Adopt the CGImageSourceSetAllowableTypes SPI to prevent CoreGraphics from running image decoders for riskier image types.
<rdar://problem/89369518>
Created attachment 453010 [details] Patch
Created attachment 453023 [details] Patch
Comment on attachment 453023 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=453023&action=review > Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:248 > +#if HAVE(CGIMAGESOURCE_WITH_SET_ALLOWABLE_TYPES) > +static NSArray *UTITypes() > +{ > + return @[@"public.jpeg", > + @"public.png", > + @"org.webmproject.webp", > + @"com.compuserve.gif", > + ]; > +} > +#endif Does not seem like we need a separate function for this. NSArray *types = @[ @"public.jpeg", @"public.png", @"org.webmproject.webp", @"com.compuserve.gif", ]; auto status = CGImageSourceSetAllowableTypes(bridge_cast(types)); Could even use auto or constexpr. > Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:255 > +#if HAVE(CGIMAGESOURCE_WITH_SET_ALLOWABLE_TYPES) I think we should format the #if differently. Strange to just check the boolean and then do nothing, so maybe we can put more of the function inside the #if, or put the #if at the call site too.
See Bug 237120 for the actual issue.
After reviewing this with the CoreGraphics/ImageIO team, we don't need to do this, as we have already adopted the necessary entitlements to limit decoders in Captive Portal mode. The cause of PDF images still appearing is a separate issue, which requires a different fix (see Bug 237120).