This Week in WebKit — May 23 - May 29, 2026

WebPageProxyIdentifier is a process-agnostic handle, but didPostMessage resolved it via the global registry and trusted whoever supplied it. The handler dispatched through the resolved page's WebUserContentControllerProxy without ever asking whether the sending WebProcess owned that page. Application WKScriptMessageHandlers — frequently routing navigation, credentials, and persisted state — treat these messages as same-origin input from their own document. Worse, the fix had to extend isAssociatedWithPage to cover remote-iframe processes and introduce an in-flight-close set, closing a TOCTOU the helper never knew it had.

didChangeValueFromControl dispatches the input event synchronously; a handler that writes input.type = 'text' causes HTMLInputElement to replace its uniquely-owned m_inputType, destroying the live BaseDateAndTimeInputType. The shadow-tree control held its callback owner via a bare WeakPtr, so nothing on the stack kept the InputType alive across the re-entrancy. When control unwound, the method kept calling setupDateTimeChooserParameters and showDateTimeChooser on freed memory — virtual dispatch on a dead this is the classic vtable-hijack precursor on successful reclaim. The fix migrates the owner to AbstractRefCountedAndCanMakeWeakPtr so callbacks can promote to a local RefPtr.

generateConditionsForPropertyMissConcurrently walks the prototype chain emitting Miss conditions per prototype; it never examines the head structure. tryEnsureAbsence delegated cacheability entirely to that helper, so a head like {toJSON: 1, a: 1} placed on a chain still produced an ObjectPropertyConditionSet asserting .toJSON was absent. The DFG would then JIT a fast path on a condition that was false from compile time, ready to be fused with a thenable-getter triggered indexing-type swap to produce a JSObject-vs-Double type confusion. Standard fakeobj/addrof launching pad.

compileMaterializeNewArrayWithButterfly writes contiguous element cells with store64, then calls allocateJSArray to allocate the JSArray header. B3 backward liveness considered each value dead the moment the store retired, so the allocator's slow-path GC could collect those cells: the precise tracer had no path through the not-yet-attached butterfly, and the conservative scan saw nothing in registers because B3 had already dropped them. The PoC reads back an attacker-allocated {} aliasing a freshly-freed slot. ensureStillAliveHere now extends liveness across the allocation as a zero-instruction patchpoint.

enableTemporaryTimeUserGesture constructed a UserGestureIndicator with the default ProcessInteractionStyle::Immediate, which writes a user-interaction record for the page's domain as a side effect. The helper exists for purely internal control flow — letting callers still reach window.open() — but on the rejection path the synthetic interaction made a tracker domain look freshly engaged-with. A subsequent popup-with-opener back to that domain then triggered requestStorageAccessUnderOpener and silently granted cross-site cookie access. The API guaranteed to gate consent issued consent on its rejection path.

resolveSlotsAfterSlotMutation iterates m_slots.values(); inside the loop, hasAssignedNodes called assignSlots, which inserts new entries into m_slots for every unseen slot name. Each HashMap::add can rehash and relocate value storage, invalidating both the iterator and the loop-local slot reference. The next two statements — slot->seenFirstElement = true; WTF::move(slot->element) — happily wrote through the freed unique_ptr<Slot> backing. A bulk replaceChildren on a shadow subtree with many fresh slot names hits it deterministically.