239651 2022-04-22 03:54:29 -0700 [GLib] Make WebKitSettings XSS auditor functions no-op 2022-05-26 19:12:22 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=239538 https://bugs.webkit.org/show_bug.cgi?id=240993 https://bugs.webkit.org/show_bug.cgi?id=235151 InRadar P2 Normal --- 239772 1 zan mcatanzaro aperez commit-queue mcatanzaro pnormand webkit-bug-importer oldest_to_newest 1863614 0 zan 2022-04-22 03:54:29 -0700 [GLib] Make WebKitSettings XSS auditor functions no-op 1863616 1 458135 zan 2022-04-22 03:55:52 -0700 Created attachment 458135 Patch 1863617 2 458135 aperez 2022-04-22 04:03:53 -0700 Comment on attachment 458135 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=458135&action=review > Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp:1824 > + g_warning("webkit_settings_get_enable_xss_auditor is deprecated and always returns FALSE. XSS auditor is no longer supported."); It would be nice to use g_warning_once(), but that was added in GLib 2.64 which is newer than our minimum GLib requirement, so let's just leave this as-is. Anyway, I don't expect any program to have many calls to these functions, and therefore there shouldn't be logging spam due to this 🤔️ 1863620 3 458135 zan 2022-04-22 04:09:12 -0700 Comment on attachment 458135 Patch Clearing flags on attachment: 458135 Committed r293215 (249884@trunk): <https://commits.webkit.org/249884@trunk> 1863621 4 zan 2022-04-22 04:09:17 -0700 All reviewed patches have been landed. Closing bug. 1864317 5 webkit-bug-importer 2022-04-25 17:37:34 -0700 <rdar://problem/92304443> 1864318 6 mcatanzaro 2022-04-25 17:38:02 -0700 Would be good to deprecate these too 1864483 7 mcatanzaro 2022-04-26 09:20:26 -0700 Ah, oops, we actually need to revert this: it prints whenever constructing a WebKitSettings object because the property setter calls these functions. I don't think we need runtime warnings. It would be sufficient to just deprecate the functions (WEBKIT_API -> WEBKIT_DEPRECATED in the header file, and Deprecated: 2.38 annotation in the source file). I'll follow up on that in bug #239538 if you don't beat me to it. 1864485 8 commit-queue 2022-04-26 09:21:33 -0700 Re-opened since this is blocked by bug 239772 1864503 9 mcatanzaro 2022-04-26 09:49:30 -0700 Actually I'll just do that here, it's quick/easy. 1864506 10 mcatanzaro 2022-04-26 10:13:56 -0700 (In reply to Michael Catanzaro from comment #7) > Ah, oops, we actually need to revert this: it prints whenever constructing a > WebKitSettings object because the property setter calls these functions. Also it looks like this broke >200 API tests, but nobody noticed. The API tests were already in bad shape. 1864509 11 mcatanzaro 2022-04-26 10:16:44 -0700 https://github.com/WebKit/WebKit/pull/389 1864783 12 ews-feeder 2022-04-27 06:16:53 -0700 Committed r293507 (250038@main): <https://commits.webkit.org/250038@main> Reviewed commits have been landed. Closing PR #389 and removing active labels. 1865386 13 pnormand 2022-04-29 02:00:10 -0700 And now we get a bunch of build warnings, can this be avoided? [1727/2070] Building CXX object Source/WebKit/CMakeFiles/WebKit.dir/UIProcess/API/glib/WebKitSettings.cpp.o /app/webkit/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp:232:9: warning: 'webkit_settings_set_enable_xss_auditor' is deprecated [-Wdeprecated-declarations] webkit_settings_set_enable_xss_auditor(settings, g_value_get_boolean(value)); ^ /app/webkit/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h:141:55: note: 'webkit_settings_set_enable_xss_auditor' has been explicitly marked deprecated here __attribute__((visibility("default"))) __attribute__((__deprecated__)) void ^ /app/webkit/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp:434:36: warning: 'webkit_settings_get_enable_xss_auditor' is deprecated [-Wdeprecated-declarations] g_value_set_boolean(value, webkit_settings_get_enable_xss_auditor(settings)); ^ /app/webkit/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h:138:55: note: 'webkit_settings_get_enable_xss_auditor' has been explicitly marked deprecated here __attribute__((visibility("default"))) __attribute__((__deprecated__)) gboolean ^ 2 warnings generated. [1934/2070] Building CXX object Tools/TestWebKitAPI/glib/CMakeFiles/TestWebKitSettings.dir/__/Tests/WebKitGLib/TestWebKitSettings.cpp.o /app/webkit/Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitSettings.cpp:76:76: warning: 'webkit_settings_get_enable_xss_auditor' is deprecated [-Wdeprecated-declarations] do { if (__builtin_expect (__extension__ ({ int _g_boolean_var_; if (!(webkit_settings_get_enable_xss_auditor(settings))) _g_boolean_var_ = 1; else _g_boolean_var_ = 0; _g_boolean_var_; }), 1)) ; else g_assertion_message (((gchar*) 0), "/app/webkit/Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitSettings.cpp", 76, ((const char*) (__PRETTY_FUNCTION__)), "'" "webkit_settings_get_enable_xss_auditor(settings)" "' should be FALSE"); } while (0); ^ /app/webkit/WebKitBuild/Release/WebKit2Gtk/Headers/webkit2/WebKitSettings.h:138:55: note: 'webkit_settings_get_enable_xss_auditor' has been explicitly marked deprecated here __attribute__((visibility("default"))) __attribute__((__deprecated__)) gboolean ^ /app/webkit/Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitSettings.cpp:77:5: warning: 'webkit_settings_set_enable_xss_auditor' is deprecated [-Wdeprecated-declarations] webkit_settings_set_enable_xss_auditor(settings, (!(0))); ^ /app/webkit/WebKitBuild/Release/WebKit2Gtk/Headers/webkit2/WebKitSettings.h:141:55: note: 'webkit_settings_set_enable_xss_auditor' has been explicitly marked deprecated here __attribute__((visibility("default"))) __attribute__((__deprecated__)) void ^ /app/webkit/Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitSettings.cpp:78:76: warning: 'webkit_settings_get_enable_xss_auditor' is deprecated [-Wdeprecated-declarations] do { if (__builtin_expect (__extension__ ({ int _g_boolean_var_; if (!(webkit_settings_get_enable_xss_auditor(settings))) _g_boolean_var_ = 1; else _g_boolean_var_ = 0; _g_boolean_var_; }), 1)) ; else g_assertion_message (((gchar*) 0), "/app/webkit/Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitSettings.cpp", 78, ((const char*) (__PRETTY_FUNCTION__)), "'" "webkit_settings_get_enable_xss_auditor(settings)" "' should be FALSE"); } while (0); ^ /app/webkit/WebKitBuild/Release/WebKit2Gtk/Headers/webkit2/WebKitSettings.h:138:55: note: 'webkit_settings_get_enable_xss_auditor' has been explicitly marked deprecated here __attribute__((visibility("default"))) __attribute__((__deprecated__)) gboolean ^ 3 warnings generated. 1865415 14 mcatanzaro 2022-04-29 06:50:22 -0700 (In reply to Philippe Normand from comment #13) > And now we get a bunch of build warnings, can this be avoided? Oops, not sure how I missed this. Yes, they should be suppressed. 1865419 15 mcatanzaro 2022-04-29 07:11:01 -0700 (In reply to Michael Catanzaro from comment #14) > Oops, not sure how I missed this. Ah, the answer is: too many other warnings that I haven't fixed yet. 1865489 16 mcatanzaro 2022-04-29 11:52:17 -0700 Pull request: https://github.com/WebKit/WebKit/pull/441 1865787 17 ews-feeder 2022-05-02 02:32:41 -0700 Committed r293660 (250164@main): <https://commits.webkit.org/250164@main> Reviewed commits have been landed. Closing PR #441 and removing active labels. 1872234 18 mcatanzaro 2022-05-26 18:05:48 -0700 I forgot to deprecate the property WebKitSettings:enable-xss-auditor, because I am incompetent. I think we all knew that already, though. ;) 1872236 19 mcatanzaro 2022-05-26 18:09:17 -0700 Bug #240993. 458135 2022-04-22 03:55:52 -0700 2022-04-22 04:09:12 -0700 Patch bug-239651-20220422125551.patch text/plain 2363 zan U3VidmVyc2lvbiBSZXZpc2lvbjogMjkzMjEwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IGM2ODVkZTdjY2VlMTJlNTQw YzljNjQ3YzI0MGI1YjMyMTUxODE2YjEuLjQxY2Y5YWY3NWM0YThkMTRmODdiNTBjYzRlZTczZjBm YzlmY2NhM2YgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMjItMDQtMjIgIFphbiBEb2Jl cnNlayAgPHpkb2JlcnNla0BpZ2FsaWEuY29tPgorCisgICAgICAgIFtHTGliXSBNYWtlIFdlYktp dFNldHRpbmdzIFhTUyBhdWRpdG9yIGZ1bmN0aW9ucyBuby1vcAorICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjM5NjUxCisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2l0aCB0aGUgWFNTIGF1ZGl0b3IgZmVhdHVy ZSBiZWluZyBkZXByZWNhdGVkIGFuZCByZW1vdmVkLCBhbmQgdGhlCisgICAgICAgIHByZWZlcmVu Y2UgZW50cmllcyByZW1vdmVkIGluIHIyOTMxOTksIHRoZSBHTGliIEFQSSBmb3IgdGhpcyBmZWF0 dXJlCisgICAgICAgIGhhcyB0byBiZSBhZGp1c3RlZCBhcyB3ZWxsLiBJbiBib3RoIGdldHRlciBh bmQgc2V0dGVyLCBhIHdhcm5pbmcgaXMKKyAgICAgICAgcHJpbnRlZCBvdXQgd2hlbiBpbnZva2Vk LgorCisgICAgICAgICogVUlQcm9jZXNzL0FQSS9nbGliL1dlYktpdFNldHRpbmdzLmNwcDoKKyAg ICAgICAgKHdlYmtpdF9zZXR0aW5nc19nZXRfZW5hYmxlX3hzc19hdWRpdG9yKToKKyAgICAgICAg KHdlYmtpdF9zZXR0aW5nc19zZXRfZW5hYmxlX3hzc19hdWRpdG9yKToKKwogMjAyMi0wNC0yMCAg WXVzdWtlIFN1enVraSAgPHlzdXp1a2lAYXBwbGUuY29tPgogCiAgICAgICAgIFtXVEZdIEFkZCBz dHJpbmcgY29uY2F0ZW5hdGUgYWRhcHRlciBmb3IgVVVJRApkaWZmIC0tZ2l0IGEvU291cmNlL1dl YktpdC9VSVByb2Nlc3MvQVBJL2dsaWIvV2ViS2l0U2V0dGluZ3MuY3BwIGIvU291cmNlL1dlYktp dC9VSVByb2Nlc3MvQVBJL2dsaWIvV2ViS2l0U2V0dGluZ3MuY3BwCmluZGV4IGIzNWJkYzVlN2Ni OGVjYzg4OGM0YTdlYTk1YTFkYzA0OWMyNmJlZWIuLjVhYjNjMzQ4ZjRiNzRjMjY2ODIzN2IwMmQ3 MzgxMjQwOTg1ODI2MTkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL0FQSS9n bGliL1dlYktpdFNldHRpbmdzLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vzcy9BUEkv Z2xpYi9XZWJLaXRTZXR0aW5ncy5jcHAKQEAgLTE4MjEsNyArMTgyMSw5IEBAIGdib29sZWFuIHdl YmtpdF9zZXR0aW5nc19nZXRfZW5hYmxlX3hzc19hdWRpdG9yKFdlYktpdFNldHRpbmdzKiBzZXR0 aW5ncykKIHsKICAgICBnX3JldHVybl92YWxfaWZfZmFpbChXRUJLSVRfSVNfU0VUVElOR1Moc2V0 dGluZ3MpLCBGQUxTRSk7CiAKLSAgICByZXR1cm4gc2V0dGluZ3MtPnByaXYtPnByZWZlcmVuY2Vz LT54c3NBdWRpdG9yRW5hYmxlZCgpOworICAgIGdfd2FybmluZygid2Via2l0X3NldHRpbmdzX2dl dF9lbmFibGVfeHNzX2F1ZGl0b3IgaXMgZGVwcmVjYXRlZCBhbmQgYWx3YXlzIHJldHVybnMgRkFM U0UuIFhTUyBhdWRpdG9yIGlzIG5vIGxvbmdlciBzdXBwb3J0ZWQuIik7CisKKyAgICByZXR1cm4g RkFMU0U7CiB9CiAKIC8qKgpAQCAtMTgzNSwxMyArMTgzNyw4IEBAIHZvaWQgd2Via2l0X3NldHRp bmdzX3NldF9lbmFibGVfeHNzX2F1ZGl0b3IoV2ViS2l0U2V0dGluZ3MqIHNldHRpbmdzLCBnYm9v bGVhbiBlCiB7CiAgICAgZ19yZXR1cm5faWZfZmFpbChXRUJLSVRfSVNfU0VUVElOR1Moc2V0dGlu Z3MpKTsKIAotICAgIFdlYktpdFNldHRpbmdzUHJpdmF0ZSogcHJpdiA9IHNldHRpbmdzLT5wcml2 OwotICAgIGJvb2wgY3VycmVudFZhbHVlID0gcHJpdi0+cHJlZmVyZW5jZXMtPnhzc0F1ZGl0b3JF bmFibGVkKCk7Ci0gICAgaWYgKGN1cnJlbnRWYWx1ZSA9PSBlbmFibGVkKQotICAgICAgICByZXR1 cm47Ci0KLSAgICBwcml2LT5wcmVmZXJlbmNlcy0+c2V0WFNTQXVkaXRvckVuYWJsZWQoZW5hYmxl ZCk7Ci0gICAgZ19vYmplY3Rfbm90aWZ5X2J5X3BzcGVjKEdfT0JKRUNUKHNldHRpbmdzKSwgc09i alByb3BlcnRpZXNbUFJPUF9FTkFCTEVfWFNTX0FVRElUT1JdKTsKKyAgICBpZiAoZW5hYmxlZCkK KyAgICAgICAgZ193YXJuaW5nKCJ3ZWJraXRfc2V0dGluZ3Nfc2V0X2VuYWJsZV94c3NfYXVkaXRv ciBpcyBkZXByZWNhdGVkIGFuZCBkb2VzIG5vdGhpbmcuIFhTUyBhdWRpdG9yIGlzIG5vIGxvbmdl ciBzdXBwb3J0ZWQuIik7CiB9CiAKIC8qKgo=