Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 848381b10b131279fad80378f877d50aab8d9036
https://github.com/WebKit/WebKit/commit/848381b10b131279fad80378f877d50aab8d9036
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-16 (Thu, 16 Apr 2026)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/accessibility/aria-owns-deep-chain-no-timeout-expected.txt
A LayoutTests/accessibility/aria-owns-deep-chain-no-timeout.html
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
Cherry-pick 311288@main (092bf6b43083).
https://bugs.webkit.org/show_bug.cgi?id=312284
AX: aria-owns cycle detection is unbounded, which can cause hangs for deep
aria-owns chains
https://bugs.webkit.org/show_bug.cgi?id=312284
rdar://174753621
Reviewed by Joshua Hoffman.
relationCausesCycle() walks the AX parent chain linearly for each aria-owns
relation.
Through aria-owns chaining (e0 owns e1, e1 owns e2, ...), the AX tree can
grow much
deeper than the DOM, making the total cost of cycle detection O(n^2). Cap
the walk at
1536 (512, the DOM parser limit, * 3) steps and reject the relation if we
can't verify
it is cycle-free within that limit.
This protects user against adversarially authored content, e.g. someone
intentionally trying to create a denial-of-service attack targeted at
assistive technology users, as it's extremely unlikely any web developer
would do something like this legitamately.
* LayoutTests/accessibility/aria-owns-deep-chain-no-timeout-expected.txt:
Added.
* LayoutTests/accessibility/aria-owns-deep-chain-no-timeout.html: Added.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::relationCausesCycle):
Canonical link: https://commits.webkit.org/311288@main
Canonical link: https://commits.webkit.org/305877.439@webkitglib/2.52
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
