Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: b5e427226b97fe5d9aa37778760218cac4d292a0
https://github.com/WebKit/WebKit/commit/b5e427226b97fe5d9aa37778760218cac4d292a0
Author: Chris Dumez <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A
LayoutTests/navigation-api/navigation-navigate-no-arguments-crash-expected.txt
A LayoutTests/navigation-api/navigation-navigate-no-arguments-crash.html
M Source/WebCore/bindings/js/JSDOMPromiseDeferred.h
Log Message:
-----------
Cherry-pick 5977997682c7. https://bugs.webkit.org/show_bug.cgi?id=314944
Type confusion via raw Exception cell returned to script from
callPromisePairFunction when throwVMError bypasses sentinel check
https://bugs.webkit.org/show_bug.cgi?id=314944
rdar://177031898
Reviewed by Ryosuke Niwa.
callPromisePairFunction's sentinel check `!JSValue::decode(result)` only
catches the
zero empty-value sentinel returned by IDL argument conversion failures. When a
[ReturnsPromisePair] operation is called with fewer than the mandatory number of
arguments, the generated bindings hit the missing-argument check emitted by
CodeGeneratorJS.pm and `return throwVMError(...)`, which encodes a non-zero
JSC::Exception* cell rather than the empty sentinel. After
rejectPromisesWithExceptionIfAny clears the pending exception, the sentinel
check
evaluates false and the raw Exception cell is returned to JavaScript.
The Exception cell has JSType=CellType (0), not JSObject. A subsequent property
store such as `victim.foo = 0xdead` goes through JSCell::putInline ->
overridesPut() == false -> asObject(this) -> jsCast<JSObject*>. On production
ARM64 builds, ASSERT_WITH_SECURITY_IMPLICATION compiles to ((void)0), so the
cast
is a bare static_cast — type confusion. The resulting put allocates a Butterfly,
clobbers Exception::m_value (offset +0x08) with the Butterfly pointer, and
writes the attacker-controlled value into property storage. The next GC then
crashes in Exception::visitChildrenImpl when visitor.append(m_value) treats the
Butterfly as a JSCell and SlotVisitor::drain dereferences an invalid
StructureID.
This affects all [ReturnsPromisePair] IDL operations with mandatory arguments,
notably Navigation.navigate() / reload() / traverseTo() / back() / forward().
Fix callPromisePairFunction to capture catchScope.exception() before
rejectPromisesWithExceptionIfAny clears it. If the functor threw, always rebuild
a valid result dictionary from the (now rejected) promises via
convertDictionaryToJS rather than returning the functor's return value. This
covers throwVMError, any future throw paths inside the functor, and the existing
empty-sentinel case from IDL argument conversion failures.
The non-pair callPromiseFunction is unaffected: it already discards the
functor's
return value.
Test: navigation-api/navigation-navigate-no-arguments-crash.html
*
LayoutTests/navigation-api/navigation-navigate-no-arguments-crash-expected.txt:
Added.
* LayoutTests/navigation-api/navigation-navigate-no-arguments-crash.html: Added.
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:
(WebCore::callPromisePairFunction):
Identifier: 305413.921@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.908@webkitglib/2.52
Commit: f4bdc9a4c75395f4a30f7921875744677b93bbed
https://github.com/WebKit/WebKit/commit/f4bdc9a4c75395f4a30f7921875744677b93bbed
Author: Anand Srinivasan <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A JSTests/stress/regexp-many-non-greedy-paren-groups.js
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/JavaScriptCore/yarr/YarrJIT.cpp
M Source/JavaScriptCore/yarr/YarrJIT.h
Log Message:
-----------
Cherry-pick e6d449d59b50. https://bugs.webkit.org/show_bug.cgi?id=314589
Add size limit to Yarr generated code
https://bugs.webkit.org/show_bug.cgi?id=314589
rdar://176137052
Reviewed by Yusuke Suzuki.
Patterns with many sequential non-greedy quantified parenthesized groups
(e.g. (?:a){0,2}? repeated thousands of times) cause O(N^2) code emission
in saveParenContext/restoreParenContext, as each group saves/restores all
frame slots for the entire pattern. This patch adds a code size limit in
VM options above which the code bails out to the interpreter.
Test: JSTests/stress/regexp-many-non-greedy-paren-groups.js
* JSTests/stress/regexp-many-non-greedy-paren-groups.js: Added.
(testLargeNonGreedyParens):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
(JSC::Yarr::dumpCompileFailure):
* Source/JavaScriptCore/yarr/YarrJIT.h:
Identifier: 305413.923@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.909@webkitglib/2.52
Commit: 2eb2233ab1340d3c8e11d48f70607fa2baaeab9c
https://github.com/WebKit/WebKit/commit/2eb2233ab1340d3c8e11d48f70607fa2baaeab9c
Author: Zak Ridouh <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-child.xsl
A
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-grandchild.py
A
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-root.xsl
A
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-target.xml
A
LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash-expected.txt
A LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/xml/XSLStyleSheetLibxslt.cpp
M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
Log Message:
-----------
Cherry-pick 3d12363860e5. https://bugs.webkit.org/show_bug.cgi?id=312337
Heap use-after-free of XSLStyleSheet::m_stylesheetDoc after libxslt frees
imported doc on compile failure
<https://bugs.webkit.org/show_bug.cgi?id=312337>
<rdar://174646751>
Reviewed by David Kilzer and Ryosuke Niwa.
When libxslt fails to compile an imported stylesheet, it frees the
imported doc. The child XSLStyleSheet's m_stylesheetDoc becomes
dangling. If a delayed subresource later arrives and triggers
parseString(), it dereferences the freed pointer
Fix with three layers of defense:
1. Call clearDocuments() on the failure path in transformToString(),
matching the success path, to null out dangling doc pointers.
2. Skip dict-sharing in parseString() when the parent's doc has been
handed to libxslt (m_stylesheetDocTaken), since libxslt may have
freed it.
3. Check isLoading() in applyPendingXSLTransformsTimerFired() to
avoid compiling partially-loaded import chains in the first place.
*
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-child.xsl:
Added.
*
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-grandchild.py:
Added.
*
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-root.xsl:
Added.
*
LayoutTests/http/tests/xsl/resources/xslt-import-delayed-subresource-target.xml:
Added.
*
LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash-expected.txt:
Added.
* LayoutTests/http/tests/xsl/xslt-import-delayed-subresource-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::applyPendingXSLTransformsTimerFired):
* Source/WebCore/xml/XSLStyleSheetLibxslt.cpp:
(WebCore::XSLStyleSheet::parseString):
* Source/WebCore/xml/XSLTProcessorLibxslt.cpp:
(WebCore::XSLTProcessor::transformToString):
Identifier: 305413.786@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.910@webkitglib/2.52
Commit: 33f08e62c4918f25074826d5b2928c8053362a5b
https://github.com/WebKit/WebKit/commit/33f08e62c4918f25074826d5b2928c8053362a5b
Author: Charlie Wolfe <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A
LayoutTests/ipc/forged-resource-load-statistics-storage-access-expected.txt
A LayoutTests/ipc/forged-resource-load-statistics-storage-access.html
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Cherry-pick 9d8f969c538a. https://bugs.webkit.org/show_bug.cgi?id=312798
Validate several ITP and storage access IPC messages
https://bugs.webkit.org/show_bug.cgi?id=312798
rdar://174708437
Reviewed by Matthew Finkel.
ResourceLoadStatisticsUpdated, LogUserInteraction, and
RequestStorageAccessUnderOpener accept
WebContent-supplied data with no validation. A WCP can forge
storageAccessUnderTopFrameDomains and
isPrevalentResource in the ITP database, then obtain cross-origin cookie access
without a user
prompt.
Verify that ResourceLoadStatisticsUpdated only contains fields the WebContent
process legitimately
observes, and that LogUserInteraction and RequestStorageAccessUnderOpener are
called with domains
the process owns.
Test: ipc/forged-resource-load-statistics-storage-access.html
* LayoutTests/ipc/forged-resource-load-statistics-storage-access-expected.txt:
Added.
* LayoutTests/ipc/forged-resource-load-statistics-storage-access.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::logUserInteraction):
(WebKit::resourceLoadStatisticsContainsOnlyObservableFields):
(WebKit::NetworkConnectionToWebProcess::resourceLoadStatisticsUpdated):
(WebKit::NetworkConnectionToWebProcess::requestStorageAccessUnderOpener):
Identifier: 305413.716@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.911@webkitglib/2.52
Commit: b577b7842a1f7aa6283503ef0bee37be300cf80c
https://github.com/WebKit/WebKit/commit/b577b7842a1f7aa6283503ef0bee37be300cf80c
Author: Eric Carlson <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A LayoutTests/ipc/usermedia-capture-start-producing-data-race-expected.txt
A LayoutTests/ipc/usermedia-capture-start-producing-data-race.html
M Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp
Log Message:
-----------
Cherry-pick 651097467a79. https://bugs.webkit.org/show_bug.cgi?id=314115
[CoreIPC][GPUProcess] UserMediaCaptureManagerProxy::startProducingData races
prepareAudioDescription() against audioSamplesAvailable() lead to various
UAF/write-after-unmap
https://bugs.webkit.org/show_bug.cgi?id=314115
rdar://174411400
Reviewed by Youenn Fablet and Jer Noble.
A compromised WebContent process can send StartProducingData repeatedly
for the same source. After the first call, the source proxy is registered
as an AudioSampleObserver and the capture unit is invoking
audioSamplesAvailable() on a background WorkQueue. On subsequent calls,
prepareAudioDescription() runs on the GPU main thread and reassigns
m_captureSemaphore, m_ringBuffer, m_audioHandle and m_description without
removing the observer or taking any lock, while the capture thread is
concurrently dereferencing them. This leads to heap-use-after-free on the
freed ProducerSharedCARingBuffer / IPC::Semaphore and write-after-unmap
into the old SharedMemory ring buffer.
Make UserMediaCaptureManagerProxySourceProxy::start() a no-op when the
proxy is already observing media. Legitimate stop()/start() sequences are
unaffected since stop() removes the observer.
Test: ipc/usermedia-capture-start-producing-data-race.html
* LayoutTests/ipc/usermedia-capture-start-producing-data-race-expected.txt:
Added.
* LayoutTests/ipc/usermedia-capture-start-producing-data-race.html: Added.
* Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp:
Identifier: 305413.863@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.912@webkitglib/2.52
Commit: 927e1206e5b1b53d5694bfdd15940e60ab482278
https://github.com/WebKit/WebKit/commit/927e1206e5b1b53d5694bfdd15940e60ab482278
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt
A LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/Range.cpp
M Source/WebCore/dom/ShadowRoot.cpp
Log Message:
-----------
Cherry-pick 64d15c23216d. https://bugs.webkit.org/show_bug.cgi?id=313703
Use-after-free of Document in trustedTypeCompliantString
https://bugs.webkit.org/show_bug.cgi?id=313703
rdar://175673135
Reviewed by Wenson Hsieh and Chris Dumez.
Fixed the bug by deploying more smart pointers.
Test: fast/dom/trusted-types-iframe-removal-crash.html
* LayoutTests/fast/dom/trusted-types-iframe-removal-crash-expected.txt: Added.
* LayoutTests/fast/dom/trusted-types-iframe-removal-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::parseHTMLUnsafe):
(WebCore::Document::write):
(WebCore::Document::execCommand):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::setHTMLUnsafe):
(WebCore::Element::setOuterHTML):
(WebCore::Element::setInnerHTML):
(WebCore::Element::insertAdjacentHTML):
* Source/WebCore/dom/Range.cpp:
(WebCore::Range::createContextualFragment):
* Source/WebCore/dom/ShadowRoot.cpp:
(WebCore::ShadowRoot::setHTMLUnsafe):
(WebCore::ShadowRoot::setInnerHTML):
Identifier: 305413.805@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.913@webkitglib/2.52
Commit: c55a7e4e9b52799ecee3074a9e62c7fbc9072fdd
https://github.com/WebKit/WebKit/commit/c55a7e4e9b52799ecee3074a9e62c7fbc9072fdd
Author: Antoine Quint <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline.html
M Source/WebCore/animation/KeyframeEffect.cpp
M Source/WebCore/animation/KeyframeEffect.h
Log Message:
-----------
Cherry-pick 4a52a36ff580. https://bugs.webkit.org/show_bug.cgi?id=314104
[web-animations] accelerated animation with view progress timeline range and a
scroll time yields a crash
https://bugs.webkit.org/show_bug.cgi?id=314104
rdar://176274648
Reviewed by Anne van Kesteren.
If the timeline associated with an animation is a plain scroll timeline, but
not a view timeline,
we must resolve any offset using a view progress timeline range by simply
disregarding the keyword.
This ensures we have resolved computed offsets in such a case, ensuring we do
not crash when attempting
to create the `AcceleratedEffect` representation for this keyframe effect.
Test:
imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline.html
*
LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline-expected.txt:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/scroll-animations/css/timeline-offset-keyframes-with-scroll-timeline.html:
Added.
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::computedOffset):
(WebCore::computeMissingKeyframeOffsets):
(WebCore::KeyframeEffect::getKeyframes):
(WebCore::KeyframeEffect::processKeyframes):
(WebCore::KeyframeEffect::animationDidTick):
(WebCore::KeyframeEffect::activeScrollTimeline const):
(WebCore::KeyframeEffect::updateComputedKeyframeOffsetsIfNeeded):
(WebCore::KeyframeEffect::activeViewTimeline const): Deleted.
* Source/WebCore/animation/KeyframeEffect.h:
Identifier: 305413.839@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.914@webkitglib/2.52
Commit: c09e47d8262de61edb965bd2671b5d13aeb40d0b
https://github.com/WebKit/WebKit/commit/c09e47d8262de61edb965bd2671b5d13aeb40d0b
Author: Charlie Wolfe <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A LayoutTests/ipc/register-file-backed-blob-path-validation-expected.txt
A LayoutTests/ipc/register-file-backed-blob-path-validation.html
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
M Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.cpp
M Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.h
M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp
M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h
Log Message:
-----------
Cherry-pick defe0187e742. https://bugs.webkit.org/show_bug.cgi?id=313085
Remove blanket storage-root file path allow from blob access enforcement
https://bugs.webkit.org/show_bug.cgi?id=313085
rdar://174405888
Reviewed by Sihui Liu.
isFilePathAllowed() accepted any path under the per-session general storage
directory or custom IDB
storage path. This allowed a WebContent process to read any origin's persisted
data via file-backed
blob registration.
Replace the directory-level allow with per-file grants: IDB result handlers now
call
allowAccessToBlobFilesForProcess() to allow only the specific blob file paths
being returned to the
WebContent process.
Test: ipc/register-file-backed-blob-path-validation.html
* LayoutTests/ipc/register-file-backed-blob-path-validation-expected.txt: Added.
* LayoutTests/ipc/register-file-backed-blob-path-validation.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::isFilePathAllowed):
(WebKit::NetworkConnectionToWebProcess::registerInternalFileBlobURL):
(WebKit::NetworkConnectionToWebProcess::registerInternalBlobURLOptionallyFileBacked):
(WebKit::NetworkConnectionToWebProcess::generalStoragePathForTesting):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.cpp:
(WebKit::IDBStorageConnectionToClient::IDBStorageConnectionToClient):
(WebKit::IDBStorageConnectionToClient::allowAccessToResultBlobFiles):
(WebKit::IDBStorageConnectionToClient::didGetRecord):
(WebKit::IDBStorageConnectionToClient::didGetAllRecords):
(WebKit::IDBStorageConnectionToClient::didOpenCursor):
(WebKit::IDBStorageConnectionToClient::didIterateCursor):
(WebKit::IDBStorageConnectionToClient::generateIndexKeyForRecord):
* Source/WebKit/NetworkProcess/storage/IDBStorageConnectionToClient.h:
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp:
(WebKit::IDBStorageRegistry::IDBStorageRegistry):
(WebKit::IDBStorageRegistry::ensureConnectionToClient):
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h:
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::NetworkStorageManager):
(WebKit::NetworkStorageManager::allowAccessToBlobFilesForProcess):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h:
Identifier: 305413.737@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.915@webkitglib/2.52
Commit: 036d7bd40f9a65fb0793b454469c543e703b49a7
https://github.com/WebKit/WebKit/commit/036d7bd40f9a65fb0793b454469c543e703b49a7
Author: Kimmo Kinnunen <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/ErrorStrings.h
M Source/ThirdParty/ANGLE/src/libANGLE/validationES3.cpp
M Source/ThirdParty/ANGLE/src/tests/gl_tests/TransformFeedbackTest.cpp
Log Message:
-----------
Cherry-pick 305413.721@safari-7624-branch (146668c5ca43).
https://bugs.webkit.org/show_bug.cgi?id=312977
ANGLE: ResumeTransformFeedback does not validate the active program
https://bugs.webkit.org/show_bug.cgi?id=312977
<rdar://174740337>
Reviewed by Dan Glastonbury.
ResumeTransformFeedback should succeed only when the current
program is the program of the active transform feedback.
Fix by adding a validation step for this.
* Source/ThirdParty/ANGLE/src/libANGLE/ErrorStrings.h:
* Source/ThirdParty/ANGLE/src/libANGLE/validationES3.cpp:
(gl::ValidateResumeTransformFeedback):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/TransformFeedbackTest.cpp:
Identifier: 305413.721@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.916@webkitglib/2.52
Commit: f038a7ddceed35ec4ed853492c8ac208e31c3d00
https://github.com/WebKit/WebKit/commit/f038a7ddceed35ec4ed853492c8ac208e31c3d00
Author: Charlie Wolfe <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A LayoutTests/ipc/load-image-for-decoding-file-url-expected.txt
A LayoutTests/ipc/load-image-for-decoding-file-url.html
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick f118e35bcfa5. https://bugs.webkit.org/show_bug.cgi?id=312832
Add scheme and cookie access validation to LoadImageForDecoding
https://bugs.webkit.org/show_bug.cgi?id=312832
rdar://174708372
Reviewed by Rupin Mittal.
LoadImageForDecoding accepted arbitrary ResourceRequest fields with only a
url.isValid() check. This
allowed file:// reads of NetworkProcess-sandbox files and credentialed
cross-origin body reads via
spoofed firstPartyForCookies.
Restrict the URL to HTTP(S) and enforce allowsFirstPartyForCookies, matching
every other
cookie-touching IPC entry point.
Test: ipc/load-image-for-decoding-file-url.html
* LayoutTests/ipc/load-image-for-decoding-file-url-expected.txt: Added.
* LayoutTests/ipc/load-image-for-decoding-file-url.html: Added.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::loadImageForDecoding):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::loadAndDecodeImage):
Identifier: 305413.744@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.917@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/c0887a6ed84d...f038a7ddceed
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications