Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 6e9e17c1ad698a1bd5cb4989dc395f55df73f426
      https://github.com/WebKit/WebKit/commit/6e9e17c1ad698a1bd5cb4989dc395f55df73f426
  Author: Tyler Wilcock <[email protected]>
  Date:   2025-07-22 (Tue, 22 Jul 2025)

  Changed paths:
    A LayoutTests/accessibility/mac/invalid-tree-root-at-iframe-expected.txt
    A LayoutTests/accessibility/mac/invalid-tree-root-at-iframe.html
    M Source/WebCore/accessibility/AXObjectCache.cpp
    M Source/WebCore/accessibility/AXObjectCache.h
    M Source/WebCore/accessibility/AccessibilityObject.h
    M Source/WebCore/accessibility/AccessibilityScrollView.cpp
    M Source/WebCore/accessibility/AccessibilityScrollView.h
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
    M Source/WebKit/WebProcess/InjectedBundle/API/c/WKBundleFrame.cpp
    M Source/WebKit/WebProcess/InjectedBundle/API/c/WKBundleFramePrivate.h
    M Tools/WebKitTestRunner/InjectedBundle/AccessibilityController.cpp
    M Tools/WebKitTestRunner/InjectedBundle/atspi/AccessibilityControllerAtspi.cpp
    M Tools/WebKitTestRunner/InjectedBundle/ios/AccessibilityControllerIOS.mm
    M Tools/WebKitTestRunner/InjectedBundle/mac/AccessibilityControllerMac.mm

  Log Message:
  -----------
  AX: Dynamic page changes to iframes can cause their scroll-view to be set as the root, blocking assistive technologies from accessing the rest of the page content
https://bugs.webkit.org/show_bug.cgi?id=296298
rdar://156348748

Reviewed by Joshua Hoffman.

Prior to https://commits.webkit.org/297651@main, it was possible for an iframe's scroll-area child to be set as the
root of the isolated tree, preventing assistive technologies from accessing content outside of the iframe. This was
the sequence that caused this to happen:

  1. The iframe initially has a renderer, and is added to the isolated tree through normal means

  2. The iframe loses its renderer, e.g. via dynamic `display` change to `contents` or `none`

  3. Immediately after, something causes the scroll view child of the iframe to be queued up for a full isolated node
     update. One way this could happen is aria-hidden becoming false on the iframe, which would cause some or all descendants
     of the iframe to become unignored, which currently queues a full node update.

  4. Something initiates a flush of queued isolated tree updates, e.g. we are about to post a notification and need to
     flush queued updates to ensure we serve the request with an up-to-date tree.

  5. We run AXIsolatedTree::nodeChangeForObject. Because AccessibilityScrollView::parentObject used to return nullptr
     whenever its associated m_frameOwnerElement had no renderer, our scroll-view node change queued in step 3 thinks
     it has no parent. Prior to this commit, nodeChangeForObject used this as a signal that this was the root object,
     and set this iframe scroll-view as the root.

https://commits.webkit.org/297651@main fixed this by making AccessibilityScrollView::parentObject more resilient. This
commit further strengthens our logic here by creating an explicit AccessibilityScrollView::isRoot() function, and using
that in nodeChangeForObject.

In order to test this, WKAccessibilityRootObject needed changes, as it always used the main-thread to get the root object,
meaning it wasn't ever actually testing the root that real clients see. This commit makes WKAccessibilityRootObject
threadsafe, and updates AccessibilityController::rootElement to call that function on the AX thread when available.
This commit also makes the fact that WKAccessibilityRootObject should only be used for testing explicit by renaming it
to _WKAccessibilityRootObjectForTesting. I did this because making this function threadsafe requires a synchronous main-thread
hit to use the AXObjectCache. Synchronous main-thread hits are OK for testing, but not for real clients, so this renaming
makes it clear that we don't need to try to move this usage off the main-thread.

With this new testing fixture in place, the added layout test (accessibility/mac/invalid-tree-root-at-iframe.html)
reproduced the bug 100% of the time.

This commit also cleans up a couple incorrect comments that confused me while debugging this issue (one in
AXObjectCache::handleRoleChanged and another in AXIsolatedTree::storeTree).

* LayoutTests/accessibility/mac/invalid-tree-root-at-iframe-expected.txt: Added.
* LayoutTests/accessibility/mac/invalid-tree-root-at-iframe.html: Added.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::handleRoleChanged):
* Source/WebCore/accessibility/AXObjectCache.h:
* Source/WebCore/accessibility/AccessibilityObject.h:
(WebCore::AccessibilityObject::isRoot const):
* Source/WebCore/accessibility/AccessibilityScrollView.cpp:
(WebCore::AccessibilityScrollView::AccessibilityScrollView):
(WebCore::AccessibilityScrollView::isRoot const):
(WebCore::AccessibilityScrollView::ownerDebugDescription const):
* Source/WebCore/accessibility/AccessibilityScrollView.h:
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::storeTree):
(WebCore::AXIsolatedTree::nodeChangeForObject):
* Source/WebKit/WebProcess/InjectedBundle/API/c/WKBundleFrame.cpp:
(_WKAccessibilityRootObjectForTesting):
(WKAccessibilityRootObject): Deleted.
* Source/WebKit/WebProcess/InjectedBundle/API/c/WKBundleFramePrivate.h:
* Tools/WebKitTestRunner/InjectedBundle/AccessibilityController.cpp:
(WTR::AccessibilityController::rootElement):
* Tools/WebKitTestRunner/InjectedBundle/atspi/AccessibilityControllerAtspi.cpp:
(WTR::AccessibilityController::accessibleElementById):
(WTR::AccessibilityController::rootElement):
(WTR::AccessibilityController::focusedElement):
* Tools/WebKitTestRunner/InjectedBundle/ios/AccessibilityControllerIOS.mm:
(WTR::AccessibilityController::focusedElement):
(WTR::AccessibilityController::accessibleElementById):
* Tools/WebKitTestRunner/InjectedBundle/mac/AccessibilityControllerMac.mm:
(WTR::AccessibilityController::focusedElement):
(WTR::AccessibilityController::accessibleElementById):
(WTR::AccessibilityController::printTrees):

Canonical link: https://commits.webkit.org/297755@main
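
Added example (not part of the commit and not WebKit code): a small stand-alone model of the five-step sequence in the log message, contrasting a root chosen by inference from a missing parent with a root chosen by an explicit predicate. The types AXNode and IsolatedTree, the functions fragileParent, nodeChangeInferred, nodeChangeExplicit and replay, and the definition of isRoot used here are assumptions made for illustration.

```cpp
// Hypothetical, simplified model of the root-selection bug; not WebKit code.
#include <cstdio>
#include <string>

struct AXNode {
    const char* name;
    AXNode* owner;          // hosting object; nullptr only for the page's top node
    bool ownerHasRenderer;  // stands in for the frame owner element's renderer

    // Pre-fix lookup from step 5: gives up when the owner has no renderer.
    AXNode* fragileParent() const { return (owner && ownerHasRenderer) ? owner : nullptr; }

    // Assumed explicit predicate: root status does not depend on a parent lookup succeeding.
    bool isRoot() const { return owner == nullptr; }
};

struct IsolatedTree {
    const AXNode* root = nullptr;
    // Before: "no parent" is treated as "this is the root".
    void nodeChangeInferred(const AXNode& n) { if (!n.fragileParent()) root = &n; }
    // After: only a node that says it is the root can become the root.
    void nodeChangeExplicit(const AXNode& n) { if (n.isRoot()) root = &n; }
};

// Replays steps 1-5 and returns the name of the node that ends up as tree root.
std::string replay(bool useExplicitRootCheck) {
    AXNode page{"page-scroll-view", nullptr, true};
    AXNode iframe{"iframe", &page, true};
    AXNode frameScrollView{"iframe-scroll-view", &iframe, true};

    IsolatedTree tree;
    tree.nodeChangeExplicit(page);            // step 1: tree built normally
    frameScrollView.ownerHasRenderer = false; // step 2: iframe loses its renderer
    // steps 3-4: a full update for the iframe's scroll view is queued, then flushed
    if (useExplicitRootCheck)
        tree.nodeChangeExplicit(frameScrollView);
    else
        tree.nodeChangeInferred(frameScrollView);
    return tree.root->name;                   // step 5 outcome
}

int main() {
    std::printf("inferred root: %s\n", replay(false).c_str());
    std::printf("explicit root: %s\n", replay(true).c_str());
}
```

In the inferred variant the tree root is silently replaced by the iframe's scroll view, so everything outside the iframe becomes unreachable from the root; the explicit variant leaves the original root in place.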


