Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c312747ab66d89c767c51172ca1eab0b9de5d288
      
https://github.com/WebKit/WebKit/commit/c312747ab66d89c767c51172ca1eab0b9de5d288
  Author: Chris Dumez <[email protected]>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    A 
LayoutTests/ipc/use-redirection-for-current-navigation-message-check-expected.txt
    A LayoutTests/ipc/use-redirection-for-current-navigation-message-check.html
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp

  Log Message:
  -----------
  [WebKit Networking] continueWillSendRequest m_redirectionForCurrentNavigation 
early-return reaches Cache::storeRedirect with unrestored cachePartition
https://bugs.webkit.org/show_bug.cgi?id=314862
rdar://176914483

Reviewed by Alex Christensen.

A compromised WebContent process can poison the Network Process persistent
disk cache for an arbitrary cross-origin partition.

NetworkConnectionToWebProcess::useRedirectionForCurrentNavigation accepts a
WebContent-supplied ResourceResponse with no validation and stashes it on the
loader as m_redirectionForCurrentNavigation. When the loader's WillSendRequest
async reply later delivers a WebContent-supplied ResourceRequest,
NetworkResourceLoader::continueWillSendRequest takes the
m_redirectionForCurrentNavigation early-return into willSendRedirectedRequest
*before* the setCachePartition(originalRequest().cachePartition()) restore,
so NetworkCache::Cache::storeRedirect keys the on-disk record by the
unvalidated WebContent-chosen {cachePartition, url} and persists the
WebContent-supplied 301 with WebContent-chosen Location:.

Fix this by:
  1. Hoisting the setCachePolicy/setCachePartition restore to the top of
     continueWillSendRequest so every path through the function — including the
     m_redirectionForCurrentNavigation, service-worker and m_shouldRestartLoad
     early returns — uses the original (Network-Process-side) cache partition,
     never the value round-tripped through the WebContent process.
  2. Promoting the debug ASSERT(isMainFrameLoad()) and
     ASSERT(response.isRedirection()) at the
     NetworkConnectionToWebProcess::useRedirectionForCurrentNavigation IPC
     entry point to MESSAGE_CHECKs. The legitimate sender
     (WebPage::useRedirectionForCurrentNavigation, driven by
     RedirectSOAuthorizationSession in the UI process) only ever targets the
     main-frame main-resource loader with a redirection response; anything else
     is a compromised WebContent process.

Test: ipc/use-redirection-for-current-navigation-message-check.html

* 
LayoutTests/ipc/use-redirection-for-current-navigation-message-check-expected.txt:
 Added.
* LayoutTests/ipc/use-redirection-for-current-navigation-message-check.html: 
Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::useRedirectionForCurrentNavigation):
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::continueWillSendRequest):

Originally-landed-as: 305413.915@safari-7624-branch (a547e707161f). 
rdar://180438355
Canonical link: https://commits.webkit.org/316193@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to