Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 923205935b5be77b722f998a306732eacd648754
      
https://github.com/WebKit/WebKit/commit/923205935b5be77b722f998a306732eacd648754
  Author: Roberto Rodriguez <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    A LayoutTests/navigation-api/navigation-api-rate-limit-exceeded-expected.txt
    A LayoutTests/navigation-api/navigation-api-rate-limit-exceeded.html
    A LayoutTests/navigation-api/navigation-api-rate-limit-window-reset-expected.txt
    A LayoutTests/navigation-api/navigation-api-rate-limit-window-reset.html
    M Source/WebCore/page/LocalDOMWindow.h
    M Source/WebCore/page/Navigation.cpp
    M Source/WebCore/page/Navigation.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Implement navigation rate limiting
https://bugs.webkit.org/show_bug.cgi?id=302355
rdar://164510890

Reviewed by Basuke Suzuki.

Add a sliding window rate limiter (200 navigations per 10 second window) to the Navigation API
to prevent malicious or buggy scripts from flooding the system with navigation requests. This
matches Chromium's implementation and prevents IPC flooding, resource exhaustion, and other
issues caused by excessive navigation attempts. The limiter is enforced at innerDispatchNavigateEvent()
to cover all navigation methods (navigate, reload, back, forward, traverseTo).

Tests: navigation-api/navigation-api-rate-limit-exceeded.html
       navigation-api/navigation-api-rate-limit-window-reset.html

* LayoutTests/navigation-api/navigation-api-rate-limit-exceeded-expected.txt: Added.
* LayoutTests/navigation-api/navigation-api-rate-limit-exceeded.html: Added.
* LayoutTests/navigation-api/navigation-api-rate-limit-window-reset-expected.txt: Added.
* LayoutTests/navigation-api/navigation-api-rate-limit-window-reset.html: Added.
* Source/WebCore/page/LocalDOMWindow.h:
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::innerDispatchNavigateEvent):
(WebCore::Navigation::RateLimiter::navigationAllowed):
* Source/WebCore/page/Navigation.h:
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::setNavigationRateLimiterParameters):
(WebCore::Internals::resetNavigationRateLimiter):
* Source/WebCore/testing/Internals.h:
* Source/WebCore/testing/Internals.idl:

Canonical link: https://commits.webkit.org/302943@main
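
The limiter described in the log message, sketched as an added example (not code from the WebKit commit): a sliding-window log that keeps the timestamps of admitted events, using the 200-per-10-seconds limits from the message. The class and function names, the injected clock value, and the choice not to record denied attempts are assumptions.

```cpp
#include <chrono>
#include <cstddef>
#include <cstdio>
#include <deque>

// Added illustration; class and function names are hypothetical, not WebKit's.
class SlidingWindowLimiter {
public:
    using Clock = std::chrono::steady_clock;

    SlidingWindowLimiter(std::size_t maxEvents, Clock::duration window) : m_maxEvents(maxEvents), m_window(window) { }

    // Admits the event if fewer than maxEvents were admitted in (now - window, now].
    // Assumption: denied attempts are not recorded, so retrying while blocked
    // does not push the caller's next free slot further out.
    bool allow(Clock::time_point now)
    {
        while (!m_admitted.empty() && now - m_admitted.front() >= m_window)
            m_admitted.pop_front(); // This entry has slid out of the window.
        if (m_admitted.size() >= m_maxEvents)
            return false;
        m_admitted.push_back(now);
        return true;
    }

    std::size_t inWindow() const { return m_admitted.size(); }

private:
    std::size_t m_maxEvents;
    Clock::duration m_window;
    std::deque<Clock::time_point> m_admitted; // Oldest first; never more than maxEvents entries.
};

// Constructed scenario: `attempts` calls spaced `gap` apart, starting at `start`.
// Returns how many were admitted.
std::size_t admittedInBurst(SlidingWindowLimiter& limiter, SlidingWindowLimiter::Clock::time_point start, std::size_t attempts, std::chrono::milliseconds gap)
{
    std::size_t admitted = 0;
    for (std::size_t i = 0; i < attempts; ++i, start += gap)
        admitted += limiter.allow(start) ? 1 : 0;
    return admitted;
}

int main()
{
    SlidingWindowLimiter limiter(200, std::chrono::seconds(10)); // Limits from the commit message.
    std::printf("admitted %zu of 500\n", admittedInBurst(limiter, {}, 500, std::chrono::milliseconds(1)));
}
```

Because the window slides, one slot frees up each time the oldest admitted timestamp ages past 10 seconds, and memory stays bounded at `maxEvents` timestamps no matter how many attempts are denied.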


