September 19, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0009

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32886
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    • Credit to P1umer, afang5472, xmzyshypnc.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2022-32891
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to @real_as3617, an anonymous researcher.
    • Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-32912
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    • Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking. This issue only affects macOS builds (Linux builds are not affected).

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

September 19, 2022 12:00 AM



September 16, 2022

WebKitGTK 2.38.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.38 series.

Highlights of the WebKitGTK 2.38.0 release

  • New media controls UI style.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Add support for PDF documents using PDF.js.

For more details about all the changes included in WebKitGTK 2.38 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

September 16, 2022 12:00 AM



WebKitGTK 2.36.8 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.8 release?

  • Fix jumpy elements when scrolling GitLab and other web sites.
  • Fix WebKitWebView:web-process-terminated signal not being emitted for the first web view when sandboxing is enabled.
  • Fix hang when opening HTML <select> elements in GTK4 builds.
  • Fix kinetic scrolling with elements that use overflow scrolling.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 16, 2022 12:00 AM



September 02, 2022

WebKitGTK 2.37.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.91 release?

  • Cache and reuse image-based backing stores to improve memory consumption.
  • Fix printing with bubblewrap sandbox enabled.
  • Deprecate enable-frame-flattening setting because the functionality will be removed for 2.40.
  • Fix deadlock when disposing player while handling rotation tag.
  • Fix several crashes and rendering issues.
  • Translation updates: Polish.

Thanks to all the contributors who made possible this release.

September 02, 2022 12:00 AM



August 25, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008

by The WebKitGTK Project

  • Date Reported: August 25, 2022

  • Advisory ID: WSA-2022-0008

  • CVE identifiers: CVE-2022-32893.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32893
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.7.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

August 25, 2022 12:00 AM



August 24, 2022

WebKitGTK 2.36.7 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.7 release?

  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

August 24, 2022 12:00 AM



August 19, 2022

WebKitGTK 2.37.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.90 release?

  • Remove libnotify dependency.
  • Add support for service worker notifications.
  • Add support for loading the notification icon.
  • Add support for pac proxy type in WebDriver.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

Thanks to all the contributors who made possible this release.

August 19, 2022 12:00 AM



August 07, 2022

WebKitGTK 2.36.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.6 release?

  • Fix handling of touchpad scrolling on GTK4 builds.
  • Fix WebKitGTK not allowing to be used from non-main threads.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

August 07, 2022 12:00 AM



July 28, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32792
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds write issue was addressed with improved input validation.
  • CVE-2022-32816
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
    • Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-2294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5 if USE_LIBWEBRTC is enabled.
    • Credit to Jan Vojtesek of Avast Threat Intelligence team.
    • Heap buffer overflow in LibWebRTC allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. NOTE: The tarballs of WebKitGTK or WPE WebKit don’t ship LibWebRTC. Also the LibWebRTC support is disabled by default. You only are affected by this vulnerability if your build enabled the USE_LIBWEBRTC CMake option and used the repository as source instead of the tarballs.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 28, 2022 12:00 AM



WebKitGTK 2.36.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.5 release?

  • Add support for PAC proxy in the WebDriver implementation.
  • Fix video playback when loaded through custom URIs, this fixes video playback in the Yelp documentation browser.
  • Fix WebKitWebView::context-menu when using GTK4.
  • Fix LTO builds with GCC.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 28, 2022 12:00 AM



July 20, 2022

Gamepad in WPEWebkit

by Víctor Jáquez

This is the brief story of the Gamepad implementation in WPEWebKit.

It started with an early development done by Eugene Mutavchi (kudos!). Later, by the end of 2021, I retook those patches and discussed them with my fellow igalian Adrián, and we decided to come up with a slightly different approach.

Before going into the details, let’s quickly review the WPE architecture:

  1. cog library — it’s a shell library that simplifies the task of writing a WPE browser from scratch, by providing common functionality and helper APIs.
  2. WebKit library — that’s the web engine that, given a URI and other following inputs, returns, among other outputs, graphic buffers with the page rendered.
  3. WPE library — it’s the API that bridges cog (1) (or whatever other browser application) and WebKit (2).
  4. WPE backend — its main duty is to provide graphic buffers to WebKit, buffers supported by the hardware, the operating system, windowing system, etc.

Eugene’s implementation has code in WebKit (implementing the gamepad support for WPE port); code in WPE library with an API to communicate WebKit’s gamepad and WPE backend, which provided a custom implementation of gamepad, reading directly the event in the Linux device. Almost everything was there, but there were some issues:

  • WPE backend is mainly designed as a set of protocols, similar to Wayland, to deal with graphic buffers or audio buffers, but not for input events. Cog library is the place where input events are handled and injected to WebKit, such as keyboard.
  • The gamepad handling in a WPE backend was ad-hoc and low level, reading directly the events from Linux devices. This approach is problematic since there are plenty gamepads in the market and each has its own axis and buttons, so remapping them to the standard map is required. To overcome this issue and many others, there’s a GNOME library: libmanette, which is already used by WebKitGTK port.

Today’s status of the gamepad support is that it works but it’s not yet fully upstreamed.

  • merged libwpe pull request.
  • cog pull request — there are two implementations: none and libmanette. None is just a dummy implementation which will ignore any request for a gamepad provider; it’s provided if libmanette is not available or if available libwpe hasn’t gamepad support.
  • WebKit pull request.

To prove to you all that it works my exhibit A is this video, where I play asteroids in a Raspberry Pi 4 64 bits:

The image was done with buildroot, using its master branch (from a week ago) with a bunch of modifications, such as adding libmanette, a kernel patch for my gamepad device, kernel 5.15.55 and its corresponding firmware, etc.

by vjaquez at July 20, 2022 10:08 AM



July 12, 2022

WebKitGTK 2.37.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.1 release?

  • Add initial implementation of WebRTC using GstWebRTC if GStreamer 1.20 is available, disabled by default via web view settings.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Add new API to run async JavaScript functions.
  • Expose typed arrays in JavaScriptCore GLib API.
  • Add support for PDF documents using PDF.js.
  • Show font name and font variant settings in the inspector.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Modernized media controls UI.
  • Add support for Google Dynamic Ad Insertion (DAI).
  • Add support for capturing encoded video streams from a webcam.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • Add support for IPv6 in the remote inspector.
  • Update form elements style to match libadwaita.
  • Fix canvas animations and images with threaded rendering enabled.
  • Switch to use gi-docgen for API documentation instead of gtk-doc.
  • Remove the ATK a11y implementation that has been replaced by AT-SPI DBus interfaces.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 12, 2022 12:00 AM



July 05, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22662
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.0.
    • Credit to Prakash (@1lastBr3ath) of Threat Nix.
    • Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A cookie management issue was addressed with improved state management.
  • CVE-2022-22677
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.4.
    • Credit to an anonymous researcher.
    • Impact: The video in a webRTC call may be interrupted if the audio capture gets interrupted. Description: A logic issue in the handling of concurrent media was addressed with improved state handling. NOTE: The tarballs of WebKitGTK or WPE WebKit don’t ship LibWebRTC. Also the LibWebRTC support is disabled by default. You only are affected by this vulnerability if your build enabled the USE_LIBWEBRTC CMake option and used the repository as source instead of the tarballs.
  • CVE-2022-26710
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 05, 2022 12:00 AM



WebKitGTK 2.36.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.4 release?

  • Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
  • Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
  • Fix leaked Web Processes in some particular situations.
  • Fix the build with media capture support enabled.
  • Fix cross-compilation when targeting 64-bit ARM.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 05, 2022 12:00 AM



July 01, 2022

Fri 2022/Jul/01

by Claudio Saavedra

I wrote a technical overview of the WebKit WPE project for the WPE WebKit blog, for those interested in WPE as a potential solution to the problem of browsers in embedded devices.

This article begins a series of technical writeups on the architecture of WPE, and we hope to publish during the rest of the year further articles breaking down different components of WebKit, including graphics and other subsystems, that will surely be of great help for those interested in getting more familiar with WebKit and its internals.

July 01, 2022 10:39 AM



May 30, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0005

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-26700
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to ryuzaki.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-26709
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-26717
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Jeonghoon Shin of Theori.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-26716
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to SorryMybad (@S0rryMybad) of Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-26719
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Dongzhuo Zhao working with ADLab of Venustech.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-30293
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.1.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash). Description: A memory corruption issue that could cause a heap use after free or a heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer was addressed with improved state management.
  • CVE-2022-30294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.1.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash). Description: A memory corruption issue that could cause a heap use after free or a heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer was addressed with improved state management. This is the same issue as CVE-2022-30293.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

May 30, 2022 12:00 AM



May 28, 2022

WebKitGTK 2.36.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.3 release?

  • Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
  • Avoid using experimental GStreamer elements for video demuxing.
  • Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
  • Fix playback of YouTube streams which use dynamic ad insertion.
  • Fix display capture with Pipewire.
  • Fix the build without the X11 target when X11 headers are not present.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

May 28, 2022 12:00 AM



May 18, 2022

WebKitGTK 2.36.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.2 release?

  • Fix some pages showing empty content boxes when using GTK4.
  • Fix the build with accessibility disabled.
  • Fix the build with newer Ruby versions.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

May 18, 2022 12:00 AM



May 02, 2022

From gst-build to local-projects

by Víctor Jáquez

Two years ago I wrote a blog post about using gst-build inside of WebKit SDK flatpak. Well, all that has changed. That’s the true upstream spirit.

There were two main reasons for the change:

  1. Since the switch to GStreamer mono repository, gst-build has been deprecated. The mechanism in WebKit was added, basically, to allow GStreamer upstream, so keeping gst-build directory just polluted the conceptual framework.
  2. By using gst-build one could override almost any other package in WebKit SDK. For example, for developing gamepad handling in WPE I added libmanette as a GStreamer subproject, to link a modified version of the library rather than the one in flatpak. But that approach added an unneeded conceptual depth in tree.

In order to simplify these operations, by taking advantage of Meson’s subproject support directly, gst-build handling was removed and a new mechanism was set in place: Local Dependencies. With local dependencies, you can add or override almost any dependency, while flattening the tree layout, by placing at the same level GStreamer and any other library. Of course, in order to add dependencies, they must be built with meson.

For example, to override libsoup and GStreamer, just clone both repositories below Tools/flatpak/local-projects/subprojects, and declare them in the WEBKIT_LOCAL_DEPS environment variable:


$ export WEBKIT_SDK_LOCAL_DEPS=libsoup,gstreamer-full
$ export WEBKIT_SDK_LOCAL_DEPS_OPTIONS="-Dgstreamer-full:introspection=disabled -Dgst-plugins-good:soup=disabled"
$ build-webkit --wpe

by vjaquez at May 02, 2022 11:11 AM



April 21, 2022

WebKitGTK 2.36.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.1 release?

  • Fix the build with accessibility disabled.
  • Fix several crashes and rendering issues.
  • Translation updates: Croatian.

Thanks to all the contributors who made possible this release.

April 21, 2022 12:00 AM



April 08, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22624
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Kirin (@Pwnrin) of Tencent Security Xuanwu Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22628
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Kirin (@Pwnrin) of Tencent Security Xuanwu Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22629
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2022-22637
    • Versions affected: WebKitGTK before 2.34.4 and WPE WebKit before 2.34.4.
    • Credit to Tom McKee of Google.
    • Impact: A malicious website may cause unexpected cross-origin behavior. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

April 08, 2022 12:00 AM
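
As an added example (not code from the WebKitGTK project), the following Python code parses the "Versions affected" lines in the form the advisories on this page use, including split per-product thresholds and the USE_LIBWEBRTC condition, and reports the status of an installed version. The function names, the status strings and the choice to report odd-minor development series as "unverified" are assumptions of this example; the sample text is excerpted from WSA-2022-0004 and WSA-2022-0007.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

# Entries excerpted from WSA-2022-0004 and WSA-2022-0007 on this page
# (credit, impact and description lines omitted).
ADVISORY_TEXT = """\
  • CVE-2022-22624
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
  • CVE-2022-22637
    • Versions affected: WebKitGTK before 2.34.4 and WPE WebKit before 2.34.4.
  • CVE-2022-32792
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
  • CVE-2022-2294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5 if USE_LIBWEBRTC is enabled.
"""

Version = Tuple[int, ...]
PRODUCTS = r"(?:WebKitGTK|WPE WebKit)"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "<product> [and <product>] before <version>"; may occur twice in one line.
CLAUSE_RE = re.compile(
    rf"({PRODUCTS}(?:\s+and\s+{PRODUCTS})*)\s+before\s+(\d+(?:\.\d+)+)")
CONDITION_RE = re.compile(r"\bif\s+(\w+)\s+is enabled")


class Entry(NamedTuple):
    cve: str
    fixed_in: Dict[str, Version]  # product -> first version that is not affected
    condition: Optional[str]      # build option the advisory requires, if any


def parse_version(text: str) -> Version:
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # "2.36" compares as 2.36.0


def parse_entries(text: str) -> List[Entry]:
    """Turn advisory bullet text into one Entry per CVE."""
    entries, cve = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if CVE_RE.fullmatch(line):
            cve = line
        elif line.startswith("Versions affected:") and cve:
            fixed = {}
            for products, version in CLAUSE_RE.findall(line):
                for product in re.findall(PRODUCTS, products):
                    fixed[product] = parse_version(version)
            cond = CONDITION_RE.search(line)
            entries.append(Entry(cve, fixed, cond.group(1) if cond else None))
            cve = None
    return entries


def status(entry: Entry, product: str, installed: str,
           build_options: FrozenSet[str] = frozenset()) -> str:
    """Return 'affected', 'fixed', 'not-applicable' or 'unverified'."""
    if product not in entry.fixed_in:
        return "not-applicable"
    if entry.condition and entry.condition not in build_options:
        return "not-applicable"  # e.g. built without USE_LIBWEBRTC
    version = parse_version(installed)
    if version < entry.fixed_in[product]:
        return "affected"
    # Assumption of this example: thresholds are stated for stable series, so a
    # development (odd-minor) build above the threshold is reported as
    # unverified rather than fixed.
    if version[1] % 2 == 1:
        return "unverified"
    return "fixed"


def audit(text: str, product: str, installed: str,
          build_options: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    return {e.cve: status(e, product, installed, build_options)
            for e in parse_entries(text)}


if __name__ == "__main__":
    for cve, result in audit(ADVISORY_TEXT, "WPE WebKit", "2.34.7").items():
        print(f"{cve}: {result}")
```

The installed version string can come from the distribution's package manager or from `pkg-config --modversion` for the WebKitGTK or WPE WebKit API package in use.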



March 21, 2022

WebKitGTK 2.36.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.36 series.

Highlights of the WebKitGTK 2.36.0 release

  • Add new accessibility implementation using ATSPI DBus interfaces instead of ATK.
  • Add support for requestVideoFrameCallback.
  • Change hardware-acceleration-policy setting default value to always.
  • Add support for media session.
  • Add new API to set HTTP response information to custom uri schemes.
  • Make user interactive threads (event handler, scrolling, …) real time on Linux.

For more details about all the changes included in WebKitGTK 2.36 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

March 21, 2022 12:00 AM



February 25, 2022

WebKitGTK 2.35.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.90 release?

  • Fix scrolling with the mouse wheel on sites using overscroll-behavior.
  • Suspend web processes after some time in the process cache.
  • Fix rendering of horizontal scrollbars with themes enabling steppers.
  • Ensure EGL displays are terminated before web process exits.
  • Deinitialize gstreamer before web process exits.
  • Make fonts under XDG_DATA_DIRS available in web process sandbox.
  • Canonicalize paths passed to bubblewrap launcher.
  • Fix several crashes and rendering issues.
  • Translation updates: Hebrew.

Thanks to all the contributors who made possible this release.

February 25, 2022 12:00 AM



February 17, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003

by The WebKitGTK Project

  • Date Reported: February 17, 2022

  • Advisory ID: WSA-2022-0003

  • CVE identifiers: CVE-2022-22620.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22620
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.6.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 17, 2022 12:00 AM



WebKitGTK 2.34.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.6 release?

  • Fix accessibility not working when the Bubblewrap sandbox is enabled.
  • Fix rendering of scrollbars when overlay scrollbars are disabled.
  • Fix the build when the X11 support is disabled.
  • Fix the build in a number of situations where the main OpenGL library is not called libGL or libgl, as is the case on systems that use libglvnd.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 17, 2022 12:00 AM



February 09, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22589
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com).
    • Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript. Description: A validation issue was addressed with improved input sanitization.
  • CVE-2022-22590
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Toan Pham from Team Orca of Sea Security (security.sea.com).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22592
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Prakash (@1lastBr3ath).
    • Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 09, 2022 12:00 AM



WebKitGTK 2.35.3 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.3 release?

  • Fix a crash at startup when bubblewrap sandbox is enabled.
  • Fix a crash when starting a drag and drop on touchscreen.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 09, 2022 12:00 AM



WebKitGTK 2.34.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.5 release?

  • Improve VP8 codec selection when using GStreamer 1.20.
  • Fix connecting to the accessibility bus when using the Bubblewrap sandbox.
  • Fix links being incorrectly activated when starting a pinch zoom gesture.
  • Fix touch-based scrolling.
  • Fix the build with recent toolchains based on GCC 12 and on older ones as included e.g. in Ubuntu 18.04.
  • Fix the build with ICU 60, version 61 is no longer required.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 09, 2022 12:00 AM



February 03, 2022

WebKitGTK 2.35.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.2 release?

  • Add new accessibility implementation using ATSPI DBus interfaces instead of ATK.
  • Use native GtkWidgets for form validation popups.
  • Add support for requestVideoFrameCallback.
  • Add support for accent colors.
  • Fix pinch zooming from a link to not activate the link.
  • Fix kinetic scrolling via touch screen.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 03, 2022 12:00 AM



January 21, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30934
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Dani Biro.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30936
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30951
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Pangu.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30952
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to WeBin.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An integer overflow was addressed with improved input validation.
  • CVE-2021-30953
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to VRIJ.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2021-30954
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2021-30984
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A race condition was addressed with improved state handling.
  • CVE-2022-22594
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Martin Bajanik of fingerprintjs.com.
    • Impact: A website may be able to track sensitive user information. Description: A cross-origin issue in the IndexedDB API was addressed with improved input validation. Notes: There is a public PoC demonstrating this issue at safarileaks.com so it may have been actively exploited.
  • CVE-2021-45481
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause an application crash due to an incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
  • CVE-2021-45482
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause a memory corruption issue (use-after-free) in WebCore::ContainerNode::firstChild.
  • CVE-2021-45483
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause a memory corruption issue (heap-use-after-free) in WebCore::Frame::page.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

January 21, 2022 12:00 AM



WebKitGTK 2.34.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.4 release?

  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

January 21, 2022 12:00 AM



December 20, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30809
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30818
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Amar Menezes (@amarekano) of Zon8Research.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-30823
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to David Gullasch of Recurity Labs.
    • Impact: An attacker in a privileged network position may be able to bypass HSTS. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30836
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Peter Nguyen Vu Hoang of STAR Labs.
    • Impact: Processing a maliciously crafted audio file may disclose restricted memory. Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2021-30884
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to an anonymous researcher.
    • Impact: Visiting a maliciously crafted website may reveal a user’s browsing history. Description: The issue was resolved with additional restrictions on CSS compositing.
  • CVE-2021-30887
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.3.
    • Credit to Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd.
    • Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30888
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Prakash (@1lastBr3ath).
    • Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior. Description: An information leakage issue was addressed.
  • CVE-2021-30889
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30890
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
  • CVE-2021-30897
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to an anonymous researcher.
    • Impact: A malicious website may exfiltrate data cross-origin. Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

December 20, 2021 12:00 AM



WebKitGTK 2.34.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.3 release?

  • Make audio tools (like mixers) display the actual name of the application producing sound, instead of a generic one.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

December 20, 2021 12:00 AM



November 25, 2021

WebKitGTK 2.35.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.1 release?

  • Make user interactive threads (event handler, scrolling, …) real time in Linux.
  • Add new API to set HTTP response information to custom uri schemes.
  • Add support for media session.
  • Change hardware-acceleration-policy setting default value to always.
  • Fix jsc_value_object_define_property_accessor() to work with objects not having a wrapped instance.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 25, 2021 12:00 AM



November 24, 2021

WebKitGTK 2.34.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.2 release?

  • Fix scrolling issues when pressing Home and PgDown keys.
  • Update effective appearance after web process switch on navigation.
  • Fix the build with video disabled.

Thanks to all the contributors who made possible this release.

November 24, 2021 12:00 AM



October 26, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30846
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2021-30848
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2021-30849
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30851
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Samuel Groß of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption vulnerability was addressed with improved locking.
  • CVE-2021-30858
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-42762
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.1.
    • Credit to an anonymous reporter.
    • BubblewrapLauncher.cpp allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

October 26, 2021 12:00 AM



October 21, 2021

WebKitGTK 2.34.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.1 release?

  • Update user agent browser versions.
  • Fix a crash with GTK >= 3.24.30.
  • Fix a crash when loading videos on reddit.
  • Fix file type detection when application calls g_desktop_app_info_set_as_default_for_extension() passing html.

Thanks to all the contributors who made possible this release.

October 21, 2021 12:00 AM



September 22, 2021

WebKitGTK 2.34.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.34 series.

Highlights of the WebKitGTK 2.34.0 release

  • Add support for HTTP/2 when building with libsoup3.
  • Add support for CSS Scroll Snap.
  • Add support for date and datetime-local input elements.
  • Add support for display capture.
  • Add support for ICC color management.
  • Add support for color-schemes CSS property.
  • Add support for link preconnect when building with libsoup3.
  • Add support for client side certificates when building with libsoup3.
  • Add multi-track support to MSE media backend.
  • Add new API to handle web process unresponsiveness.
  • Add API to disable CORS on a web view for particular domains.
  • Add new API to access/modify capture devices states.
  • Add new API to configure the memory pressure handler.

For more details about all the changes included in WebKitGTK 2.34 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

September 22, 2021 12:00 AM



September 20, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0005

by The WebKitGTK Project

  • Date Reported: September 20, 2021

  • Advisory ID: WSA-2021-0005

  • CVE identifiers: CVE-2021-30858.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30858
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

September 20, 2021 12:00 AM



September 17, 2021

WebKitGTK 2.33.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.91 release?

  • Use the right display refresh monitor for animations in accelerated compositing mode.
  • Fix several issues in JavaScriptCore on 32bit systems.
  • Prefer python3 over python2 in CMake.

Thanks to all the contributors who made possible this release.

September 17, 2021 12:00 AM



WebKitGTK 2.32.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.4 release?

  • Do not append .asc extension to downloaded text/plain files.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 17, 2021 12:00 AM



September 02, 2021

WebKitGTK 2.33.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.90 release?

  • Show TLS protocol version and ciphersuite name in the inspector when building with libsoup3.
  • Add multi-track support to media backend.
  • Avoid strong alias computations in font fallback code.
  • Fix deadlock tearing down pipeline when using fallback sink.
  • Fix the build with gtk-doc enabled.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 02, 2021 12:00 AM



August 16, 2021

WebKitGTK 2.33.3 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.3 release?

  • Add support for display capture.
  • Add new API to access/modify capture devices states.
  • Add new API to configure the memory pressure handler.
  • Add support for client side certificates authentication.
  • Add support for color-schemes CSS property.
  • Add support for dark scrollbars.
  • Keep GtkSettings used by web processes in sync with the settings set in the UI process.
  • Add support for drawing the scrollbars corner.
  • Allow to opt-out of GL rendering at runtime for media player.
  • Add support for A420 compositing in media player.
  • Improve pinch to zoom gesture in accelerated compositing mode.
  • Fix cookies configuration after a network process crash.
  • Fix touchscreen navigation swipe when the page scrolls horizontally.
  • Fix rendering of elliptic radial gradients.
  • Fix several crashes and rendering issues.
  • Translation updates: Brazilian Portuguese, French, Swedish, Ukrainian.

Thanks to all the contributors who made possible this release.

August 16, 2021 12:00 AM



August 02, 2021

Introducing the GNOME Web Canary flavor

by Philippe Normand

Today I am happy to unveil GNOME Web Canary which aims to provide bleeding edge, most likely very unstable builds of Epiphany, depending on daily builds of the WebKitGTK development version. Read on to know more about this.

Until recently the GNOME Web browser was available for end-users in two …

by Philippe Normand at August 02, 2021 12:00 PM



July 23, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-1817
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to zhunki.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-1820
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to André Bargull.
    • Impact: Processing maliciously crafted web content may result in the disclosure of process memory. Description: A memory initialization issue was addressed with improved memory handling.
  • CVE-2021-1825
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to Alex Camboe of Aon’s Cyber Solutions.
    • Impact: Processing maliciously crafted web content may lead to a cross site scripting attack. Description: An input validation issue was addressed with improved input validation.
  • CVE-2021-1826
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-21775
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Marcin Towalski of Cisco Talos.
    • A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of WebKit. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.
  • CVE-2021-21779
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Marcin Towalski of Cisco Talos.
    • A use-after-free vulnerability exists in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
  • CVE-2021-21806
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.6.
    • Credit to Marcin ‘Icewall’ Noga of Cisco Talos.
    • An exploitable use-after-free vulnerability exists in WebKit. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.
  • CVE-2021-30661
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to yangkang (@dnpushme) of 360 ATA.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30663
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An integer overflow was addressed with improved input validation.
  • CVE-2021-30665
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30666
    • Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
    • Credit to yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30682
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.0.
    • Credit to an anonymous researcher and 1lastBr3ath.
    • Impact: A malicious application may be able to leak sensitive user information. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30689
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
  • CVE-2021-30720
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to David Schütz (@xdavidhu).
    • Impact: A malicious website may be able to access restricted ports on arbitrary servers. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30734
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Jack Dates of RET2 Systems, Inc. (@ret2systems) working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30744
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Dan Hite of jsontop.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A cross-origin issue with iframe elements was addressed with improved tracking of security origins.
  • CVE-2021-30749
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to an anonymous researcher and mipu94 of SEFCOM lab, ASU working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30758
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.2.
    • Credit to Christoph Guttandin of Media Codings.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-30761
    • Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30762
    • Versions affected: WebKitGTK and WPE WebKit before 2.28.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30795
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30797
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Ivan Fratric of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: This issue was addressed with improved checks.
  • CVE-2021-30799
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 23, 2021 12:00 AM



WebKitGTK 2.32.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.3 release?

  • Properly set the cookies settings after a network process crash.
  • Fix accessibility tree after a cross site navigation with PSON enabled.
  • Ensure WebKitScriptWorld::window-object-cleared signal is always emitted.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 23, 2021 12:00 AM



July 09, 2021

WebKitGTK 2.32.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.2 release?

  • Improve calculation of initial WebKitWebView size.
  • Fix kinetic scrolling on touchpad with async scrolling off.
  • Fix a crash on empty drag operation in X11.
  • Fix rendering on HiDPI/4k screen and scaling.
  • Handle null native surface for surfaceless rendering.
  • Fix JavaScriptCore crash on 32-bit big endian systems.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 09, 2021 12:00 AM



June 08, 2021

WebKitGTK 2.33.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.2 release?

  • HTTP/2 support when building with libsoup3.
  • Add API to disable CORS on a web view for particular domains.
  • Fix rendering on HiDPI/4k screen and scaling.
  • Improve calculation of initial WebKitWebView size.
  • Fix rendering of VP9 with transparency.
  • Remove dependency on glvideoflip and videoflip.
  • Several fixes on scrolling when async scrolling is enabled.
  • Ensure WebKitScriptWorld::window-object-cleared signal is always emitted.
  • Translation updates: Danish, Swedish, Ukrainian.

Thanks to all the contributors who made possible this release.

June 08, 2021 12:00 AM



May 14, 2021

WebKitGTK 2.33.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.1 release?

  • Add support for CSS Scroll Snap.
  • Add support for date and datetime-local input elements.
  • Add support for ICC color management.
  • Build with libsoup3 by default.
  • Add new API to handle web process unresponsiveness.
  • Add support for link preconnect when building with libsoup3.
  • Refactored Media Source Extensions platform code to increase stability and ease support of more features in the future.

Thanks to all the contributors who made possible this release.

May 14, 2021 12:00 AM



May 10, 2021

WebKitGTK 2.32.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.1 release?

  • Support building against the Musl C library.
  • Support building against ICU version 69 or newer.
  • Improve handling of Media Capture devices.
  • Improve WebAudio playback.
  • Improve video orientation handling.
  • Improve seeking support for MSE playback.
  • Improve flush support in EME decryptors.
  • Fix HTTP status codes for requests done through a custom URI handler.
  • Fix the Bubblewrap sandbox in certain 32-bit systems.
  • Fix inconsistencies between the WebKitWebView.is-muted property state and values returned by webkit_web_view_is_playing_audio().
  • Fix the build with ENABLE_VIDEO=OFF.
  • Fix wrong timestamps for long-lived cookies.
  • Fix UI process crash when failing to load favicons.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

Thanks to all the contributors who made possible this release.

May 10, 2021 12:00 AM



April 21, 2021

Review of Igalia Multimedia activities (2020/H2)

by Víctor Jáquez

As the first quarter of 2021 has already come to a close, we reckon it’s time to recap our achievements from the second half of 2020, and update you on the improvements we have been making to the multimedia experience on the Web and Linux in general.

Our previous reports:

WPE / WebKitGTK

We have closed ~100 issues related to multimedia in WebKitGTK/WPE, such as fixed seek issues during playback, plugged memory leaks, gardening tests, improved Flatpak-based developing work-flow, enabled new codecs, etc. Overall, we improved a bit the multimedia’s user experience on these WebKit engine ports.

To highlight a couple tasks, we did some maintenance work on WebAudio backends, and we upstreamed an internal audio mixer, keeping only one connection to the audio server, such as PulseAudio, instead of multiple connections, one for every audio resource. The mixer combines all streams into a single audio server connection.

Adaptive media streaming for the Web (MSE)

We have been working on a new MSE backend for a while, but along the way many related bugs have appeared and they were squashed. Also many code cleanups have been carried out. Though it has been like yak shaving, we are confident that we will reach the end of this long and winding road soonish.

DRM media playback for the Web (EME)

Regarding digital protected media playback, we worked to upstream OpenCDM, support with Widevine, through RDK’s Thunder framework, while continuing with the usual maintenance of the other key systems, such as Clear Key, Widevine and PlayReady.

For more details we published a blog post: Serious Encrypted Media Extensions on GStreamer based WebKit ports.

Realtime communications for the Web (WebRTC)

Just as EME, WebRTC is not currently enabled by default in browsers such as Epiphany because of license problems, but they are available for custom adopters, and we are maintaining it. For example, we collaborated to upgrade LibWebRTC to M87 and fixed the expected regressions and gardening.

Along the way we experimented a bit with the new GPUProcess for capture devices, but we decided to stop the experimentation while waiting for a broader adoption of the process, for example in graphics rendering, in WPE/WebKitGTK.

GPUProcess work will be retaken at some point, because it’s not, currently, a hard requirement, since we already have moved capture devices handling from the UIProcess to the WebProcess, isolating all GStreamer operations in the latter.

GStreamer

GStreamer is one of our core multimedia technologies, and we contribute to it on a daily basis. We pushed ~400 commits, with a similar number of code reviews, along the second half of 2020. Among those contributions let us highlight the following list:

  • A lot of bug fixing aiming for release 1.18.
  • Reworked and enhanced decodebin3, the GstTranscoder API and encodebin.
  • Merged av1parse in video parsers plugin.
  • Merged qroverlay plugin.
  • Iterated on the mono-repo proposal, which requires consensus and coordination among the whole community.
  • gstwpe element has been greatly improved from new user requests.
  • Contributed on the new libgstcodecs library, which enables stateless video decoders through different platforms (for example, v4l2, d3d11, va, etc.).
  • Developed a new plugin for VA-API using this library, exposing H.264, H.265, VP9, VP8, MPEG2 decoders and a full featured postprocessor, with better performance, according to our measurements, than GStreamer-VAAPI.

Conferences

Although 2020 was not a year for conferences, many of them went virtual. We attended one, the Mile high video conference, and participated in the Slack workspace.

Thank you for reading this report and stay tuned with our work.

by vjaquez at April 21, 2021 04:49 AM



March 29, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0003

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-1788
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Credit to Francisco Alonso (@revskills).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-1844
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Credit to Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved validation.
  • CVE-2021-1871
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Credit to an anonymous researcher.
    • Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

March 29, 2021 12:00 AM



March 26, 2021

WebKitGTK 2.32.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.32 series.

Highlights of the WebKitGTK 2.32.0 release

  • NPAPI plugins support has been removed.
  • System font scaling factor is correctly applied now.
  • New permission request API for MediaKeySystem access.
  • New API to remove individual scripts/stylesheets using WebKitUserContentManager.
  • Web inspector now shows detailed information about main loop frames.
  • The minimum required GStreamer version is now 1.14.
  • The GStreamer runtime is now initialized only when required.
  • Improved platform support for WebAudio (WebAudio->MediaStream, Worklet, Multi-channel).
  • Support for hardware-accelerated video rendering on i.MX8 platforms (using the NXP driver).

For more details about all the changes included in WebKitGTK 2.32 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

March 26, 2021 12:00 AM



March 22, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0002

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2020-27918
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to Liu Long of Ant Security Light-Year Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-29623
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to Simon Hunt of OvalTwo LTD.
    • Impact: A user may be unable to fully delete browsing history. Description: “Clear History and Website Data” did not clear the history in some circumstances. The issue was addressed with improved data deletion.
  • CVE-2020-9947
    • Versions affected: WebKitGTK before 2.30.0 and WPE WebKit before 2.30.0.
    • Credit to cc working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-1765
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to Eliya Stein of Confiant.
    • Impact: Maliciously crafted web content may violate iframe sandboxing policy. Description: This issue was addressed with improved iframe sandbox enforcement.
  • CVE-2021-1789
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to @S0rryMybad of 360 Vulcan Team.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-1799
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar.
    • Impact: A malicious website may be able to access restricted ports on arbitrary servers. Description: A port redirection issue was addressed with additional port validation.
  • CVE-2021-1801
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to Eliya Stein of Confiant.
    • Impact: Maliciously crafted web content may violate iframe sandboxing policy. Description: This issue was addressed with improved iframe sandbox enforcement.
  • CVE-2021-1870
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Credit to an anonymous researcher.
    • Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.
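
To check an installed version against the "Versions affected" lines, the following added example (not code from the WebKitGTK project) parses the bullet layout these advisories use and lists the CVEs that still apply. The sample text is abridged from entries on this page; the function names and the package-style version string `2.32.0-1` are assumptions made for the example.

```python
import re

# Abridged entries in the bullet layout used by the advisories on this page
# (WSA-2021-0002 and WSA-2021-0003); credit and description text is omitted.
ADVISORY_TEXT = """\
  • CVE-2020-9947
    • Versions affected: WebKitGTK before 2.30.0 and WPE WebKit before 2.30.0.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2021-1870
    • Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    • Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2021-1871
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
"""

CVE_LINE = re.compile(r"^\s*•\s*(CVE-\d{4}-\d{4,})\s*$")
PRODUCT = r"(?:WebKitGTK|WPE WebKit)"
# Matches "WebKitGTK before X" as well as "WebKitGTK and WPE WebKit before X".
AFFECTED = re.compile(rf"({PRODUCT}(?: and {PRODUCT})*) before (\d+(?:\.\d+)+)")


def parse_version(text):
    """Turn '2.30.6' (or a package string such as '2.30.6-1') into a comparable tuple."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    # Pad so that '2.32' and '2.32.0' compare equal instead of '2.32' sorting first.
    return tuple(parts + [0] * (4 - len(parts)))


def parse_advisory(text):
    """Return one dict per CVE: id, first fixed version per product, exploitation flag."""
    entries, current = [], None
    for line in text.splitlines():
        m = CVE_LINE.match(line)
        if m:
            current = {"cve": m.group(1), "fixed": {}, "exploited": False}
            entries.append(current)
        elif current is not None:
            for products, version in AFFECTED.findall(line):
                for product in products.split(" and "):
                    current["fixed"][product] = parse_version(version)
            if "actively exploited" in line:
                current["exploited"] = True
    return entries


def unpatched(entries, product, installed):
    """Entries whose first fixed version is newer than the installed one."""
    have = parse_version(installed)
    return [e for e in entries if product in e["fixed"] and have < e["fixed"][product]]


if __name__ == "__main__":
    parsed = parse_advisory(ADVISORY_TEXT)
    # Numeric comparison matters: 2.30.10 is newer than 2.30.6, and the
    # development release 2.31.91 is still "before 2.32.0".
    for installed in ("2.30.5", "2.30.10", "2.31.91", "2.32.0-1"):
        hits = unpatched(parsed, "WebKitGTK", installed)
        flagged = [e["cve"] + (" (exploitation reported)" if e["exploited"] else "") for e in hits]
        print(installed, "->", flagged or "no listed CVE applies")
```

Distribution packages can carry backported fixes under an older upstream version number, so a hit from this check is a prompt to read the distribution's own changelog rather than a final verdict.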

March 22, 2021 12:00 AM



March 18, 2021

WebKitGTK 2.30.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.30 series.

What’s new in the WebKitGTK 2.30.6 release?

  • Update user agent quirks again for Google Docs and Google Drive
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

March 18, 2021 12:00 AM



March 12, 2021

WebKitGTK 2.31.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.32 series.

What’s new in the WebKitGTK 2.31.91 release?

  • Make WebKitSecurityOrigin a simple data store for <protocol, host, port> and deprecate webkit_security_origin_is_opaque().
  • Fix user agent again to work on several google websites.
  • Fix web view url on web process terminate signals.
  • Fix preferred language overrides sent to the web process.
  • Fix the build in i386.
  • Translation updates: Simplified Chinese.

Thanks to all the contributors who made possible this release.

March 12, 2021 12:00 AM



February 26, 2021

WebKitGTK 2.31.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.32 series.

What’s new in the WebKitGTK 2.31.90 release?

  • Add permission request API for MediaKeySystem access.
  • Fix rendering when using opacity filters on hardware accelerated layers.
  • Fix flatpak-spawn subsandbox to not clear environment variables.
  • Ensure a URI scheme handler can’t be registered multiple times.
  • Fix several crashes and rendering issues.
  • The minimum required GStreamer version is now 1.14.
  • CEA-608 closed captions support (requires WEBKIT_GST_USE_PLAYBIN3=1 environment variable).
  • Advertise CBCS decryption and VP9 support in Thunder.
  • Advertise DASH as supported in the media player.
  • Improved support for playbin3.
  • Translation updates: Ukrainian.

Thanks to all the contributors who made possible this release.

February 26, 2021 12:00 AM



February 15, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0001

by The WebKitGTK Project

  • Date Reported: February 15, 2021

  • Advisory ID: WSA-2021-0001

  • CVE identifiers: CVE-2020-13558.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2020-13558
    • Versions affected: WebKitGTK before 2.30.5 and WPE WebKit before 2.30.5.
    • Credit to Marcin ‘Icewall’ Noga of Cisco Talos.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue in the AudioSourceProviderGStreamer class was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 15, 2021 12:00 AM



February 11, 2021

WebKitGTK 2.30.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.30 series.

What’s new in the WebKitGTK 2.30.5 release?

  • Bring back the WebKitPluginProcess installation that was removed by mistake.
  • Fix RunLoop objects leaked in worker threads.
  • Fix aarch64 llint build with JIT disabled.
  • Use Internet Explorer quirk for Google Docs.

Thanks to all the contributors who made possible this release.

February 11, 2021 12:00 AM



January 20, 2021

Flexbox Cats (a.k.a fixing images in flexbox)

by Sergio Villar

In my previous post I discussed my most recent contributions to flexbox code in WebKit mainly targeted at reducing the number of interoperability issues among the most popular browsers. The ultimate goal was of course to make the life of web developers easier. It got quite some attention (I loved Alan Stearns’ description of the post) so I decided to write another one, this time focused on the changes I recently landed in WebKit (Safari’s engine) to improve the handling of elements with aspect ratio inside flexbox, a.k.a make images work inside flexbox. Some of them have been already released in the Safari 118 Tech Preview so it’s now possible to help test them and provide early feedback.

(BTW if you wonder about the blog post title I couldn’t resist the temptation of writing “Flexbox Cats” which sounded really great after the previous “Flexbox Gaps”. After all, image support was added to the Web just to post pictures of 🐱, wasn’t it?)

Same as I did before, I think it’d be useful to review some of the more relevant changes with examples so you could have any of those so inspiring a-ha moments when you realize that the issue you just couldn’t figure out was actually a problem in the implementation.

What was done

Images as flex items in column flows

Web engines are in charge of taking an element tree and accompanying CSS and creating a box tree from them. All of this relies on Formatting Contexts. Each formatting context has specific ideas about how layout behaves. Both flex and grid, for example, created new, interesting formatting contexts which allow them to size their children by shrinking and/or stretching them. But how all this works can vary. While there is “general” box code that is consulted by each formatting context, there are also special cases which require specialized overrides. Replaced elements (images, for example) should work a little differently in flex and grid containers. Consider this:
.flexbox {
    display: flex;
    flex-direction: column;
    height: 500px;
    justify-content: flex-start;
    align-items: flex-start;
}

.flexbox > * {
    flex: 1;
    min-width: 0;
    min-height: 0;
}

<div class="flexbox">
      <img src="cat1.jpg">
</div>

Ideally, the aspect ratio of the replaced element (the image, in the example) would be preserved as the flex context calculated its size in the relevant direction (column is the block direction/vertical in western writing modes, for example)… But in WebKit, it wasn’t. It is now.

Black and white cat by pixabay

Images as flex items in row flows

This second issue is kind of the specular twin of the previous one. The same issue that existed for block sizes was also there for inline sizes. Overriding inline sizes were not used to compute block sizes of items with aspect ratio (again the intrinsic inline size was used) and thus the aspect ratio of the image (replaced elements in general) was not preserved at all. Some examples of this issue:
.flexbox {
  display: flex;
  flex-direction: row;
  width: 500px;
  justify-content: flex-start;
  align-items: flex-start;
}
.flexbox > * {
  flex: 1;
  min-width: 0;
  min-height: 0;
}

<div class="flexbox">
    <img src="cat2.jpg">
</div>

Gray Cat by Gabriel Criçan

Images as flex items in auto-height flex containers

The two fixes above allowed us to “easily” fix this one because we can now rely on the computations done by the replaced elements code to compute sizes for items with aspect ratio even if they’re inside special formatting contexts such as grid or flex. This fix was precisely about delegating that computation to the replaced elements code instead of duplicating all the aspect-ratio machinery in the flexbox code. This fix apparently has the potential to be a game changer:
This is a key bug to fix so that Authors can use Flexbox as intended. At the moment, no one can use Flexbox in a DOM structure where images are flex children.

Jen Simmons in bug 209983
Also don’t miss the opportunity to check this visually appealing demo by Jen which should work as expected now. For those of you not having a WebKit based browser I’ve recorded a screencast for you to compare (all circles should be round).
Left: old WebKit. Right: new WebKit (tested using WebKitGtk)
Apart from the screen cast, I’m also showcasing the issue with some actual code.
.flexbox {
    width: 500px;
    display: flex;
}
.flexbox > * {
    min-width: 0;
}

<div class="flexbox">  
  <img style="flex: auto;" src="cat3.jpg">
</div>

Tabby Cat by Bekka Mongeau

Flexbox additional cases for definite sizes

This was likely the trickiest one. I remember having nightmares with all the definite/indefinite stuff back then when I was implementing grid layout with other Igalia colleagues. The whole thing about definite/indefinite sizes although sensible and relatively easy to understand is actually a huge challenge for web engines which were not really designed with them in mind. Laying out web content traditionally means taking a width as input to produce a height as output. However formatting contexts like grid or flex make the whole picture much more complicated.
This particular issue was not a malfunction but something that was not implemented. Essentially the flex specs define some cases where indefinite sizes should be considered as definite although the general rule considers them indefinite. For example, if a single-line flex container has a definite cross size we could assume that flex items have a definite size in the cross axis which is indeed equal to the flex container inner cross size.
In the following example the flex item, the image, has height:auto (by default) which is an indefinite size. However the flex container has a definite height (a fixed 300px). This means that when laying out the image, we could assume that its height is definite and equal to the height of the container. Having a definite height then allows you to properly compute the width using an aspect ratio.
.flexbox {
    display: flex;
    width: 0;
    height: 300px;
}

<div class="flexbox">
  <img src="cat4.png">
</div>

White and Black Cat With Blue Eyes by Thomas Svensson

Aspect ratio computations and box-sizing

A very common oversight in layout code. When dealing with layout bugs we (browser engineers) usually forget about box-sizing because the standard box model is the truth and the whole truth and the sole truth in our minds. Jokes aside, in this case the aspect ratio was applied to the border box (content + border + padding) instead of to the content box as it should. The result was distorted images because border and padding were altering the aspect ratio computations.
.flexbox {
  display: flex;
}
.flexbox > * {
  border-top: 150px solid blue;
  border-left: 30px solid orange;
  height: 300px;
  box-sizing: border-box;
}

<div class=flexbox>
  <img src="cat5.png"/>
</div>

Grayscale Photo of Long Fur Cat by Skyler Ewin
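
The arithmetic behind the last two cases (a definite height taken from the flex container, and the aspect ratio applied to the content box rather than the border box) is worked through below. This is an added example that models the sizing rules described in the post; it is not WebKit code, and the 400x200 intrinsic image size and the function name are assumptions made for the example.

```python
def flex_image_size(intrinsic_w, intrinsic_h, height, box_sizing="content-box",
                    border=(0, 0, 0, 0), padding=(0, 0, 0, 0),
                    ratio_on_border_box=False):
    """Size an image flex item whose height is definite and whose width is auto.

    border and padding are (top, right, bottom, left) in px. Returns the
    content-box and border-box sizes as (width, height) tuples.
    """
    ratio = intrinsic_w / intrinsic_h
    extra_h = border[0] + border[2] + padding[0] + padding[2]
    extra_w = border[1] + border[3] + padding[1] + padding[3]

    # 'height' describes the border box or the content box depending on box-sizing.
    border_h = height if box_sizing == "border-box" else height + extra_h
    content_h = max(0, border_h - extra_h)

    if ratio_on_border_box:
        # Model of the bug described in the post: ratio applied to the border box.
        border_w = border_h * ratio
        content_w = max(0, border_w - extra_w)
    else:
        # Correct behaviour: the ratio relates content width to content height.
        content_w = content_h * ratio
        border_w = content_w + extra_w
    return {"content": (content_w, content_h), "border_box": (border_w, border_h)}


# Constructed input: an image with intrinsic size 400x200 (ratio 2:1).

# Definite-size case: the container is 300px tall, so the stretched image is
# treated as having a definite 300px height and its width follows from the ratio.
DEFINITE = flex_image_size(400, 200, 300)

# box-sizing case from the post: height 300px, border-top 150px, border-left 30px.
BORDERS = (150, 0, 0, 30)
FIXED = flex_image_size(400, 200, 300, "border-box", border=BORDERS)
BUGGY = flex_image_size(400, 200, 300, "border-box", border=BORDERS,
                        ratio_on_border_box=True)


def content_ratio(result):
    """Aspect ratio of the area the image pixels are actually painted into."""
    width, height = result["content"]
    return width / height


if __name__ == "__main__":
    print("definite height:", DEFINITE)
    print("fixed:", FIXED, "ratio", content_ratio(FIXED))
    print("buggy:", BUGGY, "ratio", content_ratio(BUGGY))
```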

Conclusions

I mentioned this in the previous post but I’ll do it again here, having the web platform test suite has been an absolute game changer for web browser engineers. They have helped us in many ways, from easily allowing us to verify our implementations to acting as a safety net against potential regressions we might add while fixing issues in the engines. We no longer have to manually test stuff in different browsers to check how other developers have interpreted the specs. We now have the test, period.
In this case, I’ve been using them in a different way. They have served me both as a guide, directing my efforts to reduce the flexbox interoperability issues and also as a nice metric to measure the progress of the task. Talking about metrics, this work made WebKit based browsers pass an additional 64 test cases from the WPT test suite, a very nice step forward for interoperability.
I’m attaching a screenshot with the current status of images as flex items from the WPT point of view. Each html file on the left column is a test, and each test performs multiple checks. For example the image-as-flexitem-* ones run 19 different checks (use cases) each. Each column shows how many tests each browser successfully ran. A quarter ago Safari’s (WebKit’s) figures for most of them were 11/19, 13/19 but now the last Tech Preview is passing all of them. Not bad huh?
image-as-flexitem-* flexbox tests in WPT as of 2021/01/20

Acknowledgements

Again many thanks to the different awesome folks at Apple, Google and my beloved Igalia that helped me with very insightful reviews and strong support at all levels.
Also I am thankful to all the photographers from whom I borrowed their nice cat pictures (including the Brown and Black Cat on top by pixabay).

by svillar at January 20, 2021 09:45 AM