Branch: refs/heads/webkitglib/2.48
Home: https://github.com/WebKit/WebKit
Commit: 0429bb40ea0f3df54da26a59b52682bf04df0f98
https://github.com/WebKit/WebKit/commit/0429bb40ea0f3df54da26a59b52682bf04df0f98
Author: Rupin Mittal <[email protected]>
Date: 2025-07-31 (Thu, 31 Jul 2025)
Changed paths:
M Source/WebKit/UIProcess/API/APINavigationResponse.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm
Log Message:
-----------
Cherry-pick 289651.561@safari-7621-branch (79d73e8fd28f).
https://bugs.webkit.org/show_bug.cgi?id=287662
Download Origin Spoof via Back Navigation Triggers Automatic Download
https://bugs.webkit.org/show_bug.cgi?id=293994
rdar://150453890
Reviewed by Brady Eidson.
When a download is triggered, WebKit calls the delegate function:
download:decideDestinationUsingResponse:suggestedFilename:completionHandler
and passes in a WKDownload object. The client may use the originatingFrame
property of the WKDownload to show which domain is asking for a download.
In the case where the download is started as a result of a back-forward
navigation, WebKit currently says the originatingFrame is the frame that
is currently displayed in the WebView that is on the screen. Which means
the following sequence of events is possible:
1. Navigate to site1.com
2. Navigate to site2.com
3. Go back <--- somehow this starts a download
(maybe a malicicous script intervenes)
4. A prompt may show saying that "site2.com wants to start a download"
But site2 did not start the download. This message is misleading.
We fix this by ensuring that if a back-forward navigation is converted
to a download, the originating frame information is empty, rather than
being the information of the site currently displayed in the WebView.
A second scenario is also possible:
1. Navigate to site1.com
2. User types in site2.com to navigate there <--- somehow starting a
download
(maybe a malicicous
script intervenes)
3. A prompt may show saying that "site1.com wants to start a download"
Again, the download should not be attributed to site1.
We make the same change here--if a client initiated navigation starts a
download, the originating frame information is empty, rather than
being the information of the site currently displayed in the WebView.
This is tested by two new API tests.
* Source/WebKit/UIProcess/API/APINavigation.h:
(API::Navigation::originatingFrameInfo const):
* Source/WebKit/UIProcess/API/APINavigationResponse.cpp:
(API::NavigationResponse::navigationInitiatingFrame):
* Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp:
(WebKit::legacyEmptyFrameInfo):
(WebKit::DownloadProxy::DownloadProxy):
* Source/WebKit/UIProcess/Downloads/DownloadProxy.h:
* Source/WebKit/UIProcess/Downloads/DownloadProxyMap.cpp:
(WebKit::DownloadProxyMap::createDownloadProxy):
* Source/WebKit/UIProcess/Downloads/DownloadProxyMap.h:
* Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::createDownloadProxy):
* Source/WebKit/UIProcess/Network/NetworkProcessProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::downloadOriginatingPage):
(WebKit::WebPageProxy::receivedPolicyDecision):
(WebKit::WebPageProxy::receivedNavigationResponsePolicyDecision):
A DownloadProxy is created in receivedPolicyDecision and in
receivedNavigationResponsePolicyDecision. This will contain the
originating frame information that could be used later to attribute
the download to a site.
Here, we'll check if the download began a result of a back-forward
navigation (true if there is a 'targetItem') or if it began as a
result of a 'ClientOrUserInput' which signifies UI in the client being
used to programmatically trigger a navigation (typing in the search bar,
using the browser back button, etc).
In both cases, we set the originating frame information to be empty.
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::createDownloadProxy):
* Source/WebKit/UIProcess/WebProcessPool.h:
* Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp:
(WebKit::WebsiteDataStore::createDownloadProxy):
* Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm:
(TestWebKitAPI::OriginatingFrameAndUserGesture)):
(TestWebKitAPI::OriginatingFrameWhenConvertingNavigationInNewWindow)):
(TestWebKitAPI::OriginatingFrameHostWhenDownloadComesFromGoBackNavigation)):
(TestWebKitAPI::OriginatingFrameHostWhenDownloadComesFromClientInputNavigation)):
Canonical link: https://commits.webkit.org/289651.561@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.338@webkitglib/2.48
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
