Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 795ef8a1ac92461ca5538d06c759700e9fa20540
      
https://github.com/WebKit/WebKit/commit/795ef8a1ac92461ca5538d06c759700e9fa20540
  Author: Alex Christensen <[email protected]>
  Date:   2026-04-29 (Wed, 29 Apr 2026)

  Changed paths:
    M Source/WebCore/page/UserMessageHandler.cpp
    M Source/WebCore/page/UserMessageHandler.h
    M Source/WebKit/WebProcess/InjectedBundle/API/gtk/DOM/WebKitDOMDOMWindow.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebViewEvaluateJavaScript.mm

  Log Message:
  -----------
  UserMessageHandler.postMessage should fail if called from another frame
https://bugs.webkit.org/show_bug.cgi?id=307014
rdar://168617144

Reviewed by Chris Dumez.

Before this fix, a reference to the UserMessageHandler can be stored outside the
frame, then the frame can be navigated, then the stored reference can be used to
post messages that appeared to come from the navigated frame.  This adds a restriction
to make it so a UserMessageHandler can only be used by an origin that is the same
as the frame's current origin.

I considered an alternative solution where I just make sure the global objects are
the same, but that would be more of a restriction than this, and it's normal for
frames to be able to access and use each other's JS objects when they are in the same
origin, and this change is less drastic of a change.

Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm

* Source/WebCore/page/UserMessageHandler.cpp:
(WebCore::passesSameOriginCheck):
(WebCore::UserMessageHandler::postMessage):
(WebCore::UserMessageHandler::postLegacySynchronousMessage):
* Source/WebCore/page/UserMessageHandler.h:
(WebCore::UserMessageHandler::descriptor const):
(WebCore::UserMessageHandler::descriptor): Deleted.
* Source/WebKit/WebProcess/InjectedBundle/API/gtk/DOM/WebKitDOMDOMWindow.cpp:
(webkit_dom_dom_window_webkit_message_handlers_post_message):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebViewEvaluateJavaScript.mm:
(-[ScriptMessageHandlerThatShouldNotReceiveAnything userContentController:didReceiveScriptMessage:]):
(TEST(WKWebView, MessageHandlerFromIframe)):

Originally-landed-as: 305413.250@safari-7624-branch (c4006ba4ad2a). 
rdar://173969283
Canonical link: https://commits.webkit.org/312289@main
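The scenario the commit message describes, modeled as an added example (this is not WebKit code; `Frame`, `UserMessageHandler.post_message`, `simulate` and the `caller_origin` parameter are hypothetical simplifications standing in for WebCore's frame, security origin and global-object machinery). A script at origin A keeps a reference to the frame's handler, the frame is navigated to origin B, and the stale reference is used; without the check the message is delivered tagged with B's origin, with the check it is refused, while same-origin use by another frame still works:

```python
"""Toy model (added example, not WebKit code) of the origin restriction
described above: a UserMessageHandler reference that outlives a frame
navigation must not be usable to post messages on behalf of the frame's
new origin.  All names here are hypothetical, not WebCore's API."""

from dataclasses import dataclass, field


@dataclass
class Frame:
    """A browsing frame; `origin` changes when the frame navigates."""
    origin: str
    # Messages delivered to the native side, tagged with the frame origin
    # they appeared to come from (constructed bookkeeping for the model).
    received: list = field(default_factory=list)

    def navigate(self, new_origin: str) -> None:
        self.origin = new_origin


class UserMessageHandler:
    """Handler object exposed to page script, bound to one frame."""

    def __init__(self, frame: Frame, enforce_same_origin: bool):
        self._frame = frame
        self._enforce = enforce_same_origin

    def post_message(self, caller_origin: str, body: str) -> bool:
        """Deliver `body` tagged with the frame's current origin.

        `caller_origin` is the origin of the script holding the reference
        (hypothetical stand-in for the calling global object's security
        origin).  With enforcement on, a caller whose origin does not
        match the frame's current origin is refused, which is the
        restriction the fix introduces.  Returns True if delivered."""
        if self._enforce and caller_origin != self._frame.origin:
            return False
        self._frame.received.append((self._frame.origin, body))
        return True


def simulate(enforce_same_origin: bool) -> list:
    """Run the stale-reference scenario with or without the check.

    Origin A obtains the frame's handler and stores the reference, the
    frame navigates to origin B, then the origin-A script uses the
    stored reference.  Returns what reached the native side."""
    frame = Frame(origin="https://a.example")  # constructed sample origins
    stored_ref = UserMessageHandler(frame, enforce_same_origin)
    frame.navigate("https://b.example")
    stored_ref.post_message("https://a.example", "hello from stale reference")
    return frame.received


def same_origin_use(enforce_same_origin: bool = True) -> bool:
    """Same-origin access is still permitted with the check on, matching
    the commit message's point that same-origin frames normally share
    JS objects."""
    frame = Frame(origin="https://a.example")
    handler = UserMessageHandler(frame, enforce_same_origin)
    return handler.post_message("https://a.example", "from a same-origin sibling")


if __name__ == "__main__":
    print("without check:", simulate(False))  # message attributed to b.example
    print("with check:   ", simulate(True))   # nothing delivered
    print("same-origin:  ", same_origin_use())
```

The check compares the caller's origin against the frame's origin at call time rather than comparing global objects, which is the less restrictive of the two options the commit message weighs.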
