Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 73645abad282e4903019e36d01c753145fd79a14
      https://github.com/WebKit/WebKit/commit/73645abad282e4903019e36d01c753145fd79a14
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    M LayoutTests/editing/async-clipboard/clipboard-change-data-while-getting-type.html
    M LayoutTests/editing/async-clipboard/clipboard-get-type-with-old-items.html
    M LayoutTests/editing/async-clipboard/resources/async-clipboard-helpers.js
    A LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied-expected.txt
    A LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied.html
    A LayoutTests/http/tests/security/clipboard/resources/clipboard-access-from-iframe.html
    M LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https.html
    M LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/resources/user-activation.js
    M Source/WebCore/Modules/async-clipboard/Clipboard.cpp

  Log Message:
  -----------
  Cross-Origin Iframe Can Read Clipboard via Top-Level User Interaction in Safari
https://bugs.webkit.org/show_bug.cgi?id=314806
rdar://176023893

Reviewed by Ryosuke Niwa.

navigator.clipboard.readText(), read(), writeText(), and write() relied on WebKit's
legacy UserGestureIndicator for activation checks (directly for writes, via
LocalFrame::requestDOMPasteAccess() for reads). LocalDOMWindow::processPostMessage
explicitly forwards the active UserGestureToken into the receiving iframe's event
handler, so a user click on a top-level page let a cross-origin iframe see "processing
a user gesture" and access the clipboard. This violates the W3C Clipboard API spec,
which requires transient activation on the relevant global object.

Fix this by checking LocalDOMWindow::hasTransientActivation() at the entry point of
each clipboard method. Transient activation is a property of the window and only
propagates to ancestor frames and same-origin descendant frames -- it is never
propagated to cross-origin descendants via postMessage. This matches the behavior of
Blink and Firefox.

Test: http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied.html

* LayoutTests/editing/async-clipboard/clipboard-change-data-while-getting-type.html:
* LayoutTests/editing/async-clipboard/clipboard-get-type-with-old-items.html:
* LayoutTests/editing/async-clipboard/resources/async-clipboard-helpers.js:
Fix existing tests so they keep passing.

* LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied-expected.txt: Added.
* LayoutTests/http/tests/security/clipboard/clipboard-access-in-cross-origin-iframe-denied.html: Added.
* LayoutTests/http/tests/security/clipboard/resources/clipboard-access-from-iframe.html: Added.
New test coverage.

* LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/async-navigator-clipboard-basics.https.html:
* LayoutTests/imported/w3c/web-platform-tests/clipboard-apis/resources/user-activation.js:
Resync existing WPT test so it keeps passing.

* Source/WebCore/Modules/async-clipboard/Clipboard.cpp:
(WebCore::frameHasTransientActivation):
(WebCore::shouldProceedWithClipboardWrite):
(WebCore::Clipboard::readText):
(WebCore::Clipboard::read):

Originally-landed-as: 305413.908@safari-7624-branch (526ac3579021). rdar://180436853
Canonical link: https://commits.webkit.org/316338@main
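
The difference between the two checks named in the log message, as an added example that is not part of the commit or of WebKit's code: a small model in which a top-level click is followed by a postMessage to a same-origin and a cross-origin child frame. The names Frame, notifyActivation, deliverPostMessage and legacyCheck, the example origins and the 5-second lifetime are assumptions made for illustration.

```javascript
// Constructed model of the two activation checks; not WebKit code.
const ACTIVATION_LIFETIME_MS = 5000; // assumed; the real lifetime is implementation-defined
class Frame {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.parent = parent;
    this.children = [];
    this.lastActivation = -Infinity; // time of the last activation notification
    if (parent) parent.children.push(this);
  }
}

// A user interaction in `target` activates it, its ancestors, and its
// same-origin descendants. Cross-origin descendants are skipped.
function notifyActivation(target, now) {
  for (let f = target; f; f = f.parent) f.lastActivation = now;
  const stack = [...target.children];
  while (stack.length) {
    const f = stack.pop();
    if (f.origin === target.origin) f.lastActivation = now;
    stack.push(...f.children);
  }
}

// Fixed check: activation is a property of the frame's own window.
function hasTransientActivation(frame, now) {
  return now >= frame.lastActivation && now < frame.lastActivation + ACTIVATION_LIFETIME_MS;
}

// Legacy check: ambient "processing a user gesture" state, which message
// delivery carries into the receiving frame's handler.
let currentGestureToken = null;
function deliverPostMessage(forwardedToken, handler) {
  const saved = currentGestureToken;
  currentGestureToken = forwardedToken;
  try { return handler(); } finally { currentGestureToken = saved; }
}
const legacyCheck = () => currentGestureToken !== null;

// Scenario from the log message: top-level click, then a message to each child frame.
function simulateTopLevelClick(now = 1000) {
  const top = new Frame("https://top.example");
  const same = new Frame("https://top.example", top);
  const cross = new Frame("https://widget.example", top);
  notifyActivation(top, now);
  const probe = (frame) => deliverPostMessage({ source: top }, () =>
    ({ legacy: legacyCheck(), fixed: hasTransientActivation(frame, now) }));
  return { sameOrigin: probe(same), crossOrigin: probe(cross) };
}
```

In this model the legacy check passes in both child frames, while the per-window check passes only in the same-origin child, which is the behavior the new layout test asserts for the cross-origin case.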


