WebKitGTK
cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*
- < 2.50.4
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to make IP connections, perform DNS lookups, and send HTTP requests that the embedding application never intended to permit. The cause is that certain kinds of HTTP requests bypass the WebPage::send-request signal handler, the hook applications rely on to inspect, modify, or block network requests. Because those requests are never presented to the handler, connections are established without application approval, which raises privacy concerns, particularly when WebKit is used as the rendering engine in email clients.
Exploitation of this vulnerability results in an authorization bypass: untrusted content can make network requests without the oversight the application expects to have. In an email client this can be misused for read tracking, since a message containing content that triggers the bypass causes a request to be sent when the message is rendered, confirming that it was opened.
The vulnerability can be reproduced by building a WebKit application that loads HTML containing link elements with certain rel attributes, such as 'preconnect' or 'stylesheet'. When the page is processed, the application expects to intercept the resulting requests in its WebPage::send-request signal handler. The flaw is that this interception does not occur for these requests, so the connections proceed. A sample application that logs network traffic demonstrates the issue by showing the connections being established even though the signal handler is configured to redirect or block them.