Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: c39a83e4b6770926be98c0b420411e1f6d87ea3a
  https://github.com/WebKit/WebKit/commit/c39a83e4b6770926be98c0b420411e1f6d87ea3a
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/http/tests/workers/service/navigate-client-from-service-worker-expected.txt
    A LayoutTests/http/tests/workers/service/navigate-client-from-service-worker.html
    A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-child.html
    A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-dest.html
    A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-target.html
    A LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-worker.js
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick b401d77db3cf. https://bugs.webkit.org/show_bug.cgi?id=313612

Use-after-free on SecurityOrigin in NavigationScheduler::scheduleLocationChange
https://bugs.webkit.org/show_bug.cgi?id=313612
rdar://175673312

Reviewed by Ryosuke Niwa and Rupin Mittal.

Protect the security origin before passing it to scheduleLocationChange().
The Safer CPP bot was reporting this already but we had not ported
Document.cpp yet.

* LayoutTests/http/tests/workers/service/navigate-client-from-service-worker-expected.txt: Added.
* LayoutTests/http/tests/workers/service/navigate-client-from-service-worker.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-child.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-dest.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-target.html: Added.
* LayoutTests/http/tests/workers/service/resources/navigate-client-from-service-worker-worker.js: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::navigateFromServiceWorker):

Identifier: 305413.771@safari-7624-branch

Identifier: 305877.844@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.844@webkitglib/2.52


  Commit: d6dc8ef95ed7fb13ec3c1049520996408a174e5e
  https://github.com/WebKit/WebKit/commit/d6dc8ef95ed7fb13ec3c1049520996408a174e5e
  Author: Michael Catanzaro <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WTF/wtf/CheckedPtr.h
    M Source/WTF/wtf/CheckedRef.h
    M Source/WTF/wtf/Compiler.h
    M Source/WTF/wtf/Ref.h
    M Source/WTF/wtf/RefPtr.h
    M Source/WTF/wtf/RetainPtr.h

  Log Message:
  -----------
  Cherry-pick 35390.841@webkitglib/2.52-security (2289ff0d3acc). https://bugs.webkit.org/show_bug.cgi?id=313612

Introduce protect() to webkitglib/2.52 branch

Unreviewed stable branch commit.

This will help reduce conflicts. It is extracted from 306158@main.

Canonical link: https://commits.webkit.org/305877.845@webkitglib/2.52


  Commit: f3d61dae1b61dfbd2fc0b01196b63f8769bca77e
  https://github.com/WebKit/WebKit/commit/f3d61dae1b61dfbd2fc0b01196b63f8769bca77e
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/fonts/font-face-load-crash-expected.txt
    A LayoutTests/fonts/font-face-load-crash.html
    M Source/WebCore/css/FontFace.cpp

  Log Message:
  -----------
  Cherry-pick d90247302507. https://bugs.webkit.org/show_bug.cgi?id=313577

Use-after-free in CSSFontFace::setStatus via CSSFontFace::load
https://bugs.webkit.org/show_bug.cgi?id=313577
rdar://175766724

Reviewed by Anne van Kesteren.

Fixed the bug by deploying a smart pointer.

Test: fonts/font-face-load-crash.html

* LayoutTests/fonts/font-face-load-crash-expected.txt: Added.
* LayoutTests/fonts/font-face-load-crash.html: Added.
* Source/WebCore/css/FontFace.cpp:
(WebCore::FontFace::loadForBindings):

Identifier: 305413.775@safari-7624-branch

Identifier: 305877.846@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.846@webkitglib/2.52


  Commit: 12ba4a2a7825cb56371069fd42f0236125d207e6
  https://github.com/WebKit/WebKit/commit/12ba4a2a7825cb56371069fd42f0236125d207e6
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/navigation-api/navigation-api-fragment-intercept-crash-expected.txt
    A LayoutTests/navigation-api/navigation-api-fragment-intercept-crash.html
    A LayoutTests/navigation-api/resources/navigation-api-fragment-intercept-crash-inner.html
    M Source/WebCore/page/NavigateEvent.cpp

  Log Message:
  -----------
  Cherry-pick 0e113df3124c. https://bugs.webkit.org/show_bug.cgi?id=313606

Use-after-free in LocalFrameView::scrollToAnchorFragment via NavigateEvent:finish
https://bugs.webkit.org/show_bug.cgi?id=313606

Reviewed by Anne van Kesteren and Rupin Mittal.

Deployed more smart pointers to fix the bug.

Test: navigation-api/navigation-api-fragment-intercept-crash.html

* LayoutTests/navigation-api/navigation-api-fragment-intercept-crash-expected.txt: Added.
* LayoutTests/navigation-api/navigation-api-fragment-intercept-crash.html: Added.
* LayoutTests/navigation-api/resources/navigation-api-fragment-intercept-crash-inner.html: Added.
* Source/WebCore/page/NavigateEvent.cpp:
(WebCore::NavigateEvent::processScrollBehavior):

Identifier: 305413.777@safari-7624-branch

Identifier: 305877.847@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.847@webkitglib/2.52


  Commit: 4263efbf85446c70421a6b73691a29da56b95755
  https://github.com/WebKit/WebKit/commit/4263efbf85446c70421a6b73691a29da56b95755
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion-expected.txt
    A LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion.html
    M Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
    M Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp
    M Source/WebCore/bindings/js/JSDOMPromiseDeferred.h
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
    M Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp

  Log Message:
  -----------
  Cherry-pick 332eff8c4870. https://bugs.webkit.org/show_bug.cgi?id=313618

[WebCore][bindings] Empty JSValue returned to script from callPromisePairFunction when argument conversion throws
https://bugs.webkit.org/show_bug.cgi?id=313618
rdar://175673155

Reviewed by Ryosuke Niwa.

callPromisePairFunction stored the functor's EncodedJSValue and returned it
after passing the catch scope through rejectPromiseWithExceptionIfAny. When the
generated operation body threw during IDL argument conversion, it returned
encodedJSValue() (the empty JSValue sentinel) with a pending exception. The
first rejectPromiseWithExceptionIfAny call cleared that exception to reject the
first promise, so the second call was a no-op — leaving the second promise
unrejected — and RETURN_IF_EXCEPTION did not fire. The empty sentinel was then
returned to JavaScript as a script-visible value.

Fix by:
  - Introducing rejectPromisesWithExceptionIfAny, which saves the error value
    before clearing the exception and rejects both promises. Shared
    takeNonTerminationException helper factors out the check-save-clear logic
    from rejectPromiseWithExceptionIfAny.
  - Adding a DictionaryType template parameter to callPromisePairFunction. When
    the functor returns an empty JSValue (the error-path sentinel),
    callPromisePairFunction reconstructs a valid result dictionary from the
    rejected promises via convertDictionaryToJS.
  - Threading the concrete dictionary type (e.g. Navigation::Result) from the
    code generator through callReturningPromisePair to callPromisePairFunction.

Test: navigation-api/navigation-navigate-throwing-argument-conversion.html

* LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion-expected.txt: Added.
* LayoutTests/navigation-api/navigation-navigate-throwing-argument-conversion.html: Added.
* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
(WebCore::IDLOperationReturningPromise::callReturningPromisePair):
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:
(WebCore::takeNonTerminationException):
(WebCore::rejectPromiseWithExceptionIfAny):
(WebCore::rejectPromisesWithExceptionIfAny):
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:
(WebCore::callPromisePairFunction):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GenerateOperationTrampolineDefinition):
* Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::JSC_DEFINE_HOST_FUNCTION):

Identifier: 305413.776@safari-7624-branch

Identifier: 305877.848@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.848@webkitglib/2.52


  Commit: 60804c9b8846d1f582d499b6d7108b20c0e12373
  https://github.com/WebKit/WebKit/commit/60804c9b8846d1f582d499b6d7108b20c0e12373
  Author: Etienne Segonzac <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/rendering/EventRegion.cpp

  Log Message:
  -----------
  Cherry-pick 6ccb8fc1f9e8. https://bugs.webkit.org/show_bug.cgi?id=313618

[WebCore] Heap-use-after-free in EventRegionContext::shrinkWrapInteractionRegions when m_interactionRegions.insert reallocates under a held reference
rdar://175331820

Reviewed by Lily Spiniolas and Simon Fraser.

While appending new regions, if we need to modify the current one,
make sure to read back from the vector instead of reusing the reference.

* Source/WebCore/rendering/EventRegion.cpp:
(WebCore::EventRegionContext::shrinkWrapInteractionRegions):

Identifier: 305413.780@safari-7624-branch

Identifier: 305877.849@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.849@webkitglib/2.52
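The hazard this commit fixes, shown on a constructed stand-in rather than WebKit's own code: a function that appends to a vector while still working on one of its elements must re-index after each append, because the append may reallocate and leave any held reference dangling. `Region` and `splitWideRegions` are hypothetical names for this illustration.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for an interaction region: a rect plus a flag.
struct Region {
    int x, y, w, h;
    bool clipped;
};

// Splits every region wider than `maxWidth` into two halves, appending the
// right half to `regions`. push_back may reallocate the vector's storage, so
// the unsafe shape the commit above removed,
//     Region& current = regions[i]; regions.push_back(...); current.w = ...;
// writes through a dangling reference (ASan reports heap-use-after-free).
// The safe shape below copies what it needs first and re-indexes afterwards.
size_t splitWideRegions(std::vector<Region>& regions, int maxWidth)
{
    size_t splits = 0;
    const size_t original = regions.size(); // only walk the pre-existing entries
    for (size_t i = 0; i < original; ++i) {
        if (regions[i].w <= maxWidth)
            continue;
        // Take a copy *before* mutating the vector.
        const Region current = regions[i];
        const int leftWidth = current.w / 2;
        regions.push_back({ current.x + leftWidth, current.y, current.w - leftWidth, current.h, true });
        // Read back through the index: storage may have moved during push_back.
        regions[i].w = leftWidth;
        regions[i].clipped = true;
        ++splits;
    }
    return splits;
}
```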


  Commit: 6e4b6b63350cb6bc585f5c8ddb2ece86abdc1e2b
  https://github.com/WebKit/WebKit/commit/6e4b6b63350cb6bc585f5c8ddb2ece86abdc1e2b
  Author: Youenn Fablet <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/webrtc/transceiver-setCodecPreferences-closed-expected.txt
    A LayoutTests/webrtc/transceiver-setCodecPreferences-closed.html
    M Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp

  Log Message:
  -----------
  Cherry-pick 456c1826db44. https://bugs.webkit.org/show_bug.cgi?id=313618

Safari & Chrome for iOS: Use-after-free in WebKit libwebrtc `RtpTransceiver` codec state reachable via `RTCRtpTransceiver.setCodecPreferences` after garbage-collected `RTCPeerConnection`
rdar://175625015

Reviewed by Jean-Yves Avenard.

While we should fix the RtpTransceiver/PeerConnection relationship in 
libwebrtc, we instead do a short term fix in WebCore layer by making 
RTCRtpTransceiver.setCodecPreferences a no-op when peer connection is destroyed 
or closed.

Test: webrtc/transceiver-setCodecPreferences-closed.html

* LayoutTests/webrtc/transceiver-setCodecPreferences-closed-expected.txt: Added.
* LayoutTests/webrtc/transceiver-setCodecPreferences-closed.html: Added.
* Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp:
(WebCore::RTCRtpTransceiver::setCodecPreferences):

Identifier: 305413.781@safari-7624-branch

Identifier: 305877.850@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.850@webkitglib/2.52


  Commit: d2315c8e12127bb26e2e4589508f90b50d100877
  https://github.com/WebKit/WebKit/commit/d2315c8e12127bb26e2e4589508f90b50d100877
  Author: Youenn Fablet <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event-sw.js
    A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window-expected.txt
    A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.html
    A LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.js
    M Source/WebCore/workers/service/background-fetch/BackgroundFetchRegistration.cpp

  Log Message:
  -----------
  Cherry-pick 1b0af7fe2393. https://bugs.webkit.org/show_bug.cgi?id=313618

[WebCore] heap use-after-free in SWClientConnection::updateBackgroundFetchRegistration due to live HashTable iterator invalidation during synchronous progress event dispatch
rdar://175673953

Reviewed by Chris Dumez.

Firing an event synchronously while iterating through documents is unsafe.
Instead we queue a task to fire the events in their own task.
This way we can iterate through documents without risking to mutate documents.

Test: http/wpt/background-fetch/change-documents-in-progress-event.window.html

* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event-sw.js: Added.
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window-expected.txt: Added.
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.html: Added.
* LayoutTests/http/wpt/background-fetch/change-documents-in-progress-event.window.js: Added.
(promise_test.async t):
* Source/WebCore/workers/service/background-fetch/BackgroundFetchRegistration.cpp:
(WebCore::BackgroundFetchRegistration::updateInformation):

Identifier: 305413.782@safari-7624-branch

Identifier: 305877.851@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.851@webkitglib/2.52
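The "queue a task instead of dispatching synchronously" shape described in this commit, as a constructed C++ illustration that is not WebKit's code: the listener is allowed to add or remove documents, so the container is snapshotted and each notification runs from its own queued task. `ClientConnection`, `updateRegistration` and `runTasks` are hypothetical names; an ordered `std::set` stands in for WebKit's unordered HashTable so the result is deterministic.

```cpp
#include <cstddef>
#include <functional>
#include <set>
#include <vector>

// Constructed model of a client connection that tracks live documents by id
// and must tell each of them about a background-fetch progress change.
struct ClientConnection {
    std::set<int> documents;                      // live document ids
    std::vector<std::function<void()>> taskQueue; // stand-in for "queue a task"

    // Unsafe shape (what the commit above removed), kept only as a comment:
    //     for (int id : documents) listener(*this, id);
    // Script run from `listener` can insert into or erase from `documents`,
    // invalidating the live iterator the loop is still using.

    // Safe shape: snapshot the ids, then dispatch each notification from its
    // own queued task so `documents` is never mutated mid-iteration.
    void updateRegistration(const std::function<void(ClientConnection&, int)>& listener)
    {
        std::vector<int> snapshot(documents.begin(), documents.end());
        for (int id : snapshot) {
            taskQueue.push_back([this, id, listener] {
                // The document may have gone away between snapshot and dispatch.
                if (documents.count(id))
                    listener(*this, id);
            });
        }
    }

    // Runs every queued task and returns how many ran.
    size_t runTasks()
    {
        size_t ran = 0;
        // A task may enqueue more tasks, so index instead of iterating.
        for (size_t i = 0; i < taskQueue.size(); ++i, ++ran)
            taskQueue[i]();
        taskQueue.clear();
        return ran;
    }
};
```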


  Commit: 6ff35b81990813ff233a057af05ea8175bc4586f
  https://github.com/WebKit/WebKit/commit/6ff35b81990813ff233a057af05ea8175bc4586f
  Author: Kai Tamkun <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A JSTests/stress/typedarray-from-oob.js
    M Source/JavaScriptCore/builtins/TypedArrayConstructor.js

  Log Message:
  -----------
  Cherry-pick e99a325bb9b8. https://bugs.webkit.org/show_bug.cgi?id=312513

[JSC] TypedArray.from() Out-of-Bounds Read via Resizable ArrayBuffer resize/transfer in mapFn callback.
https://bugs.webkit.org/show_bug.cgi?id=312513
rdar://174428778

Reviewed by Yusuke Suzuki.

Adjusts TypedArray.from to properly handle cases where the map function changes 
the bounds of the arraylike input.

Test: JSTests/stress/typedarray-from-oob.js

* JSTests/stress/typedarray-from-oob.js: Added.
(testResize):
(testDetach):
* Source/JavaScriptCore/builtins/TypedArrayConstructor.js:
(from):

Identifier: 305413.702@safari-7624-branch

Identifier: 305877.852@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.852@webkitglib/2.52


  Commit: a059fc1ff7ac819428e87f1082efe528baf58e70
  https://github.com/WebKit/WebKit/commit/a059fc1ff7ac819428e87f1082efe528baf58e70
  Author: Basuke Suzuki <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Cherry-pick 3dad3d258fe6. https://bugs.webkit.org/show_bug.cgi?id=312513

Validate EncodedFileData filenames in decidePolicyForNavigationAction
rdar://174662982

Reviewed by Chris Dumez.

A compromised WebContent process can inject arbitrary file paths in
EncodedFileData within the HTTP body of DecidePolicyForNavigationActionAsync,
causing the UIProcess to mint sandbox extension tokens for those paths during
PSON. Add MESSAGE_CHECK_COMPLETION to validate each EncodedFileData filename
against hasGrantedSandboxExtensionForFile().

Register user-selected file paths via addPreviouslyApprovedFileURL() in
didChooseFilesForOpenPanel (3 variants) and performDragOperation (covers
both macOS and iOS drag-and-drop). Use URL::fileURLWithFileSystemPath()
since these parameters are file system paths, not file URLs.

The API test is a regression test verifying that cross-site form submission
with file upload succeeds after the fix — it does not test the negative
(MESSAGE_CHECK failure) path.

Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::performDragOperation):
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
(WebKit::WebPageProxy::didChooseFilesForOpenPanelWithDisplayStringAndIcon):
(WebKit::WebPageProxy::didChooseFilesForOpenPanelWithImageTranscoding):
(WebKit::WebPageProxy::didChooseFilesForOpenPanel):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::hasGrantedSandboxExtensionForFile const):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
(-[FileUploadPSONUIDelegate webView:runOpenPanelWithParameters:initiatedByFrame:completionHandler:]):
((ProcessSwap, SwapOnFormSubmissionWithFileUpload)):

Identifier: 305413.699@safari-7624-branch

Identifier: 305877.853@webkitglib/2.52
Canonical link: https://commits.webkit.org/305877.853@webkitglib/2.52


Compare: https://github.com/WebKit/WebKit/compare/d4581721a2ea...a059fc1ff7ac
