[12] [LDM] Ensure temporary pages use the correct Font Parser
Severity: Medium | Component: WebCore editing sanitization / SVGImage | 9fe9df5
Rated Medium because the observable effect is a Lockdown Mode font-parsing bypass on temporary pages spawned for paste/drag-drop sanitization or SVG image rendering, surfaced as a WebContent termination via a GPU-process MESSAGE_CHECK, and the impact is bounded to LDM users specifically.
Source/WebCore/editing/markup.cpp
+ DownloadableBinaryFontTrustedTypes fontTrustedTypes = DownloadableBinaryFontTrustedTypes::Any;
if (destinationDocument) {
if (RefPtr destinationPage = destinationDocument->page()) {
fontGenericFamilies = destinationPage->settings().fontGenericFamilies();
+ fontTrustedTypes = destinationPage->settings().downloadableBinaryFontTrustedTypes();
}
}
+ page->settings().setDownloadableBinaryFontTrustedTypes(fontTrustedTypes);
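Review bot: the fallback on the first line of this hunk, `DownloadableBinaryFontTrustedTypes fontTrustedTypes = DownloadableBinaryFontTrustedTypes::Any;`, still selects the standard parser whenever destinationDocument or its page() is null, so the sanitizing page only inherits the Lockdown Mode restriction when a destination page exists. Consider failing closed to the restricted value on that path, or add a comment stating why callers without a destination page can never be Lockdown Mode processes.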
Source/WebCore/svg/graphics/SVGImage.cpp
m_page->settings().fontGenericFamilies() = parentSettings->fontGenericFamilies();
+ m_page->settings().setDownloadableBinaryFontTrustedTypes(parentSettings->downloadableBinaryFontTrustedTypes());
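Review bot: this line and the markup.cpp change are two hand-maintained copies of the same curated settings list, which is exactly how downloadableBinaryFontTrustedTypes was missed in the first place; consider factoring the copy shared by createPageForSanitizingWebContent and SVGImage::dataChanged into a single helper so a future security-relevant setting is added in one place, and add a comment here noting that this setting carries Lockdown Mode policy and must not be dropped. Stylistically, the preceding line assigns through the reference returned by fontGenericFamilies() while the new line uses a setter; pick one form.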
Patch Details
Both createPageForSanitizingWebContent and SVGImage::dataChanged now propagate downloadableBinaryFontTrustedTypes from the parent/destination page to the temporary inner Page. A LayoutTest loads an SVG @font-face with an OpenType blob inside an LDM process; an API test verifies a paste of a webarchive into an LDM destination web view does not terminate.
The underlying bug class: a security-policy setting is not propagated from the parent page to a derived/auxiliary page, allowing the auxiliary page to bypass a process-mode restriction (Lockdown Mode font parsing).
Background
Lockdown Mode is an Apple opt-in that disables or hardens features known to yield exploit primitives. SafeFontParser is the restricted font parser used in LDM; it accepts a subset of OpenType/TrueType structures and rejects risky tables. DownloadableBinaryFontTrustedTypes is a Settings enum (Any selects the standard parser; the LDM-enforced value selects SafeFontParser). createPageForSanitizingWebContent builds a throwaway Page for parsing pasted/dropped/web-archive markup; SVGImage owns a private m_page whose document parses and renders SVG-as-image content in isolation. MESSAGE_CHECK is an IPC validation macro that terminates the originating WebContent process on failure.
Analysis
These temporary pages copied a curated subset of parent settings (dark appearance, font generic families, layer-based SVG engine) but omitted downloadableBinaryFontTrustedTypes. The setting therefore kept its default of Any, so the standard system parser was selected even when the user-visible parent page had Lockdown Mode engaged.
🔒Examines how a Lockdown Mode hardening can be silently bypassed on auxiliary code paths, and why a cross-process IPC check — not the WebContent-side font code — is what surfaced the bug.
Audit directions
🔒Multiple reusable audit patterns for setting-propagation gaps across derived `Page` constructions and cross-process IPC policy mismatches, with concrete starting points.