Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6aa96bce5d11350a8e088781eede139a860d8bb6
https://github.com/WebKit/WebKit/commit/6aa96bce5d11350a8e088781eede139a860d8bb6
Author: Rupin Mittal <[email protected]>
Date: 2026-06-30 (Tue, 30 Jun 2026)
Changed paths:
M LayoutTests/ipc/coreipc.js
A LayoutTests/ipc/loadping-firstpartyforcookies-message-check-expected.txt
A LayoutTests/ipc/loadping-firstpartyforcookies-message-check.html
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Missing allowsFirstPartyForCookies check in loadPing() IPC may lead to
cross-origin cookie access
https://bugs.webkit.org/show_bug.cgi?id=313496
rdar://174708224
Reviewed by Charlie Wolfe and Sihui Liu.
A web process could send an IPC message containing a cross-site origin and
loadPing() would then send the request to the cross-site origin which would
respond with its cookies.
To prevent this, add a MESSAGE_CHECK in loadPing() which will check if the
web process has first party cookie access to the origin in the request and
terminate the web process if not.
New layout test confirms that we hit the message check:
loadping-firstpartyforcookies-message-check.html
* LayoutTests/ipc/coreipc.js:
(export.ArgumentSerializer):
* LayoutTests/ipc/loadping-firstpartyforcookies-message-check-expected.txt:
Added.
* LayoutTests/ipc/loadping-firstpartyforcookies-message-check.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::loadPing):
Originally-landed-as: 305413.799@safari-7624-branch (fd5906672902).
rdar://180435156
Canonical link: https://commits.webkit.org/316167@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications