Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: c39a83e4b6770926be98c0b420411e1f6d87ea3a
https://github.com/WebKit/WebKit/commit/c39a83e4b6770926be98c0b420411e1f6d87ea3a
Author: Chris Dumez <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/http/tests/workers/service/navigate-client-from-service-worker-expected.txt
A LayoutTests/http/tests/workers/service/navigate-client-from-service-worker.html
A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-child.html
A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-dest.html
A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-target.html
A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-worker.js
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick b401d77db3cf. https://bugs.webkit.org/show_bug.cgi?id=313612
Use-after-free on SecurityOrigin in NavigationScheduler::scheduleLocationChange
https://bugs.webkit.org/show_bug.cgi?id=313612
rdar://175673312
Reviewed by Ryosuke Niwa and Rupin Mittal.
Protect the security origin before passing it to scheduleLocationChange().
The Safer CPP bot was reporting this already but we had not ported
Document.cpp yet.
* LayoutTests/http/tests/workers/service/navigate-client-from-service-worker-expected.txt: Added.
* LayoutTests/http/tests/workers/service/navigate-client-from-service-worker.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-child.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-dest.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-target.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-worker.js: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::navigateFromServiceWorker):
Identifier: 305413.771@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.844@webkitglib/2.52
Commit: d6dc8ef95ed7fb13ec3c1049520996408a174e5e
https://github.com/WebKit/WebKit/commit/d6dc8ef95ed7fb13ec3c1049520996408a174e5e
Author: Michael Catanzaro <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WTF/wtf/CheckedPtr.h
M Source/WTF/wtf/CheckedRef.h
M Source/WTF/wtf/Compiler.h
M Source/WTF/wtf/Ref.h
M Source/WTF/wtf/RefPtr.h
M Source/WTF/wtf/RetainPtr.h
Log Message:
-----------
Cherry-pick 35390.841@webkitglib/2.52-security (2289ff0d3acc).
https://bugs.webkit.org/show_bug.cgi?id=313612
Introduce protect() to webkitglib/2.52 branch
Unreviewed stable branch commit.
This will help reduce conflicts. It is extracted from 306158@main.
Canonical link: https://commits.webkit.org/305877.845@webkitglib/2.52
Commit: f3d61dae1b61dfbd2fc0b01196b63f8769bca77e
https://github.com/WebKit/WebKit/commit/f3d61dae1b61dfbd2fc0b01196b63f8769bca77e
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/fonts/font-face-load-crash-expected.txt
A LayoutTests/fonts/font-face-load-crash.html
M Source/WebCore/css/FontFace.cpp
Log Message:
-----------
Cherry-pick d90247302507. https://bugs.webkit.org/show_bug.cgi?id=313577
Use-after-free in CSSFontFace::setStatus via CSSFontFace::load
https://bugs.webkit.org/show_bug.cgi?id=313577
rdar://175766724
Reviewed by Anne van Kesteren.
Fixed the bug by deploying a smart pointer.
Test: fonts/font-face-load-crash.html
* LayoutTests/fonts/font-face-load-crash-expected.txt: Added.
* LayoutTests/fonts/font-face-load-crash.html: Added.
* Source/WebCore/css/FontFace.cpp:
(WebCore::FontFace::loadForBindings):
Identifier: 305413.775@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.846@webkitglib/2.52
Commit: 12ba4a2a7825cb56371069fd42f0236125d207e6
https://github.com/WebKit/WebKit/commit/12ba4a2a7825cb56371069fd42f0236125d207e6
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/navigation-api/navigation-api-fragment-intercept-crash-expected.txt
A LayoutTests/navigation-api/navigation-api-fragment-intercept-crash.html
A LayoutTests/navigation-api/resources/navigation-api-fragment-intercept-crash-inner.html
M Source/WebCore/page/NavigateEvent.cpp
Log Message:
-----------
Cherry-pick 0e113df3124c. https://bugs.webkit.org/show_bug.cgi?id=313606
Use-after-free in LocalFrameView::scrollToAnchorFragment via
NavigateEvent:finish
https://bugs.webkit.org/show_bug.cgi?id=313606
Reviewed by Anne van Kesteren and Rupin Mittal.
Deployed more smart pointers to fix the bug.
Test: navigation-api/navigation-api-fragment-intercept-crash.html
* LayoutTests/navigation-api/navigation-api-fragment-intercept-crash-expected.txt: Added.
* LayoutTests/navigation-api/navigation-api-fragment-intercept-crash.html: Added.
* LayoutTests/navigation-api/resources/navigation-api-fragment-intercept-crash-inner.html: Added.
* Source/WebCore/page/NavigateEvent.cpp:
(WebCore::NavigateEvent::processScrollBehavior):
Identifier: 305413.777@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.847@webkitglib/2.52
Commit: 4263efbf85446c70421a6b73691a29da56b95755
https://github.com/WebKit/WebKit/commit/4263efbf85446c70421a6b73691a29da56b95755
Author: Chris Dumez <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion-expected.txt
A LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion.html
M Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
M Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp
M Source/WebCore/bindings/js/JSDOMPromiseDeferred.h
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
M Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp
Log Message:
-----------
Cherry-pick 332eff8c4870. https://bugs.webkit.org/show_bug.cgi?id=313618
[WebCore][bindings] Empty JSValue returned to script from
callPromisePairFunction when argument conversion throws
https://bugs.webkit.org/show_bug.cgi?id=313618
rdar://175673155
Reviewed by Ryosuke Niwa.
callPromisePairFunction stored the functor's EncodedJSValue and returned it
after passing the catch scope through rejectPromiseWithExceptionIfAny. When the
generated operation body threw during IDL argument conversion, it returned
encodedJSValue() (the empty JSValue sentinel) with a pending exception. The
first rejectPromiseWithExceptionIfAny call cleared that exception to reject the
first promise, so the second call was a no-op — leaving the second promise
unrejected — and RETURN_IF_EXCEPTION did not fire. The empty sentinel was then
returned to JavaScript as a script-visible value.
Fix by:
- Introducing rejectPromisesWithExceptionIfAny, which saves the error value
before clearing the exception and rejects both promises. Shared
takeNonTerminationException helper factors out the check-save-clear logic
from rejectPromiseWithExceptionIfAny.
- Adding a DictionaryType template parameter to callPromisePairFunction. When
the functor returns an empty JSValue (the error-path sentinel),
callPromisePairFunction reconstructs a valid result dictionary from the
rejected promises via convertDictionaryToJS.
- Threading the concrete dictionary type (e.g. Navigation::Result) from the
code generator through callReturningPromisePair to callPromisePairFunction.
Test: navigation-api/navigation-navigate-throwing-argument-conversion.html
* LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion-expected.txt: Added.
* LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion.html: Added.
* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
(WebCore::IDLOperationReturningPromise::callReturningPromisePair):
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:
(WebCore::takeNonTerminationException):
(WebCore::rejectPromiseWithExceptionIfAny):
(WebCore::rejectPromisesWithExceptionIfAny):
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:
(WebCore::callPromisePairFunction):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GenerateOperationTrampolineDefinition):
* Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::JSC_DEFINE_HOST_FUNCTION):
Identifier: 305413.776@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.848@webkitglib/2.52
Commit: 60804c9b8846d1f582d499b6d7108b20c0e12373
https://github.com/WebKit/WebKit/commit/60804c9b8846d1f582d499b6d7108b20c0e12373
Author: Etienne Segonzac <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebCore/rendering/EventRegion.cpp
Log Message:
-----------
Cherry-pick 6ccb8fc1f9e8. https://bugs.webkit.org/show_bug.cgi?id=313618
[WebCore] Heap-use-after-free in
EventRegionContext::shrinkWrapInteractionRegions when
m_interactionRegions.insert reallocates under a held reference
rdar://175331820
Reviewed by Lily Spiniolas and Simon Fraser.
While appending new regions, if we need to modify the current one,
make sure to read back from the vector instead of reusing the reference.
* Source/WebCore/rendering/EventRegion.cpp:
(WebCore::EventRegionContext::shrinkWrapInteractionRegions):
Identifier: 305413.780@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.849@webkitglib/2.52
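The reference-invalidation hazard behind the EventRegion fix above, reduced to a small example. This is added illustration code, not WebKit's own: `Region`, `widenAndAppendUnsafe` and `widenAndAppendSafe` are hypothetical stand-ins for an interaction-region vector and the "modify the current one while appending" step. A reference into a `std::vector` dangles once `push_back`/`insert` reallocates; the safe variant re-reads the element by index instead of reusing the reference.

```cpp
#include <cstddef>
#include <vector>

struct Region { int left; int right; };   // constructed stand-in for an interaction region

// Before: holds a reference to regions[index] across the push_back. When the
// push_back reallocates, `current` points into freed storage and the write is
// a heap use-after-free. Shown only as the 'before' shape; not called below.
int widenAndAppendUnsafe(std::vector<Region>& regions, size_t index, int width)
{
    Region& current = regions[index];                             // reference into the buffer
    regions.push_back({current.right, current.right + width});    // may reallocate
    current.right += width;                                       // writes through a dangling reference
    return regions[index].right;
}

// After: copy what is needed before the append, then address the element by
// index afterwards. Indices stay valid across reallocation; references do not.
int widenAndAppendSafe(std::vector<Region>& regions, size_t index, int width)
{
    const int right = regions[index].right;                       // read first, no reference held
    regions.push_back({right, right + width});                    // may reallocate; nothing dangles
    regions[index].right += width;                                // read back from the vector
    return regions[index].right;
}

// Shows the hazard is real: reports whether an append moved the buffer, which
// is exactly the case in which a previously taken reference would dangle.
bool appendReallocates(std::vector<Region> regions)
{
    const Region* before = regions.data();
    regions.push_back({0, 0});
    return regions.data() != before;
}

// Runs the safe variant on a vector with no spare capacity (so the append must
// reallocate) and returns the widened first region for checking.
Region safeDemo()
{
    std::vector<Region> regions{{0, 10}};   // constructed input: one region, capacity == size
    widenAndAppendSafe(regions, 0, 5);
    return regions[0];
}
```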
Commit: 6e4b6b63350cb6bc585f5c8ddb2ece86abdc1e2b
https://github.com/WebKit/WebKit/commit/6e4b6b63350cb6bc585f5c8ddb2ece86abdc1e2b
Author: Youenn Fablet <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/webrtc/transceiver-setCodecPreferences-closed-expected.txt
A LayoutTests/webrtc/transceiver-setCodecPreferences-closed.html
M Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp
Log Message:
-----------
Cherry-pick 456c1826db44. https://bugs.webkit.org/show_bug.cgi?id=313618
Safari & Chrome for iOS: Use-after-free in WebKit libwebrtc `RtpTransceiver`
codec state reachable via `RTCRtpTransceiver.setCodecPreferences` after
garbage-collected `RTCPeerConnection`
rdar://175625015
Reviewed by Jean-Yves Avenard.
While we should fix the RtpTransceiver/PeerConnection relationship in
libwebrtc, we instead do a short term fix in WebCore layer by making
RTCRtpTransceiver.setCodecPreferences a no-op when peer connection is destroyed
or closed.
Test: webrtc/transceiver-setCodecPreferences-closed.html
* LayoutTests/webrtc/transceiver-setCodecPreferences-closed-expected.txt: Added.
* LayoutTests/webrtc/transceiver-setCodecPreferences-closed.html: Added.
* Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp:
(WebCore::RTCRtpTransceiver::setCodecPreferences):
Identifier: 305413.781@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.850@webkitglib/2.52
Commit: d2315c8e12127bb26e2e4589508f90b50d100877
https://github.com/WebKit/WebKit/commit/d2315c8e12127bb26e2e4589508f90b50d100877
Author: Youenn Fablet <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event-sw.js
A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window-expected.txt
A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.html
A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.js
M Source/WebCore/workers/service/background-fetch/BackgroundFetchRegistration.cpp
Log Message:
-----------
Cherry-pick 1b0af7fe2393. https://bugs.webkit.org/show_bug.cgi?id=313618
[WebCore] heap use-after-free in
SWClientConnection::updateBackgroundFetchRegistration due to live HashTable
iterator invalidation during synchronous progress event dispatch
rdar://175673953
Reviewed by Chris Dumez.
Firing an event synchronously while iterating through documents is unsafe.
Instead we queue a task to fire the events in their own task.
This way we can iterate through documents without risking to mutate documents.
Test: http/wpt/background-fetch/change-documents-in-progress-event.window.html
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event-sw.js: Added.
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window-expected.txt: Added.
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.html: Added.
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.js: Added.
(promise_test.async t):
* Source/WebCore/workers/service/background-fetch/BackgroundFetchRegistration.cpp:
(WebCore::BackgroundFetchRegistration::updateInformation):
Identifier: 305413.782@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.851@webkitglib/2.52
Commit: 6ff35b81990813ff233a057af05ea8175bc4586f
https://github.com/WebKit/WebKit/commit/6ff35b81990813ff233a057af05ea8175bc4586f
Author: Kai Tamkun <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A JSTests/stress/typedarray-from-oob.js
M Source/JavaScriptCore/builtins/TypedArrayConstructor.js
Log Message:
-----------
Cherry-pick e99a325bb9b8. https://bugs.webkit.org/show_bug.cgi?id=312513
[JSC] TypedArray.from() Out-of-Bounds Read via Resizable ArrayBuffer
resize/transfer in mapFn callback.
https://bugs.webkit.org/show_bug.cgi?id=312513
rdar://174428778
Reviewed by Yusuke Suzuki.
Adjusts TypedArray.from to properly handle cases where the map function changes
the bounds of the arraylike input.
Test: JSTests/stress/typedarray-from-oob.js
* JSTests/stress/typedarray-from-oob.js: Added.
(testResize):
(testDetach):
* Source/JavaScriptCore/builtins/TypedArrayConstructor.js:
(from):
Identifier: 305413.702@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.852@webkitglib/2.52
Commit: a059fc1ff7ac819428e87f1082efe528baf58e70
https://github.com/WebKit/WebKit/commit/a059fc1ff7ac819428e87f1082efe528baf58e70
Author: Basuke Suzuki <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Cherry-pick 3dad3d258fe6. https://bugs.webkit.org/show_bug.cgi?id=312513
Validate EncodedFileData filenames in decidePolicyForNavigationAction
rdar://174662982
Reviewed by Chris Dumez.
A compromised WebContent process can inject arbitrary file paths in
EncodedFileData within the HTTP body of DecidePolicyForNavigationActionAsync,
causing the UIProcess to mint sandbox extension tokens for those paths during
PSON. Add MESSAGE_CHECK_COMPLETION to validate each EncodedFileData filename
against hasGrantedSandboxExtensionForFile().
Register user-selected file paths via addPreviouslyApprovedFileURL() in
didChooseFilesForOpenPanel (3 variants) and performDragOperation (covers
both macOS and iOS drag-and-drop). Use URL::fileURLWithFileSystemPath()
since these parameters are file system paths, not file URLs.
The API test is a regression test verifying that cross-site form submission
with file upload succeeds after the fix — it does not test the negative
(MESSAGE_CHECK failure) path.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::performDragOperation):
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
(WebKit::WebPageProxy::didChooseFilesForOpenPanelWithDisplayStringAndIcon):
(WebKit::WebPageProxy::didChooseFilesForOpenPanelWithImageTranscoding):
(WebKit::WebPageProxy::didChooseFilesForOpenPanel):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::hasGrantedSandboxExtensionForFile const):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
(-[FileUploadPSONUIDelegate webView:runOpenPanelWithParameters:initiatedByFrame:completionHandler:]):
((ProcessSwap, SwapOnFormSubmissionWithFileUpload)):
Identifier: 305413.699@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.853@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/d4581721a2ea...a059fc1ff7ac