
Cherry-pick 301765.417@safari-7623-branch (75bcb9f43cbe). rdar://169213380#61371

Merged
webkit-commit-queue merged 1 commit into WebKit:main from basuke:eng/basuke/r/169213380
Mar 27, 2026

Conversation

@basuke
Contributor

@basuke basuke commented Mar 26, 2026

279154a

Cherry-pick 301765.417@safari-7623-branch (75bcb9f43cbe). rdar://169213380

    Block text fragments in cross-origin window.open() popups.
    rdar://163804356

    Reviewed by Chris Dumez.

    This implements a security defense against timing side-channel attacks
    using Text Fragments in cross-origin popups.

    The exploit pattern:
    w = window.open("attacker.com");
    w.location = "victim.com";
    w.location = "victim.com#:~:text=secret";
    w.location = "about:blank";
    // Measure timing to detect if text was found

    Defense mechanism:
    - Add checkTextFragmentSecurity() in LocalFrameView.cpp
    - Block text fragments when opener origin ≠ current document origin
    - Allow text fragments in same-origin popups (legitimate use)
    - Allow text fragments in top-level navigation (no opener)

    This aligns with Chrome's 2019 defense (commit c0d3c4cca8b16),
    which uses RelatedPages().size() check. WebKit uses a simpler
    cross-origin check that achieves the same security goal.

    The fix does not affect about:blank origin inheritance or WPT tests,
    as those don't use text fragments.

    Tests: http/tests/security/text-fragment/popup-cross-origin-blocked.html
           http/tests/security/text-fragment/popup-same-origin-allowed.html
    * LayoutTests/http/tests/security/resources/page-with-text.html: Added.
    * LayoutTests/http/tests/security/text-fragment/popup-cross-origin-blocked-expected.txt: Added.
    * LayoutTests/http/tests/security/text-fragment/popup-cross-origin-blocked.html: Added.
    * LayoutTests/http/tests/security/text-fragment/popup-same-origin-allowed-expected.txt: Added.
    * LayoutTests/http/tests/security/text-fragment/popup-same-origin-allowed.html: Added.
    * Source/WebCore/page/LocalFrameView.cpp:
    (WebCore::checkTextFragmentSecurity):
    (WebCore::LocalFrameView::scrollToTextFragment):

    Identifier: 301765.417@safari-7623-branch

Identifier: 305413.221@safari-7624-branch
Canonical link: https://commits.webkit.org/310046@main
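To make the decision rule in the commit message concrete, here is an added example; it is not WebKit's code and does not reproduce the WebCore::checkTextFragmentSecurity function the commit adds to LocalFrameView.cpp. It models the three cases the message lists (top-level navigation with no opener, same-origin popup, cross-origin popup) in a small stand-alone C++ program. The Origin and PopupDocument types, the function names and the sample hosts are assumptions made for illustration only.

```cpp
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

// Simplified origin tuple (scheme, host, port). WebKit uses
// WebCore::SecurityOrigin; this struct is an assumption for the example.
struct Origin {
    std::string scheme;
    std::string host;
    unsigned port;

    bool operator==(const Origin& other) const {
        return scheme == other.scheme && host == other.host && port == other.port;
    }
};

// Hypothetical document model: the document's own origin plus, for popups,
// the opener's origin. Top-level navigations have no opener.
struct PopupDocument {
    Origin origin;
    std::optional<Origin> openerOrigin;
};

// True when the URL's fragment carries a text directive (":~:text=").
// Simplified parse: the real fragment-directive grammar is more involved.
bool hasTextFragmentDirective(std::string_view url) {
    std::size_t hash = url.find('#');
    if (hash == std::string_view::npos)
        return false;
    return url.substr(hash + 1).find(":~:text=") != std::string_view::npos;
}

// The rule stated in the commit message:
//  - no opener (top-level navigation): honor the text fragment
//  - opener same-origin as the document: honor it (legitimate use)
//  - opener cross-origin: block it, so a cross-origin opener cannot learn
//    whether the target page contained the text by timing the navigation
bool shouldHonorTextFragment(const PopupDocument& doc) {
    if (!doc.openerOrigin)
        return true;
    return *doc.openerOrigin == doc.origin;
}

// What a frame view would consult before scrolling to a text fragment.
bool shouldScrollToTextFragment(const PopupDocument& doc, std::string_view url) {
    return hasTextFragmentDirective(url) && shouldHonorTextFragment(doc);
}

int main() {
    // Constructed sample origins; no real hosts involved.
    const Origin victim{"https", "victim.example", 443};
    const Origin attacker{"https", "attacker.example", 443};
    const std::string_view url = "https://victim.example/page#:~:text=secret";

    const PopupDocument topLevel{victim, std::nullopt};
    const PopupDocument sameOriginPopup{victim, victim};
    const PopupDocument crossOriginPopup{victim, attacker};

    std::printf("top-level navigation: %s\n",
                shouldScrollToTextFragment(topLevel, url) ? "scroll" : "blocked");
    std::printf("same-origin popup:    %s\n",
                shouldScrollToTextFragment(sameOriginPopup, url) ? "scroll" : "blocked");
    std::printf("cross-origin popup:   %s\n",
                shouldScrollToTextFragment(crossOriginPopup, url) ? "scroll" : "blocked");
    return 0;
}
```

Only the decision is modelled here; the check landed in LocalFrameView.cpp works on the frame's real SecurityOrigin and opener, which this example replaces with plain structs. Note that a scheme or port mismatch counts as cross-origin just as a host mismatch does.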

fd1caf7

EWS status (columns: Misc | iOS, visionOS, tvOS & watchOS | macOS | Linux | Windows | Apple Internal):
Passed (✅): style, bindings, webkitperl, merge, ios, ios-sim, ios-wk2, ios-wk2-wpt, api-ios, ios-safer-cpp, vision, vision-sim, vision-wk2, tv, tv-sim, watch, watch-sim, mac, mac-AS-debug, api-mac, api-mac-debug, mac-wk1, mac-wk2, mac-AS-debug-wk2, mac-wk2-stress, mac-intel-wk2, mac-safer-cpp, wpe, wpe-wk2, api-wpe, gtk3-libwebrtc, gtk, gtk-wk2, api-gtk, playstation, win, mac-apple
Failed (❌): win-tests
Still running: jsc-debug-arm64, ios-apple, vision-apple

@basuke basuke requested a review from cdumez as a code owner March 26, 2026 03:22
@basuke basuke self-assigned this Mar 26, 2026
@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked label (applied to prevent a change from being merged) Mar 26, 2026
@basuke basuke removed the merging-blocked label Mar 26, 2026
@basuke basuke force-pushed the eng/basuke/r/169213380 branch from 249828e to 4cb277e March 26, 2026 06:01
@webkit-ews-buildbot
Collaborator

macOS Safer C++ Build #88800 (249828e)

❌ Found 1 failing file with 4 issues. Please address these issues before landing. See WebKit Guidelines for Safer C++ Programming.
(cc @rniwa)

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked label Mar 26, 2026
@webkit-ews-buildbot
Collaborator

macOS Safer C++ Build #88814 (4cb277e)

❌ Found 1 failing file with 4 issues. Please address these issues before landing. See WebKit Guidelines for Safer C++ Programming.
(cc @rniwa)

@basuke basuke removed the merging-blocked label Mar 26, 2026
@basuke basuke force-pushed the eng/basuke/r/169213380 branch from 4cb277e to fd1caf7 March 26, 2026 14:05
@robert-jenner robert-jenner added the safe-merge-queue label (applied to automatically send a pull request to merge-queue after passing EWS checks) Mar 26, 2026
@basuke basuke added the merge-queue label (applied to send a pull request to merge-queue) and removed the safe-merge-queue label Mar 27, 2026
@webkit-commit-queue
Collaborator

Committed 310046@main (279154a): https://commits.webkit.org/310046@main

Reviewed commits have been landed. Closing PR #61371 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 279154a into WebKit:main Mar 27, 2026
@webkit-commit-queue webkit-commit-queue removed the merge-queue label Mar 27, 2026