[10] [WebKit] Validate Badging IPC origin against WebProcessProxy
Severity: Medium | Component: WebKit UIProcess Badging | fd1fbad
Rated Medium because the diff hardens the UI-process badging IPC against a renderer-supplied origin and registers a regression test verifying that a coreipc.js-driven spoof is rejected; impact is limited to OS-level badge spoofing on the victim origin, with no further primitive.
The UI-process app-badge IPC handler validates that the supplied origin corresponds to a frame, worker, or registered Service Worker hosted in the sending WebProcessProxy. The runAppBadgeSpoofTest regression test exercises a forged coreipc.js-shaped IPC from an attacker page and asserts the delegate registered for the spoofed origin receives no calls.
Source/WebKit/UIProcess/WebPageProxy.cpp
Cross-origin badging spoof closed: the UI process previously accepted any origin field from the renderer and forwarded the update to the OS.
Patch Details
The handler walks the frames, workers, and Service Workers hosted in the sender to validate the origin. A mismatch routes to the renderer-kill path. BadgeDelegate gains a FAIL() arm so that any badge call reaching the delegate for the spoofed origin fails the spoof test, confirming the spoof is rejected.
Background
The Badging API (navigator.setAppBadge(...)) crosses from a per-origin Service Worker / document into the UI process, which talks to the OS to set the app icon badge. The renderer is the attacker in the threat model.
Analysis
Pre-fix, the UI-process message handler accepted the origin field as supplied. A compromised renderer could send a forged IPC naming an unrelated origin (e.g. a registered Service Worker site for a banking or messaging app) and cause the OS-level badge for that origin to update.
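As an added illustration (not WebKit's code or this patch's diff), the following C++ models the check described under Patch Details and Analysis: the UI process's own record of which frame, worker and Service Worker origins a renderer hosts, the validating handler with its kill path, and a regression check in the shape of runAppBadgeSpoofTest. Origin, ProcessProxyModel, BadgeSink and the function names are assumptions, and the sample origins are constructed.

```cpp
// Added model of the fixed badging IPC origin check (not WebKit code); Origin,
// ProcessProxyModel, BadgeSink and the function names are hypothetical.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

struct Origin {
    std::string scheme, host; int port;
    bool operator==(const Origin& o) const { return scheme == o.scheme && host == o.host && port == o.port; }
};

// Stand-in for WebProcessProxy: the UI process's own record of the frames,
// workers and registered Service Workers hosted by one renderer process.
struct ProcessProxyModel {
    std::vector<Origin> frameOrigins, workerOrigins, serviceWorkerOrigins;
    bool terminated = false;  // set when the renderer-kill path is taken
    bool hosts(const Origin& o) const {
        for (const auto* list : {&frameOrigins, &workerOrigins, &serviceWorkerOrigins})
            if (std::find(list->begin(), list->end(), o) != list->end()) return true;
        return false;
    }
};

// Stand-in for the OS-facing badge delegate: records forwarded updates per origin.
struct BadgeSink {
    std::vector<std::pair<Origin, unsigned>> updates;
    std::size_t callsFor(const Origin& o) const {
        return std::count_if(updates.begin(), updates.end(), [&](const auto& u) { return u.first == o; });
    }
};

// Pre-fix the handler forwarded `claimed` as supplied. Fixed: it must be hosted in
// the sender, else the message is dropped and the sender goes to the kill path.
bool setAppBadgeValidated(ProcessProxyModel& sender, const Origin& claimed, unsigned n, BadgeSink& sink) {
    if (!sender.hosts(claimed)) {
        sender.terminated = true;  // renderer-kill path: a mismatch means a compromised renderer
        return false;
    }
    sink.updates.push_back({claimed, n});
    return true;
}

// Regression check shaped like runAppBadgeSpoofTest: a renderer hosting only the
// attacker origin names the victim origin; the victim's delegate must see no calls.
bool spoofRejected() {  // sample origins are constructed
    Origin victim{"https", "victim.example", 443}, attacker{"https", "attacker.example", 443};
    ProcessProxyModel sender; sender.frameOrigins.push_back(attacker);
    BadgeSink sink;
    bool accepted = setAppBadgeValidated(sender, victim, 7, sink);
    return !accepted && sink.callsFor(victim) == 0 && sender.terminated;
}
```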