Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ebeb54525a799f353a717f2492acf7066433efbc
      
https://github.com/WebKit/WebKit/commit/ebeb54525a799f353a717f2492acf7066433efbc
  Author: Timothy Hatcher <[email protected]>
  Date:   2026-05-01 (Fri, 01 May 2026)

  Changed paths:
    M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
    M Source/WebKit/UIProcess/API/Cocoa/WKWebViewPrivate.h
    M Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPIPortCocoa.mm
    M Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPIRuntimeCocoa.mm
    M Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPIScriptingCocoa.mm
    M Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPITabsCocoa.mm
    M Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionDynamicScriptsCocoa.mm
    M Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionMessagePortCocoa.mm
    M Source/WebKit/UIProcess/Extensions/WebExtensionContext.h
    M Source/WebKit/UIProcess/Extensions/WebExtensionContext.messages.in
    M Source/WebKit/UIProcess/Extensions/WebExtensionDynamicScripts.h
    M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIPortCocoa.mm
    M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIRuntimeCocoa.mm
    M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIScriptingCocoa.mm
    M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPITabsCocoa.mm
    M Source/WebKit/WebProcess/Extensions/API/WebExtensionAPIPort.h
    M Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.h
    M Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.messages.in
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIRuntime.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIScripting.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPITabs.mm

  Log Message:
  -----------
  Web Extensions: Propagate user gestures through sendMessage(), connect(), postMessage(), and executeScript().
https://webkit.org/b/313797
rdar://175797617

Reviewed by Brian Weinstein and Kiara Rose.

This fixes the following WECG issue: https://github.com/w3c/webextensions/issues/919

When an extension responds to a user action — action.onClicked, commands.onCommand, or
menus.onClicked — the gesture should carry through any subsequent sendMessage(), connect(),
port.postMessage(), or executeScript() call so that privileged DOM operations like video.play()
succeed on the receiving end. The gesture was previously dropped at each IPC boundary, leaving
content scripts and background pages with no knowledge that the original call came from deliberate
user interaction with the extension.

The fix threads a bool userGesture flag, captured via processingUserGesture() at each call site,
through the relevant IPC messages. On the receiving end, a std::optional<UserGestureIndicator>
reinstates the gesture only when the flag is set — using std::optional rather than constructing
the indicator unconditionally is required because the destructor always calls
resetShouldPropagateToMicroTask() even with nullopt, which silently breaks async promise resolution
in listeners that use await.

Gestures from content scripts and web pages (externally_connectable) are intentionally not
propagated to extension pages. A user clicking anywhere on a web page can trivially generate a
gesture, so currying that signal to the background would degrade the quality of the gesture as an
indicator of user intent toward the extension — and could be abused to trigger restricted APIs like
permissions.request() without the user explicitly interacting with the extension UI. Only gestures
originating from extension-initiated events carry sufficient signal to be trusted.

* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _callAsyncJavaScript:arguments:inFrame:inContentWorld:withUserGesture:completionHandler:]):
* Source/WebKit/UIProcess/API/Cocoa/WKWebViewPrivate.h:
* Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPIPortCocoa.mm:
(WebKit::WebExtensionContext::portPostMessage):
(WebKit::WebExtensionContext::addPorts):
(WebKit::WebExtensionContext::portQueuedMessages):
(WebKit::WebExtensionContext::firePortMessageEventsIfNeeded):
(WebKit::WebExtensionContext::fireQueuedPortMessageEventsIfNeeded):
(WebKit::WebExtensionContext::sendQueuedNativePortMessagesIfNeeded):
* Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPIRuntimeCocoa.mm:
(WebKit::WebExtensionContext::runtimeSendMessage):
(WebKit::WebExtensionContext::runtimeConnect):
(WebKit::WebExtensionContext::runtimeWebPageSendMessage):
(WebKit::WebExtensionContext::runtimeWebPageConnect):
* Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPIScriptingCocoa.mm:
(WebKit::WebExtensionContext::scriptingExecuteScript):
* Source/WebKit/UIProcess/Extensions/Cocoa/API/WebExtensionContextAPITabsCocoa.mm:
(WebKit::WebExtensionContext::tabsSendMessage):
(WebKit::WebExtensionContext::tabsConnect):
(WebKit::WebExtensionContext::tabsExecuteScript):
* Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionDynamicScriptsCocoa.mm:
(WebKit::WebExtensionDynamicScripts::executeScript):
* Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionMessagePortCocoa.mm:
(WebKit::WebExtensionMessagePort::sendMessage):
* Source/WebKit/UIProcess/Extensions/WebExtensionContext.h:
* Source/WebKit/UIProcess/Extensions/WebExtensionContext.messages.in:
* Source/WebKit/UIProcess/Extensions/WebExtensionDynamicScripts.h:
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIPortCocoa.mm:
(WebKit::WebExtensionAPIPort::postMessage):
(WebKit::WebExtensionAPIPort::fireMessageEventIfNeeded):
(WebKit::WebExtensionContextProxy::dispatchPortMessageEvent):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIRuntimeCocoa.mm:
(WebKit::WebExtensionAPIRuntime::sendMessage):
(WebKit::WebExtensionAPIRuntime::connect):
(WebKit::WebExtensionContextProxy::internalDispatchRuntimeMessageEvent):
(WebKit::WebExtensionContextProxy::dispatchRuntimeMessageEvent):
(WebKit::WebExtensionContextProxy::internalDispatchRuntimeConnectEvent):
(WebKit::WebExtensionContextProxy::dispatchRuntimeConnectEvent):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIScriptingCocoa.mm:
(WebKit::WebExtensionAPIScripting::executeScript):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPITabsCocoa.mm:
(WebKit::WebExtensionAPITabs::sendMessage):
(WebKit::WebExtensionAPITabs::connect):
(WebKit::WebExtensionAPITabs::executeScript):
* Source/WebKit/WebProcess/Extensions/API/WebExtensionAPIPort.h:
* Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.h:
* Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.messages.in:
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIRuntime.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIRuntime, SendMessageGestureFromContentScriptIsNotPropagated)):
(TestWebKitAPI::TEST(WKWebExtensionAPIRuntime, SendMessageGestureFromPopupIsPropagated)):
(TestWebKitAPI::TEST(WKWebExtensionAPIRuntime, SendMessageWithoutUserGestureFromContentScript)):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIScripting.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIScripting, ExecuteScriptWithDocumentIds)):
(TestWebKitAPI::TEST(WKWebExtensionAPIScripting, ExecuteScriptWithUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPIScripting, ExecuteScriptWithoutUserGesture)):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPITabs.mm:

Canonical link: https://commits.webkit.org/979c7ec417cb
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, SendMessageWithUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, SendMessageWithoutUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, ConnectWithUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, ConnectWithoutUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, PortPostMessageWithUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, PortPostMessageWithoutUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, PortPostMessageGestureFromContentScriptIsNotPropagated)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, ExecuteScriptWithUserGesture)):
(TestWebKitAPI::TEST(WKWebExtensionAPITabs, ExecuteScriptWithoutUserGesture)):

Canonical link: https://commits.webkit.org/312463@main
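
A minimal model of the two points the log message makes, added here as an example and not taken from the WebKit change: why the receiver wraps the indicator in std::optional, and why only an extension page's gesture is forwarded. PageState, GestureIndicator, Sender, gestureFlagFor and dispatch are hypothetical names, and the model assumes the state the destructor resets is what a pending await continuation depends on.

```cpp
#include <optional>

// All names are hypothetical stand-ins for this sketch, not WebKit types.
struct PageState {
    bool gestureActive = false;       // a user gesture is in effect
    bool propagateToMicrotask = true; // assumed: state a pending await continuation relies on
};

// RAII indicator whose destructor resets the microtask state even when built
// with no gesture, the behaviour the log message describes.
struct GestureIndicator {
    PageState& state;
    bool previous;
    GestureIndicator(PageState& s, std::optional<bool> gesture) : state(s), previous(s.gestureActive) {
        if (gesture)
            state.gestureActive = *gesture;
    }
    ~GestureIndicator() {
        state.gestureActive = previous;
        state.propagateToMicrotask = false; // unconditional side effect
    }
};

enum class Sender { ExtensionPage, ContentScript, WebPage };

// Flag carried in the IPC message: only an extension page's gesture is forwarded.
bool gestureFlagFor(Sender sender, bool processingUserGesture) {
    return sender == Sender::ExtensionPage && processingUserGesture;
}

struct Outcome { bool listenerSawGesture; bool microtaskStateIntact; };

// Receiver side; useOptional picks the std::optional form over unconditional construction.
Outcome dispatch(bool userGesture, bool useOptional) {
    PageState state;
    bool saw = false;
    if (useOptional) {
        std::optional<GestureIndicator> indicator;
        if (userGesture)
            indicator.emplace(state, true); // indicator exists only when the flag is set
        saw = state.gestureActive;
    } else {
        GestureIndicator indicator(state, userGesture ? std::optional<bool>(true) : std::nullopt);
        saw = state.gestureActive;
    }
    return { saw, state.propagateToMicrotask };
}

int main() { return dispatch(gestureFlagFor(Sender::ContentScript, true), true).microtaskStateIntact ? 0 : 1; }
```

With no gesture, the unconditional form still clears the microtask state on scope exit, while the std::optional form leaves it untouched; a click in a content script or web page never sets the flag in the first place.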


