NEW 296770
NotificationJSONParser::parseNotificationPayload gets mutable from wrong object 
https://bugs.webkit.org/show_bug.cgi?id=296770
Summary NotificationJSONParser::parseNotificationPayload gets mutable from wrong object
Kagami Sascha Rosylight
Reported 2025-07-31 15:04:23 PDT
https://searchfox.org/wubkat/rev/c46918d1cba365017d1df98e3d14f04db42320bc/Source/WebCore/Modules/notifications/NotificationJSONParser.cpp#112-113,142-143 ```cpp bool isMutable = false; if (auto value = protectedObject->getValue(mutableKey)) { ``` But `protectedObject` is for `notification` object, while the proposed PR puts it in the top level push payload. See also https://github.com/w3c/push-api/pull/385#issuecomment-3141427555
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2025-08-02 11:55:28 PDT
Thank you for the report! To clarify, are you intending to post a PR? It sounded like perhaps you already did, but I cannot find it on https://github.com/WebKit/WebKit/pulls
Kagami Sascha Rosylight
Comment 2 2025-08-02 11:57:56 PDT
No, I just found it while evaluating web specification implementation.
Anne van Kesteren
Comment 3 2025-08-04 05:45:22 PDT
It seems that app_badge is retrieved from the outerObject though? This seems straightforward to fix, but we probably need to continue to support it on "protectedObject" as well for a while to aid in migration.
Radar WebKit Bug Importer
Comment 4 2025-08-04 07:34:35 PDT
<rdar://problem/157475553>
Anne van Kesteren
Comment 5 2025-08-04 07:37:08 PDT
Pull request: https://github.com/WebKit/WebKit/pull/48896
Kagami Sascha Rosylight
Comment 6 2025-08-05 08:06:38 PDT
Ah, I see https://github.com/WebKit/WebKit/pull/45798 fixed it for badge.
Note You need to log in before you can comment on or make changes to this bug.