Site Isolation: UIProcess routing for same-site child frame back/forward navigations

212c74a

Source/WebKit/UIProcess/WebPageProxy.cpp

+ RefPtr<WebBackForwardListFrameItem> WebPageProxy::frameStateForBackForwardChildFrame(...)
+ {
+     auto* currentItem = m_backForwardList->currentItem();
+     ...
+     auto siblingIndex = frame.indexInFrameTreeSiblings();
+     return currentItem->findFrameStateInItem([&](auto& item) {
+         return item.childItemAtIndex(siblingIndex);
+     });
+ }

Source/WebKit/WebProcess/WebPage/WebFrame.cpp

 void WebFrame::didReceivePolicyDecision(...)
 {
+    if (policyDecision.backForwardFrameState) {
+        setHistoryItemForBackForwardNavigation(
+            HistoryItem::create(*policyDecision.backForwardFrameState));
+    }
     ...
+    if (navigationAction.policyAlreadyDecided())
+        frameLoader->loadRequestedHistoryItem(PolicyAlreadyDecided::Yes);
 }

WebKit의 Site Isolation 모델은 사이트별로 WebProcess 인스턴스를 분리하며, UIProcess가 전체 구조를 조율하는 신뢰된 조정자 역할을 맡습니다. Back/forward navigation은 frame이 history에서 로드할 URL을 결정하는 보안에 민감한 영역으로, 손상된 WebProcess가 이를 단독으로 결정하는 구조는 허용될 수 없습니다. BackForwardList는 UIProcess에 위치하는데, 기존 경로에서는 WebProcess가 loadURLIntoChildFrame을 통해 직접 child-item을 조회했습니다. 이 방식은 UIProcess의 권한을 우회할 뿐 아니라, Site Isolation 환경에서도 올바르게 동작하지 않았습니다.

이 commit은 UseUIProcessForBackForwardItemLoading이 활성화된 경우, same-site child frame의 back/forward navigation 처리 경로를 변경했습니다. 기존에는 WebProcess가 직접 처리했지만, 이제는 decidePolicyForNavigationAction IPC를 통해 UIProcess를 경유하도록 수정되었습니다. UIProcess는 BackForwardList에서 sibling index를 기준으로 올바른 FrameState를 조회하고, 요청 URL을 재작성한 뒤 PolicyDecision에 FrameState를 포함해 반환합니다.

Before (broken path):
  WebProcess: FrameLoader::loadURLIntoChildFrame
    └─► legacy loadChildHistoryItemIntoFrame
          └─► loads URL  [UIProcess not involved]

After (new path):
  WebProcess: loadURLIntoChildFrame
    └─► dispatchBackForwardItemLoading
          └─► decidePolicyForNavigationAction IPC ──► UIProcess
                                                       └─► frameStateForBackForwardChildFrame
                                                             └─► siblingIndex → BackForwardList lookup
                                                                   └─► PolicyDecision (FrameState attached)
                                                                         │
                                                                         ▼
                                                                   WebProcess: didReceivePolicyDecision
                                                                     └─► HistoryItem::create(FrameState)
                                                                           └─► loadRequestedHistoryItem

Significance

child frame의 history navigation이 UIProcess의 감독을 우회하던 Site Isolation 취약점이 수정되었습니다. 기존에는 WebProcess가 단독으로 frame에 로드할 history URL을 결정할 수 있었습니다.

Audit directions

Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaa Aaaaa Aa Aaaaa Aaaa Aa Aaaaa Aaaaa Aaaaaaaaaaaaaaa Aaaaa Aaaaa Aa Aa Aaa Aaaaaaaaa Aaa Aaaa Aaaaa Aaaaaaa Aaaaa Aaa Aaaaaaa Aaaa Aaaaaaa Aaa Aaaa Aaaaa

Aaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaaa Aaaaaaaaaa Aaaaaaaaaaaa Aaaa Aaaaaa Aaaaaa Aaaaaaaa Aa Aaa Aaaaa Aaaaaaaaa Aaa Aaa Aaaaaaaaa Aaaa Aaaaaaaaaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa a Aaa Aa Aaaaaaaaaaaa Aa Aaa Aaaa Aaaa Aaaa

Aaaaaaaaaaaa Aaaa Aa Aaa Aaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaa a Aaaaaaaaaaaaaaa Aaa Aaa Aaaa Aaaa Aaaa Aaaaaaaa Aaaaaaaa Aa Aaa Aaaaaaaaaaaaaaa Aaaaaaaaaaa Aaa Aaaa Aaaaaaa Aaaaaa Aaa Aaaaaaaa Aa Aaaa Aaaa Aa a Aaaa Aaa Aaa Aaaaaa

🔒

Frame-tree/BackForwardList sync assumptions and the new PolicyAlreadyDecided bypass create audit-worthy edge cases in this site isolation path.

더 확인하려면 구독해 주세요