Changeset 263313 in webkit

Timestamp:

Jun 19, 2020, 8:50:10 PM (5 years ago)

Author:

Chris Dumez

Message:

[Cocoa] Delay issuing ManagedSession & Network Extension sandbox extensions until a load is actually issued
​https://bugs.webkit.org/show_bug.cgi?id=213414
<rdar://problem/64548684>

Reviewed by Per Arne Vollan.

Source/WebCore:

setHasConsumedSandboxExtensions() can now get called several times, every time a WebPage is created.
Once a sandbox extension has been consumed, there is no going back so return early if the state is
already "Consumed".

• platform/cocoa/NetworkExtensionContentFilter.mm:

(WebCore::NetworkExtensionContentFilter::setHasConsumedSandboxExtensions):

• platform/cocoa/ParentalControlsContentFilter.mm:

(WebCore::ParentalControlsContentFilter::setHasConsumedSandboxExtension):

Source/WebKit:

Delay issuing ManagedSession & Network Extension sandbox extensions until a load is actually issued.
This is a Safari launch time optimization since the checks needed to decide whether or not to issue
the extensions are expensive and there is no reason to issue them as soon as the process launches
(especially in the case of a prewarmed process).

• Shared/Cocoa/LoadParametersCocoa.mm:

(WebKit::LoadParameters::platformEncode const):
(WebKit::LoadParameters::platformDecode):

• Shared/LoadParameters.h:
• Shared/WebProcessCreationParameters.cpp:

(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):

• Shared/WebProcessCreationParameters.h:
• UIProcess/Cocoa/WebPageProxyCocoa.mm:

(WebKit::WebPageProxy::addPlatformLoadParameters):

• UIProcess/Cocoa/WebProcessPoolCocoa.mm:

(WebKit::WebProcessPool::platformInitializeWebProcess):

• UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::addPlatformLoadParameters):
(WebKit::WebPageProxy::loadRequestWithNavigationShared):
(WebKit::WebPageProxy::loadFile):
(WebKit::WebPageProxy::loadDataWithNavigationShared):
(WebKit::WebPageProxy::loadAlternateHTML):
(WebKit::WebPageProxy::loadWebArchiveData):

• UIProcess/WebPageProxy.h:
• UIProcess/WebProcessProxy.h:

(WebKit::WebProcessProxy::hasNetworkExtensionSandboxAccess const):
(WebKit::WebProcessProxy::markHasNetworkExtensionSandboxAccess):
(WebKit::WebProcessProxy::hasManagedSessionSandboxAccess const):
(WebKit::WebProcessProxy::markHasManagedSessionSandboxAccess):

• WebProcess/WebPage/Cocoa/WebPageCocoa.mm:

(WebKit::WebPage::platformDidReceiveLoadParameters):

• WebProcess/cocoa/WebProcessCocoa.mm:

(WebKit::WebProcess::platformInitializeWebProcess):

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/platform/cocoa/NetworkExtensionContentFilter.mm (modified) (1 diff)
• WebCore/platform/cocoa/ParentalControlsContentFilter.mm (modified) (1 diff)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/Shared/Cocoa/LoadParametersCocoa.mm (modified) (1 diff)
• WebKit/Shared/LoadParameters.h (modified) (1 diff)
• WebKit/Shared/WebProcessCreationParameters.cpp (modified) (4 diffs)
• WebKit/Shared/WebProcessCreationParameters.h (modified) (2 diffs)
• WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm (modified) (3 diffs)
• WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (modified) (3 diffs)
• WebKit/UIProcess/WebPageProxy.cpp (modified) (6 diffs)
• WebKit/UIProcess/WebPageProxy.h (modified) (1 diff)
• WebKit/UIProcess/WebProcessProxy.h (modified) (2 diffs)
• WebKit/WebProcess/WebPage/Cocoa/WebPageCocoa.mm (modified) (2 diffs)
• WebKit/WebProcess/cocoa/WebProcessCocoa.mm (modified) (4 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-06-19  Chris Dumez  <cdumez@apple.com>
+
+        [Cocoa] Delay issuing ManagedSession & Network Extension sandbox extensions until a load is actually issued
+        https://bugs.webkit.org/show_bug.cgi?id=213414
+        <rdar://problem/64548684>
+
+        Reviewed by Per Arne Vollan.
+
+        setHasConsumedSandboxExtensions() can now get called several times, every time a WebPage is created.
+        Once a sandbox extension has been consumed, there is no going back so return early if the state is
+        already "Consumed".
+
+        * platform/cocoa/NetworkExtensionContentFilter.mm:
+        (WebCore::NetworkExtensionContentFilter::setHasConsumedSandboxExtensions):
+        * platform/cocoa/ParentalControlsContentFilter.mm:
+        (WebCore::ParentalControlsContentFilter::setHasConsumedSandboxExtension):
+
 2020-06-19  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.mm

@@ -229 +229 @@
 void NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(bool hasConsumedSandboxExtensions)
 {
+    if (m_sandboxExtensionsState == SandboxExtensionsState::Consumed)
+        return;
+
     m_sandboxExtensionsState = (hasConsumedSandboxExtensions ? SandboxExtensionsState::Consumed : SandboxExtensionsState::NotConsumed);
 }

trunk/Source/WebCore/platform/cocoa/ParentalControlsContentFilter.mm

@@ -151 +151 @@
 void ParentalControlsContentFilter::setHasConsumedSandboxExtension(bool hasConsumedSandboxExtension)
 {
+    if (m_sandboxExtensionState == SandboxExtensionState::Consumed)
+        return;
+
     m_sandboxExtensionState = (hasConsumedSandboxExtension ? SandboxExtensionState::Consumed : SandboxExtensionState::NotConsumed);
 }

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-06-19  Chris Dumez  <cdumez@apple.com>
+
+        [Cocoa] Delay issuing ManagedSession & Network Extension sandbox extensions until a load is actually issued
+        https://bugs.webkit.org/show_bug.cgi?id=213414
+        <rdar://problem/64548684>
+
+        Reviewed by Per Arne Vollan.
+
+        Delay issuing ManagedSession & Network Extension sandbox extensions until a load is actually issued.
+        This is a Safari launch time optimization since the checks needed to decide whether or not to issue
+        the extensions are expensive and there is no reason to issue them as soon as the process launches
+        (especially in the case of a prewarmed process).
+
+        * Shared/Cocoa/LoadParametersCocoa.mm:
+        (WebKit::LoadParameters::platformEncode const):
+        (WebKit::LoadParameters::platformDecode):
+        * Shared/LoadParameters.h:
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const):
+        (WebKit::WebProcessCreationParameters::decode):
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebPageProxyCocoa.mm:
+        (WebKit::WebPageProxy::addPlatformLoadParameters):
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::addPlatformLoadParameters):
+        (WebKit::WebPageProxy::loadRequestWithNavigationShared):
+        (WebKit::WebPageProxy::loadFile):
+        (WebKit::WebPageProxy::loadDataWithNavigationShared):
+        (WebKit::WebPageProxy::loadAlternateHTML):
+        (WebKit::WebPageProxy::loadWebArchiveData):
+        * UIProcess/WebPageProxy.h:
+        * UIProcess/WebProcessProxy.h:
+        (WebKit::WebProcessProxy::hasNetworkExtensionSandboxAccess const):
+        (WebKit::WebProcessProxy::markHasNetworkExtensionSandboxAccess):
+        (WebKit::WebProcessProxy::hasManagedSessionSandboxAccess const):
+        (WebKit::WebProcessProxy::markHasManagedSessionSandboxAccess):
+        * WebProcess/WebPage/Cocoa/WebPageCocoa.mm:
+        (WebKit::WebPage::platformDidReceiveLoadParameters):
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess):
+
 2020-06-19  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebKit/Shared/Cocoa/LoadParametersCocoa.mm

@@ -37 +37 @@
 {
     IPC::encode(encoder, dataDetectionContext.get());
+
+    encoder << neHelperExtensionHandle;
+    encoder << neSessionManagerExtensionHandle;
+#if PLATFORM(IOS)
+    encoder << contentFilterExtensionHandle;
+    encoder << frontboardServiceExtensionHandle;
+#endif
 }
 
-bool LoadParameters::platformDecode(IPC::Decoder& decoder, LoadParameters& data)
+bool LoadParameters::platformDecode(IPC::Decoder& decoder, LoadParameters& parameters)
 {
-    if (!IPC::decode(decoder, data.dataDetectionContext))
+    if (!IPC::decode(decoder, parameters.dataDetectionContext))
         return false;
+
+    Optional<Optional<SandboxExtension::Handle>> neHelperExtensionHandle;
+    decoder >> neHelperExtensionHandle;
+    if (!neHelperExtensionHandle)
+        return false;
+    parameters.neHelperExtensionHandle = WTFMove(*neHelperExtensionHandle);
+
+    Optional<Optional<SandboxExtension::Handle>> neSessionManagerExtensionHandle;
+    decoder >> neSessionManagerExtensionHandle;
+    if (!neSessionManagerExtensionHandle)
+        return false;
+    parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
+
+#if PLATFORM(IOS)
+    Optional<Optional<SandboxExtension::Handle>> contentFilterExtensionHandle;
+    decoder >> contentFilterExtensionHandle;
+    if (!contentFilterExtensionHandle)
+        return false;
+    parameters.contentFilterExtensionHandle = WTFMove(*contentFilterExtensionHandle);
+
+    Optional<Optional<SandboxExtension::Handle>> frontboardServiceExtensionHandle;
+    decoder >> frontboardServiceExtensionHandle;
+    if (!frontboardServiceExtensionHandle)
+        return false;
+    parameters.frontboardServiceExtensionHandle = WTFMove(*frontboardServiceExtensionHandle);
+#endif
 
     return true;

trunk/Source/WebKit/Shared/LoadParameters.h

@@ -75 +75 @@
 #if PLATFORM(COCOA)
     RetainPtr<NSDictionary> dataDetectionContext;
+    Optional<SandboxExtension::Handle> neHelperExtensionHandle;
+    Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+#endif
+#if PLATFORM(IOS)
+    Optional<SandboxExtension::Handle> contentFilterExtensionHandle;
+    Optional<SandboxExtension::Handle> frontboardServiceExtensionHandle;
 #endif
 };

trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp

@@ -158 +158 @@
 #if PLATFORM(IOS)
     encoder << compilerServiceExtensionHandle;
-    encoder << contentFilterExtensionHandle;
-    encoder << frontboardServiceExtensionHandle;
 #endif
 
@@ -169 +167 @@
 
 #if PLATFORM(COCOA)
-    encoder << neHelperExtensionHandle;
-    encoder << neSessionManagerExtensionHandle;
     encoder << mapDBExtensionHandle;
     encoder << systemHasBattery;
@@ -422 +418 @@
         return false;
     parameters.compilerServiceExtensionHandle = WTFMove(*compilerServiceExtensionHandle);
-
-    Optional<Optional<SandboxExtension::Handle>> contentFilterExtensionHandle;
-    decoder >> contentFilterExtensionHandle;
-    if (!contentFilterExtensionHandle)
-        return false;
-    parameters.contentFilterExtensionHandle = WTFMove(*contentFilterExtensionHandle);
-
-    Optional<Optional<SandboxExtension::Handle>> frontboardServiceExtensionHandle;
-    decoder >> frontboardServiceExtensionHandle;
-    if (!frontboardServiceExtensionHandle)
-        return false;
-    parameters.frontboardServiceExtensionHandle = WTFMove(*frontboardServiceExtensionHandle);
 #endif
 
@@ -457 +441 @@
 
 #if PLATFORM(COCOA)
-    Optional<Optional<SandboxExtension::Handle>> neHelperExtensionHandle;
-    decoder >> neHelperExtensionHandle;
-    if (!neHelperExtensionHandle)
-        return false;
-    parameters.neHelperExtensionHandle = WTFMove(*neHelperExtensionHandle);
-
-    Optional<Optional<SandboxExtension::Handle>> neSessionManagerExtensionHandle;
-    decoder >> neSessionManagerExtensionHandle;
-    if (!neSessionManagerExtensionHandle)
-        return false;
-    parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
-
     Optional<Optional<SandboxExtension::Handle>> mapDBExtensionHandle;
     decoder >> mapDBExtensionHandle;

trunk/Source/WebKit/Shared/WebProcessCreationParameters.h

@@ -202 +202 @@
 #if PLATFORM(IOS)
     Optional<SandboxExtension::Handle> compilerServiceExtensionHandle;
-    Optional<SandboxExtension::Handle> contentFilterExtensionHandle;
-    Optional<SandboxExtension::Handle> frontboardServiceExtensionHandle;
 #endif
 
@@ -213 +211 @@
 
 #if PLATFORM(COCOA)
-    Optional<SandboxExtension::Handle> neHelperExtensionHandle;
-    Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
     Optional<SandboxExtension::Handle> mapDBExtensionHandle;
     bool systemHasBattery { false };

trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm

@@ -48 +48 @@
 #import <WebCore/TextAlternativeWithRange.h>
 #import <WebCore/ValidationBubble.h>
+#import <pal/spi/cocoa/NEFilterSourceSPI.h>
 #import <wtf/BlockPtr.h>
+#import <wtf/SoftLinking.h>
 #import <wtf/cf/TypeCastsCF.h>
 
@@ -54 +56 @@
 #import "MediaUsageManagerCocoa.h"
 #endif
+
+#if PLATFORM(IOS)
+#import <pal/spi/cocoa/WebFilterEvaluatorSPI.h>
+
+SOFT_LINK_PRIVATE_FRAMEWORK(WebContentAnalysis);
+SOFT_LINK_CLASS(WebContentAnalysis, WebFilterEvaluator);
+#endif
+
+SOFT_LINK_FRAMEWORK_OPTIONAL(NetworkExtension);
+SOFT_LINK_CLASS_OPTIONAL(NetworkExtension, NEFilterSource);
 
 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
@@ -130 +142 @@
 #endif
 
-void WebPageProxy::addPlatformLoadParameters(LoadParameters& loadParameters)
+void WebPageProxy::addPlatformLoadParameters(WebProcessProxy& process, LoadParameters& loadParameters)
 {
     loadParameters.dataDetectionContext = m_uiClient->dataDetectionContext();
+
+    if (!process.hasNetworkExtensionSandboxAccess() && [getNEFilterSourceClass() filterRequired]) {
+        SandboxExtension::Handle helperHandle;
+        SandboxExtension::createHandleForMachLookup("com.apple.nehelper"_s, WTF::nullopt, helperHandle);
+        loadParameters.neHelperExtensionHandle = WTFMove(helperHandle);
+        SandboxExtension::Handle managerHandle;
+#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101500
+        SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager"_s, WTF::nullopt, managerHandle);
+#else
+        SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager.content-filter"_s, WTF::nullopt, managerHandle);
+#endif
+        loadParameters.neSessionManagerExtensionHandle = WTFMove(managerHandle);
+
+        process.markHasNetworkExtensionSandboxAccess();
+    }
+
+#if PLATFORM(IOS)
+    if (!process.hasManagedSessionSandboxAccess() && [getWebFilterEvaluatorClass() isManagedSession]) {
+        SandboxExtension::Handle handle;
+        SandboxExtension::createHandleForMachLookup("com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI"_s, WTF::nullopt, handle);
+        loadParameters.contentFilterExtensionHandle = WTFMove(handle);
+
+        SandboxExtension::Handle frontboardServiceExtensionHandle;
+        if (SandboxExtension::createHandleForMachLookup("com.apple.frontboard.systemappservices"_s, WTF::nullopt, frontboardServiceExtensionHandle))
+            loadParameters.frontboardServiceExtensionHandle = WTFMove(frontboardServiceExtensionHandle);
+
+        process.markHasManagedSessionSandboxAccess();
+    }
+#endif
 }
 

trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm

@@ -80 +80 @@
 #else
 #import "UIKitSPI.h"
-#import <pal/ios/ManagedConfigurationSoftLink.h>
-#import <pal/spi/ios/ManagedConfigurationSPI.h>
 #endif
 
 #if PLATFORM(IOS_FAMILY)
 #import <pal/spi/ios/MobileGestaltSPI.h>
-#endif
-
-#if PLATFORM(IOS)
-#import <pal/spi/cocoa/WebFilterEvaluatorSPI.h>
-
-SOFT_LINK_PRIVATE_FRAMEWORK(WebContentAnalysis);
-SOFT_LINK_CLASS(WebContentAnalysis, WebFilterEvaluator);
 #endif
 
 #if PLATFORM(COCOA)
 #import <WebCore/SystemBattery.h>
-#import <pal/spi/cocoa/NEFilterSourceSPI.h>
-
-SOFT_LINK_FRAMEWORK_OPTIONAL(NetworkExtension);
-SOFT_LINK_CLASS_OPTIONAL(NetworkExtension, NEFilterSource);
 #endif
 
@@ -409 +396 @@
     
 #if PLATFORM(COCOA)
-    if ([getNEFilterSourceClass() filterRequired]) {
-        SandboxExtension::Handle helperHandle;
-        SandboxExtension::createHandleForMachLookup("com.apple.nehelper"_s, WTF::nullopt, helperHandle);
-        parameters.neHelperExtensionHandle = WTFMove(helperHandle);
-        SandboxExtension::Handle managerHandle;
-#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101500
-        SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager"_s, WTF::nullopt, managerHandle);
-#else
-        SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager.content-filter"_s, WTF::nullopt, managerHandle);
-#endif
-        parameters.neSessionManagerExtensionHandle = WTFMove(managerHandle);
-    }
     parameters.systemHasBattery = systemHasBattery();
 
@@ -426 +401 @@
     if (SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb"_s, WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport))
         parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
-#endif
-    
-#if PLATFORM(IOS)
-    if ([getWebFilterEvaluatorClass() isManagedSession]) {
-        SandboxExtension::Handle handle;
-        SandboxExtension::createHandleForMachLookup("com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI"_s, WTF::nullopt, handle);
-        parameters.contentFilterExtensionHandle = WTFMove(handle);
-
-        SandboxExtension::Handle frontboardServiceExtensionHandle;
-        if (SandboxExtension::createHandleForMachLookup("com.apple.frontboard.systemappservices"_s, WTF::nullopt, frontboardServiceExtensionHandle))
-            parameters.frontboardServiceExtensionHandle = WTFMove(frontboardServiceExtensionHandle);
-    }
 #endif
 

trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -1267 +1267 @@
 
 #if !PLATFORM(COCOA)
-void WebPageProxy::addPlatformLoadParameters(LoadParameters&)
+void WebPageProxy::addPlatformLoadParameters(WebProcessProxy&, LoadParameters&)
 {
 }
@@ -1324 +1324 @@
     maybeInitializeSandboxExtensionHandle(process, url, m_pageLoadState.resourceDirectoryURL(), loadParameters.sandboxExtensionHandle);
 
-    addPlatformLoadParameters(loadParameters);
+    addPlatformLoadParameters(process, loadParameters);
 
     preconnectTo(url);
@@ -1386 +1386 @@
     const bool checkAssumedReadAccessToResourceURL = false;
     maybeInitializeSandboxExtensionHandle(m_process, fileURL, resourceDirectoryURL, loadParameters.sandboxExtensionHandle, checkAssumedReadAccessToResourceURL);
-    addPlatformLoadParameters(loadParameters);
+    addPlatformLoadParameters(m_process, loadParameters);
 
 #if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
@@ -1446 +1446 @@
     loadParameters.shouldOpenExternalURLsPolicy = shouldOpenExternalURLsPolicy;
     loadParameters.isNavigatingToAppBoundDomain = isNavigatingToAppBoundDomain;
-    addPlatformLoadParameters(loadParameters);
+    addPlatformLoadParameters(process, loadParameters);
 
     process->assumeReadAccessToBaseURL(*this, baseURL);
@@ -1488 +1488 @@
     loadParameters.provisionalLoadErrorURLString = m_failingProvisionalLoadURL;
     loadParameters.userData = UserData(process().transformObjectsToHandles(userData).get());
-    addPlatformLoadParameters(loadParameters);
+    addPlatformLoadParameters(process(), loadParameters);
 
     m_process->assumeReadAccessToBaseURL(*this, baseURL.string());
@@ -1517 +1517 @@
     loadParameters.encodingName = "utf-16"_s;
     loadParameters.userData = UserData(process().transformObjectsToHandles(userData).get());
-    addPlatformLoadParameters(loadParameters);
+    addPlatformLoadParameters(process(), loadParameters);
 
     send(Messages::WebPage::LoadData(loadParameters));

trunk/Source/WebKit/UIProcess/WebPageProxy.h

@@ -604 +604 @@
     void closePage();
 
-    void addPlatformLoadParameters(LoadParameters&);
+    void addPlatformLoadParameters(WebProcessProxy&, LoadParameters&);
     RefPtr<API::Navigation> loadRequest(WebCore::ResourceRequest&&, WebCore::ShouldOpenExternalURLsPolicy = WebCore::ShouldOpenExternalURLsPolicy::ShouldAllowExternalSchemes, API::Object* userData = nullptr);
     RefPtr<API::Navigation> loadFile(const String& fileURL, const String& resourceDirectoryURL, API::Object* userData = nullptr);

trunk/Source/WebKit/UIProcess/WebProcessProxy.h

@@ -389 +389 @@
     bool hasSleepDisabler() const;
 
+#if PLATFORM(COCOA)
+    bool hasNetworkExtensionSandboxAccess() const { return m_hasNetworkExtensionSandboxAccess; }
+    void markHasNetworkExtensionSandboxAccess() { m_hasNetworkExtensionSandboxAccess = true; }
+#endif
+#if PLATFORM(IOS)
+    bool hasManagedSessionSandboxAccess() const { return m_hasManagedSessionSandboxAccess; }
+    void markHasManagedSessionSandboxAccess() { m_hasManagedSessionSandboxAccess = true; }
+#endif
+
 protected:
     WebProcessProxy(WebProcessPool&, WebsiteDataStore*, IsPrewarmed);
@@ -579 +588 @@
     bool m_hasIssuedAttachmentElementRelatedSandboxExtensions { false };
 #endif
+#if PLATFORM(COCOA)
+    bool m_hasNetworkExtensionSandboxAccess { false };
+#endif
+#if PLATFORM(IOS)
+    bool m_hasManagedSessionSandboxAccess { false };
+#endif
     Optional<UseLazyStop> m_shouldStartResponsivenessTimerWhenLaunched;
 

trunk/Source/WebKit/WebProcess/WebPage/Cocoa/WebPageCocoa.mm

@@ -46 +46 @@
 #import <WebCore/HTMLUListElement.h>
 #import <WebCore/HitTestResult.h>
+#import <WebCore/NetworkExtensionContentFilter.h>
 #import <WebCore/NodeRenderStyle.h>
 #import <WebCore/PaymentCoordinator.h>
@@ -52 +53 @@
 #import <WebCore/RenderElement.h>
 
+#if PLATFORM(IOS)
+#import <WebCore/ParentalControlsContentFilter.h>
+#endif
+
 #if PLATFORM(COCOA)
 
 namespace WebKit {
 
-void WebPage::platformDidReceiveLoadParameters(const LoadParameters& loadParameters)
-{
-    m_dataDetectionContext = loadParameters.dataDetectionContext;
+void WebPage::platformDidReceiveLoadParameters(const LoadParameters& parameters)
+{
+    m_dataDetectionContext = parameters.dataDetectionContext;
+
+    if (parameters.neHelperExtensionHandle)
+        SandboxExtension::consumePermanently(*parameters.neHelperExtensionHandle);
+    if (parameters.neSessionManagerExtensionHandle)
+        SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
+    NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
+
+#if PLATFORM(IOS)
+    if (parameters.contentFilterExtensionHandle)
+        SandboxExtension::consumePermanently(*parameters.contentFilterExtensionHandle);
+    ParentalControlsContentFilter::setHasConsumedSandboxExtension(parameters.contentFilterExtensionHandle.hasValue());
+
+    if (parameters.frontboardServiceExtensionHandle)
+        SandboxExtension::consumePermanently(*parameters.frontboardServiceExtensionHandle);
+#endif
 }
 

trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm

@@ -64 +64 @@
 #import <WebCore/MemoryRelease.h>
 #import <WebCore/NSScrollerImpDetails.h>
-#import <WebCore/NetworkExtensionContentFilter.h>
 #import <WebCore/PerformanceLogging.h>
 #import <WebCore/PictureInPictureSupport.h>
@@ -95 +94 @@
 #endif
 
-#if PLATFORM(IOS)
-#import <WebCore/ParentalControlsContentFilter.h>
-#endif
-
 #if PLATFORM(IOS_FAMILY)
 #import "UIKitSPI.h"
@@ -273 +268 @@
     if (parameters.compilerServiceExtensionHandle)
         SandboxExtension::consumePermanently(*parameters.compilerServiceExtensionHandle);
-
-    if (parameters.contentFilterExtensionHandle)
-        SandboxExtension::consumePermanently(*parameters.contentFilterExtensionHandle);
-    ParentalControlsContentFilter::setHasConsumedSandboxExtension(parameters.contentFilterExtensionHandle.hasValue());
-
-    if (parameters.frontboardServiceExtensionHandle)
-        SandboxExtension::consumePermanently(*parameters.frontboardServiceExtensionHandle);
 #endif
 
@@ -288 +276 @@
 #endif
     
-    if (parameters.neHelperExtensionHandle)
-        SandboxExtension::consumePermanently(*parameters.neHelperExtensionHandle);
-    if (parameters.neSessionManagerExtensionHandle)
-        SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
-    NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
-
     setSystemHasBattery(parameters.systemHasBattery);