Cherry-pick 305413.548@safari-7624-branch — Web Locks origin validation
+bool WebProcessProxy::hasCommittedClientOrigin(const WebCore::ClientOrigin& clientOrigin) const
+{
+ return m_committedClientOrigins.contains(clientOrigin);
+}
+void WebProcessProxy::didCommitLoadClientOrigin(const WebCore::ClientOrigin& clientOrigin)
+{
+ m_committedClientOrigins.add(clientOrigin);
+}
The Web Locks API (navigator.locks) gives pages named, origin-scoped mutexes managed by a registry in the UI process (WebLockRegistryProxy). Renderers reach the registry via IPC, sending their ClientOrigin in the message. Because IPC from a compromised renderer is untrusted, the UI process must independently verify that the claimed origin is one that legitimately loaded in that process.
This commit closes an IPC origin-spoofing hole. WebFrameProxy::didCommitLoad now records each ClientOrigin into WebProcessProxy::m_committedClientOrigins, and WebLockRegistryProxy::requestLock (plus releaseLock, abortLockRequest, snapshot, clientIsGoingAway) validates that any claimed origin was actually committed by that web process before acting on it. Pre-fix, no such check existed — the UI process accepted whatever origin the renderer declared.
Significance
Before this fix, a compromised renderer could forge any ClientOrigin in a lock request, allowing it to acquire, block, or inspect locks belonging to completely different origins.