Created attachment 328214 [details] Needs test

<rdar://problem/35812382>

Is there a direct way to test these? Or do I have to use EventSender?

We usually send WTF objects over CoreIPC. Sending Foundation objects just has too many pitfalls, including correctness, performance and security. I recommend looking into removing the existing code here, not into extending it.

Without even looking at the patch, I agree with Alexey. Attempts to serialize Cocoa types are often wrought with problems and are not entirely within our control. Better to use WTF/WebCore/WebKit types when possible

So it's better to convert to WTF types, send across the wire, then convert back to NS types, rather than just fixing a bug in our existing converters?

Yes. Or better yet, not use NS types in WebCore at all. The security aspect of it is not just about what you do, but also about what malicious code running in WebContent can do to escape the sandbox. Any deserialization of NS types performed in UI process adds a large attack surface.

Oh wait, this doesn't actually use Foundation serialization. What I said is mostly irrelevant, I should have studied the patch more closely. Freaked out because of the recent NSSecureCoding fixes.

Created attachment 329151 [details] Patch

Comment on attachment 329151 [details] Patch Clearing flags on attachment: 329151 Committed r225811: <https://trac.webkit.org/changeset/225811>

All reviewed patches have been landed. Closing bug.