This Week in WebKit — April 25 – May 1, 2026

DocumentWriter chose the policy container source by asking "is there a history one?" instead of "is this a back/forward navigation?" So a script-driven srcdoc mutation on a sandboxed iframe gives the new document whatever the iframe's history item carried — usually nothing — in place of the parent's strict CSP. The patch narrows the trigger to BackForward navigations only. In the same commit, four WPT cases (location change, window.open, two form submissions) flip from FAIL to PASS — strongly suggesting the same line had been silently neutralising CSP inheritance for an entire family of fresh-navigation forms.

When a BoundsChecking Wasm memory grows, JSC has to repoint everything that cached a raw pointer into the old base. refreshAfterWasmMemoryGrow was the function meant to do that — but it left ArrayBufferContents::m_data and every JSArrayBufferView::m_vector stranded at the previous base. Grow once to free the old pages, spray 64 KiB ArrayBuffers to reclaim them, and the original Uint32Array becomes a typed-array window into a sibling allocation. The regression test reads 0xDEADBEEF back through a view that wrote 0xCAFEBABE.

ANGLE's Metal index-rewrite kernel compared every index against 0xFFFFFFFF — a value zero-extended uint16 indices can never equal. The legitimate 0xFFFF restart marker therefore got treated as a real vertex index, and the GPU dutifully fetched vertex attributes at offset 0xFFFF * stride, far past the bound buffers. Metal Shader Validation surfaces it as a deterministic crash; without MSV the OOB read flows silently into the shader and back out to JS via readPixels for any attacker-designed shader. The fix derives the sentinel from the same function-constant that already selects index width.

The HTML spec gates event.intercept() on equality of scheme, userinfo, host, and port. WebCore wrote it as if (!isSameSite && !isSameOrigin) reject — which by De Morgan means "accept if either same-site or same-origin." The stale inline comment about document.domain reveals the author intended a tight check, but the boolean shape relaxed it to the entire eTLD+1. A page on one subdomain could navigate to a sibling, intercept the navigation, and run its handler in the source realm while the user-visible navigation was suspended.

canShowMIMEType admitted video/mp2t because the MSE engine had registered it. createDocument then asked MediaPlayer::supportsType the same question with bare-URL semantics, got "not supported," and execution slid past every MediaDocument/ImageDocument/PDFDocument branch to the HTMLDocument tail. A data:video/mp2t,<script>...</script> iframe parsed the body as HTML and ran the script in the response's origin. The fix realigns the dispatch oracle to the registry and stops the MSE-only engine polluting that registry with types only it can play.

ConstExprGenerator has two construction modes — Validate and Evaluate — sharing a fail() helper that formats "WebAssembly.Module doesn't parse at byte N" using m_parser->offset() + m_offsetInSource. Only the Validate-mode constructor initialised m_offsetInSource; the Evaluate-mode ctor stack-allocated the generator with whatever the prior frame had left at that slot. Trigger an extended-const-expr failure (an array.new with negative size will do), catch the RuntimeError, parse one uninitialised 64-bit stack word out of error.message as decimal. Repeat with controlled stack priming to bias which prior-frame slot lands at the leak.