Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c312747ab66d89c767c51172ca1eab0b9de5d288
https://github.com/WebKit/WebKit/commit/c312747ab66d89c767c51172ca1eab0b9de5d288
Author: Chris Dumez <[email protected]>
Date: 2026-06-30 (Tue, 30 Jun 2026)
Changed paths:
A
LayoutTests/ipc/use-redirection-for-current-navigation-message-check-expected.txt
A LayoutTests/ipc/use-redirection-for-current-navigation-message-check.html
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
Log Message:
-----------
[WebKit Networking] continueWillSendRequest m_redirectionForCurrentNavigation
early-return reaches Cache::storeRedirect with unrestored cachePartition
https://bugs.webkit.org/show_bug.cgi?id=314862
rdar://176914483
Reviewed by Alex Christensen.
A compromised WebContent process can poison the Network Process persistent
disk cache for an arbitrary cross-origin partition.
NetworkConnectionToWebProcess::useRedirectionForCurrentNavigation accepts a
WebContent-supplied ResourceResponse with no validation and stashes it on the
loader as m_redirectionForCurrentNavigation. When the loader's WillSendRequest
async reply later delivers a WebContent-supplied ResourceRequest,
NetworkResourceLoader::continueWillSendRequest takes the
m_redirectionForCurrentNavigation early-return into willSendRedirectedRequest
*before* the setCachePartition(originalRequest().cachePartition()) restore,
so NetworkCache::Cache::storeRedirect keys the on-disk record by the
unvalidated WebContent-chosen {cachePartition, url} and persists the
WebContent-supplied 301 with WebContent-chosen Location:.
Fix this by:
1. Hoisting the setCachePolicy/setCachePartition restore to the top of
continueWillSendRequest so every path through the function — including the
m_redirectionForCurrentNavigation, service-worker and m_shouldRestartLoad
early returns — uses the original (Network-Process-side) cache partition,
never the value round-tripped through the WebContent process.
2. Promoting the debug ASSERT(isMainFrameLoad()) and
ASSERT(response.isRedirection()) at the
NetworkConnectionToWebProcess::useRedirectionForCurrentNavigation IPC
entry point to MESSAGE_CHECKs. The legitimate sender
(WebPage::useRedirectionForCurrentNavigation, driven by
RedirectSOAuthorizationSession in the UI process) only ever targets the
main-frame main-resource loader with a redirection response; anything else
is a compromised WebContent process.
Test: ipc/use-redirection-for-current-navigation-message-check.html
*
LayoutTests/ipc/use-redirection-for-current-navigation-message-check-expected.txt:
Added.
* LayoutTests/ipc/use-redirection-for-current-navigation-message-check.html:
Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::useRedirectionForCurrentNavigation):
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::continueWillSendRequest):
Originally-landed-as: 305413.915@safari-7624-branch (a547e707161f).
rdar://180438355
Canonical link: https://commits.webkit.org/316193@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications