[21] postMessage extends user gesture token lifetime

Severity: Medium / Medium | Component: WebCore LocalDOMWindow | Commits: 4f82ed3, 2050ddd

Rated Medium because the diffs fix a TOCTOU on UserGestureToken::hasExpired in LocalDOMWindow::processPostMessage: the expiration check ran at one point and the gesture was consumed at another, so wall-clock time could elapse between them and a token that had just passed the 1 s cap would still be installed on the UserGestureIndicator during MessageEvent dispatch, yielding a popup-blocker bypass.

Two commits land the same fix into different branches; one is the rapid backport of the other. After the fix, processPostMessage re-checks userGestureToForward->hasExpired(UserGestureToken::maximumIntervalForUserGestureForwarding) immediately before constructing the UserGestureIndicator.

Source/WebCore/page/LocalDOMWindow.cpp

if (userGestureToForward && userGestureToForward->hasExpired(UserGestureToken::maximumIntervalForUserGestureForwarding))
userGestureToForward = nullptr;
 
+ if (userGestureToForward && userGestureToForward->hasExpired(UserGestureToken::maximumIntervalForUserGestureForwarding))
+ userGestureToForward = nullptr;
+
UserGestureIndicator userGestureIndicator(userGestureToForward);
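Review bot: the added `if (userGestureToForward && userGestureToForward->hasExpired(...))` is textually identical to the check a few lines above, which the hunk leaves in place, and nothing in the diff says why the second copy exists; a later cleanup that deduplicates them would silently reopen the window between validation and the UserGestureIndicator construction. Suggest a one-line comment above the added check stating that it must stay adjacent to the indicator construction, or better, moving the expiry check into the UserGestureIndicator constructor so both call-site copies can go.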

TOCTOU on a time-based freshness predicate: the user-gesture expiration check and the gesture-consumption point were not co-located, allowing wall-clock time to elapse between validation and use.

The HTML/WebKit policy is that a forwarded gesture remains usable only within maximumIntervalForUserGestureForwarding (1 s) of the original interaction; before the fix that cap could be silently exceeded because the check didn't bracket consumption. The minimal patch duplicates the check; a cleaner fix would push it into UserGestureIndicator's constructor.
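The ordering problem and the two ways of fixing it can be replayed deterministically. The following is an added example, not WebKit code: GestureToken, FakeClock, UncheckedIndicator, CheckedIndicator, kMaxForwardingInterval and replayDispatch are simplified stand-ins constructed for this illustration (WebKit's real UserGestureToken reads a monotonic clock and UserGestureIndicator carries more state). The vulnerable ordering validates the token, lets queue latency pass, then installs it; the hardened indicator re-validates inside its own constructor, which is the "push it into the constructor" shape described above.

```cpp
#include <chrono>
#include <cstdio>
#include <memory>
#include <utility>

using Milliseconds = std::chrono::milliseconds;

// Constructed cap mirroring the 1 s maximumIntervalForUserGestureForwarding policy.
constexpr Milliseconds kMaxForwardingInterval { 1000 };

// Deterministic stand-in for wall-clock time so the race window is reproducible
// (constructed for this example; WebKit reads a monotonic clock).
struct FakeClock {
    Milliseconds now;
    void advance(Milliseconds delta) { now += delta; }
};

// Simplified model of UserGestureToken: remembers when the gesture happened.
class GestureToken {
public:
    explicit GestureToken(Milliseconds createdAt) : m_createdAt(createdAt) { }
    bool hasExpired(Milliseconds now, Milliseconds maxInterval) const {
        return now - m_createdAt > maxInterval;
    }
private:
    Milliseconds m_createdAt;
};

// RAII helper in the spirit of UserGestureIndicator, unchecked variant: whatever
// token it is handed becomes "the current gesture" for as long as it lives.
class UncheckedIndicator {
public:
    explicit UncheckedIndicator(std::shared_ptr<GestureToken> token) : m_token(std::move(token)) { }
    bool allowsGestureGatedAction() const { return m_token != nullptr; }
private:
    std::shared_ptr<GestureToken> m_token;
};

// Hardened variant: freshness is re-validated inside the constructor, i.e. at the
// exact point of consumption, so no scheduling delay can slip between check and use.
class CheckedIndicator {
public:
    CheckedIndicator(std::shared_ptr<GestureToken> token, Milliseconds now)
        : m_token(std::move(token)) {
        if (m_token && m_token->hasExpired(now, kMaxForwardingInterval))
            m_token = nullptr;
    }
    bool allowsGestureGatedAction() const { return m_token != nullptr; }
private:
    std::shared_ptr<GestureToken> m_token;
};

struct Outcome {
    bool vulnerableAllows;  // check, then delay, then consume
    bool hardenedAllows;    // check at the moment of consumption
};

// Replays one postMessage-style dispatch: the gesture occurred at gestureAt, the
// early expiry check runs at checkAt, and queueDelay elapses before the indicator
// is constructed.
Outcome replayDispatch(Milliseconds gestureAt, Milliseconds checkAt, Milliseconds queueDelay) {
    Outcome outcome { false, false };

    // Vulnerable ordering: validate, let time pass, then install the token.
    {
        FakeClock clock { checkAt };
        auto token = std::make_shared<GestureToken>(gestureAt);
        if (token->hasExpired(clock.now, kMaxForwardingInterval))
            token = nullptr;                   // validation happens here ...
        clock.advance(queueDelay);             // ... the event is dispatched later ...
        UncheckedIndicator indicator(token);   // ... and a now-stale token is installed.
        outcome.vulnerableAllows = indicator.allowsGestureGatedAction();
    }

    // Hardened ordering: the same early check, but consumption re-validates.
    {
        FakeClock clock { checkAt };
        auto token = std::make_shared<GestureToken>(gestureAt);
        if (token->hasExpired(clock.now, kMaxForwardingInterval))
            token = nullptr;
        clock.advance(queueDelay);
        CheckedIndicator indicator(token, clock.now);
        outcome.hardenedAllows = indicator.allowsGestureGatedAction();
    }
    return outcome;
}

int main() {
    // Gesture at t=0, early check at t=900 ms, 200 ms of queue latency: the token is
    // 1100 ms old when consumed, past the 1 s cap.
    Outcome late = replayDispatch(Milliseconds { 0 }, Milliseconds { 900 }, Milliseconds { 200 });
    std::printf("stale token consumed: vulnerable=%d hardened=%d\n",
                late.vulnerableAllows, late.hardenedAllows);
    return 0;
}
```

The key design point is that CheckedIndicator takes the current time and decides freshness itself, so the only place the cap can be enforced is the place the token is consumed; a call site cannot forget the check or let work slip in between.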

How a one-line duplicated check restores the user-gesture forwarding cap, and the broader policy-bypass primitives at stake.

Multiple audit patterns identified for time-based capability tokens and RAII gesture helpers across WebKit, with concrete starting points for variant discovery.