From: ap@apple.com Date: Thu, 22 Sep 2011 19:41:00 +0000 (+0000) Subject: [WK2] UIProcess should check that WebProcess isn't sending unexpected file... X-Git-Tag: 070512121124~23866 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2d0fed9ac7942e721a53e07cefe6ebe523aaf7b5;p=profile%2Fivi%2Fwebkit-efl.git [WK2] UIProcess should check that WebProcess isn't sending unexpected file: URLs to it https://bugs.webkit.org/show_bug.cgi?id=68573 Reviewed by Anders Carlsson. Re-landing with a slightly less aggressive check. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95747 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog index 667877c..0daf20b 100644 --- a/Source/WebKit2/ChangeLog +++ b/Source/WebKit2/ChangeLog @@ -1,3 +1,67 @@ +2011-09-22 Alexey Proskuryakov + + [WK2] UIProcess should check that WebProcess isn't sending unexpected file: URLs to it + https://bugs.webkit.org/show_bug.cgi?id=68573 + + Reviewed by Anders Carlsson. + + Re-landing with a slightly less aggressive check. + + * UIProcess/API/mac/WKView.mm: + (maybeCreateSandboxExtensionFromPasteboard): Return a boolean, telling the caller whether + an extension actually needed to be created + (-[WKView performDragOperation:]): Tell process proxy when the process is going to get + universal file read sandbox extension. + + * UIProcess/WebContext.cpp: + (WebKit::WebContext::didPerformClientRedirect): Check the URLs. + (WebKit::WebContext::didPerformServerRedirect): Ditto. + (WebKit::WebContext::didUpdateHistoryTitle): Ditto. + (WebKit::WebContext::getPluginPath): Ditto. Also, properly parse the URL - we can never + assume that a string coming from WebProcess is a ParsedURLString. + + * UIProcess/WebPageProxy.cpp: + (WebKit::WebPageProxy::reattachToWebProcessWithItem): Tell process proxy when the process + is going to get universal file read sandbox extension. + (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Changed to return a boolean, + telling the caller whether an extension actually needed to be created. + (WebKit::WebPageProxy::loadURL): Tell process proxy about extension. + (WebKit::WebPageProxy::loadURLRequest): Ditto. + (WebKit::WebPageProxy::loadHTMLString): Tell process proxy if a file URL was used as a base + one for a string. In this case, WebKit2 assumes that WebProcess has access to a subdirectory, + (typically, one where error page resources live), and can load from it. + (WebKit::WebPageProxy::loadAlternateHTMLString): Ditto. + (WebKit::WebPageProxy::goForward): Tell process proxy about extension. + (WebKit::WebPageProxy::goBack): Tell process proxy about extension. + (WebKit::WebPageProxy::goToBackForwardItem): Tell process proxy about extension. + (WebKit::WebPageProxy::didStartProvisionalLoadForFrame): Check the URL. + (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame): Ditto. + (WebKit::WebPageProxy::didSameDocumentNavigationForFrame): Ditto. + (WebKit::WebPageProxy::decidePolicyForNavigationAction): Ditto. + (WebKit::WebPageProxy::decidePolicyForNewWindowAction): Ditto. + (WebKit::WebPageProxy::decidePolicyForResponse): Ditto. + (WebKit::WebPageProxy::didInitiateLoadForResource): Ditto. + (WebKit::WebPageProxy::didSendRequestForResource): Ditto. + (WebKit::WebPageProxy::didReceiveResponseForResource): Ditto. + (WebKit::WebPageProxy::missingPluginButtonClicked): Ditto. + + * UIProcess/WebPageProxy.h: Changed initializeSandboxExtensionHandle() to return a bool, + and renamed to maybeInitializeSandboxExtensionHandle (matching WKView counterpart). + + * UIProcess/WebProcessProxy.cpp: + (WebKit::WebProcessProxy::WebProcessProxy): Initialize m_mayHaveUniversalFileReadSandboxExtension. + It's going to be true if we ever granted an extension for "/". + (WebKit::WebProcessProxy::willLoadHTMLStringWithBaseURL): Remember the path, we should expect + that WebProcess will load subresources from it. + (WebKit::WebProcessProxy::checkURLReceivedFromWebProcess): Check that it's reasonable to expect + WebProcess send us a URL like this. + (WebKit::WebProcessProxy::addBackForwardItem): Check the URLs. + + * UIProcess/WebProcessProxy.h: Added data members remembering what to expect from this process. + + * UIProcess/cf/WebPageProxyCF.cpp: (WebKit::WebPageProxy::restoreFromSessionStateData): + Tell process proxy when the process is going to get universal file read sandbox extension. + 2011-09-22 Alpha Lam https://bugs.webkit.org/show_bug.cgi?id=68081 diff --git a/Source/WebKit2/UIProcess/API/mac/WKView.mm b/Source/WebKit2/UIProcess/API/mac/WKView.mm index 77aa7d0..0b88d32 100644 --- a/Source/WebKit2/UIProcess/API/mac/WKView.mm +++ b/Source/WebKit2/UIProcess/API/mac/WKView.mm @@ -1660,25 +1660,26 @@ static void extractUnderlines(NSAttributedString *string, Vector)draggingInfo @@ -1688,7 +1689,9 @@ static void maybeCreateSandboxExtensionFromPasteboard(NSPasteboard *pasteboard, DragData dragData(draggingInfo, client, global, static_cast([draggingInfo draggingSourceOperationMask]), [self applicationFlags:draggingInfo]); SandboxExtension::Handle sandboxExtensionHandle; - maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle); + bool createdExtension = maybeCreateSandboxExtensionFromPasteboard([draggingInfo draggingPasteboard], sandboxExtensionHandle); + if (createdExtension) + _data->_page->process()->willAcquireUniversalFileReadSandboxExtension(); _data->_page->performDrag(&dragData, [[draggingInfo draggingPasteboard] name], sandboxExtensionHandle); diff --git a/Source/WebKit2/UIProcess/WebContext.cpp b/Source/WebKit2/UIProcess/WebContext.cpp index 16fc9d7..1289c32 100644 --- a/Source/WebKit2/UIProcess/WebContext.cpp +++ b/Source/WebKit2/UIProcess/WebContext.cpp @@ -65,7 +65,8 @@ #include #endif -#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process()->connection()) +#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection()) +#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection()) using namespace WebCore; @@ -439,7 +440,9 @@ void WebContext::didPerformClientRedirect(uint64_t pageID, const String& sourceU WebFrameProxy* frame = m_process->webFrame(frameID); MESSAGE_CHECK(frame); MESSAGE_CHECK(frame->page() == page); - + MESSAGE_CHECK_URL(sourceURLString); + MESSAGE_CHECK_URL(destinationURLString); + m_historyClient.didPerformClientRedirect(this, page, sourceURLString, destinationURLString, frame); } @@ -455,7 +458,9 @@ void WebContext::didPerformServerRedirect(uint64_t pageID, const String& sourceU WebFrameProxy* frame = m_process->webFrame(frameID); MESSAGE_CHECK(frame); MESSAGE_CHECK(frame->page() == page); - + MESSAGE_CHECK_URL(sourceURLString); + MESSAGE_CHECK_URL(destinationURLString); + m_historyClient.didPerformServerRedirect(this, page, sourceURLString, destinationURLString, frame); } @@ -468,6 +473,7 @@ void WebContext::didUpdateHistoryTitle(uint64_t pageID, const String& title, con WebFrameProxy* frame = m_process->webFrame(frameID); MESSAGE_CHECK(frame); MESSAGE_CHECK(frame->page() == page); + MESSAGE_CHECK_URL(url); m_historyClient.didUpdateHistoryTitle(this, page, title, url, frame); } @@ -553,9 +559,11 @@ void WebContext::getPlugins(bool refresh, Vector& pluginInfos) void WebContext::getPluginPath(const String& mimeType, const String& urlString, String& pluginPath) { + MESSAGE_CHECK_URL(urlString); + String newMimeType = mimeType.lower(); - PluginModuleInfo plugin = pluginInfoStore().findPlugin(newMimeType, KURL(ParsedURLString, urlString)); + PluginModuleInfo plugin = pluginInfoStore().findPlugin(newMimeType, KURL(KURL(), urlString)); if (!plugin.path) return; diff --git a/Source/WebKit2/UIProcess/WebPageProxy.cpp b/Source/WebKit2/UIProcess/WebPageProxy.cpp index 0acb684..7d8d4c2 100644 --- a/Source/WebKit2/UIProcess/WebPageProxy.cpp +++ b/Source/WebKit2/UIProcess/WebPageProxy.cpp @@ -90,7 +90,8 @@ // This controls what strategy we use for mouse wheel coalescing. #define MERGE_WHEEL_EVENTS 1 -#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process()->connection()) +#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, m_process->connection()) +#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(m_process->checkURLReceivedFromWebProcess(url), m_process->connection()) using namespace WebCore; @@ -296,7 +297,9 @@ void WebPageProxy::reattachToWebProcessWithItem(WebBackForwardListItem* item) return; SandboxExtension::Handle sandboxExtensionHandle; - initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID); process()->responsivenessTimer()->start(); } @@ -396,16 +399,17 @@ bool WebPageProxy::tryClose() return false; } -void WebPageProxy::initializeSandboxExtensionHandle(const KURL& url, SandboxExtension::Handle& sandboxExtensionHandle) +bool WebPageProxy::maybeInitializeSandboxExtensionHandle(const KURL& url, SandboxExtension::Handle& sandboxExtensionHandle) { if (!url.isLocalFile()) - return; + return false; // Don't give the inspector full access to the file system. if (WebInspectorProxy::isInspectorPage(this)) - return; + return false; SandboxExtension::createHandle("/", SandboxExtension::ReadOnly, sandboxExtensionHandle); + return true; } void WebPageProxy::loadURL(const String& url) @@ -416,7 +420,9 @@ void WebPageProxy::loadURL(const String& url) reattachToWebProcess(); SandboxExtension::Handle sandboxExtensionHandle; - initializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); process()->send(Messages::WebPage::LoadURL(url, sandboxExtensionHandle), m_pageID); process()->responsivenessTimer()->start(); } @@ -429,7 +435,9 @@ void WebPageProxy::loadURLRequest(WebURLRequest* urlRequest) reattachToWebProcess(); SandboxExtension::Handle sandboxExtensionHandle; - initializeSandboxExtensionHandle(urlRequest->resourceRequest().url(), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(urlRequest->resourceRequest().url(), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); process()->send(Messages::WebPage::LoadURLRequest(urlRequest->resourceRequest(), sandboxExtensionHandle), m_pageID); process()->responsivenessTimer()->start(); } @@ -439,6 +447,7 @@ void WebPageProxy::loadHTMLString(const String& htmlString, const String& baseUR if (!isValid()) reattachToWebProcess(); + process()->willLoadHTMLStringWithBaseURL(baseURL); process()->send(Messages::WebPage::LoadHTMLString(htmlString, baseURL), m_pageID); process()->responsivenessTimer()->start(); } @@ -451,6 +460,7 @@ void WebPageProxy::loadAlternateHTMLString(const String& htmlString, const Strin if (m_mainFrame) m_mainFrame->setUnreachableURL(unreachableURL); + process()->willLoadHTMLStringWithBaseURL(baseURL); process()->send(Messages::WebPage::LoadAlternateHTMLString(htmlString, baseURL, unreachableURL), m_pageID); process()->responsivenessTimer()->start(); } @@ -502,7 +512,9 @@ void WebPageProxy::goForward() } SandboxExtension::Handle sandboxExtensionHandle; - initializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); process()->send(Messages::WebPage::GoForward(forwardItem->itemID(), sandboxExtensionHandle), m_pageID); process()->responsivenessTimer()->start(); } @@ -527,7 +539,9 @@ void WebPageProxy::goBack() } SandboxExtension::Handle sandboxExtensionHandle; - initializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); process()->send(Messages::WebPage::GoBack(backItem->itemID(), sandboxExtensionHandle), m_pageID); process()->responsivenessTimer()->start(); } @@ -547,7 +561,9 @@ void WebPageProxy::goToBackForwardItem(WebBackForwardListItem* item) setPendingAPIRequestURL(item->url()); SandboxExtension::Handle sandboxExtensionHandle; - initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID); process()->responsivenessTimer()->start(); } @@ -1524,6 +1540,7 @@ void WebPageProxy::didStartProvisionalLoadForFrame(uint64_t frameID, const Strin WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(url); frame->setUnreachableURL(unreachableURL); @@ -1540,6 +1557,7 @@ void WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame(uint64_t f WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(url); frame->didReceiveServerRedirectForProvisionalLoad(url); @@ -1661,6 +1679,7 @@ void WebPageProxy::didSameDocumentNavigationForFrame(uint64_t frameID, uint32_t WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(url); clearPendingAPIRequestURL(); frame->didSameDocumentNavigation(url); @@ -1773,6 +1792,7 @@ void WebPageProxy::decidePolicyForNavigationAction(uint64_t frameID, uint32_t op WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(request.url()); NavigationType navigationType = static_cast(opaqueNavigationType); WebEvent::Modifiers modifiers = static_cast(opaqueModifiers); @@ -1807,6 +1827,7 @@ void WebPageProxy::decidePolicyForNewWindowAction(uint64_t frameID, uint32_t opa WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(request.url()); NavigationType navigationType = static_cast(opaqueNavigationType); WebEvent::Modifiers modifiers = static_cast(opaqueModifiers); @@ -1826,7 +1847,9 @@ void WebPageProxy::decidePolicyForResponse(uint64_t frameID, const ResourceRespo WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); - + MESSAGE_CHECK_URL(request.url()); + MESSAGE_CHECK_URL(response.url()); + RefPtr listener = frame->setUpPolicyListenerProxy(listenerID); ASSERT(!m_inDecidePolicyForMIMEType); @@ -1886,6 +1909,7 @@ void WebPageProxy::didInitiateLoadForResource(uint64_t frameID, uint64_t resourc { WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(request.url()); m_resourceLoadClient.didInitiateLoadForResource(this, frame, resourceIdentifier, request, pageIsProvisionallyLoading); } @@ -1894,6 +1918,7 @@ void WebPageProxy::didSendRequestForResource(uint64_t frameID, uint64_t resource { WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(request.url()); m_resourceLoadClient.didSendRequestForResource(this, frame, resourceIdentifier, request, redirectResponse); } @@ -1902,6 +1927,7 @@ void WebPageProxy::didReceiveResponseForResource(uint64_t frameID, uint64_t reso { WebFrameProxy* frame = process()->webFrame(frameID); MESSAGE_CHECK(frame); + MESSAGE_CHECK_URL(response.url()); m_resourceLoadClient.didReceiveResponseForResource(this, frame, resourceIdentifier, response); } @@ -2016,6 +2042,9 @@ void WebPageProxy::mouseDidMoveOverElement(const WebHitTestResult::Data& hitTest void WebPageProxy::missingPluginButtonClicked(const String& mimeType, const String& url, const String& pluginsPageURL) { + MESSAGE_CHECK_URL(url); + MESSAGE_CHECK_URL(pluginsPageURL); + m_uiClient.missingPluginButtonClicked(this, mimeType, url, pluginsPageURL); } diff --git a/Source/WebKit2/UIProcess/WebPageProxy.h b/Source/WebKit2/UIProcess/WebPageProxy.h index b0ab796..2a9ccb7 100644 --- a/Source/WebKit2/UIProcess/WebPageProxy.h +++ b/Source/WebKit2/UIProcess/WebPageProxy.h @@ -774,7 +774,7 @@ private: void clearPendingAPIRequestURL() { m_pendingAPIRequestURL = String(); } void setPendingAPIRequestURL(const String& pendingAPIRequestURL) { m_pendingAPIRequestURL = pendingAPIRequestURL; } - void initializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&); + bool maybeInitializeSandboxExtensionHandle(const WebCore::KURL&, SandboxExtension::Handle&); #if PLATFORM(MAC) void substitutionsPanelIsShowing(bool&); diff --git a/Source/WebKit2/UIProcess/WebProcessProxy.cpp b/Source/WebKit2/UIProcess/WebProcessProxy.cpp index a8dfae0..0085cf9 100644 --- a/Source/WebKit2/UIProcess/WebProcessProxy.cpp +++ b/Source/WebKit2/UIProcess/WebProcessProxy.cpp @@ -45,6 +45,8 @@ using namespace WebCore; using namespace std; +#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromWebProcess(url), connection()) + namespace WebKit { template @@ -67,6 +69,7 @@ PassRefPtr WebProcessProxy::create(PassRefPtr conte WebProcessProxy::WebProcessProxy(PassRefPtr context) : m_responsivenessTimer(this) , m_context(context) + , m_mayHaveUniversalFileReadSandboxExtension(false) { connect(); } @@ -200,8 +203,51 @@ void WebProcessProxy::registerNewWebBackForwardListItem(WebBackForwardListItem* m_backForwardListItemMap.set(item->itemID(), item); } +void WebProcessProxy::willLoadHTMLStringWithBaseURL(const String& urlString) +{ + KURL url(KURL(), urlString); + if (!url.isLocalFile()) + return; + + // Client loads an alternate string. This doesn't grant universal file read, but the web process is assumed + // to have read access to this directory already. + m_localPathsWithAssumedReadAccess.add(url.fileSystemPath()); +} + +bool WebProcessProxy::checkURLReceivedFromWebProcess(const String& urlString) +{ + return checkURLReceivedFromWebProcess(KURL(KURL(), urlString)); +} + +bool WebProcessProxy::checkURLReceivedFromWebProcess(const KURL& url) +{ + // FIXME: Consider checking that the URL is valid. Currently, WebProcess sends invalid URLs in many cases, but it probably doesn't have good reasons to do that. + + // Any other non-file URL is OK. + if (!url.isLocalFile()) + return true; + + // Any file URL is also OK if we've loaded a file URL through API before, granting universal read access. + if (m_mayHaveUniversalFileReadSandboxExtension) + return true; + + // If we loaded a string with a file base URL before, loading resources from that subdirectory is fine. + // There are no ".." components, because all URLs received from WebProcess are parsed with KURL, which removes those. + String path = url.fileSystemPath(); + for (HashSet::const_iterator iter = m_localPathsWithAssumedReadAccess.begin(); iter != m_localPathsWithAssumedReadAccess.end(); ++iter) { + if (path.startsWith(*iter)) + return true; + } + + // A Web process that was never asked to load a file URL should not ever ask us to do anything with a file URL. + return false; +} + void WebProcessProxy::addBackForwardItem(uint64_t itemID, const String& originalURL, const String& url, const String& title, const CoreIPC::DataReference& backForwardData) { + MESSAGE_CHECK_URL(originalURL); + MESSAGE_CHECK_URL(url); + std::pair result = m_backForwardListItemMap.add(itemID, 0); if (result.second) { // New item. diff --git a/Source/WebKit2/UIProcess/WebProcessProxy.h b/Source/WebKit2/UIProcess/WebProcessProxy.h index 0e99494..2a5b075 100644 --- a/Source/WebKit2/UIProcess/WebProcessProxy.h +++ b/Source/WebKit2/UIProcess/WebProcessProxy.h @@ -104,6 +104,12 @@ public: void registerNewWebBackForwardListItem(WebBackForwardListItem*); + void willAcquireUniversalFileReadSandboxExtension() { m_mayHaveUniversalFileReadSandboxExtension = true; } + void willLoadHTMLStringWithBaseURL(const String&); + + bool checkURLReceivedFromWebProcess(const String&); + bool checkURLReceivedFromWebProcess(const WebCore::KURL&); + // FIXME: This variant of send is deprecated. All clients should move to an overload that take a message type. template bool deprecatedSend(E messageID, uint64_t destinationID, const T& arguments); @@ -175,6 +181,9 @@ private: RefPtr m_context; + bool m_mayHaveUniversalFileReadSandboxExtension; // True if a read extension for "/" was ever granted - we don't track whether WebProcess still has it. + HashSet m_localPathsWithAssumedReadAccess; + HashMap m_pageMap; WebFrameProxyMap m_frameMap; WebBackForwardListItemMap m_backForwardListItemMap; diff --git a/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp b/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp index d3acc55..41fd01b 100644 --- a/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp +++ b/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp @@ -166,7 +166,9 @@ void WebPageProxy::restoreFromSessionStateData(WebData* webData) else { SandboxExtension::Handle sandboxExtensionHandle; if (WebBackForwardListItem* item = m_backForwardList->currentItem()) { - initializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); + bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle); + if (createdExtension) + process()->willAcquireUniversalFileReadSandboxExtension(); setPendingAPIRequestURL(item->url()); }