February 20, 2023

WebKitGTK 2.39.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.90 release?

  • Add new JavaScript execution APIs.
  • Merge functions of registering and unregistering script message handler in GTK4 API.
  • Mark non-derivable types as final and make instance and class struct declarations private in GTK4 API.
  • Make favicon and snapshot API use GdkTexture instead of cairo surfaces in GTK4 API.
  • Fix scrolling after a history navigation with PSON enabled.
  • Fix criticals from webkitOptionMenuSetEvent when opening any combo box.
  • Fix large memory allocation when uploading content.
  • Always update the active uri of WebKitFrame.
  • Fix several crashes and rendering issues.
  • Translation updates: Ukrainian.

Thanks to all the contributors who made possible this release.

February 20, 2023 12:00 AM



February 16, 2023

WebRTC in WebKitGTK and WPE, status updates, part I

by Philippe Normand

Some time ago we at Igalia embarked on the journey to ship a GStreamer-powered WebRTC backend. This is a long journey, it is not over, but we made some progress …

by Philippe Normand at February 16, 2023 08:30 PM



February 15, 2023

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0002

by The WebKitGTK Project

  • Date Reported: February 15, 2023

  • Advisory ID: WSA-2023-0002

  • CVE identifiers: CVE-2023-23529.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2023-23529
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.5.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A type confusion issue was addressed with improved checks.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 15, 2023 12:00 AM



WebKitGTK 2.38.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.5 release?

  • Fix large memory allocation when uploading content.
  • Fix scrolling after a history navigation with PSON enabled.
  • Always update the active uri of WebKitFrame.
  • Fix the build on Ubuntu 20.04.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 15, 2023 12:00 AM



February 02, 2023

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2023-23517
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.4.
    • Credit to YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: The issue was addressed with improved memory handling.
  • CVE-2023-23518
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.4.
    • Credit to YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: The issue was addressed with improved memory handling.
  • CVE-2022-42826
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.4.
    • Credit to Francisco Alonso (@revskills).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 02, 2023 12:00 AM



WebKitGTK 2.38.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.4 release?

  • Improve GStreamer multimedia playback across the board with improved codec selection logic, better handling of latency, and improving frame discard to avoid audio/video desynchronization, among other fixes.
  • Disable HLS media playback by default, which makes web sites use MSE instead. If needed WEBKIT_GST_ENABLE_HLS_SUPPORT=1 can be set in the environment to enable it back.
  • Disable threaded rendering in GTK4 builds by default, as it was causing crashes.
  • Fix MediaSession API not showing artwork images.
  • Fix MediaSession MPRIS usage when running inside a Flatpak sandbox.
  • Fix input element controls to correctly scale when applying a zoom factor different than the default.
  • Fix leakage of Web processes in certain situations.
  • Fix the injected bundle not being found when running inside a sandbox.
  • Fix the build with ENABLE_INTROSPECTION when cross-compiling.
  • FIx the build with ENABLE_WEBGL disabled.
  • Fix the build with GStreamer-based WebRTC enabled.
  • Fix the build with USE_GTK4 enabled.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 02, 2023 12:00 AM



January 31, 2023

WebKitGTK 2.39.7 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.7 release?

  • Fix the webkit.h public header causing applications to fail to build.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

January 31, 2023 12:00 AM



January 30, 2023

WebKitGTK 2.39.6 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.6 release?

  • Add support for speech synthesis using Flite.
  • Bring back WebKitConsoleMessage API implementation.
  • Fix async scroll event propagation for GTK4.
  • Add network session API when building with GTK4.
  • Make most public types final when building with GTK4.
  • Remove WebKitPrintCustomWidget when building with GTK4.
  • Remove most of the webkit_web_view_new_with_*() constructors when building with GTK4.
  • Remove webkit_web_context_get/set_process_model when building with GTK4.
  • Do not allow the sandbox to mount the entire home directory.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

January 30, 2023 12:00 AM



January 19, 2023

WebKitGTK 2.39.5 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.5 release?

  • Enable WebGL2 by default again that was disabled by mistake.
  • Fix the build with WebGL disabled.
  • Fix the webkit.h public header causing applications to fail to build.

Thanks to all the contributors who made possible this release.

January 19, 2023 12:00 AM



January 16, 2023

WebKitGTK 2.39.4 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.4 release?

  • Fix WebGL when sandbox is enabled.
  • Fix loading of media documents.
  • Add new API disable web security.
  • Disable support for HLS in media backend by default.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

Thanks to all the contributors who made possible this release.

January 16, 2023 12:00 AM



December 26, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-42852
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to hazbinhotel working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may result in the disclosure of process memory. Description: The issue was addressed with improved memory handling.
  • CVE-2022-42856
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to Clément Lecigne of Google’s Threat Analysis Group.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2022-42863
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-42867
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to Maddie Stone of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-46691
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.1.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory consumption issue was addressed with improved memory handling.
  • CVE-2022-46692
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to KirtiKumar Anandrao Ramchandani.
    • Impact: Processing maliciously crafted web content may bypass Same Origin Policy. Description: A logic issue was addressed with improved state management.
  • CVE-2022-46698
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to Dohyun Lee (@l33d0hyun) of DNSLab at Korea University, Ryan Shin of IAAI SecLab at Korea University.
    • Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A logic issue was addressed with improved checks.
  • CVE-2022-46699
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to Samuel Groß of Google V8 Security.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-46700
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.3.
    • Credit to Samuel Groß of Google V8 Security.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved input validation.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

December 26, 2022 12:00 AM



December 22, 2022

WebKitGTK 2.38.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.3 release?

  • Fix runtime critical warnings from media player.
  • Fix network process crash when fetching website data on ephemeral session.
  • Fix the build with Ruby 3.2.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

December 22, 2022 12:00 AM



December 14, 2022

WebKitGTK 2.39.3 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.3 release?

  • Add new API to query the permission state of web features.
  • Deprecate all web extension DOM APIs (WebKitDOMDocument, WebKitDOMElement, WebKitDOMNode).
  • Add webkit_web_hit_test_result_get_js_node() to get the JSCValue for the node.
  • Add WebKitWebFormManager and deprecate WebKitWebPage form related signals.
  • Don’t perform position queries on video sink when the player is for audio only.
  • Fix gibberish text when loading alternate data.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

December 14, 2022 12:00 AM



November 28, 2022

WebKitGTK 2.39.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.2 release?

  • Add API to support asynchronously returning values from user script messages.
  • Deprecate WebKitConsoleMessage API.
  • Deprecate event parameter of WebKitWebView::context-menu and WebKitWebView::show-option-menu signals in favor of a getter in WebKitConextMenu and WebKitOptionMenu.
  • Do not emit context-menu signals for media settings popup menu.
  • Use async scrolling also for keyboard scrolling.
  • Add support for client side certificates on WebSocket connections.
  • Fix first party for cookies set on every media request.
  • Fix a crash on authentication dialog with GTK4.
  • Fix web process leak when webkit_download_set_destination is called with empty destination.
  • Fix several warnings when building for ARMv7 (32-bits).
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 28, 2022 12:00 AM



November 11, 2022

WebKitGTK 2.39.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.1 release?

  • Use ANGLE for WebGL implementation and enable WebGL2.
  • Remove internal nested wayland compositor making libwpe mandatory when building with wayland enabled.
  • Prefer EGL over X11, intead of GLX, where available.
  • Add support for background-repeat: space.
  • Add API to check if a response policy decision is for the main resource.
  • Fix rendering of checkbox and radio buttons in black backgrounds.
  • Make checkbox, radio and inner spin button scale along by page zoom.
  • Add support for get computed label and get computed role WebDriver commands.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 11, 2022 12:00 AM



November 04, 2022

Stop Using QtWebKit

by Michael Catanzaro

Today, WebKit in Linux operating systems is much more secure than it used to be. The problems that I previously discussed in this old, formerly-popular blog post are nowadays a thing of the past. Most major Linux operating systems now update WebKitGTK and WPE WebKit on a regular basis to ensure known vulnerabilities are fixed. (Not all Linux operating systems include WPE WebKit. It’s basically WebKitGTK without the dependency on GTK, and is the best choice if you want to use WebKit on embedded devices.) All major operating systems have removed older, insecure versions of WebKitGTK (“WebKit 1”) that were previously a major security problem for Linux users. And today WebKitGTK and WPE WebKit both provide a webkit_web_context_set_sandbox_enabled() API which, if enabled, employs Linux namespaces to prevent a compromised web content process from accessing your personal data, similar to Flatpak’s sandbox. (If you are a developer and your application does not already enable the sandbox, you should fix that!)

Unfortunately, QtWebKit has not benefited from these improvements. QtWebKit was removed from the upstream WebKit codebase back in 2013. Its current status in Fedora is, unfortunately, representative of other major Linux operating systems. Fedora currently contains two versions of QtWebKit:

  • The qtwebkit package contains upstream QtWebKit 2.3.4 from 2014. I believe this is used by Qt 4 applications. For avoidance of doubt, you should not use applications that depend on a web engine that has not been updated in eight years.
  • The newer qt5-qtwebkit contains Konstantin Tokarev’s fork of QtWebKit, which is de facto the new upstream and without a doubt the best version of QtWebKit available currently. Although it has received occasional updates, most recently 5.212.0-alpha4 from March 2020, it’s still based on WebKitGTK 2.12 from 2016, and the release notes bluntly state that it’s not very safe to use. Looking at WebKitGTK security advisories beginning with WSA-2016-0006, I manually counted 507 CVEs that have been fixed in WebKitGTK 2.14.0 or newer.

These CVEs are mostly (but not exclusively) remote code execution vulnerabilities. Many of those CVEs no doubt correspond to bugs that were introduced more recently than 2.12, but the exact number is not important: what’s important is that it’s a lot, far too many for backporting security fixes to be practical. Since qt5-qtwebkit is two years newer than qtwebkit, the qtwebkit package is no doubt in even worse shape. And because QtWebKit does not have any web process sandbox, any remote code execution is game over: an attacker that exploits QtWebKit gains full access to your user account on your computer, and can steal or destroy all your files, read all your passwords out of your password manager, and do anything else that your user account can do with your computer. In contrast, with WebKitGTK or WPE WebKit’s web process sandbox enabled, attackers only get access to content that’s mounted within the sandbox, which is a much more limited environment without access to your home directory or session bus.

In short, it’s long past time for Linux operating systems to remove QtWebKit and everything that depends on it. Do not feed untrusted data into QtWebKit. Don’t give it any HTML that you didn’t write yourself, and certainly don’t give it anything that contains injected data. Uninstall it and whatever applications depend on it.

Update: I forgot to mention what to do if you are a developer and your application still uses QtWebKit. You should ensure it uses the most recent release of QtWebEngine for Qt 6. Do not use old versions of Qt 6, and do not use QtWebEngine for Qt 5.

by Michael Catanzaro at November 04, 2022 05:20 PM



WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32888
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.0.
    • Credit to P1umer (@p1umer).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2022-32923
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.0.
    • Credit to Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab.
    • Impact: Processing maliciously crafted web content may disclose internal states of the app. Description: A correctness issue in the JIT was addressed with improved checks.
  • CVE-2022-42799
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.2.
    • Credit to Jihwan Kim (@gPayl0ad), Dohyun Lee. (@l33d0hyun).
    • Impact: Visiting a malicious website may lead to user interface spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-42823
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.2.
    • Credit to Dohyun Lee (@l33d0hyun) of SSD Labs.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2022-42824
    • Versions affected: WebKitGTK before 2.38.2.
    • Credit to Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University, Dohyun Lee (@l33d0hyun) of DNSLab at Korea University.
    • Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

November 04, 2022 12:00 AM



WebKitGTK 2.38.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.2 release?

  • Fix scrolling issues in some sites having fixed background.
  • Fix prolonged buffering during progressive live playback.
  • Fix the build with accessibility disabled.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 04, 2022 12:00 AM



October 20, 2022

WebKitGTK 2.38.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.1 release?

  • Make xdg-dbus-proxy work if host session bus address is an abstract socket.
  • Use a single xdg-dbus-proxy process when sandbox is enabled.
  • Fix high resolution video playback due to unimplemented changeType operation.
  • Ensure GSubprocess uses posix_spawn() again and inherit file descriptors.
  • Fix player stucking in buffering (paused) state for progressive streaming.
  • Do not try to preconnect on link click when link preconnect setting is disabled.
  • Fix close status code returned when the client closes a WebSocket in some cases.
  • Fix media player duration calculation.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

October 20, 2022 12:00 AM



October 03, 2022

Mon 2022/Oct/03

by Claudio Saavedra

The series on the WPE port by the WebKit team at Igalia grows, with several new articles that go deep into different areas of the engine:

These articles are an interesting read not only if you're working on WebKit, but also if you are curious on how a modern browser engine works and some of the moving parts beneath the surface. So go check them out!

On a related note, the WebKit team is always on the lookout for talent to join us. Experience with WebKit or browsers is not necessarily a must, as we know from experience that anyone with a strong C/C++ background and enough curiosity will be able to ramp up and start contributing soon enough. If these articles spark your curiosity, feel free to reach out to me to find out more or to apply directly!

October 03, 2022 11:28 AM



September 19, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0009

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32886
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    • Credit to P1umer, afang5472, xmzyshypnc.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2022-32891
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to @real_as3617, an anonymous researcher.
    • Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-32912
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    • Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking. This issue only affects MacOS builds (Linux builds are not affected).

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

September 19, 2022 12:00 AM



September 16, 2022

WebKitGTK 2.38.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.38 series.

Highlights of the WebKitGTK 2.38.0 release

  • New media controls UI style.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Add support for PDF documents using PDF.js.

For more details about all the changes included in WebKitGTK 2.38 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

September 16, 2022 12:00 AM



WebKitGTK 2.36.8 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.8 release?

  • Fix jumpy elements when scrolling GitLab and other web sites.
  • Fix WebKitWebView:web-process-terminated signal not being emitted for the first web view when sandboxing is enabled.
  • Fix hang when opening HTML <select> elements in GTK4 builds.
  • Fix kinetic scrolling with elements that use overflow scrolling.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 16, 2022 12:00 AM



September 02, 2022

WebKitGTK 2.37.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.91 release?

  • Cache and reuse image-based backing stores to improve memory consumption.
  • Fix printing with bubblewrap sandbox enabled
  • Deprecate enable-frame-flattening setting because the functionality will be removed for 2.40.
  • Fix deadlock when disposing player while handling rotation tag.
  • Fix several crashes and rendering issues.
  • Translation updates: Polish.

Thanks to all the contributors who made possible this release.

September 02, 2022 12:00 AM



August 25, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008

by The WebKitGTK Project

  • Date Reported: August 25, 2022

  • Advisory ID: WSA-2022-0008

  • CVE identifiers: CVE-2022-32893.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32893
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.7.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

August 25, 2022 12:00 AM



August 24, 2022

WebKitGTK 2.36.7 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.7 release?

  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

August 24, 2022 12:00 AM



August 19, 2022

WebKitGTK 2.37.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.90 release?

  • Remove libnotify dependency.
  • Add support for service worker notifications.
  • Add support for loading the notification icon.
  • Add support for pac proxy type in WebDriver.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

Thanks to all the contributors who made possible this release.

August 19, 2022 12:00 AM



August 07, 2022

WebKitGTK 2.36.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.6 release?

  • Fix handling of touchpad scrolling on GTK4 builds.
  • Fix WebKitGTK not allowing to be used from non-main threads.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

August 07, 2022 12:00 AM



July 28, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32792
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds write issue was addressed with improved input validation.
  • CVE-2022-32816
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
    • Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-2294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5 if USE_LIBWEBRTC is enabled.
    • Credit to Jan Vojtesek of Avast Threat Intelligence team.
    • Heap buffer overflow in LibWebRTC allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. NOTE: The tarballs of WebKitGTK or WPE WebKit don’t ship LibWebRTC. Also the LibWebRTC support is disabled by default. You only are affected by this vulnerability if your build enabled the USE_LIBWEBRTC CMake option and used the repository as source instead of the tarballs.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 28, 2022 12:00 AM



WebKitGTK 2.36.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.5 release?

  • Add support for PAC proxy in the WebDriver implementation.
  • Fix video playback when loaded through custom URIs, this fixes video playback in the Yelp documentation browser.
  • Fix WebKitWebView::context-menu when using GTK4.
  • Fix LTO builds with GCC.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 28, 2022 12:00 AM



July 20, 2022

Gamepad in WPEWebkit

by Víctor Jáquez

This is the brief story of the Gamepad implementation in WPEWebKit.

It started with an early development done by Eugene Mutavchi (kudos!). Later, by the end of 2021, I retook those patches and dicussed them with my fellow igalian Adrián, and we decided to come with a slightly different approach.

Before going into the details, let’s quickly review the WPE architecture:

  1. cog library — it’s a shell library that simplifies the task of writing a WPE browser from the scratch, by providing common functionality and helper APIs.
  2. WebKit library — that’s the web engine that, given an URI and other following inputs, returns, among other ouputs, graphic buffers with the page rendered.
  3. WPE library — it’s the API that bridges cog (1) (or whatever other browser application) and WebKit (2).
  4. WPE backend — it’s main duty is to provide graphic buffers to WebKit, buffers supported by the hardware, the operating system, windowing system, etc.

Eugene’s implementation has code in WebKit (implementing the gamepad support for WPE port); code in WPE library with an API to communicate WebKit’s gamepad and WPE backend, which provided a custom implementation of gamepad, reading directly the event in the Linux device. Almost everything was there, but there were some issues:

  • WPE backend is mainly designed as a set of protocols, similar to Wayland, to deal with graphic buffers or audio buffers, but not for input events. Cog library is the place where input events are handled and injected to WebKit, such as keyboard.
  • The gamepad handling in a WPE backend was ad-hoc and low level, reading directly the events from Linux devices. This approach is problematic since there are plenty gamepads in the market and each has its own axis and buttons, so remapping them to the standard map is required. To overcome this issue and many others, there’s a GNOME library: libmanette, which is already used by WebKitGTK port.

Today’s status of the gamepad support is that it works but it’s not yet fully upstreamed.

  • merged libwpe pull request.
  • cog pull request — there are two implementations: none and libmanette. None is just a dummy implementation which will ignore any request for a gamepad provider; it’s provided if libmanette is not available or if available libwpe hasn’t gamepad support.
  • WebKit pull request.

To prove you all that it works my exhibit A is this video, where I play asteroids in a RasberryPi 4 64 bits:

The image was done with buildroot, using its master branch (from a week ago) with a bunch of modifications, such as adding libmanette, a kernel patch for my gamepad device, kernel 5.15.55 and its corresponding firmware, etc.

by vjaquez at July 20, 2022 10:08 AM



July 12, 2022

WebKitGTK 2.37.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.1 release?

  • Add initial implementation of WebRTC using GstWebRTC if GStreamer 1.20 is available, disabled by default via web view settings.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Add new API to run async JavaScript functions.
  • Expose typed arrays in JavaScriptCore GLib API.
  • Add support for PDF documents using PDF.js.
  • Show font name and font variant settings in the inspector.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Modernized media controls UI.
  • Add Support Google Dynamic Ad Insertion (DAI).
  • Add support for capturing encoded video streams from a webcam.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • Add support for IPv6 in the remote inspector.
  • Update form elements style to match libadwaita.
  • Fix canvas animations and images with threaded rendering enabled.
  • Switch to use gi-docgen for API documentation instead of gtk-doc.
  • Remove the ATK a11y implementation that has been replaced by AT-SPI DBus interfaces.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 12, 2022 12:00 AM



July 05, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22662
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.0.
    • Credit to Prakash (@1lastBr3ath) of Threat Nix.
    • Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A cookie management issue was addressed with improved state management.
  • CVE-2022-22677
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.4.
    • Credit to an anonymous researcher.
    • Impact: The video in a webRTC call may be interrupted if the audio capture gets interrupted. Description: A logic issue in the handling of concurrent media was addressed with improved state handling. NOTE: The tarballs of WebKitGTK or WPE WebKit don’t ship LibWebRTC. Also the LibWebRTC support is disabled by default. You only are affected by this vulnerability if your build enabled the USE_LIBWEBRTC CMake option and used the repository as source instead of the tarballs.
  • CVE-2022-26710
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 05, 2022 12:00 AM



WebKitGTK 2.36.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.4 release?

  • Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
  • Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblwrap-based sandboxing.
  • Fix leaked Web Processes in some particular situations.
  • Fix the build with media capture support enabled.
  • Fix cross-compilation when targeting 64-bit ARM.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 05, 2022 12:00 AM



July 01, 2022

Fri 2022/Jul/01

by Claudio Saavedra

I wrote a technical overview of the WebKit WPE project for the WPE WebKit blog, for those interested in WPE as a potential solution to the problem of browsers in embedded devices.

This article begins a series of technical writeups on the architecture of WPE, and we hope to publish during the rest of the year further articles breaking down different components of WebKit, including graphics and other subsystems, that will surely be of great help for those interested in getting more familiar with WebKit and its internals.

July 01, 2022 10:39 AM



May 30, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0005

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-26700
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to ryuzaki.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-26709
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-26717
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Jeonghoon Shin of Theori.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-26716
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to SorryMybad (@S0rryMybad) of Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-26719
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Dongzhuo Zhao working with ADLab of Venustech.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-30293
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.1.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash). Description: A memory corruption issue that could cause a heap use after free or a heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer was addressed with improved state management.
  • CVE-2022-30294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.1.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash). Description: A memory corruption issue that could cause a heap use after free or a heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer was addressed with improved state management. This is the same issue than CVE-2022-30293.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

May 30, 2022 12:00 AM



May 28, 2022

WebKitGTK 2.36.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.3 release?

  • Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
  • Avoid using experimental GStreamer elements for video demuxing.
  • Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
  • Fix playback of YouTube streams which use dynamic ad insertion.
  • Fix display capture with Pipewire.
  • Fix the build without the X11 target when X11 headers are not present.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

May 28, 2022 12:00 AM



May 18, 2022

WebKitGTK 2.36.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.2 release?

  • Fix some pages showing empty content boxes when using GTK4.
  • Fix the build with accessibility disabled.
  • Fix the build with newer Ruby versions.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

May 18, 2022 12:00 AM



May 02, 2022

From gst-build to local-projects

by Víctor Jáquez

Two years ago I wrote a blog post about using gst-build inside of WebKit SDK flatpak. Well, all that has changed. That’s the true upstream spirit.

There were two main reason for the change:

  1. Since the switch to GStreamer mono repository, gst-build has been deprecated. The mechanism in WebKit were added, basically, to allow GStreamer upstream, so keeping gst-build directory just polluted the conceptual framework.
  2. By using gst-build one could override almost any other package in WebKit SDK. For example, for developing gamepad handling in WPE I added libmanette as a GStreamer subproject, to link a modified version of the library rather than the one in flatpak. But that approach added an unneeded conceptual depth in tree.

In order to simplify these operations, by taking advantage of Meson’s subproject support directly, gst-build handling were removed and new mechanism was set in place: Local Dependencies. With local dependencies, you can add or override almost any dependency, while flatting the tree layout, by placing at the same level GStreamer and any other library. Of course, in order add dependencies, they must be built with meson.

For example, to override libsoup and GStreamer, just clone both repositories below of Tools/flatpak/local-projects/subprojects, and declare them in WEBKIT_LOCAL_DEPS environment variable:


$ export WEBKIT_SDK_LOCAL_DEPS=libsoup,gstreamer-full
$ export WEBKIT_SDK_LOCAL_DEPS_OPTIONS="-Dgstreamer-full:introspection=disabled -Dgst-plugins-good:soup=disabled"
$ build-webkit --wpe

by vjaquez at May 02, 2022 11:11 AM



April 21, 2022

WebKitGTK 2.36.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.1 release?

  • Fix the build with accessibility disabled.
  • Fix several crashes and rendering issues.
  • Translation updates: Croatian.

Thanks to all the contributors who made possible this release.

April 21, 2022 12:00 AM



April 08, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22624
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Kirin (@Pwnrin) of Tencent Security Xuanwu Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22628
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Kirin (@Pwnrin) of Tencent Security Xuanwu Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22629
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2022-22637
    • Versions affected: WebKitGTK before 2.34.4 and WPE WebKit before 2.34.4.
    • Credit to Tom McKee of Google.
    • Impact: A malicious website may cause unexpected cross-origin behavior. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

April 08, 2022 12:00 AM



March 21, 2022

WebKitGTK 2.36.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.36 series.

Highlights of the WebKitGTK 2.36.0 release

  • Add new accessibility implementation using ATSPI DBus interfaces instead of ATK.
  • Add support for requestVideoFrameCallback.
  • Change hardware-acceleration-policy setting default value to always.
  • Add support for media session.
  • Add new API to set HTTP response information to custom uri schemes.
  • Make user interactive threads (event handler, scrolling, …) real time in linux.

For more details about all the changes included in WebKitGTK 2.36 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

March 21, 2022 12:00 AM



February 25, 2022

WebKitGTK 2.35.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.90 release?

  • Fix scrolling with the mouse wheel on sites using overscroll-behavior.
  • Suspend web processes after some time in the process cache.
  • Fix renderning of horizontal scrollbars with themes enabling steppers.
  • Ensure EGL displays are terminated before web process exits.
  • Deinitialize gstreamer before web process exits.
  • Make fonts under XDG_DATA_DIRS available in web process sanbox.
  • Canonicalize paths passed to bubblewrap launcher.
  • Fix several crashes and rendering issues.
  • Translation updates: Hebrew.

Thanks to all the contributors who made possible this release.

February 25, 2022 12:00 AM



February 17, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003

by The WebKitGTK Project

  • Date Reported: February 17, 2022

  • Advisory ID: WSA-2022-0003

  • CVE identifiers: CVE-2022-22620.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22620
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.6.
    • Credit to an anonymous researcher.
    • Impact: processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 17, 2022 12:00 AM



WebKitGTK 2.34.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.6 release?

  • Fix accessibility not working when the Bubblewrap sandbox is enabled.
  • Fix rendering of scrollbars when overlay scrollbars are disabled.
  • Fix the build when the X11 support is disabled.
  • Fix the build in a number of situations where the main OpenGL library is not called libGL or libgl, as is the case on systems that use libglvnd.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 17, 2022 12:00 AM



February 09, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22589
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com).
    • Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript. Description: A validation issue was addressed with improved input sanitization.
  • CVE-2022-22590
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Toan Pham from Team Orca of Sea Security (security.sea.com).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22592
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Prakash (@1lastBr3ath).
    • Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 09, 2022 12:00 AM



WebKitGTK 2.35.3 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.3 release?

  • Fix a crash at startup when bubblewrap sandbox is enabled.
  • Fix a crash when starting a drag an drop on touchscreen.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 09, 2022 12:00 AM



WebKitGTK 2.34.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.5 release?

  • Improve VP8 codec selection when using GStreamer 1.20.
  • Fix connecting to the accessiblity bus when using the Bubblewrap sandbox.
  • Fix links being incorrectly activated when starting a pinch zoom gesture.
  • Fix touch-based scrolling.
  • Fix the build with recent toolchains based on GCC 12 and on older ones as included e.g. in Ubuntu 18.04.
  • Fix the build with ICU 60, version 61 is no longer required.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 09, 2022 12:00 AM



February 03, 2022

WebKitGTK 2.35.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.2 release?

  • Add new accessibility implementation using ATSPI DBus interfaces instead of ATK.
  • Use native GtkWidgets for form validation popups.
  • Add support for requestVideoFrameCallback.
  • Add support for accent colors.
  • Fix pinch zooming from a link to not activate the link.
  • Fix kinetic scrolling via touch screen.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 03, 2022 12:00 AM



January 21, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30934
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Dani Biro.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30936
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30951
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Pangu.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30952
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to WeBin.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An integer overflow was addressed with improved input validation.
  • CVE-2021-30953
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to VRIJ.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2021-30954
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2021-30984
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A race condition was addressed with improved state handling.
  • CVE-2022-22594
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Martin Bajanik of fingerprintjs.com.
    • Impact: A website may be able to track sensitive user information. Description: A cross-origin issue in the IndexDB API was addressed with improved input validation. Notes: There is a public PoC demonstrating this issue at safarileaks.com so it may have been actively exploited.
  • CVE-2021-45481
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause an application crash due to an incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
  • CVE-2021-45482
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause a memory corruption issue (use-after-free) in WebCore::ContainerNode::firstChild.
  • CVE-2021-45483
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause a memory corruption issue (heap-use-after-free) in WebCore::Frame::page.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

January 21, 2022 12:00 AM



WebKitGTK 2.34.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.4 release?

  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

January 21, 2022 12:00 AM



December 20, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30809
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30818
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Amar Menezes (@amarekano) of Zon8Research.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-30823
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to David Gullasch of Recurity Labs.
    • Impact: An attacker in a privileged network position may be able to bypass HSTS. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30836
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Peter Nguyen Vu Hoang of STAR Labs.
    • Impact: Processing a maliciously crafted audio file may disclose restricted memory. Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2021-30884
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to an anonymous researcher.
    • Impact: Visiting a maliciously crafted website may reveal a user’s browsing history. Description: The issue was resolved with additional restrictions on CSS compositing.
  • CVE-2021-30887
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.3.
    • Credit to Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd.
    • Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30888
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Prakash (@1lastBr3ath).
    • Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior. Description: An information leakage issue was addressed.
  • CVE-2021-30889
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution, Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30890
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
  • CVE-2021-30897
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to an anonymous researcher.
    • Impact: A malicious website may exfiltrate data cross-origin. Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

December 20, 2021 12:00 AM



WebKitGTK 2.34.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.3 release?

  • Make audio tools (like mixers) display the actual name of the application producing sound, instead of a generic one.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

December 20, 2021 12:00 AM



November 25, 2021

WebKitGTK 2.35.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.1 release?

  • Make user interactive threads (event handler, scrolling, …) real time in linux.
  • Add new API to set HTTP response information to custom uri schemes.
  • Add support for media session.
  • Change hardware-acceleration-policy setting default value to always.
  • Fix jsc_value_object_define_property_accessor() to work with objects not having a wrapped instance.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 25, 2021 12:00 AM



November 24, 2021

WebKitGTK 2.34.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.2 release?

  • Fix scrolling issues when pressing Home and PgDown keys.
  • Update effective appearance after web process switch on navigation.
  • Fix the build with video disabled.

Thanks to all the contributors who made possible this release.

November 24, 2021 12:00 AM



October 26, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30846
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2021-30848
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2021-30849
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30851
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Samuel Groß of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption vulnerability was addressed with improved locking.
  • CVE-2021-30858
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-42762
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.1.
    • Credit to an anonymous reporter.
    • BubblewrapLauncher.cpp allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

October 26, 2021 12:00 AM



October 21, 2021

WebKitGTK 2.34.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.1 release?

  • Update user agent browser versions.
  • Fix a crash with GTK >= 3.24.30.
  • Fix a crash when loading videos on reddit.
  • Fix file type detection when application calls g_desktop_app_info_set_as_default_for_extension() passing html.

Thanks to all the contributors who made possible this release.

October 21, 2021 12:00 AM



September 22, 2021

WebKitGTK 2.34.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.34 series.

Highlights of the WebKitGTK 2.34.0 release

  • Add support for HTTP/2 when building with libsoup3.
  • Add support for CSS Scroll Snap.
  • Add support for date and datetime-local input elements.
  • Add support for display capture.
  • Add support for ICC color management.
  • Add support color-schemes CSS property.
  • Add support for link preconnect when building with libsoup3.
  • Add support for client side certificates when building with libsoup3.
  • Add multi-track support to MSE media backend.
  • Add new API to handle web process unresponsiveness.
  • Add API to disable CORS on a web view for particular domains.
  • Add new API to access/modify capture devices states.
  • Add new API to configure the memory pressure handler.

For more details about all the changes included in WebKitGTK 2.34 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

September 22, 2021 12:00 AM



September 20, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0005

by The WebKitGTK Project

  • Date Reported: September 20, 2021

  • Advisory ID: WSA-2021-0005

  • CVE identifiers: CVE-2021-30858.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30858
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

September 20, 2021 12:00 AM



September 17, 2021

WebKitGTK 2.33.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.91 release?

  • Use the right display refresh monitor for animations in accelerated compositng mode.
  • Fix several issues in JavaScriptCore on 32bit systems.
  • Prefer python3 over python2 in CMake.

Thanks to all the contributors who made possible this release.

September 17, 2021 12:00 AM