Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 73645abad282e4903019e36d01c753145fd79a14
https://github.com/WebKit/WebKit/commit/73645abad282e4903019e36d01c753145fd79a14
Author: Chris Dumez <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M
LayoutTests/editing/async-clipboard/clipboard-change-data-while-getting-type.html
M LayoutTests/editing/async-clipboard/clipboard-get-type-with-old-items.html
M LayoutTests/editing/async-clipboard/resources/async-clipboard-helpers.js
A
LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied-expected.txt
A
LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied.html
A
LayoutTests/http/tests/security/clipboard/resources/clipboard-access-from-iframe.html
M
LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https-expected.txt
M
LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https.html
M
LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/resources/user-activation.js
M Source/WebCore/Modules/async-clipboard/Clipboard.cpp
Log Message:
-----------
Cross-Origin Iframe Can Read Clipboard via Top-Level User Interaction in
Safari
https://bugs.webkit.org/show_bug.cgi?id=314806
rdar://176023893
Reviewed by Ryosuke Niwa.
navigator.clipboard.readText(), read(), writeText(), and write() relied on
WebKit's
legacy UserGestureIndicator for activation checks (directly for writes, via
LocalFrame::requestDOMPasteAccess() for reads).
LocalDOMWindow::processPostMessage
explicitly forwards the active UserGestureToken into the receiving iframe's
event
handler, so a user click on a top-level page let a cross-origin iframe see
"processing
a user gesture" and access the clipboard. This violates the W3C Clipboard API
spec,
which requires transient activation on the relevant global object.
Fix this by checking LocalDOMWindow::hasTransientActivation() at the entry
point of
each clipboard method. Transient activation is a property of the window and only
propagates to ancestor frames and same-origin descendant frames -- it is never
propagated to cross-origin descendants via postMessage. This matches the
behavior of
Blink and Firefox.
Test:
http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied.html
*
LayoutTests/editing/async-clipboard/clipboard-change-data-while-getting-type.html:
* LayoutTests/editing/async-clipboard/clipboard-get-type-with-old-items.html:
* LayoutTests/editing/async-clipboard/resources/async-clipboard-helpers.js:
Fix existing tests so they keep passing.
*
LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied-expected.txt:
Added.
*
LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied.html:
Added.
*
LayoutTests/http/tests/security/clipboard/resources/clipboard-access-from-iframe.html:
Added.
New test coverage.
*
LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https-expected.txt:
*
LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https.html:
*
LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/resources/user-activation.js:
Resync existing WPT test so it keeps passing.
* Source/WebCore/Modules/async-clipboard/Clipboard.cpp:
(WebCore::frameHasTransientActivation):
(WebCore::shouldProceedWithClipboardWrite):
(WebCore::Clipboard::readText):
(WebCore::Clipboard::read):
Originally-landed-as: 305413.908@safari-7624-branch (526ac3579021).
rdar://180436853
Canonical link: https://commits.webkit.org/316338@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications