[LDM] Enforce LDM Font Policy in GPUP & avoid trusted list SFP is ena…

…bled

https://bugs.webkit.org/show_bug.cgi?id=272247
rdar://124235570

Reviewed by Brent Fulgham.

If SafeFontParser is enabled we should use the SFP on both WCP and GPUP sides
and we should not parse trusted fonts with the system font parser.

When SFP is disabled we should switch to using the system parser but only
for trusted fonts, like before.

The difference after this patch is that if the SafeFontParser is enabled
we will no longer check first for trusted fonts that can be parsed
with the system font parser like before.

Canonical link: https://commits.webkit.org/277717@main

Source/WebCore/PAL/pal/cf/CoreTextSoftLink.cpp

@@ -27,11 +27,11 @@
 #include <pal/spi/cf/CoreTextSPI.h>
 #include <wtf/SoftLinking.h>
 
-SOFT_LINK_FRAMEWORK_FOR_SOURCE(PAL, CoreText)
+SOFT_LINK_FRAMEWORK_FOR_SOURCE_WITH_EXPORT(PAL, CoreText, PAL_EXPORT)
 
 // FIXME: Move this to strong linking as soon as people have a chance to update to an SDK that includes it.
 SOFT_LINK_FUNCTION_MAY_FAIL_FOR_SOURCE(PAL, CoreText, CTFontCopyColorGlyphCoverage, CFBitVectorRef, (CTFontRef font), (font))
-SOFT_LINK_FUNCTION_MAY_FAIL_FOR_SOURCE(PAL, CoreText, CTFontManagerCreateMemorySafeFontDescriptorFromData, CTFontDescriptorRef, (CFDataRef data), (data));
+SOFT_LINK_FUNCTION_MAY_FAIL_FOR_SOURCE_WITH_EXPORT(PAL, CoreText, CTFontManagerCreateMemorySafeFontDescriptorFromData, CTFontDescriptorRef, (CFDataRef data), (data), PAL_EXPORT)
 
 SOFT_LINK_PRIVATE_FRAMEWORK_FOR_SOURCE(PAL, OTSVG)
 

Source/WebCore/loader/cache/CachedFont.cpp

@@ -34,6 +34,7 @@
 #include "FontCustomPlatformData.h"
 #include "FontDescription.h"
 #include "FontPlatformData.h"
+#include "Logging.h"
 #include "MemoryCache.h"
 #include "SharedBuffer.h"
 #include "SubresourceLoader.h"
@@ -84,7 +85,7 @@ void CachedFont::finishLoading(const FragmentedSharedBuffer* data, const Network
         Ref dataContiguous = data->makeContiguous();
         m_fontParsingPolicy = policyForCustomFont(dataContiguous);
         if (m_fontParsingPolicy == FontParsingPolicy::Deny) {
-            // fonts are blocked, we set a flag to signal it in CachedFontLoadRequest.h
+            // SafeFontParser failed to parse font, we set a flag to signal it in CachedFontLoadRequest.h
             m_didRefuseToParseCustomFont = true;
             setErrorAndDeleteData();
             return;
@@ -144,14 +145,21 @@ bool CachedFont::ensureCustomFontData(SharedBuffer* data)
             setErrorAndDeleteData();
             return false;
 
-        case FontParsingPolicy::LoadWithSystemFontParser:
+        case FontParsingPolicy::LoadWithSystemFontParser: {
             m_fontCustomPlatformData = createCustomFontData(*data, calculateItemInCollection(), wrapping);
+            if (!m_fontCustomPlatformData)
+                RELEASE_LOG(Fonts, "[Font Parser] A font could not be parsed by system font parser.");
             break;
-
-        case FontParsingPolicy::LoadWithSafeFontParser:
+        }
+        case FontParsingPolicy::LoadWithSafeFontParser: {
             m_fontCustomPlatformData = createCustomFontDataExperimentalParser(*data, calculateItemInCollection(), wrapping);
+            if (!m_fontCustomPlatformData) {
+                m_didRefuseToParseCustomFont = true;
+                RELEASE_LOG(Fonts, "[Font Parser] A font could not be parsed by safe font parser.");
+            }
             break;
         }
+        }
 
         m_hasCreatedFontDataWrappingResource = m_fontCustomPlatformData && wrapping;
         if (!m_fontCustomPlatformData) {

Source/WebCore/loader/cache/CachedFont.h

@@ -61,7 +61,7 @@ class CachedFont : public CachedResource {
 
     virtual RefPtr<Font> createFont(const FontDescription&, bool syntheticBold, bool syntheticItalic, const FontCreationContext&);
 
-    bool didRefuseToParseCustomFont() const { return m_didRefuseToParseCustomFont; }
+    bool didRefuseToParseCustomFontWithSafeFontParser() const { return m_didRefuseToParseCustomFont; }
 
 protected:
     FontPlatformData platformDataFromCustomData(const FontDescription&, bool bold, bool italic, const FontCreationContext&);

Source/WebCore/loader/cache/CachedFontLoadRequest.h

@@ -64,9 +64,9 @@ class CachedFontLoadRequest final : public FontLoadRequest, public CachedFontCli
     bool ensureCustomFontData() final
     {
         bool result = m_font->ensureCustomFontData();
-        if (!result && m_font->didRefuseToParseCustomFont()) {
+        if (!result && m_font->didRefuseToParseCustomFontWithSafeFontParser()) {
             if (RefPtr context = m_context.get()) {
-                auto message = makeString("[Lockdown Mode] This font has been blocked: ", m_font->url().string());
+                auto message = makeString("[Lockdown Mode] This font wasn't parsed: ", m_font->url().string());
                 context->addConsoleMessage(MessageSource::Security, MessageLevel::Info, message);
             }
         }

Source/WebCore/loader/cache/TrustedFonts.cpp

@@ -874,16 +874,15 @@ FontParsingPolicy fontBinaryParsingPolicy(std::span<const uint8_t> data, Downloa
         return FontParsingPolicy::LoadWithSystemFontParser;
     case DownloadableBinaryFontTrustedTypes::None:
         return FontParsingPolicy::Deny;
-    case DownloadableBinaryFontTrustedTypes::Restricted:
-    case DownloadableBinaryFontTrustedTypes::FallbackParser: {
+    case DownloadableBinaryFontTrustedTypes::Restricted: {
         auto sha = hashForFontData(data);
         if (trustedFontHashesInLockdownMode().contains(sha))
             return FontParsingPolicy::LoadWithSystemFontParser;
-        if (trustedType == DownloadableBinaryFontTrustedTypes::FallbackParser)
-            return FontParsingPolicy::LoadWithSafeFontParser;
-        RELEASE_LOG(Fonts, "[Lockdown Mode] A font with a forbidden type has been blocked.");
+        RELEASE_LOG(Fonts, "[Lockdown Mode] A font with a forbidden type has been blocked from being parsed by system font parser.");
         return FontParsingPolicy::Deny;
     }
+    case DownloadableBinaryFontTrustedTypes::FallbackParser:
+        return FontParsingPolicy::LoadWithSafeFontParser;
     }
     ASSERT_NOT_REACHED();
     return FontParsingPolicy::Deny;

Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp

@@ -56,6 +56,9 @@
 #include "SwapBuffersDisplayRequirement.h"
 #include "WebCoreArgumentCoders.h"
 #include "WebPageProxy.h"
+#if PLATFORM(COCOA)
+#include <pal/cf/CoreTextSoftLink.h>
+#endif
 #include <WebCore/HTMLCanvasElement.h>
 #include <WebCore/NullImageBufferBackend.h>
 #include <WebCore/RenderingResourceIdentifier.h>
@@ -371,9 +374,7 @@ void RemoteRenderingBackend::cacheFontCustomPlatformData(WebCore::FontCustomPlat
 {
     ASSERT(!RunLoop::isMain());
 
-    // FIXME: (rdar://124235570) use this->shoulUsedLockdownFontParser instead of hard-coded 'false' at tryMakeFromSerializationData after we deprecate lockdown mode fonts allowed (trusted) list.
-    constexpr bool shouldUseLockdownFontParser { false };
-    auto customPlatformData = FontCustomPlatformData::tryMakeFromSerializationData(WTFMove(fontCustomPlatformSerializedData), shouldUseLockdownFontParser);
+    auto customPlatformData = FontCustomPlatformData::tryMakeFromSerializationData(WTFMove(fontCustomPlatformSerializedData), shouldUseLockdownFontParser());
     MESSAGE_CHECK(customPlatformData.has_value(), "cacheFontCustomPlatformData couldn't deserialize FontCustomPlatformData"_s);
 
     m_remoteResourceCache.cacheFontCustomPlatformData(WTFMove(customPlatformData.value()));
@@ -614,10 +615,12 @@ void RemoteRenderingBackend::terminateWebProcess(ASCIILiteral message)
     }
 }
 
+#if PLATFORM(COCOA)
 bool RemoteRenderingBackend::shouldUseLockdownFontParser() const
 {
-    return m_gpuConnectionToWebProcess->isLockdownSafeFontParserEnabled() && m_gpuConnectionToWebProcess->isLockdownModeEnabled();
+    return m_gpuConnectionToWebProcess->isLockdownSafeFontParserEnabled() && m_gpuConnectionToWebProcess->isLockdownModeEnabled() && PAL::canLoad_CoreText_CTFontManagerCreateMemorySafeFontDescriptorFromData();
 }
+#endif
 
 } // namespace WebKit
 

Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.h

@@ -187,7 +187,9 @@ class RemoteRenderingBackend : private IPC::MessageSender, public IPC::StreamMes
     void createDisplayListRecorder(RefPtr<WebCore::ImageBuffer>, WebCore::RenderingResourceIdentifier);
     void releaseDisplayListRecorder(WebCore::RenderingResourceIdentifier);
 
+#if PLATFORM(COCOA)
     bool shouldUseLockdownFontParser() const;
+#endif
 
     Ref<IPC::StreamConnectionWorkQueue> m_workQueue;
     Ref<IPC::StreamServerConnection> m_streamConnection;

Source/WebKit/WebProcess/WebPage/WebPage.cpp

@@ -340,6 +340,7 @@
 #include "WKStringCF.h"
 #include "WebRemoteObjectRegistry.h"
 #include <WebCore/LegacyWebArchive.h>
+#include <pal/cf/CoreTextSoftLink.h>
 #include <pal/spi/cg/ImageIOSPI.h>
 #include <wtf/MachSendRight.h>
 #include <wtf/spi/darwin/SandboxSPI.h>
@@ -4605,12 +4606,14 @@ void WebPage::adjustSettingsForLockdownMode(Settings& settings, const WebPrefere
 #if ENABLE(WEB_AUDIO)
     settings.setWebAudioEnabled(false);
 #endif
+#if PLATFORM(COCOA)
     if (settings.downloadableBinaryFontTrustedTypes() != DownloadableBinaryFontTrustedTypes::None) {
         settings.setDownloadableBinaryFontTrustedTypes(
-            settings.lockdownFontParserEnabled()
+            (settings.lockdownFontParserEnabled() && PAL::canLoad_CoreText_CTFontManagerCreateMemorySafeFontDescriptorFromData())
                 ? DownloadableBinaryFontTrustedTypes::FallbackParser
                 : DownloadableBinaryFontTrustedTypes::Restricted);
     }
+#endif
 #if ENABLE(WEB_CODECS)
     settings.setWebCodecsVideoEnabled(false);
     settings.setWebCodecsAV1Enabled(false);