235616 – [iOS][macOS] Block access to Icon Services

Bug 235616 - [iOS][macOS] Block access to Icon Services

Summary: [iOS][macOS] Block access to Icon Services

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Per Arne Vollan

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-01-25 15:46 PST by Per Arne Vollan
Modified:	2022-02-16 15:24 PST (History)
CC List:	5 users (show)

See Also:

Attachments
Patch (8.64 KB, patch) 2022-01-25 15:48 PST, Per Arne Vollan	darin: review+	Details \| Formatted Diff \| Diff
Patch (7.55 KB, patch) 2022-01-27 13:36 PST, Per Arne Vollan	no flags	Details \| Formatted Diff \| Diff
Patch (7.55 KB, patch) 2022-01-27 13:37 PST, Per Arne Vollan	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Per Arne Vollan 2022-01-25 15:46:22 PST

Stop creating a sandbox extension for the Icon service when the attachment element is enabled, since local testing indicates that this is not needed.

Comment 1 Per Arne Vollan 2022-01-25 15:48:07 PST

Created attachment 449975 [details]
Patch

Comment 2 Darin Adler 2022-01-25 17:03:30 PST

Comment on attachment 449975 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449975&action=review

> Source/WebKit/ChangeLog:3
> +        [iOS][macOS] Block access to Icon service

I think it's "Icon Services"

> Source/WebKit/ChangeLog:9
> +        Stop creating a sandbox extension for the Icon service when the attachment element is enabled,
> +        since local testing indicates that this is not needed.

I’m kind of surprised. Maybe we don’t put the icon into <input type=file> element on the webpage any more, like we did in the past. Did you test with a file with an unusual icon to make sure the icon was correct?

Comment 3 Per Arne Vollan 2022-01-27 13:36:58 PST

Created attachment 450172 [details]
Patch

Comment 4 Per Arne Vollan 2022-01-27 13:37:31 PST

Created attachment 450173 [details]
Patch

Comment 5 Per Arne Vollan 2022-01-27 13:42:58 PST

(In reply to Per Arne Vollan from comment #1)
> Created attachment 449975 [details]
> Patch

(In reply to Darin Adler from comment #2)
> Comment on attachment 449975 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=449975&action=review
> 
> > Source/WebKit/ChangeLog:3
> > +        [iOS][macOS] Block access to Icon service
> 
> I think it's "Icon Services"
>

Fixed!
 
> > Source/WebKit/ChangeLog:9
> > +        Stop creating a sandbox extension for the Icon service when the attachment element is enabled,
> > +        since local testing indicates that this is not needed.
> 
> I’m kind of surprised. Maybe we don’t put the icon into <input type=file>
> element on the webpage any more, like we did in the past. Did you test with
> a file with an unusual icon to make sure the icon was correct?

That is a good point. This change should only affect apps that enable the attachment element, like Mail, etc. Based on your comment, I see that the original patch is incorrectly changing the sandbox, since an extension is still in use in file upload dialogs. I have updated the patch.

Thanks for reviewing!

Comment 6 Per Arne Vollan 2022-01-27 16:12:18 PST

<rdar://88158797>

Comment 7 EWS 2022-02-16 15:24:32 PST

Committed r289972 (247358@main): <https://commits.webkit.org/247358@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450173 [details].