[1] didSameDocumentNavigationForFrame accepts arbitrary URL, enabling address bar spoofing
Severity: High | Component: WebKit UIProcess | 23b15df
Rated High because the diff fixes a UIProcess IPC handler that updates the displayed URL from a renderer-supplied string with no origin check; reaching that handler from web content is sufficient to put any origin in the address bar.
WebPageProxy::didSameDocumentNavigationForFrameViaJS accepted any well-formed URL from the WebContent process and used it as the frame's new URL after a history.pushState/replaceState-style navigation. The pre-existing MESSAGE_CHECK_URL only validated parseability; nothing enforced that a same-document navigation must remain same-origin.
Source/WebKit/UIProcess/WebPageProxy.cpp
Ref process = WebProcessProxy::fromConnection(connection);
MESSAGE_CHECK_URL(process, url);
+ MESSAGE_CHECK(process, url.protocolIsFile() || frame->url().isEmpty() || protocolHostAndPortAreEqual(url, frame->url()));
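Review bot: the two exemptions in the new MESSAGE_CHECK are broader than the stated goal of keeping same-document navigations same-origin: `url.protocolIsFile()` accepts any file: URL no matter what `frame->url()` currently is, and `frame->url().isEmpty()` accepts any URL at all for a frame that has no recorded URL. If both are intentional (local files have no useful scheme/host/port tuple; a frame that has not committed yet has nothing to compare against), add a comment above the check saying so, and consider narrowing the first case to `url.protocolIsFile() && frame->url().protocolIsFile()` so that a frame currently on an http(s) URL cannot report a same-document navigation to a file URL. Also worth confirming at the call site that `frame` has already been null-checked before `frame->url()` is dereferenced here; that check is not visible in this hunk.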
Patch Details
A single MESSAGE_CHECK is added immediately after MESSAGE_CHECK_URL, enforcing that the URL is a file URL, the frame URL is empty, or scheme/host/port match the frame's current URL. Failure kills the offending WebContent process.
Missing origin-equivalence check on a renderer-supplied URL crossing the WebContent→UIProcess trust boundary.
Background
A same-document navigation changes the URL without unloading the document (typically via the History API or fragment changes); per spec the new URL must be same-origin with the current document. WebKit's UIProcess owns the address bar and maintains a per-WebFrameProxy URL that feeds it. MESSAGE_CHECK_URL validates URL parseability; protocolHostAndPortAreEqual compares the scheme/host/port tuple that defines an origin.
Analysis
Before the fix, a compromised or scripted WebContent process could call didSameDocumentNavigationForFrameViaJS with any URL and have the UIProcess record it as the frame's current URL — feeding the address bar an attacker-chosen origin while the actual document remained attacker-controlled.
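The before/after behaviour above, as an added stand-alone example that is not WebKit's own code: a small C++ model of the check the patch adds, with the vulnerable handler's acceptance rule (MESSAGE_CHECK_URL only) beside the fixed one. WTF::URL and WebCore's protocolHostAndPortAreEqual() are replaced by a minimal parser that keeps only the scheme/host/port tuple; the function and type names in the block (OriginTuple, parseOriginTuple, acceptedBeforeFix, acceptedAfterFix) are this example's own, and it assumes case-insensitive scheme and host comparison, that the default port of http(s)/ws(s) is folded away as WebKit's canonicalizer does, and no handling of IPv6 literals.

```cpp
// Added example, not WebKit code: a stand-alone model of the URL check that
// the patch adds to WebPageProxy::didSameDocumentNavigationForFrameViaJS.
// WTF::URL, MESSAGE_CHECK_URL and protocolHostAndPortAreEqual() are replaced
// by a small parser that keeps only the scheme/host/port tuple. Assumptions:
// scheme and host compare case-insensitively, the default port of
// http(s)/ws(s) is folded away (WebKit's parser drops it on canonicalization),
// and IPv6 literals are not handled.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>

struct OriginTuple {
    std::string scheme;
    std::string host;
    int port = -1;   // -1 means no explicit, non-default port
};

static std::string lowered(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static int defaultPortFor(const std::string& scheme) {
    if (scheme == "http" || scheme == "ws") return 80;
    if (scheme == "https" || scheme == "wss") return 443;
    return -1;
}

// Parse "scheme:[//[user@]host[:port]][/path][?query][#fragment]".
// Returns nullopt for what MESSAGE_CHECK_URL would reject in this model
// (no scheme, or a non-numeric port).
static std::optional<OriginTuple> parseOriginTuple(const std::string& url) {
    auto schemeEnd = url.find(':');
    if (schemeEnd == std::string::npos || schemeEnd == 0) return std::nullopt;
    OriginTuple t;
    t.scheme = lowered(url.substr(0, schemeEnd));
    std::string rest = url.substr(schemeEnd + 1);
    if (rest.compare(0, 2, "//") != 0) return t;        // no authority, e.g. "about:blank"
    rest.erase(0, 2);
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));
    auto at = authority.rfind('@');
    if (at != std::string::npos) authority.erase(0, at + 1);   // drop userinfo
    auto colon = authority.rfind(':');
    if (colon != std::string::npos) {
        std::string portText = authority.substr(colon + 1);
        authority.erase(colon);
        if (portText.empty() || portText.size() > 5
            || !std::all_of(portText.begin(), portText.end(),
                            [](unsigned char c) { return std::isdigit(c) != 0; }))
            return std::nullopt;
        int port = std::stoi(portText);
        if (port != defaultPortFor(t.scheme)) t.port = port;
    }
    t.host = lowered(authority);
    return t;
}

// Model of protocolHostAndPortAreEqual(): compare the origin tuple only.
static bool protocolHostAndPortAreEqual(const OriginTuple& a, const OriginTuple& b) {
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

// Before the fix: only MESSAGE_CHECK_URL ran, so any parseable URL became the
// frame's new URL regardless of what the frame's current URL was.
bool acceptedBeforeFix(const std::string& /*frameUrl*/, const std::string& newUrl) {
    return parseOriginTuple(newUrl).has_value();
}

// After the fix: the added MESSAGE_CHECK, in the order the patch writes it.
// A false return corresponds to the WebContent process being killed.
bool acceptedAfterFix(const std::string& frameUrl, const std::string& newUrl) {
    auto next = parseOriginTuple(newUrl);
    if (!next) return false;                       // MESSAGE_CHECK_URL fails
    if (next->scheme == "file") return true;       // url.protocolIsFile()
    if (frameUrl.empty()) return true;             // frame->url().isEmpty()
    auto current = parseOriginTuple(frameUrl);
    return current && protocolHostAndPortAreEqual(*next, *current);
}

int main() {
    // Constructed sample pairs: (frame's current URL, URL proposed by the renderer).
    struct Case { const char* frame; const char* next; };
    const Case cases[] = {
        { "https://bank.example/login", "https://bank.example/login#step2" },
        { "https://bank.example/login", "https://bank.example:443/account" },
        { "https://bank.example/login", "https://BANK.example/account" },
        { "https://attacker.example/",   "https://bank.example/login" },
        { "https://bank.example/",       "http://bank.example/" },
        { "https://bank.example/",       "https://bank.example:8443/" },
        { "",                            "https://bank.example/" },
        { "https://attacker.example/",   "file:///tmp/index.html" },
        { "https://bank.example/",       "not a url" },
    };
    std::printf("%-30s %-36s %-7s %s\n", "frame URL", "proposed URL", "before", "after");
    for (const auto& c : cases)
        std::printf("%-30s %-36s %-7s %s\n", c.frame[0] ? c.frame : "(empty)", c.next,
                    acceptedBeforeFix(c.frame, c.next) ? "accept" : "kill",
                    acceptedAfterFix(c.frame, c.next) ? "accept" : "kill");
    return 0;
}
```

The fourth row is the spoof: before the fix a frame on attacker.example could have bank.example recorded as its URL; after it the process is killed. The last two rows show the two exemptions still accepted after the fix (empty frame URL, any file: URL), which is why they deserve a comment in the real patch.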
The trust boundary between WebContent and UIProcess for URL display is examined, along with the spoofing impact and what a renderer compromise (or just clever JS) could achieve here.
Audit directions
Several reusable IPC-validation audit patterns identified, covering UIProcess handlers that mutate security-UI state based on renderer-supplied data.