Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 248f89aa4518e99734efa4e0b897a7def9f2bcfa
      
https://github.com/WebKit/WebKit/commit/248f89aa4518e99734efa4e0b897a7def9f2bcfa
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check-expected.txt
    A LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  [WebKit Process Model] missing MESSAGE_CHECK_URL on error.failingURL() in WebPageProxy::didFailLoadForFrame
https://bugs.webkit.org/show_bug.cgi?id=314873
rdar://176912820

Reviewed by Ryosuke Niwa.

WebPageProxy::didFailLoadForFrame accepts a WebCore::ResourceError from the WebContent process and forwards it to the embedding client without validating error.failingURL() against the sending process's allowed URL set. The sibling handler didFailProvisionalLoadForFrameShared already performs this check. On iOS, MobileSafari feeds the unchecked failingURL back into `-[WKWebView _loadAlternateHTMLString:baseURL:forUnreachableURL:]`, which causes WebPageProxy::loadAlternateHTML to grant the sending WebContent process read access to an attacker-chosen file:// directory in both the UI process and the Network process.

Add MESSAGE_CHECK_URL(process, error.failingURL()) to WebPageProxy::didFailLoadForFrame, mirroring didFailProvisionalLoadForFrameShared, so a compromised WebContent process that forges a file:// failingURL is terminated before the error reaches the navigation client.

Test: http/tests/ipc/webpageproxy-didfailload-failingurl-message-check.html

* LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check-expected.txt: Added.
* LayoutTests/http/tests/ipc/webpageproxy-didfailload-failingurl-message-check.html: Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didFailLoadForFrame):

Originally-landed-as: 305413.916@safari-7624-branch (e6341887dd92). 
rdar://180438310
Canonical link: https://commits.webkit.org/316472@main
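The check the commit adds, modelled as a small stand-alone C++ example (added here; not WebKit's code, and WebProcessModel, ResourceErrorModel and checkURLReceivedFromWebProcess are simplified hypothetical stand-ins for the real classes). It contrasts the unpatched handler, which forwards a forged file:// failingURL to the client, with the patched one, which rejects the message and terminates the sender.

```cpp
#include <cassert>
#include <optional>
#include <set>
#include <string>

// Hypothetical stand-in for the UI process's view of one WebContent process.
struct WebProcessModel {
    std::set<std::string> allowedFileURLs; // file:// URLs this sender may legitimately name
    bool terminated = false;               // set when a message check fails
};

// Stand-in for WebCore::ResourceError with only the field this model needs.
struct ResourceErrorModel {
    std::string failingURL;
};

// Model of the allowed-URL check behind MESSAGE_CHECK_URL: non-file URLs pass,
// a file:// URL must already be in the sender's allowed set.
static bool checkURLReceivedFromWebProcess(const WebProcessModel& process, const std::string& url)
{
    if (url.rfind("file://", 0) != 0)
        return true;
    return process.allowedFileURLs.count(url) > 0;
}

// Model of WebPageProxy::didFailLoadForFrame. Returns the error the navigation
// client would receive, or nullopt when the message is rejected.
// withMessageCheck selects unpatched (false) or patched (true) behaviour.
static std::optional<ResourceErrorModel> didFailLoadForFrame(WebProcessModel& process,
    const ResourceErrorModel& error, bool withMessageCheck)
{
    if (withMessageCheck && !checkURLReceivedFromWebProcess(process, error.failingURL)) {
        process.terminated = true; // MESSAGE_CHECK_URL: drop the message, kill the sender
        return std::nullopt;
    }
    return error; // forwarded to the embedding client unchanged
}

int main()
{
    WebProcessModel process;
    // Constructed sample: failingURL names a file:// directory never granted to the sender.
    ResourceErrorModel forged { "file:///constructed-sample-dir/" };
    assert(didFailLoadForFrame(process, forged, false).has_value()); // unpatched: forwarded
    assert(!didFailLoadForFrame(process, forged, true).has_value()); // patched: rejected
    assert(process.terminated);
    return 0;
}
```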
