742acf797f9f0e6a72cb0f0d
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc-expected.txt
    A LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc.html
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicySource.cpp

  Log Message:
  -----------
  Cherry-pick 305413.582@safari-7624-branch (8ed9a1e4e1e0). 
https://bugs.webkit.org/show_bug.cgi?id=308756

    Fix CSP 'self' source matching for opaque-origin documents
    https://bugs.webkit.org/show_bug.cgi?id=308756
    rdar://171275989

    Reviewed by Ryan Reno.

    WebKit fails to enforce base-uri 'self' inside sandboxed srcdoc iframes
    because the origin that 'self' resolves to (inherited from the parent)
    gets reset to the opaque origin when a <meta> CSP tag is processed, and
    schemeMatches() incorrectly allows HTTPS URLs to match when that origin
    has an empty scheme (opaque origins lack scheme/host/port tuple fields).

    Preserve the inherited self-origin for opaque-origin documents by
    skipping updateSourceSelf() when the security origin is opaque. Guard
    the 'self' scheme upgrade in schemeMatches() to require a non-empty
    scheme, preventing any URL from matching an opaque 'self'.

    Test: http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc.html

    * LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc-expected.txt: Added.
    * LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt:
    * Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext):
    * Source/WebCore/page/csp/ContentSecurityPolicySource.cpp:
    (WebCore::isSelfSourceSchemeUpgrade):
    (WebCore::ContentSecurityPolicySource::schemeMatches const):

    Identifier: 305413.582@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.613@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: c726aaceacf09a478c01c45d4fe2435932660780
      
https://github.com/WebKit/WebKit/commit/c726aaceacf09a478c01c45d4fe2435932660780
  Author: Vignesh Rao <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp

  Log Message:
  -----------
  Cherry-pick 305413.583@safari-7624-branch (3288160b72d5). 
https://bugs.webkit.org/show_bug.cgi?id=307669

    [JSC] BBQCallee should be kept alive between callsite collection and repatch
    https://bugs.webkit.org/show_bug.cgi?id=307669
    rdar://170223517

    Reviewed by Keith Miller.

    OMGOSREntryCallee is owned by BBQCallee, hence keeping the BBQCallee alive
    when we collect callsites to it should keep the OMGOSREntryCallee alive as
    well. We have to handle the edge case where there is an OMGOSREntryCallee
    alive without having a BBQCallee hence in such a case store a ref to this
    OMGOSREntryCallee in a separate vector.

    * Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
    (JSC::Wasm::CalleeGroup::updateCallsitesToCallUs):

    Identifier: 305413.583@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.614@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 3e87d5e89cde296a2938a48f8cb443ac31acface
      
https://github.com/WebKit/WebKit/commit/3e87d5e89cde296a2938a48f8cb443ac31acface
  Author: Sihui Liu <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A LayoutTests/storage/indexeddb/index-unique-negative-zero-private-expected.txt
    A LayoutTests/storage/indexeddb/index-unique-negative-zero-private.html
    A LayoutTests/storage/indexeddb/resources/index-unique-negative-zero.js
    M Source/WebCore/Modules/indexeddb/IDBKeyData.h
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseConnection.h
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.cpp
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.h
    M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp

  Log Message:
  -----------
  Cherry-pick 305413.585@safari-7624-branch (95b97d3d6fc0). 
https://bugs.webkit.org/show_bug.cgi?id=307669

    [IndexedDB] Use-After-Free caused by use of `-0.0` for HashMap Key
    rdar://172834266

    Reviewed by Brady Eidson.

    IndexValueStore uses HashMap with key type IDBKeyData to store index records. For IDBKeyData, when its type is Number
    or Date, the value passed to Hasher is a double. Since Hasher uses the raw bits to create the hash, -0.0 and +0.0
    produce different hashes, meaning the HashMap can have two separate entries for IDBKeyData values of -0.0 and +0.0.
    However, IDBKeyData::operator== returns true for -0.0 and +0.0 because it uses IEEE 754 comparison. This inconsistency
    can corrupt the map: for example, an attempt to remove the entry for +0.0 can match and destroy the entry for -0.0
    instead, leaving a cursor still referencing the freed entry (see the new test). To fix this, normalize -0.0 to +0.0
    before passing to Hasher.

    This patch also fixes two other issues. First, MemoryIndex::transactionAborted does not invalidate existing cursors when
    a transaction is aborted, so a cursor may hold a reference to an index record that is destroyed during the rollback.
    This patch fixes that by calling notifyCursorsOfAllRecordsChanged() before replaying the rollback.

    Second, the network process does not validate the DidFinishHandlingVersionChangeTransaction message. An uncompromised
    web content process will not send this message while the version change transaction is still in progress (i.e. before it
    is committed or aborted). The network process should verify this before proceeding, as the handler resets internal state
    such as UniqueIDBDatabase::m_versionChangeTransaction, which could lead to unexpected behavior.

    Test: storage/indexeddb/index-unique-negative-zero-private.html

    * LayoutTests/storage/indexeddb/index-unique-negative-zero-private-expected.txt: Added.
    * LayoutTests/storage/indexeddb/index-unique-negative-zero-private.html: Added.
    * LayoutTests/storage/indexeddb/resources/index-unique-negative-zero.js: Added.
    (prepareDatabase):
    (onOpenSuccess.transaction.onabort):
    (onOpenSuccess):
    (insertSecondRecord):
    (secondRecordFailed):
    (testCount.request.onsuccess):
    (testCount):
    (testCursor.request.onsuccess):
    (testCursor):
    * Source/WebCore/Modules/indexeddb/IDBKeyData.h:
    (WebCore::add):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp:
    (WebCore::IDBServer::MemoryIndex::transactionAborted):
    * Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp:
    (WebCore::IDBServer::UniqueIDBDatabase::isVersionChangeTransactionFinishingOrFinished const):
    * Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h:
    * Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseConnection.h:
    * Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.cpp:
    (WebCore::IDBServer::UniqueIDBDatabaseTransaction::abort):
    (WebCore::IDBServer::UniqueIDBDatabaseTransaction::abortWithoutCallback):
    (WebCore::IDBServer::UniqueIDBDatabaseTransaction::commit):
    * Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.h:
    (WebCore::IDBServer::UniqueIDBDatabaseTransaction::isFinishingOrFinished const):
    (WebCore::IDBServer::UniqueIDBDatabaseTransaction::setIsFinishingOrFinished):
    * Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
    (WebKit::NetworkStorageManager::didFinishHandlingVersionChangeTransaction):

    Identifier: 305413.585@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.615@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89
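
Added example (not part of the commit and not WebKit code): a simplified C++ model of the hash/equality mismatch that the IndexedDB commit message above describes. ProbeTable, RawBitsHash, NormalizedHash and runScenario are hypothetical names, and the eight-slot linear-probing table is an assumption standing in for a real hash map.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed model for illustration; none of these names are WebKit's.
// Hashes the raw IEEE 754 bit pattern, so -0.0 (sign bit set) and +0.0 differ.
struct RawBitsHash {
    std::uint64_t operator()(double d) const {
        std::uint64_t h;
        std::memcpy(&h, &d, sizeof h);
        for (int shift = 32; shift; shift >>= 1)
            h ^= h >> shift; // xor-fold so the high bits reach the slot index
        return h;
    }
};

// The fix the commit message describes: normalize -0.0 to +0.0 before hashing.
struct NormalizedHash {
    std::uint64_t operator()(double d) const { return RawBitsHash{}(d == 0.0 ? 0.0 : d); }
};

// Eight-slot open-addressing table, linear probing; keys compare with IEEE 754 ==.
template <typename Hash>
class ProbeTable {
public:
    // Rejects the key if an equal key is already reachable on its probe path.
    bool add(double key) {
        if (probe(key) >= 0)
            return false;
        for (std::size_t n = 0; n < kSlots; ++n) {
            Slot& slot = m_slots[(home(key) + n) % kSlots];
            if (slot.state != Full) {
                slot.state = Full;
                slot.key = key;
                return true;
            }
        }
        return false; // table is full
    }

    bool remove(double key) {
        int index = probe(key);
        if (index >= 0)
            m_slots[index].state = Deleted;
        return index >= 0;
    }

    // Number of stored records whose key compares equal to `key`.
    int countEqualTo(double key) const {
        int count = 0;
        for (const Slot& slot : m_slots)
            count += (slot.state == Full && slot.key == key) ? 1 : 0;
        return count;
    }

private:
    enum State { Empty, Full, Deleted };
    struct Slot { State state = Empty; double key = 0.0; };
    static constexpr std::size_t kSlots = 8;
    std::size_t home(double key) const { return Hash{}(key) % kSlots; }

    // Index of the slot holding an equal key, or -1 once the probe hits an empty slot.
    int probe(double key) const {
        for (std::size_t n = 0; n < kSlots; ++n) {
            std::size_t index = (home(key) + n) % kSlots;
            if (m_slots[index].state == Empty)
                return -1;
            if (m_slots[index].state == Full && m_slots[index].key == key)
                return static_cast<int>(index);
        }
        return -1;
    }

    std::array<Slot, kSlots> m_slots;
};

struct Outcome { int afterInserts; int afterRemove; };

// Adds -0.0 then +0.0, then removes +0.0, counting records equal to zero.
// neighbourFirst stores 2.0 first; under RawBitsHash it takes -0.0's home slot.
template <typename Hash>
Outcome runScenario(bool neighbourFirst) {
    ProbeTable<Hash> table;
    if (neighbourFirst)
        table.add(2.0);
    table.add(-0.0);
    table.add(0.0);
    int afterInserts = table.countEqualTo(0.0);
    table.remove(0.0);
    return { afterInserts, table.countEqualTo(0.0) };
}

int main() { return runScenario<NormalizedHash>(false).afterInserts == 1 ? 0 : 1; }
```

With the raw-bits hash the outcome depends on an unrelated key: in one layout the table holds two records for keys that compare equal and removing +0.0 leaves one behind, in the other the removal of +0.0 erases the record stored as -0.0. With the normalized hash both layouts give one record and a clean removal.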


  Commit: 184b2f63a5a19c775dbf24738841ddac043a7e31
      
https://github.com/WebKit/WebKit/commit/184b2f63a5a19c775dbf24738841ddac043a7e31
  Author: Brady Eidson <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/coreipc.js

  Log Message:
  -----------
  Cherry-pick 305413.590@safari-7624-branch (d9af1bf8d315). 
https://bugs.webkit.org/show_bug.cgi?id=307669

    DeclarativeWebPush-related message handlers accept arbitrary scopeURL
    rdar://172230225

    Reviewed by Simon Fraser.

    For declarative web push, web content processes message the networking process for
    4 different push related operations.

    As part of the message they include a scope URL for the push operation.
    A compromised web process can craft a message to spoof any scope URL.

    The fix is to have Networking validate the passed in scope URL to make sure the
    web process in question has access.

    Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm

    * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
    (WebKit::NetworkConnectionToWebProcess::navigatorSubscribeToPushService):
    (WebKit::NetworkConnectionToWebProcess::navigatorUnsubscribeFromPushService):
    (WebKit::NetworkConnectionToWebProcess::navigatorGetPushSubscription):
    (WebKit::NetworkConnectionToWebProcess::navigatorGetPushPermissionState):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm:
    ((NetworkProcess, PushSubscribeOriginSpoof)):
    ((NetworkProcess, PushUnsubscribeOriginSpoof)):
    ((NetworkProcess, PushGetSubscriptionOriginSpoof)):
    ((NetworkProcess, PushGetPermissionStateOriginSpoof)):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/coreipc.js:
    (ArgumentSerializer):

    Identifier: 305413.590@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.616@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 38452931a228829e430a6e72931784bd3867875c
      
https://github.com/WebKit/WebKit/commit/38452931a228829e430a6e72931784bd3867875c
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A LayoutTests/fast/events/popup-blocked-after-user-gesture-is-expired-after-post-message-expected.txt
    A LayoutTests/fast/events/popup-blocked-after-user-gesture-is-expired-after-post-message.html
    M Source/WebCore/page/LocalDOMWindow.cpp

  Log Message:
  -----------
  Cherry-pick 305413.591@safari-7624-branch (cb335a3aea4b). 
https://bugs.webkit.org/show_bug.cgi?id=310863

    postMessage can indefinitely extend the lifetime of a user gesture token
    https://bugs.webkit.org/show_bug.cgi?id=310863
    rdar://173355201

    Reviewed by Chris Dumez.

    Clear the user gesture token if it has been expired after postMessage.

    Test: fast/events/popup-blocked-after-user-gesture-is-expired-after-post-message.html

    * LayoutTests/fast/events/popup-blocked-after-user-gesture-is-expired-after-post-message-expected.txt: Added.
    * LayoutTests/fast/events/popup-blocked-after-user-gesture-is-expired-after-post-message.html: Added.
    * Source/WebCore/page/LocalDOMWindow.cpp:
    (WebCore::LocalDOMWindow::processPostMessage):

    Identifier: 305413.591@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.617@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: fbf00c5754e28ba62528527f8fc5f517144f3f69
      
https://github.com/WebKit/WebKit/commit/fbf00c5754e28ba62528527f8fc5f517144f3f69
  Author: Chris Dumez <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/WebCore/bindings/js/JSAttrCustom.cpp
    M Source/WebCore/dom/Attr.cpp
    M Source/WebCore/dom/Attr.h

  Log Message:
  -----------
  Cherry-pick 305413.607@safari-7624-branch (58480401ef67). 
https://bugs.webkit.org/show_bug.cgi?id=311242

    Potential use-after-free under JSAttr::visitAdditionalChildren()
    https://bugs.webkit.org/show_bug.cgi?id=311242
    rdar://173693441

    Reviewed by Ryosuke Niwa.

    The GC thread was dereferencing Attr::m_element to call opaqueRoot() on
    it. This could lead to use-after-free when the Attr's element gets
    destroyed concurrently by the main thread.

    Address the issue by making the following two changes:
    - Make Attr::m_element a CheckedPtr instead of a WeakPtr, to make it clear
      it only gets nulled out by Attr::detachFromElementWithValue().
    - Introduce a Lock that gets acquired when m_element gets updated on the
      main thread and when the GC thread is accessing it.

    * Source/WebCore/bindings/js/JSAttrCustom.cpp:
    (WebCore::JSAttr::visitAdditionalChildren):
    * Source/WebCore/dom/Attr.cpp:
    (WebCore::Attr::detachFromElementWithValue):
    (WebCore::Attr::attachToElement):
    (WebCore::Attr::visitOwnerElementInGCThread):
    * Source/WebCore/dom/Attr.h:

    Identifier: 305413.607@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.618@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 29dca252e7e2404c46ae7b02337091bd94b3944c
      
https://github.com/WebKit/WebKit/commit/29dca252e7e2404c46ae7b02337091bd94b3944c
  Author: Anand Srinivasan <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A JSTests/wasm/stress/wasm-imported-string-oom-exception.js
    M Source/JavaScriptCore/wasm/js/WebAssemblyCompileOptions.cpp

  Log Message:
  -----------
  Cherry-pick 305413.610@safari-7624-branch (5a151853d699). 
https://bugs.webkit.org/show_bug.cgi?id=310576

    WebAssemblyCompileOptions::tryCreate should throw on OOM
    https://bugs.webkit.org/show_bug.cgi?id=310576
    rdar://173135164

    Reviewed by Yusuke Suzuki, Yijia Huang, and Dan Hecht.

    When importing string constants, WebAssemblyCompileOptions::tryCreate
    may run out of memory when trying to convert a big enough rope to a
    string, in which case it should throw an out of memory exception,
    which is not currently done.

    Test: JSTests/wasm/stress/wasm-imported-string-oom-exception.js

    * JSTests/wasm/stress/wasm-imported-string-oom-exception.js: Added.
    (main):
    (catch):
    * Source/JavaScriptCore/wasm/js/WebAssemblyCompileOptions.cpp:
    (JSC::WebAssemblyCompileOptions::tryCreate):

    Identifier: 305413.610@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.619@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 795fb96f9d3692e627de8bf0f78f264061d0547b
      
https://github.com/WebKit/WebKit/commit/795fb96f9d3692e627de8bf0f78f264061d0547b
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/JavaScriptCore/runtime/JSLock.cpp
    M Source/JavaScriptCore/runtime/JSLock.h

  Log Message:
  -----------
  Cherry-pick 305413.611@safari-7624-branch (729df7fb2917). 
https://bugs.webkit.org/show_bug.cgi?id=311431

    [JSC] JSLock m_hasOwnerThread has concurrency issue
    https://bugs.webkit.org/show_bug.cgi?id=311431
    rdar://173797266

    Reviewed by Dan Hecht.

    JSLock::lock is storing `true` flag to JSLock::m_hasOwnerThread after
    store-store-barrier. However loading this is not having a barrier. This
    is problematic since JSLock is keeping two fields in sync: m_hasOwnerThread
    and m_ownerThread. But ordering of stores to them and visibility of the
    state of them must be strongly controlled, otherwise, random thread
    accidentally think that "we are already taking a lock" while it is not.
    In particular, currentThreadIsHoldingLock has a bug that we are loading
    these two fields without any barriers. So CPU can freely change the
    visibility of the other thread's store to them. We may see a state that
    m_hasOwnerThread is true, but m_ownerThread is not stored yet.

    This patch fixes this issue by using release-acquire load/store for
    m_hasOwnerThread. This ensures the load and store ordering before and
    after this variable. So we can guarantee that m_ownerThread is not a
    stale state.

    * Source/JavaScriptCore/runtime/JSLock.cpp:
    * Source/JavaScriptCore/runtime/JSLock.h:
    (JSC::JSLock::ownerThread const):
    (JSC::JSLock::ownerThreadUID const):
    (JSC::JSLock::currentThreadIsHoldingLock):

    Identifier: 305413.611@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.620@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


  Commit: 41a81774ad6a4b59c55699dadc1838c6c198ef6e
      
https://github.com/WebKit/WebKit/commit/41a81774ad6a4b59c55699dadc1838c6c198ef6e
  Author: Vignesh Rao <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/JavaScriptCore/runtime/StringPrototypeInlines.h

  Log Message:
  -----------
  Cherry-pick 305413.612@safari-7624-branch (967ea3fc3a3a). 
https://bugs.webkit.org/show_bug.cgi?id=310901

    replaceAllWithCacheUsingRegExpSearchThreeArguments fails to throw exception in string resolution
    https://bugs.webkit.org/show_bug.cgi?id=310901
    rdar://173300626

    Reviewed by Keith Miller.

    String resolution in replaceAllWithCacheUsingRegExpSearchThreeArguments can
    OOM and set an exception. Hence we should check for exception after the
    resolution finishes.

    * Source/JavaScriptCore/runtime/StringPrototypeInlines.h:
    (JSC::replaceAllWithCacheUsingRegExpSearchThreeArguments):

    Identifier: 305413.612@safari-7624-branch

Canonical link: 
https://commits.webkit.org/305877.621@eng/backports-01KS12QJPYYAXWGD596DRZ4Z89


Compare: https://github.com/WebKit/WebKit/compare/4f541fa63f96...41a81774ad6a
