Bug 315163
| Summary: | NetworkConnectionToWebProcess::createSocketChannel should reject requests with an invalid URL | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Kristian Monsen <k_monsen> |
| Component: | WebKit Process Model | Assignee: | Kristian Monsen <k_monsen> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | nham, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Kristian Monsen
<script>
// Regression test for the bug summarised above: the network process's
// NetworkConnectionToWebProcess::createSocketChannel handler should reject a
// request whose URL is invalid. The request built below carries m_url "A".
//
// Hold the test open under the WebKit test runner while the async body runs.
// NOTE(review): no matching notifyDone() is visible in this snippet; confirm
// how the harness ends the test.
window.testRunner?.waitUntilDone();

(async () => {
  const { CoreIPC } = await import("./coreipc.js");

  // Identifiers for the current page, read from the global IPC object
  // (presumably the IPC testing API; it is not defined in this snippet).
  const currentPageID = IPC.pageID;
  const currentWebPageProxyID = IPC.webPageProxyID;

  // Payload strings. The values look machine-generated (presumably fuzzer
  // output), so every literal is kept verbatim.
  const singleA = "A";
  const documentURL = location.href;
  const padding8300 = "A".repeat(8300);
  const wideCharsLong = unescape("%u02F4%uCFE5%uD8DE%uF92B%u831D%u8101%u4951%u5564%u7944%u7A2A%uA2DE%u837F%uE886%u0F27%u990C%u8EEB%u4F63%uA060%u4373%u7D96");
  const wideCharsShort = unescape("%uE08C%u8801%uB72A%uBAED%u3BD0");
  // Contains control characters, so it is not a well-formed HTTP method token.
  const controlCharMethod = unescape("r5%17%05S9l%28XlZ%3Cla%3C%5B%1Ej%7B4%5D%08Chmf6FRG_c%603D%26w%5D%7C%7BTQ%3E%26oE%60%06P%03R@2Z%3B%01%27OU%3DA%0Dp%081%1CV%07/%5C%15z%19%3C/%25i%1D%1ETVW%26/eH%5ES6pwut%29%10z%29%01%3BBr%03%29-+q%01%3F%25%14.%5D%19%04q%2C%0F%28");
  const period = unescape(".");
  const paddingTimesSix = padding8300.repeat(6);
  const repeatedToken = "WaitBeforeFinishingFullscreenExit".repeat(4);

  // Header map. The numeric keys under commonHeaders are presumably indices
  // into WebKit's common-header-name enumeration; verify against coreipc.js.
  const headerFields = {
    commonHeaders: [
      { key: 18, value: documentURL },
      { key: 78, value: padding8300 },
      { key: 75, value: singleA },
      { key: 43, value: singleA },
      { key: 96, value: controlCharMethod },
    ],
    uncommonHeaders: [
      { key: singleA, value: period },
      { key: wideCharsLong, value: wideCharsLong },
      { key: documentURL, value: controlCharMethod },
    ],
  };

  const requestData = {
    // "A" has no scheme, so it is not a valid URL. Per the bug summary this
    // is the condition createSocketChannel is expected to reject.
    m_url: { string: "A" },
    m_firstPartyForCookies: { string: repeatedToken },
    // A subnormal double.
    m_timeoutInterval: 4.88059031996e-313,
    m_httpMethod: controlCharMethod,
    m_httpHeaderFields: headerFields,
    m_responseContentDispositionEncodingFallbackArray: [
      paddingTimesSix,
      wideCharsShort,
      period,
      wideCharsShort,
      period,
      documentURL,
      paddingTimesSix,
      wideCharsShort,
    ],
    m_cachePolicy: 5,
    m_sameSiteDisposition: 2,
    m_priority: 1,
    m_requester: 9,
    m_allowCookies: true,
    m_isTopSite: true,
    m_isAppInitiated: true,
    m_privacyProxyFailClosedForUnreachableNonMainHosts: true,
    m_useAdvancedPrivacyProtections: true,
    m_didFilterLinkDecoration: false,
    m_isPrivateTokenUsageByThirdPartyAllowed: false,
    m_wasSchemeOptimisticallyUpgraded: false,
    m_targetAddressSpace: 0,
  };

  const resourceRequest = {
    getRequestDataToSerialize: {
      variantType: "WebCore::ResourceRequest::RequestData",
      variant: requestData,
    },
    cachePartition: "A",
    hiddenFromInspector: true,
  };

  // Origin pair sent with the request: a tuple origin with an oversized
  // protocol string and an empty port, plus an opaque origin identifier.
  const originPair = {
    topOrigin: {
      data: {
        variantType: "WebCore::SecurityOriginData::Tuple",
        variant: { protocol: padding8300, host: repeatedToken, port: {} },
      },
    },
    clientOrigin: {
      data: {
        variantType: "WebCore::OpaqueOriginIdentifierProcessQualified",
        variant: { object: 262145, processIdentifier: 262146 },
      },
    },
  };

  // Send the CreateSocketChannel message. The meaning of the leading 0 is not
  // shown here (presumably a destination or connection id; see coreipc.js).
  CoreIPC.Networking.NetworkConnectionToWebProcess.CreateSocketChannel(0, {
    request: resourceRequest,
    protocol: repeatedToken,
    identifier: 393216,
    webPageProxyID: currentWebPageProxyID,
    frameID: { optionalValue: 262144 },
    pageID: { optionalValue: currentPageID },
    clientOrigin: originPair,
    hadMainFrameMainResourcePrivateRelayed: false,
    allowPrivacyProxy: false,
    protections: 15,
    storedCredentialsPolicy: 0,
  });
})();
</script>
Kristian Monsen
<rdar://177347637>
Kristian Monsen
Pull request: https://github.com/WebKit/WebKit/pull/65258
EWS
Committed 313603@main (84a08d4a5ba8): <https://commits.webkit.org/313603@main>
Reviewed commits have been landed. Closing PR #65258 and removing active labels.