Summary: | WKUserScripts injecting into all frames seem to violate app-bound domains | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Kate Cheney <katherine_cheney> | ||||||
Component: | WebKit Misc. | Assignee: | Kate Cheney <katherine_cheney> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | beidson, bfulgham, wilander | ||||||
Priority: | P2 | Keywords: | InRadar | ||||||
Version: | WebKit Nightly Build | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Kate Cheney
2020-06-30 14:22:23 PDT
Created attachment 403244 [details]
Patch
Comment on attachment 403244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=403244&action=review Other than rebasing first and adding a test, looks good. > Source/WebKit/WebProcess/WebPage/WebPage.cpp:3461 > - if (shouldEnableInAppBrowserPrivacyProtections()) { > + if (frame->shouldEnableInAppBrowserPrivacyProtections()) { > send(Messages::WebPageProxy::ScriptValueCallback({ }, ExceptionDetails { "Unable to execute JavaScript"_s }, callbackID)); You will have to rebase before this lands. Also, this is an interesting new case that now needs to be tested (as of https://trac.webkit.org/changeset/263727/webkit) - Could you add to the API test an attempt to evaluate javascript to the non app-bound domain should fail? > Tools/TestWebKitAPI/Tests/WebKitCocoa/InAppBrowserPrivacy.mm:113 > + else if ([task.request.URL.path isEqualToString:@"/should-load-for-main-frame-only"]) > + countInjectedScriptSource++; Another way to do this is checking the WKFrameInfo on the WKURLSchemeHandlerTask and see if it's the main frame, and get its URL, etc. Created attachment 403250 [details]
Patch
Committed r263806: <https://trac.webkit.org/changeset/263806> All reviewed patches have been landed. Closing bug and clearing flags on attachment 403250 [details]. |