Calling evaluateJavaScript enables back-button hijacking
https://bugs.webkit.org/show_bug.cgi?id=261611
rdar://115561250

Reviewed by Ben Nham.

In 253405@main, I updated our back/forward list hijacking prevention logic by treating history items added by JS (e.g. via 'history.pushState()') as having a user gesture if a user gesture had occurred in the last 10 seconds. This was needed for backward compatibility with some legit sites.

The issue now is that if the client app has called evaluateJavaScript on the WKWebView in the last 10 seconds, the JS will be able to hijack the back/forward list again. In 265168@main, we did some hardening so that the transient activation gets consumed after the evaluateJavaScript call has completed. However, it didn't fix the back/forward list hijacking prevention logic because it relies on user gesture and not transient activation.

To address the issue, I updated our back/forward list hijacking prevention logic to rely on transient user activation rather than whether or not there was a user gesture in the last 10 minutes.

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::hasRecentUserInteractionForNavigationFromJS const):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(TEST):

Canonical link: https://commits.webkit.org/272448.685@safari-7618-branch
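The two checks contrasted in the commit message, replayed over constructed timelines. This is an added model, not WebKit code and not part of the commit. The event names, the `replay` helper and the 5-second activation lifetime are assumptions; only the 10-second window and the consume-after-`evaluateJavaScript` behaviour come from the message.

```javascript
// Added model, not WebKit code. Names, timelines and the activation lifetime are assumptions.
const GESTURE_WINDOW_MS = 10000;      // "last 10 seconds" window from the commit message
const ACTIVATION_LIFETIME_MS = 5000;  // assumed transient-activation lifetime

function replay(events) {
  let lastGestureAt = -Infinity;      // timestamp the old check compares against
  let activationUntil = -Infinity;    // expiry of transient activation (new check)
  const decisions = [];
  for (const ev of events) {
    switch (ev.type) {
      case "userClick":
        lastGestureAt = ev.t;
        activationUntil = ev.t + ACTIVATION_LIFETIME_MS;
        break;
      case "evaluateJavaScript":
        // The client's call counts as a gesture for the timestamp check, but
        // transient activation is consumed once the call completes (265168@main).
        lastGestureAt = ev.t;
        activationUntil = -Infinity;
        break;
      case "pushState":
        // Would this history item be treated as having a user gesture?
        decisions.push({
          t: ev.t,
          gestureWindow: ev.t - lastGestureAt <= GESTURE_WINDOW_MS,
          transientActivation: ev.t < activationUntil,
        });
        break;
      default:
        throw new Error(`unknown event type: ${ev.type}`);
    }
  }
  return decisions;
}

// Constructed timelines, times in milliseconds.
const appInjectedScript = [
  { type: "evaluateJavaScript", t: 0 },
  { type: "pushState", t: 3000 },     // page script, no user input at all
];
const realClick = [
  { type: "userClick", t: 0 },
  { type: "pushState", t: 1000 },
];

for (const [name, timeline] of Object.entries({ appInjectedScript, realClick })) {
  console.log(name, replay(timeline));
}
```

In the `appInjectedScript` timeline the timestamp check accepts the `pushState` item while the transient-activation check rejects it; in `realClick` both accept it.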