Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cfe162295f279478c8f8e5efdeec930aa6f874ef
      
https://github.com/WebKit/WebKit/commit/cfe162295f279478c8f8e5efdeec930aa6f874ef
  Author: Charlie Wolfe <charl...@apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/UIProcess/WebProcessProxy.messages.in
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/VerifyUserGestureFromUIProcess.mm

  Log Message:
  -----------
The lifetime of user gesture authorization tokens is owned by the WebContent process
rdar://117471805
https://bugs.webkit.org/show_bug.cgi?id=266607

Reviewed by Chris Dumez.

Authorization tokens are used to verify that a user gesture originated from the UI process. We do this because we do not want the web process to be able to fake a user gesture to perform a privileged action, like window.open(). Since the lifetime of these tokens is owned by the web process, a compromised web process could choose not to dispatch the `DidDestroyUserGestureToken()` IPC messages, and later spend several of the authorization tokens at the same time. To fix this, we should clear the previous authorization tokens once one is used to perform a privileged action. This will make it so a new user gesture is required for each window.open() call.

Also move a call to `recordUserGestureAuthorizationToken()` to `sendMouseEvent()` to match where we record the user gesture for key events.

The test verifies that if there are two windows backed by the same web process that a click in one used to open a pop-up doesn’t invalidate the click in the other window.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::sendMouseEvent):
(WebKit::WebPageProxy::processNextQueuedMouseEvent):
(WebKit::WebPageProxy::sendKeyEvent):
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::recordUserGestureAuthorizationToken):
(WebKit::WebProcessProxy::userInitiatedActivity):
(WebKit::WebProcessProxy::consumeIfNotVerifiablyFromUIProcess):
(WebKit::WebProcessProxy::didDestroyUserGestureToken):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Source/WebKit/UIProcess/WebProcessProxy.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp:
(WebKit::WebChromeClient::createWindow):
* Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::didSameDocumentNavigationForFrameViaJSHistoryAPI):
(WebKit::WebLocalFrameLoaderClient::dispatchDecidePolicyForNewWindowAction):
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::userGestureTokenIdentifier):
(WebKit::WebProcess::userGestureTokenDestroyed):
* Source/WebKit/WebProcess/WebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/VerifyUserGestureFromUIProcess.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/272361@main
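The token-lifetime problem the log message describes, modelled as an added C++ example. This is not WebKit code: the ledger class, the choice to clear every other outstanding token when one is spent, and the click ordering in the two-window case are assumptions made for illustration.

```cpp
// Added illustrative model, not WebKit code: class and function names are
// assumptions chosen to show why clearing outstanding tokens on use helps.
#include <cstddef>
#include <cstdint>
#include <set>

using TokenId = uint64_t;
// UI-process-side ledger (the role WebProcessProxy plays in the commit).
class TokenLedger {
public:
    explicit TokenLedger(bool clearOthersOnConsume) : m_clearOthersOnConsume(clearOthersOnConsume) { }
    // Recorded by the UI process when it sends a real mouse or key event.
    TokenId recordUserGesture() { m_outstanding.insert(++m_nextId); return m_nextId; }
    // Web process spends a token for a privileged action (e.g. window.open()).
    bool consume(TokenId id)
    {
        if (!m_outstanding.erase(id))
            return false; // not verifiably from the UI process
        if (m_clearOthersOnConsume)
            m_outstanding.clear(); // the fix: one gesture authorizes one action
        return true;
    }
    // Sent by the web process when a token dies; a compromised process can skip it.
    void didDestroyToken(TokenId id) { m_outstanding.erase(id); }
private:
    bool m_clearOthersOnConsume;
    TokenId m_nextId { 0 };
    std::set<TokenId> m_outstanding;
};

// Web process withholds every DidDestroy across `gestures` real gestures, then
// spends all hoarded tokens at once; returns how many the UI process accepts.
size_t hoardedTokensAccepted(bool clearOthersOnConsume, int gestures)
{
    TokenLedger ledger(clearOthersOnConsume);
    for (int i = 0; i < gestures; ++i)
        ledger.recordUserGesture(); // ids 1..gestures, none ever destroyed
    size_t accepted = 0;
    for (TokenId id = 1; id <= static_cast<TokenId>(gestures); ++id)
        accepted += ledger.consume(id) ? 1 : 0;
    return accepted;
}

// Two windows in one process: opening a pop-up from a click in the first must
// not invalidate a later click in the second (ordering is an assumption).
bool secondWindowStillAuthorized()
{
    TokenLedger ledger(true);
    return ledger.consume(ledger.recordUserGesture()) && ledger.consume(ledger.recordUserGesture());
}
```

Before the fix, three withheld tokens buy three privileged actions; after it, only the first succeeds, while a fresh gesture in the second window is still honoured.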


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
