diff -Nru webkit2gtk-2.18.5/debian/changelog webkit2gtk-2.18.6/debian/changelog --- webkit2gtk-2.18.5/debian/changelog 2018-01-10 16:50:05.000000000 +0000 +++ webkit2gtk-2.18.6/debian/changelog 2018-01-29 20:44:08.000000000 +0000 @@ -1,3 +1,11 @@ +webkit2gtk (2.18.6-0ubuntu0.16.04.1) xenial-security; urgency=medium + + * Updated to 2.18.6 to fix multiple security issues. + - CVE-2017-7153, CVE-2017-7160, CVE-2017-7161, CVE-2017-7165, + CVE-2017-13884, CVE-2017-13885, CVE-2018-4088, CVE-2018-4096 + + -- Chris Coulson Mon, 29 Jan 2018 20:44:08 +0000 + webkit2gtk (2.18.5-0ubuntu0.16.04.1) xenial-security; urgency=medium * Updated to 2.18.5 to add Spectre mitigations. diff -Nru webkit2gtk-2.18.5/Documentation/webkit2gtk-4.0/html/index.html webkit2gtk-2.18.6/Documentation/webkit2gtk-4.0/html/index.html --- webkit2gtk-2.18.5/Documentation/webkit2gtk-4.0/html/index.html 2018-01-10 10:01:11.000000000 +0000 +++ webkit2gtk-2.18.6/Documentation/webkit2gtk-4.0/html/index.html 2018-01-24 10:24:16.000000000 +0000 @@ -14,7 +14,7 @@
-

for WebKit2GTK+ 2.18.5

+

for WebKit2GTK+ 2.18.6


diff -Nru webkit2gtk-2.18.5/Documentation/webkit2gtk-4.0/html/webkit2gtk-4.0-WebKitVersion.html webkit2gtk-2.18.6/Documentation/webkit2gtk-4.0/html/webkit2gtk-4.0-WebKitVersion.html --- webkit2gtk-2.18.5/Documentation/webkit2gtk-4.0/html/webkit2gtk-4.0-WebKitVersion.html 2018-01-10 10:01:11.000000000 +0000 +++ webkit2gtk-2.18.6/Documentation/webkit2gtk-4.0/html/webkit2gtk-4.0-WebKitVersion.html 2018-01-24 10:24:16.000000000 +0000 @@ -213,7 +213,7 @@

WEBKIT_MICRO_VERSION

-
#define WEBKIT_MICRO_VERSION (5)
+
#define WEBKIT_MICRO_VERSION (6)
 

Like webkit_get_micro_version(), but from the headers used at application compile time, rather than from the library linked diff -Nru webkit2gtk-2.18.5/Documentation/webkitdomgtk-4.0/html/index.html webkit2gtk-2.18.6/Documentation/webkitdomgtk-4.0/html/index.html --- webkit2gtk-2.18.5/Documentation/webkitdomgtk-4.0/html/index.html 2018-01-10 10:00:47.000000000 +0000 +++ webkit2gtk-2.18.6/Documentation/webkitdomgtk-4.0/html/index.html 2018-01-24 10:23:54.000000000 +0000 @@ -14,7 +14,7 @@

-

for WebKitDOMGTK+ 2.18.5

+

for WebKitDOMGTK+ 2.18.6


diff -Nru webkit2gtk-2.18.5/NEWS webkit2gtk-2.18.6/NEWS --- webkit2gtk-2.18.5/NEWS 2018-01-10 09:57:17.000000000 +0000 +++ webkit2gtk-2.18.6/NEWS 2018-01-24 10:23:11.000000000 +0000 @@ -1,8 +1,19 @@ ================== +WebKitGTK+ 2.18.6 +================== + +What's new in WebKitGTK+ 2.18.6? + + - Fix deadlock in GStreamer video sink during shutdown when accelerated compositing is disabled. + - Several fixes and improvements in WebDriver. + - Security fixes: CVE-2018-4088, CVE-2017-13885, CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, + CVE-2017-7153, CVE-2017-7153, CVE-2017-7161, CVE-2018-4096. + +================== WebKitGTK+ 2.18.5 ================== -What's new in WebKitGTK+ 2.18.4? +What's new in WebKitGTK+ 2.18.5? - Disable SharedArrayBuffers from Web API. - Reduce the precision of "high" resolution time to 1ms. diff -Nru webkit2gtk-2.18.5/Source/cmake/OptionsGTK.cmake webkit2gtk-2.18.6/Source/cmake/OptionsGTK.cmake --- webkit2gtk-2.18.5/Source/cmake/OptionsGTK.cmake 2018-01-10 09:47:18.000000000 +0000 +++ webkit2gtk-2.18.6/Source/cmake/OptionsGTK.cmake 2018-01-24 10:18:11.000000000 +0000 
@@ -1,11 +1,11 @@ include(GNUInstallDirs) include(VersioningUtils) -SET_PROJECT_VERSION(2 18 5) +SET_PROJECT_VERSION(2 18 6) set(WEBKITGTK_API_VERSION 4.0) -CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(WEBKIT2 61 8 24) -CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(JAVASCRIPTCORE 24 14 6) +CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(WEBKIT2 61 9 24) +CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(JAVASCRIPTCORE 24 15 6) # These are shared variables, but we special case their definition so that we can use the # CMAKE_INSTALL_* variables that are populated by the GNUInstallDirs macro. diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/bytecode/AccessCase.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/bytecode/AccessCase.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/bytecode/AccessCase.cpp 2017-08-09 09:13:40.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/bytecode/AccessCase.cpp 2018-01-24 08:43:28.000000000 +0000 @@ -945,7 +945,9 @@ state.emitExplicitExceptionHandler(); noException.link(&jit); - state.restoreLiveRegistersFromStackForCall(spillState); + RegisterSet resultRegisterToExclude; + resultRegisterToExclude.set(scratchGPR); + state.restoreLiveRegistersFromStackForCall(spillState, resultRegisterToExclude); } } diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h --- webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2017-12-19 07:23:07.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2018-01-24 08:44:40.000000000 +0000 @@ -563,6 +563,14 @@ setConstant(node, jsNumber(clz32(value))); break; } + switch (node->child1().useKind()) { + case Int32Use: + case KnownInt32Use: + break; + default: + clobberWorld(node->origin.semantic, clobberLimit); + break; + } forNode(node).setType(SpecInt32Only); break; } 
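Review bot: The reason `scratchGPR` must be kept out of `restoreLiveRegistersFromStackForCall` is not stated anywhere near the new `RegisterSet`, and this stub-generation code is hard enough to follow that a reader will assume the exclusion is an oversight. The surrounding code (outside this hunk) presumably leaves a value produced by the call in `scratchGPR`; if so, say it: `// scratchGPR is live across the restore (it carries the call's result); exclude it so the reload does not clobber it.` Confirm that claim against the lines above the hunk before committing the wording.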
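Review bot: The new `clobberWorld` for the non-Int32 use kinds of the clz32 node has no comment, and the enclosing `case` label is outside this hunk, so the reader cannot tell which effect is being modelled. A use kind other than `Int32Use`/`KnownInt32Use` presumably goes through a ToNumber conversion that can run user JS (valueOf/toString), which is why the abstract heap must be invalidated; suggest `// Non-Int32 operands are converted via ToNumber, which may run arbitrary JS: treat it as clobbering the world.` Other `Arith*` nodes that accept untyped operands and only call `setType` here may deserve the same audit.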
@@ -2101,8 +2109,13 @@ break; case NewFunction: - forNode(node).set( - m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->functionStructure()); + if (node->castOperand()->isStrictMode()) { + forNode(node).set( + m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->strictFunctionStructure()); + } else { + forNode(node).set( + m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->sloppyFunctionStructure()); + } break; case GetCallee: @@ -2854,10 +2867,12 @@ } case HasGenericProperty: { forNode(node).setType(SpecBoolean); + clobberWorld(node->origin.semantic, clobberLimit); break; } case HasStructureProperty: { forNode(node).setType(SpecBoolean); + clobberWorld(node->origin.semantic, clobberLimit); break; } case HasIndexedProperty: { @@ -2884,6 +2899,7 @@ } case GetPropertyEnumerator: { forNode(node).setType(m_graph, SpecCell); + clobberWorld(node->origin.semantic, clobberLimit); break; } case GetEnumeratorStructurePname: { diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2017-08-09 09:13:41.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2018-01-24 08:37:52.000000000 +0000 
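Review bot: In the `NewFunction` case both branches repeat `m_codeBlock->globalObjectFor(node->origin.semantic)`; hoist it and select the structure once: `JSGlobalObject* globalObject = m_codeBlock->globalObjectFor(node->origin.semantic);` / `Structure* structure = node->castOperand<FunctionExecutable*>()->isStrictMode() ? globalObject->strictFunctionStructure() : globalObject->sloppyFunctionStructure();` / `forNode(node).set(m_graph, structure);`. The template argument of `castOperand` appears stripped in this rendering of the hunk.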
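Review bot: `HasGenericProperty`, `HasStructureProperty` and `GetPropertyEnumerator` now call `clobberWorld` right after `setType`, with nothing saying which side effect is being modelled, so a later reader may take the call for a copy-paste artefact. These operations can presumably reach user code (Proxy traps or getters — confirm against the runtime slow paths), which is why nothing in the abstract heap may be assumed to survive; one comment at the first site suffices: `// Property enumeration can invoke arbitrary JS (e.g. Proxy traps); nothing in the heap survives.`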
@@ -4993,6 +4993,13 @@ JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsTagGPR, argumentsPayloadGPR); m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR); + + speculationCheck( + VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32( + MacroAssembler::Above, + GPRInfo::returnValueGPR, + argCountIncludingThisGPR)); + speculationCheck( VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32( MacroAssembler::Above, diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2017-08-09 09:13:41.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2018-01-24 08:37:52.000000000 +0000 @@ -5401,6 +5401,13 @@ JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsGPR); m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR); + + speculationCheck( + VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32( + MacroAssembler::Above, + GPRInfo::returnValueGPR, + argCountIncludingThisGPR)); + speculationCheck( VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32( MacroAssembler::Above, diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2017-12-19 07:23:07.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2018-01-24 08:47:48.000000000 +0000 
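Review bot: The new `VarargsOverflow` check compares `GPRInfo::returnValueGPR` with `argCountIncludingThisGPR` straight after `add32(TrustedImm32(1), ...)`, i.e. it catches the 32-bit wrap of `length + 1`, but nothing says so, and the identical unexplained block is repeated in the `DFGSpeculativeJIT64.cpp` hunk on this line and in `FTLLowerDFGToB3.cpp @@ -7253`. A wrapped count would be small and sail past the existing `Above ... limit` check that follows, which is exactly what the new branch prevents; suggest `// length + 1 can wrap to 0 for a maximal 32-bit length; a wrapped count would pass the limit check below.` before each of the three. The enclosing functions start and end outside these hunks.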
@@ -6487,9 +6487,20 @@ } RegisteredStructure structure = m_jit.graph().registerStructure( - nodeType == NewGeneratorFunction ? m_jit.graph().globalObjectFor(node->origin.semantic)->generatorFunctionStructure() : - nodeType == NewAsyncFunction ? m_jit.graph().globalObjectFor(node->origin.semantic)->asyncFunctionStructure() : - m_jit.graph().globalObjectFor(node->origin.semantic)->functionStructure()); + [&] () { + switch (nodeType) { + case NewGeneratorFunction: + return m_jit.graph().globalObjectFor(node->origin.semantic)->generatorFunctionStructure(); + case NewAsyncFunction: + return m_jit.graph().globalObjectFor(node->origin.semantic)->asyncFunctionStructure(); + case NewFunction: + if (node->castOperand()->isStrictMode()) + return m_jit.graph().globalObjectFor(node->origin.semantic)->strictFunctionStructure(); + return m_jit.graph().globalObjectFor(node->origin.semantic)->sloppyFunctionStructure(); + default: + RELEASE_ASSERT_NOT_REACHED(); + } + }()); GPRTemporary result(this); GPRTemporary scratch1(this); diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2017-12-19 07:23:07.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2018-01-24 08:48:35.000000000 +0000 
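Review bot: The new immediately-invoked lambda repeats `m_jit.graph().globalObjectFor(node->origin.semantic)` in every `switch` arm; hoist `JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);` above the `registerStructure` call and return `globalObject->...Structure()` from each arm. The FTL counterpart in `FTLLowerDFGToB3.cpp @@ -4340` has the same shape and additionally an unreachable `break;` after the `return` in its `NewFunction` arm, which should be dropped. The enclosing function starts outside this hunk.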
@@ -4340,10 +4340,23 @@ return; } + RegisteredStructure structure = m_graph.registerStructure( - isGeneratorFunction ? m_graph.globalObjectFor(m_node->origin.semantic)->generatorFunctionStructure() : - isAsyncFunction ? m_graph.globalObjectFor(m_node->origin.semantic)->asyncFunctionStructure() : - m_graph.globalObjectFor(m_node->origin.semantic)->functionStructure()); + [&] () { + switch (m_node->op()) { + case NewGeneratorFunction: + return m_graph.globalObjectFor(m_node->origin.semantic)->generatorFunctionStructure(); + case NewAsyncFunction: + return m_graph.globalObjectFor(m_node->origin.semantic)->asyncFunctionStructure(); + case NewFunction: + if (m_node->castOperand()->isStrictMode()) + return m_graph.globalObjectFor(m_node->origin.semantic)->strictFunctionStructure(); + return m_graph.globalObjectFor(m_node->origin.semantic)->sloppyFunctionStructure(); + break; + default: + RELEASE_ASSERT_NOT_REACHED(); + } + }()); LBasicBlock slowPath = m_out.newBlock(); LBasicBlock continuation = m_out.newBlock(); @@ -7253,6 +7266,11 @@ // https://bugs.webkit.org/show_bug.cgi?id=141448 LValue lengthIncludingThis = m_out.add(length, m_out.int32One); + + speculate( + VarargsOverflow, noValue(), nullptr, + m_out.above(length, lengthIncludingThis)); + speculate( VarargsOverflow, noValue(), nullptr, m_out.above(lengthIncludingThis, m_out.constInt32(data->limit))); diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/FunctionConstructor.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/FunctionConstructor.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/FunctionConstructor.cpp 2017-12-19 07:23:07.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/FunctionConstructor.cpp 2018-01-24 08:54:09.000000000 +0000 
@@ -95,18 +95,14 @@ auto scope = DECLARE_THROW_SCOPE(vm); const char* prefix = nullptr; - Structure* structure = nullptr; switch (functionConstructionMode) { case FunctionConstructionMode::Function: - structure = globalObject->functionStructure(); prefix = "function "; break; case FunctionConstructionMode::Generator: - structure = globalObject->generatorFunctionStructure(); prefix = "function *"; break; case FunctionConstructionMode::Async: - structure = globalObject->asyncFunctionStructure(); prefix = "async function "; break; } @@ -184,6 +180,22 @@ return throwException(exec, scope, exception); } + Structure* structure = nullptr; + switch (functionConstructionMode) { + case FunctionConstructionMode::Function: + if (function->isStrictMode()) + structure = globalObject->strictFunctionStructure(); + else + structure = globalObject->sloppyFunctionStructure(); + break; + case FunctionConstructionMode::Generator: + structure = globalObject->generatorFunctionStructure(); + break; + case FunctionConstructionMode::Async: + structure = globalObject->asyncFunctionStructure(); + break; + } + Structure* subclassStructure = InternalFunction::createSubclassStructure(exec, newTarget, structure); RETURN_IF_EXCEPTION(scope, nullptr); diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSFunction.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSFunction.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSFunction.cpp 2017-12-19 07:23:07.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSFunction.cpp 2018-01-24 08:44:40.000000000 +0000 
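Review bot: The second `switch (functionConstructionMode)` leaves `structure` as `nullptr` when no case matches and the value then flows into `InternalFunction::createSubclassStructure(exec, newTarget, structure)`; the enum is presumably exhaustive today, but an `ASSERT(structure);` after the switch — or a `default: RELEASE_ASSERT_NOT_REACHED();` arm matching the DFG/FTL hunks in this patch — records that assumption. The motivation for moving the selection below the parse also deserves a line at the new switch: `// Strictness is only known once the source has been parsed, so the structure is chosen here rather than with the prefix above.` The enclosing function starts and ends outside the hunk.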
@@ -65,7 +65,8 @@ JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope) { - return create(vm, executable, scope, scope->globalObject(vm)->functionStructure()); + Structure* structure = executable->isStrictMode() ? scope->globalObject(vm)->strictFunctionStructure() : scope->globalObject(vm)->sloppyFunctionStructure(); + return create(vm, executable, scope, structure); } JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure) @@ -78,7 +79,8 @@ JSFunction* JSFunction::create(VM& vm, JSGlobalObject* globalObject, int length, const String& name, NativeFunction nativeFunction, Intrinsic intrinsic, NativeFunction nativeConstructor, const DOMJIT::Signature* signature) { NativeExecutable* executable = vm.getHostFunction(nativeFunction, intrinsic, nativeConstructor, signature, name); - JSFunction* function = new (NotNull, allocateCell(vm.heap)) JSFunction(vm, globalObject, globalObject->functionStructure()); + Structure* structure = globalObject->strictFunctionStructure(); + JSFunction* function = new (NotNull, allocateCell(vm.heap)) JSFunction(vm, globalObject, structure); // Can't do this during initialization because getHostFunction might do a GC allocation. function->finishCreation(vm, executable, length, name); return function; diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSFunctionInlines.h webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSFunctionInlines.h --- webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSFunctionInlines.h 2017-12-19 07:23:07.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSFunctionInlines.h 2018-01-24 08:44:39.000000000 +0000 
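Review bot: The second hunk gives every host function the strict structure without saying why, whereas the first hunk and `JSFunctionInlines.h @@ -35` choose by `executable->isStrictMode()`; presumably host functions never carry the sloppy-mode `arguments`/`caller` behaviour, and that should be written down: `// Host functions behave like strict functions, so they always take the strict structure.` The strict/sloppy ternary is now spelled out identically in `JSFunction.cpp` and `JSFunctionInlines.h`, and the same decision is made again in `FunctionConstructor.cpp`, the DFG and the FTL; a small accessor such as `Structure* functionStructureFor(bool isStrictMode) const` on `JSGlobalObject` would keep those sites from drifting.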
@@ -35,7 +35,8 @@ VM& vm, FunctionExecutable* executable, JSScope* scope) { ASSERT(executable->singletonFunction()->hasBeenInvalidated()); - return createImpl(vm, executable, scope, scope->globalObject(vm)->functionStructure()); + Structure* structure = executable->isStrictMode() ? scope->globalObject(vm)->strictFunctionStructure() : scope->globalObject(vm)->sloppyFunctionStructure(); + return createImpl(vm, executable, scope, structure); } inline JSFunction::JSFunction(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure) diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSGlobalObject.cpp webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSGlobalObject.cpp --- webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2018-01-10 07:48:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2018-01-24 08:51:29.000000000 +0000 @@ -382,7 +382,8 @@ ExecState::initGlobalExec(JSGlobalObject::globalExec(), globalCallee); ExecState* exec = JSGlobalObject::globalExec(); - m_functionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get())); + m_strictFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get())); + m_sloppyFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get())); m_customGetterSetterFunctionStructure.initLater( [] (const Initializer& init) { init.set(JSCustomGetterSetterFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get())); 
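Review bot: `m_strictFunctionStructure` and `m_sloppyFunctionStructure` are created from the identical `JSFunction::createStructure(vm, this, m_functionPrototype.get())` call, so the reader is left asking why there are two. The point is evidently identity rather than shape — strict and sloppy functions must start from distinct Structures so their property transitions never alias — and that belongs in a comment: `// Same shape on purpose: strict and sloppy functions must not share a Structure (or its transition tree).`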
@@ -396,10 +397,6 @@ [] (const Initializer& init) { init.set(JSNativeStdFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get())); }); - m_namedFunctionStructure.initLater( - [] (const Initializer& init) { - init.set(Structure::addPropertyTransition(init.vm, init.owner->m_functionStructure.get(), init.vm.propertyNames->name, DontDelete | ReadOnly | DontEnum, init.owner->m_functionNameOffset)); - }); JSFunction* callFunction = nullptr; JSFunction* applyFunction = nullptr; JSFunction* hasInstanceSymbolFunction = nullptr; @@ -1271,12 +1268,12 @@ thisObject->m_nullPrototypeObjectStructure.visit(visitor); visitor.append(thisObject->m_errorStructure); visitor.append(thisObject->m_calleeStructure); - visitor.append(thisObject->m_functionStructure); + visitor.append(thisObject->m_strictFunctionStructure); + visitor.append(thisObject->m_sloppyFunctionStructure); thisObject->m_customGetterSetterFunctionStructure.visit(visitor); thisObject->m_boundFunctionStructure.visit(visitor); visitor.append(thisObject->m_getterSetterStructure); thisObject->m_nativeStdFunctionStructure.visit(visitor); - thisObject->m_namedFunctionStructure.visit(visitor); visitor.append(thisObject->m_symbolObjectStructure); visitor.append(thisObject->m_regExpStructure); visitor.append(thisObject->m_generatorFunctionStructure); diff -Nru webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSGlobalObject.h webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSGlobalObject.h --- webkit2gtk-2.18.5/Source/JavaScriptCore/runtime/JSGlobalObject.h 2018-01-10 07:36:40.000000000 +0000 +++ webkit2gtk-2.18.6/Source/JavaScriptCore/runtime/JSGlobalObject.h 2018-01-24 08:44:40.000000000 +0000 
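Review bot: With `m_namedFunctionStructure` and its `initLater` lambda gone, `m_functionNameOffset` — still declared at `JSGlobalObject.h @@ -315` and exposed through `functionNameOffset()` at `@@ -616` — has lost its only user visible in this patch. Check whether anything else reads it; if not, remove the field and accessor in the same change rather than leaving a member that is set but never consumed. The visitor hunk correctly appends both new structures.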
@@ -315,12 +315,12 @@
 #endif
 LazyProperty m_nullPrototypeObjectStructure;
 WriteBarrier m_calleeStructure;
- WriteBarrier m_functionStructure;
+ WriteBarrier m_strictFunctionStructure;
+ WriteBarrier m_sloppyFunctionStructure;
 LazyProperty m_boundFunctionStructure;
 LazyProperty m_customGetterSetterFunctionStructure;
 WriteBarrier m_getterSetterStructure;
 LazyProperty m_nativeStdFunctionStructure;
- LazyProperty m_namedFunctionStructure;
 PropertyOffset m_functionNameOffset;
 WriteBarrier m_privateNameStructure;
 WriteBarrier m_regExpStructure;
@@ -616,12 +616,12 @@
 Structure* nullPrototypeObjectStructure() const { return m_nullPrototypeObjectStructure.get(this); }
 Structure* errorStructure() const { return m_errorStructure.get(); }
 Structure* calleeStructure() const { return m_calleeStructure.get(); }
- Structure* functionStructure() const { return m_functionStructure.get(); }
+ Structure* strictFunctionStructure() const { return m_strictFunctionStructure.get(); }
+ Structure* sloppyFunctionStructure() const { return m_sloppyFunctionStructure.get(); }
 Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(this); }
 Structure* customGetterSetterFunctionStructure() const { return m_customGetterSetterFunctionStructure.get(this); }
 Structure* getterSetterStructure() const { return m_getterSetterStructure.get(); }
 Structure* nativeStdFunctionStructure() const { return m_nativeStdFunctionStructure.get(this); }
- Structure* namedFunctionStructure() const { return m_namedFunctionStructure.get(this); }
 PropertyOffset functionNameOffset() const { return m_functionNameOffset; }
 Structure* numberObjectStructure() const { return m_numberObjectStructure.get(); }
 Structure* privateNameStructure() const { return m_privateNameStructure.get(); }
diff -Nru webkit2gtk-2.18.5/Source/WebCore/html/HTMLFormElement.cpp webkit2gtk-2.18.6/Source/WebCore/html/HTMLFormElement.cpp
--- webkit2gtk-2.18.5/Source/WebCore/html/HTMLFormElement.cpp 2017-08-17 06:17:12.000000000 +0000
+++ webkit2gtk-2.18.6/Source/WebCore/html/HTMLFormElement.cpp 2018-01-24 08:40:57.000000000 +0000
@@ -546,6 +546,9 @@ removeFromPastNamesMap(e); m_associatedElements.remove(index); + if (auto* nodeLists = this->nodeLists()) + nodeLists->invalidateCaches(); + if (e == m_defaultButton) resetDefaultButton(); } diff -Nru webkit2gtk-2.18.5/Source/WebCore/loader/ResourceLoader.cpp webkit2gtk-2.18.6/Source/WebCore/loader/ResourceLoader.cpp --- webkit2gtk-2.18.5/Source/WebCore/loader/ResourceLoader.cpp 2017-08-09 09:13:51.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/loader/ResourceLoader.cpp 2018-01-24 08:32:10.000000000 +0000 @@ -42,6 +42,7 @@ #include "InspectorInstrumentation.h" #include "LoaderStrategy.h" #include "MainFrame.h" +#include "MixedContentChecker.h" #include "Page.h" #include "PlatformStrategies.h" #include "ProgressTracker.h" @@ -63,10 +64,11 @@ namespace WebCore { ResourceLoader::ResourceLoader(Frame& frame, ResourceLoaderOptions options) - : m_frame(&frame) - , m_documentLoader(frame.loader().activeDocumentLoader()) - , m_defersLoading(options.defersLoadingPolicy == DefersLoadingPolicy::AllowDefersLoading && frame.page()->defersLoading()) - , m_options(options) + : m_frame { &frame } + , m_documentLoader { frame.loader().activeDocumentLoader() } + , m_defersLoading { options.defersLoadingPolicy == DefersLoadingPolicy::AllowDefersLoading && frame.page()->defersLoading() } + , m_canAskClientForCredentials { options.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials } + , m_options { options } { } @@ -132,6 +134,7 @@ #endif m_defersLoading = m_options.defersLoadingPolicy == DefersLoadingPolicy::AllowDefersLoading && m_frame->page()->defersLoading(); + m_canAskClientForCredentials = m_options.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials && !isMixedContent(r.url()); if (m_options.securityCheck == DoSecurityCheck && !m_frame->document()->securityOrigin().canDisplay(clientRequest.url())) { FrameLoader::reportLocalLoadFailed(m_frame.get(), clientRequest.url().string()); 
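Review bot: The new `nodeLists->invalidateCaches()` after `m_associatedElements.remove(index)` has no comment explaining what it protects; the cached collections presumably index into `m_associatedElements`, so a stale cache after the removal would resolve to an element that is no longer associated or to an out-of-range slot. Suggest `// Cached collections over the associated elements index into m_associatedElements; drop them now that it has changed.` and confirm the insertion counterpart (outside this hunk) invalidates the same caches so the two paths stay symmetric. The enclosing function starts outside the hunk.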
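Review bot: The constructor hunk rewrites every initialiser into brace form while adding a single member; cosmetic churn in a security backport hides the functional line, so prefer adding `, m_canAskClientForCredentials(options.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials)` in the existing style. The value set there is provisional — `init()` recomputes it with `&& !isMixedContent(r.url())` once the URL is known — and a comment on the constructor line (`// Refined in init() once the request URL is known.`) stops readers from trusting the constructor's value.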
@@ -326,6 +329,16 @@ return false; } +bool ResourceLoader::isMixedContent(const URL& url) const +{ + if (MixedContentChecker::isMixedContent(m_frame->document()->securityOrigin(), url)) + return true; + Frame& topFrame = m_frame->tree().top(); + if (&topFrame != m_frame && MixedContentChecker::isMixedContent(topFrame.document()->securityOrigin(), url)) + return true; + return false; +} + void ResourceLoader::willSendRequestInternal(ResourceRequest& request, const ResourceResponse& redirectResponse) { // Protect this in this delegate method since the additional processing can do @@ -385,6 +398,10 @@ #endif bool isRedirect = !redirectResponse.isNull(); + + if (isMixedContent(m_request.url()) || (isRedirect && isMixedContent(request.url()))) + m_canAskClientForCredentials = false; + if (isRedirect) platformStrategies()->loaderStrategy()->crossOriginRedirectReceived(this, request.url()); @@ -682,7 +699,7 @@ bool ResourceLoader::isAllowedToAskUserForCredentials() const { - if (m_options.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials) + if (!m_canAskClientForCredentials) return false; return m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_frame->document()->securityOrigin().canRequest(originalRequest().url())); } diff -Nru webkit2gtk-2.18.5/Source/WebCore/loader/ResourceLoader.h webkit2gtk-2.18.6/Source/WebCore/loader/ResourceLoader.h --- webkit2gtk-2.18.5/Source/WebCore/loader/ResourceLoader.h 2017-08-09 09:13:51.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/loader/ResourceLoader.h 2018-01-24 08:32:10.000000000 +0000 @@ -207,6 +207,8 @@ bool shouldCacheResponse(ResourceHandle*, CFCachedURLResponseRef) override; #endif + bool isMixedContent(const URL&) const; + ResourceRequest m_request; ResourceRequest m_originalRequest; // Before redirects. RefPtr m_resourceData; 
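Review bot: `isMixedContent` is undocumented, and its second clause — also testing the top frame's origin — is the non-obvious part: a load that is not mixed for an http: subframe can still be mixed relative to an https: top-level page, and a credential prompt is attributed by the user to that top-level page (confirm against `MixedContentChecker`). Suggest on the declaration in `ResourceLoader.h`: `// True if loading |url| is mixed content for this frame or for the top-level frame; used to refuse credential prompts that would appear to come from a secure page.` In `willSendRequestInternal` the flag is only ever cleared and never re-enabled on a later secure redirect, which reads as deliberate latching but deserves a word: `// Once mixed content is seen on this load, never prompt again.`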
@@ -225,6 +227,7 @@ CancellationStatus m_cancellationStatus { NotCancelled }; bool m_defersLoading; + bool m_canAskClientForCredentials; ResourceRequest m_deferredRequest; ResourceLoaderOptions m_options; diff -Nru webkit2gtk-2.18.5/Source/WebCore/Modules/mediasource/MediaSource.cpp webkit2gtk-2.18.6/Source/WebCore/Modules/mediasource/MediaSource.cpp --- webkit2gtk-2.18.5/Source/WebCore/Modules/mediasource/MediaSource.cpp 2017-08-09 09:13:51.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/Modules/mediasource/MediaSource.cpp 2018-01-24 09:40:45.000000000 +0000 @@ -232,7 +232,10 @@ // ↳ Otherwise // Continue +// https://bugs.webkit.org/show_bug.cgi?id=125157 broke seek on MediaPlayerPrivateGStreamerMSE +#if !USE(GSTREAMER) m_private->waitForSeekCompleted(); +#endif completeSeek(); } diff -Nru webkit2gtk-2.18.5/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp webkit2gtk-2.18.6/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp --- webkit2gtk-2.18.5/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp 2017-10-16 09:31:16.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp 2018-01-24 10:05:42.000000000 +0000 @@ -661,6 +661,8 @@ if (!m_renderingCanBeAccelerated) { LockHolder locker(m_drawMutex); + if (m_drawCancelled) + return; m_drawTimer.startOneShot(0_s); m_drawCondition.wait(m_drawMutex); return; @@ -672,6 +674,8 @@ #else { LockHolder lock(m_drawMutex); + if (m_drawCancelled) + return; if (!m_platformLayerProxy->scheduleUpdateOnCompositorThread([this] { this->pushTextureToCompositor(); })) return; m_drawCondition.wait(m_drawMutex); 
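Review bot: `bool m_canAskClientForCredentials;` is added without a default member initializer while the neighbouring `m_cancellationStatus { NotCancelled }` has one; the constructor does set it, but `bool m_canAskClientForCredentials { false };` makes the safe default explicit for any future constructor and matches the file's style.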
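Review bot: The `#if !USE(GSTREAMER)` around `m_private->waitForSeekCompleted()` puts a platform workaround into cross-platform `MediaSource.cpp`; the conventional place is the GStreamer `MediaSourcePrivate` implementation, whose `waitForSeekCompleted()` can be a no-op carrying the bug URL, leaving the spec-following algorithm here untouched. If the ifdef stays, the comment should say what goes wrong rather than that the bug 'broke seek', e.g. `// The GStreamer MSE player never completes this wait; see bug 125157.` — adjusted to the actual failure mode.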
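Review bot: The early `return` on `m_drawCancelled` protects both waits, but `m_drawCancelled` (set in `cancelRepaint()` in the next hunk) is never cleared anywhere in this patch, so once a repaint has been cancelled every subsequent `repaint()` is silently dropped for the life of the player. That is fine if `cancelRepaint()` is only reached during teardown, but it should be stated on the member in the header: `// Latched: once set, repaint() is a no-op; only set while tearing down.` — or reset under `m_drawMutex` wherever painting is meant to resume. Both `m_drawCondition.wait(m_drawMutex)` calls remain predicate-less, so a spurious wake-up still returns before the draw has happened (pre-existing).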
@@ -687,11 +691,14 @@ void MediaPlayerPrivateGStreamerBase::cancelRepaint() { + LockHolder locker(m_drawMutex); + if (!m_renderingCanBeAccelerated) { m_drawTimer.stop(); - LockHolder locker(m_drawMutex); - m_drawCondition.notifyOne(); } + + m_drawCancelled = true; + m_drawCondition.notifyOne(); } void MediaPlayerPrivateGStreamerBase::repaintCancelledCallback(MediaPlayerPrivateGStreamerBase* player) diff -Nru webkit2gtk-2.18.5/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h webkit2gtk-2.18.6/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h --- webkit2gtk-2.18.5/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h 2017-10-16 09:28:31.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h 2018-01-24 10:05:42.000000000 +0000 @@ -205,6 +205,7 @@ Condition m_drawCondition; Lock m_drawMutex; + bool m_drawCancelled { false }; RunLoop::Timer m_drawTimer; #if USE(TEXTURE_MAPPER_GL) diff -Nru webkit2gtk-2.18.5/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h webkit2gtk-2.18.6/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h --- webkit2gtk-2.18.5/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h 2017-08-30 10:19:51.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h 2018-01-24 08:59:35.000000000 +0000 
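Review bot: `cancelRepaint()` now calls `m_drawTimer.stop()` while holding `m_drawMutex`, whereas before the lock was taken after it; this is safe only if `RunLoop::Timer::stop()` never blocks on a handler that itself takes `m_drawMutex` (the timer's handler is what the non-accelerated `repaint()` path waits on at `@@ -661`), which I believe holds but is worth stating. The wider lock scope is the actual fix — a `repaint()` that has already checked `m_drawCancelled` cannot slip into its wait after the `notifyOne()` — so add `// Hold the lock across the flag and the notify so repaint() cannot check m_drawCancelled and then start waiting after we signal.` The unconditional `notifyOne()` is right, since the accelerated path at `@@ -672` waits on the same condition.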
@@ -143,7 +143,11 @@ void synchronizeWrappersIfNeeded() { - ASSERT(isAnimating()); + if (!isAnimating()) { + // This should never happen, but we've seen it in the field. Please comment in bug #181316 if you hit this. + ASSERT_NOT_REACHED(); + return; + } // Eventually the wrapper list needs synchronization because any SVGAnimateLengthList::calculateAnimatedValue() call may // mutate the length of our values() list, and thus the wrapper() cache needs synchronization, to have the same size. diff -Nru webkit2gtk-2.18.5/Source/WebCore/svg/SVGAnimatedTypeAnimator.h webkit2gtk-2.18.6/Source/WebCore/svg/SVGAnimatedTypeAnimator.h --- webkit2gtk-2.18.5/Source/WebCore/svg/SVGAnimatedTypeAnimator.h 2017-12-19 07:51:31.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebCore/svg/SVGAnimatedTypeAnimator.h 2018-01-24 08:59:35.000000000 +0000 
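Review bot: Replacing `ASSERT(isAnimating())` with `ASSERT_NOT_REACHED(); return;` is the right release-mode behaviour, but the new comment only asks for bug reports; it should also say what the early return leaves behind — the wrapper cache is not synchronized with `values()`, so callers such as the `SVGAnimatedTypeAnimator.h` hunk on the next line must not assume matching sizes afterwards. Suggest appending `// Bail out rather than touch the wrapper list with no animated value in place.` The enclosing function body continues outside the hunk.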
@@ -127,10 +127,14 @@ { ASSERT(animatedTypes[0].properties.size() == 2); ASSERT(type.type() == m_type); + auto* firstProperty = castAnimatedPropertyToActualType(animatedTypes[0].properties[0].get()); + auto* secondProperty = castAnimatedPropertyToActualType(animatedTypes[0].properties[1].get()); + firstProperty->synchronizeWrappersIfNeeded(); + secondProperty->synchronizeWrappersIfNeeded(); std::pair& animatedTypeValue = (type.*getter)(); - animatedTypeValue.first = castAnimatedPropertyToActualType(animatedTypes[0].properties[0].get())->currentBaseValue(); - animatedTypeValue.second = castAnimatedPropertyToActualType(animatedTypes[0].properties[1].get())->currentBaseValue(); + animatedTypeValue.first = firstProperty->currentBaseValue(); + animatedTypeValue.second = secondProperty->currentBaseValue(); executeAction(StartAnimationAction, animatedTypes, 0, &animatedTypeValue.first); executeAction(StartAnimationAction, animatedTypes, 1, &animatedTypeValue.second); diff -Nru webkit2gtk-2.18.5/Source/WebDriver/Capabilities.h webkit2gtk-2.18.6/Source/WebDriver/Capabilities.h --- webkit2gtk-2.18.5/Source/WebDriver/Capabilities.h 2017-12-18 17:41:15.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/Capabilities.h 2018-01-24 09:56:33.000000000 +0000 @@ -57,6 +57,7 @@ std::optional browserVersion; std::optional platformName; std::optional acceptInsecureCerts; + std::optional setWindowRect; std::optional timeouts; std::optional pageLoadStrategy; std::optional unhandledPromptBehavior; diff -Nru webkit2gtk-2.18.5/Source/WebDriver/glib/SessionHostGlib.cpp webkit2gtk-2.18.6/Source/WebDriver/glib/SessionHostGlib.cpp --- webkit2gtk-2.18.5/Source/WebDriver/glib/SessionHostGlib.cpp 2017-08-17 07:50:09.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/glib/SessionHostGlib.cpp 2018-01-24 09:54:17.000000000 +0000 
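Review bot: The new lines index `animatedTypes[0].properties[0]` and `[1]` with only the debug-only `ASSERT(animatedTypes[0].properties.size() == 2)` above them, so in a release build a short `properties` vector turns the second access into an out-of-bounds read before `synchronizeWrappersIfNeeded()` is ever called. Since this patch is hardening exactly this area, consider `RELEASE_ASSERT(animatedTypes[0].properties.size() == 2);` here (and a bound on `animatedTypes.size()`, unless the caller outside the hunk guarantees it). The `auto*` locals are a clear improvement over the repeated casts. The enclosing function starts outside the hunk.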
@@ -98,7 +98,7 @@ { 0 } }; -void SessionHost::connectToBrowser(Function&& completionHandler) +void SessionHost::connectToBrowser(Function error)>&& completionHandler) { launchBrowser(WTFMove(completionHandler)); } @@ -109,7 +109,7 @@ } struct ConnectToBrowserAsyncData { - ConnectToBrowserAsyncData(SessionHost* sessionHost, GUniquePtr&& dbusAddress, GCancellable* cancellable, Function&& completionHandler) + ConnectToBrowserAsyncData(SessionHost* sessionHost, GUniquePtr&& dbusAddress, GCancellable* cancellable, Function error)>&& completionHandler) : sessionHost(sessionHost) , dbusAddress(WTFMove(dbusAddress)) , cancellable(cancellable) @@ -120,7 +120,7 @@ SessionHost* sessionHost; GUniquePtr dbusAddress; GRefPtr cancellable; - Function completionHandler; + Function error)> completionHandler; }; static guint16 freePort() @@ -135,7 +135,7 @@ return g_inet_socket_address_get_port(G_INET_SOCKET_ADDRESS(address.get())); } -void SessionHost::launchBrowser(Function&& completionHandler) +void SessionHost::launchBrowser(Function error)>&& completionHandler) { m_cancellable = adoptGRef(g_cancellable_new()); GRefPtr launcher = adoptGRef(g_subprocess_launcher_new(G_SUBPROCESS_FLAGS_NONE)); @@ -152,7 +152,13 @@ for (unsigned i = 0; i < browserArguments.size(); ++i) args.get()[i + 1] = g_strdup(browserArguments[i].utf8().data()); - m_browser = adoptGRef(g_subprocess_launcher_spawnv(launcher.get(), args.get(), nullptr)); + GUniqueOutPtr error; + m_browser = adoptGRef(g_subprocess_launcher_spawnv(launcher.get(), args.get(), &error.outPtr())); + if (error) { + completionHandler(String::fromUTF8(error->message)); + return; + } + g_subprocess_wait_async(m_browser.get(), m_cancellable.get(), [](GObject* browser, GAsyncResult* result, gpointer userData) { GUniqueOutPtr error; g_subprocess_wait_finish(G_SUBPROCESS(browser), result, &error.outPtr()); 
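Review bot: `connectToBrowser` and `launchBrowser` change their completion handler from the `Succeeded` enum to `std::optional<String> error` (the template argument is stripped in this rendering), yet nothing documents the new contract; add to the declaration in the header `// completionHandler receives std::nullopt on success, or a human-readable error message on failure.` The `ConnectToBrowserAsyncData` and `setupConnection` hunks on these lines follow mechanically from the same change.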
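Review bot: On `g_subprocess_launcher_spawnv` failure the new block reports the error and returns, but `m_cancellable`, created at the top of `launchBrowser`, is left set while `m_browser` stays null; whatever later consults `m_cancellable` should tolerate that, or it should be reset here. This is also the only path on which the completion handler runs synchronously — every other completion in this file is delivered from a GLib async callback — so a caller that touches state after `launchBrowser` returns, expecting the handler to run later, will misbehave; either dispatch the call asynchronously (for example via the run loop) or document the mixed behaviour at the declaration.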
@@ -190,10 +196,11 @@ return; } - data->completionHandler(Succeeded::No); + data->completionHandler(String::fromUTF8(error->message)); return; } - data->sessionHost->setupConnection(WTFMove(connection), WTFMove(data->completionHandler)); + data->sessionHost->setupConnection(WTFMove(connection)); + data->completionHandler(std::nullopt); }, data); }); } @@ -212,7 +219,7 @@ WTFLogAlways("RemoteInspectorServer failed to send DBus message: %s", error->message); } -void SessionHost::setupConnection(GRefPtr&& connection, Function&& completionHandler) +void SessionHost::setupConnection(GRefPtr&& connection) { ASSERT(!m_dbusConnection); ASSERT(connection); @@ -225,8 +232,6 @@ introspectionData = g_dbus_node_info_new_for_xml(introspectionXML, nullptr); g_dbus_connection_register_object(m_dbusConnection.get(), REMOTE_INSPECTOR_CLIENT_OBJECT_PATH, introspectionData->interfaces[0], &s_interfaceVTable, this, nullptr, nullptr); - - completionHandler(Succeeded::Yes); } std::optional SessionHost::matchCapabilities(GVariant* capabilities) diff -Nru webkit2gtk-2.18.5/Source/WebDriver/gtk/WebDriverServiceGtk.cpp webkit2gtk-2.18.6/Source/WebDriver/gtk/WebDriverServiceGtk.cpp --- webkit2gtk-2.18.5/Source/WebDriver/gtk/WebDriverServiceGtk.cpp 2017-12-18 13:51:09.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/gtk/WebDriverServiceGtk.cpp 2018-01-24 09:56:33.000000000 +0000 @@ -37,6 +37,7 @@ Capabilities capabilities; capabilities.platformName = String("linux"); capabilities.acceptInsecureCerts = false; + capabilities.setWindowRect = true; return capabilities; } diff -Nru webkit2gtk-2.18.5/Source/WebDriver/Session.cpp webkit2gtk-2.18.6/Source/WebDriver/Session.cpp --- webkit2gtk-2.18.5/Source/WebDriver/Session.cpp 2017-12-18 17:41:16.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/Session.cpp 2018-01-24 09:55:58.000000000 +0000 
@@ -39,9 +39,19 @@ // https://www.w3.org/TR/webdriver/#elements static const String webElementIdentifier = ASCIILiteral("element-6066-11e4-a52e-4f735466cecf"); +// https://w3c.github.io/webdriver/webdriver-spec.html#dfn-session-script-timeout +static const Seconds defaultScriptTimeout = 30_s; +// https://w3c.github.io/webdriver/webdriver-spec.html#dfn-session-page-load-timeout +static const Seconds defaultPageLoadTimeout = 300_s; +// https://w3c.github.io/webdriver/webdriver-spec.html#dfn-session-implicit-wait-timeout +static const Seconds defaultImplicitWaitTimeout = 0_s; + Session::Session(std::unique_ptr&& host) : m_host(WTFMove(host)) , m_id(createCanonicalUUIDString()) + , m_scriptTimeout(defaultScriptTimeout) + , m_pageLoadTimeout(defaultPageLoadTimeout) + , m_implicitWaitTimeout(defaultImplicitWaitTimeout) { } @@ -97,14 +107,23 @@ }); } +void Session::getTimeouts(Function&& completionHandler) +{ + RefPtr parameters = JSON::Object::create(); + parameters->setInteger(ASCIILiteral("script"), m_scriptTimeout.millisecondsAs()); + parameters->setInteger(ASCIILiteral("pageLoad"), m_pageLoadTimeout.millisecondsAs()); + parameters->setInteger(ASCIILiteral("implicit"), m_implicitWaitTimeout.millisecondsAs()); + completionHandler(CommandResult::success(WTFMove(parameters))); +} + void Session::setTimeouts(const Timeouts& timeouts, Function&& completionHandler) { if (timeouts.script) - m_timeouts.script = timeouts.script; + m_scriptTimeout = timeouts.script.value(); if (timeouts.pageLoad) - m_timeouts.pageLoad = timeouts.pageLoad; + m_pageLoadTimeout = timeouts.pageLoad.value(); if (timeouts.implicit) - m_timeouts.implicit = timeouts.implicit; + m_implicitWaitTimeout = timeouts.implicit.value(); completionHandler(CommandResult::success()); } 
@@ -270,8 +289,7 @@ RefPtr parameters = JSON::Object::create(); parameters->setString(ASCIILiteral("handle"), m_toplevelBrowsingContext.value()); parameters->setString(ASCIILiteral("url"), url); - if (m_timeouts.pageLoad) - parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_timeouts.pageLoad.value().millisecondsAs()); + parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_pageLoadTimeout.millisecondsAs()); if (auto pageLoadStrategy = pageLoadStrategyString()) parameters->setString(ASCIILiteral("pageLoadStrategy"), pageLoadStrategy.value()); m_host->sendCommandToBackend(ASCIILiteral("navigateBrowsingContext"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { @@ -334,8 +352,7 @@ } RefPtr parameters = JSON::Object::create(); parameters->setString(ASCIILiteral("handle"), m_toplevelBrowsingContext.value()); - if (m_timeouts.pageLoad) - parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_timeouts.pageLoad.value().millisecondsAs()); + parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_pageLoadTimeout.millisecondsAs()); if (auto pageLoadStrategy = pageLoadStrategyString()) parameters->setString(ASCIILiteral("pageLoadStrategy"), pageLoadStrategy.value()); m_host->sendCommandToBackend(ASCIILiteral("goBackInBrowsingContext"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { 
@@ -363,8 +380,7 @@ } RefPtr parameters = JSON::Object::create(); parameters->setString(ASCIILiteral("handle"), m_toplevelBrowsingContext.value()); - if (m_timeouts.pageLoad) - parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_timeouts.pageLoad.value().millisecondsAs()); + parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_pageLoadTimeout.millisecondsAs()); if (auto pageLoadStrategy = pageLoadStrategyString()) parameters->setString(ASCIILiteral("pageLoadStrategy"), pageLoadStrategy.value()); m_host->sendCommandToBackend(ASCIILiteral("goForwardInBrowsingContext"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { @@ -392,8 +408,7 @@ } RefPtr parameters = JSON::Object::create(); parameters->setString(ASCIILiteral("handle"), m_toplevelBrowsingContext.value()); - if (m_timeouts.pageLoad) - parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_timeouts.pageLoad.value().millisecondsAs()); + parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_pageLoadTimeout.millisecondsAs()); if (auto pageLoadStrategy = pageLoadStrategyString()) parameters->setString(ASCIILiteral("pageLoadStrategy"), pageLoadStrategy.value()); m_host->sendCommandToBackend(ASCIILiteral("reloadBrowsingContext"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { @@ -683,7 +698,7 @@ double width, height; if (!browsingContext->getObject(ASCIILiteral("windowSize"), windowSize) || !windowSize->getDouble(ASCIILiteral("width"), width) - || !windowSize->getDouble(ASCIILiteral("height"), width)) { + || !windowSize->getDouble(ASCIILiteral("height"), height)) { completionHandler(CommandResult::fail(CommandResult::ErrorCode::UnknownError)); return; } 
@@ -915,7 +930,6 @@ return; } - auto implicitWait = m_timeouts.implicit.value_or(0_s); RefPtr arguments = JSON::Array::create(); arguments->pushString(JSON::Value::create(strategy)->toJSONString()); if (rootElementID.isEmpty()) @@ -924,7 +938,7 @@ arguments->pushString(createElement(rootElementID)->toJSONString()); arguments->pushString(JSON::Value::create(selector)->toJSONString()); arguments->pushString(JSON::Value::create(mode == FindElementsMode::Single)->toJSONString()); - arguments->pushString(JSON::Value::create(implicitWait.milliseconds())->toJSONString()); + arguments->pushString(JSON::Value::create(m_implicitWaitTimeout.milliseconds())->toJSONString()); RefPtr parameters = JSON::Object::create(); parameters->setString(ASCIILiteral("browsingContextHandle"), m_toplevelBrowsingContext.value()); @@ -934,8 +948,8 @@ parameters->setArray(ASCIILiteral("arguments"), WTFMove(arguments)); parameters->setBoolean(ASCIILiteral("expectsImplicitCallbackArgument"), true); // If there's an implicit wait, use one second more as callback timeout. - if (implicitWait) - parameters->setInteger(ASCIILiteral("callbackTimeout"), Seconds(implicitWait + 1_s).millisecondsAs()); + if (m_implicitWaitTimeout) + parameters->setInteger(ASCIILiteral("callbackTimeout"), Seconds(m_implicitWaitTimeout + 1_s).millisecondsAs()); m_host->sendCommandToBackend(ASCIILiteral("evaluateJavaScriptFunction"), WTFMove(parameters), [this, protectedThis = makeRef(*this), mode, completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { if (response.isError || !response.responseObject) { 
@@ -1349,6 +1363,47 @@ }); } +void Session::getElementCSSValue(const String& elementID, const String& cssProperty, Function&& completionHandler) +{ + if (!m_toplevelBrowsingContext) { + completionHandler(CommandResult::fail(CommandResult::ErrorCode::NoSuchWindow)); + return; + } + + handleUserPrompts([this, elementID, cssProperty, completionHandler = WTFMove(completionHandler)](CommandResult&& result) mutable { + if (result.isError()) { + completionHandler(WTFMove(result)); + return; + } + RefPtr arguments = JSON::Array::create(); + arguments->pushString(createElement(elementID)->toJSONString()); + + RefPtr parameters = JSON::Object::create(); + parameters->setString(ASCIILiteral("browsingContextHandle"), m_toplevelBrowsingContext.value()); + if (m_currentBrowsingContext) + parameters->setString(ASCIILiteral("frameHandle"), m_currentBrowsingContext.value()); + parameters->setString(ASCIILiteral("function"), makeString("function(element) { return document.defaultView.getComputedStyle(element).getPropertyValue('", cssProperty, "'); }")); + parameters->setArray(ASCIILiteral("arguments"), WTFMove(arguments)); + m_host->sendCommandToBackend(ASCIILiteral("evaluateJavaScriptFunction"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { + if (response.isError || !response.responseObject) { + completionHandler(CommandResult::fail(WTFMove(response.responseObject))); + return; + } + String valueString; + if (!response.responseObject->getString(ASCIILiteral("result"), valueString)) { + completionHandler(CommandResult::fail(CommandResult::ErrorCode::UnknownError)); + return; + } + RefPtr resultValue; + if (!JSON::Value::parseJSON(valueString, resultValue)) { + completionHandler(CommandResult::fail(CommandResult::ErrorCode::UnknownError)); + return; + } + completionHandler(CommandResult::success(WTFMove(resultValue))); + }); + }); +} + void 
Session::waitForNavigationToComplete(Function&& completionHandler) { if (!m_toplevelBrowsingContext) { @@ -1360,8 +1415,7 @@ parameters->setString(ASCIILiteral("browsingContextHandle"), m_toplevelBrowsingContext.value()); if (m_currentBrowsingContext) parameters->setString(ASCIILiteral("frameHandle"), m_currentBrowsingContext.value()); - if (m_timeouts.pageLoad) - parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_timeouts.pageLoad.value().millisecondsAs()); + parameters->setInteger(ASCIILiteral("pageLoadTimeout"), m_pageLoadTimeout.millisecondsAs()); if (auto pageLoadStrategy = pageLoadStrategyString()) parameters->setString(ASCIILiteral("pageLoadStrategy"), pageLoadStrategy.value()); m_host->sendCommandToBackend(ASCIILiteral("waitForNavigationToComplete"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) { @@ -1725,8 +1779,8 @@ parameters->setArray(ASCIILiteral("arguments"), WTFMove(arguments)); if (mode == ExecuteScriptMode::Async) { parameters->setBoolean(ASCIILiteral("expectsImplicitCallbackArgument"), true); - if (m_timeouts.script) - parameters->setInteger(ASCIILiteral("callbackTimeout"), m_timeouts.script.value().millisecondsAs()); + if (m_scriptTimeout) + parameters->setInteger(ASCIILiteral("callbackTimeout"), m_scriptTimeout.millisecondsAs()); } m_host->sendCommandToBackend(ASCIILiteral("evaluateJavaScriptFunction"), WTFMove(parameters), [this, protectedThis = makeRef(*this), completionHandler = WTFMove(completionHandler)](SessionHost::CommandResponse&& response) mutable { if (response.isError || !response.responseObject) { diff -Nru webkit2gtk-2.18.5/Source/WebDriver/Session.h webkit2gtk-2.18.6/Source/WebDriver/Session.h --- webkit2gtk-2.18.5/Source/WebDriver/Session.h 2017-12-18 17:41:16.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/Session.h 2018-01-24 09:57:06.000000000 +0000 
@@ -49,10 +49,12 @@ const String& id() const { return m_id; } const Capabilities& capabilities() const; + Seconds scriptTimeout() const { return m_scriptTimeout; } + Seconds pageLoadTimeout() const { return m_pageLoadTimeout; } + Seconds implicitWaitTimeout() const { return m_implicitWaitTimeout; } enum class FindElementsMode { Single, Multiple }; enum class ExecuteScriptMode { Sync, Async }; - enum class Timeout { Script, PageLoad, Implicit }; struct Cookie { String name; @@ -89,6 +91,7 @@ void isElementSelected(const String& elementID, Function&&); void getElementAttribute(const String& elementID, const String& attribute, Function&&); void getElementProperty(const String& elementID, const String& attribute, Function&&); + void getElementCSSValue(const String& elementID, const String& cssProperty, Function&&); void getElementText(const String& elementID, Function&&); void getElementTagName(const String& elementID, Function&&); void getElementRect(const String& elementID, Function&&); @@ -179,8 +182,10 @@ void performKeyboardInteractions(Vector&&, Function&&); std::unique_ptr m_host; - Timeouts m_timeouts; String m_id; + Seconds m_scriptTimeout; + Seconds m_pageLoadTimeout; + Seconds m_implicitWaitTimeout; std::optional m_toplevelBrowsingContext; std::optional m_currentBrowsingContext; }; diff -Nru webkit2gtk-2.18.5/Source/WebDriver/SessionHost.h webkit2gtk-2.18.6/Source/WebDriver/SessionHost.h --- webkit2gtk-2.18.5/Source/WebDriver/SessionHost.h 2017-12-18 13:51:09.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/SessionHost.h 2018-01-24 09:54:17.000000000 +0000 @@ -53,8 +53,7 @@ const Capabilities& capabilities() const { return m_capabilities; } - enum class Succeeded { No, Yes }; - void connectToBrowser(Function&&); + void connectToBrowser(Function error)>&&); void startAutomationSession(const String& sessionID, Function)>&&); struct CommandResponse { 
@@ -77,10 +76,10 @@ #if USE(GLIB) static void dbusConnectionClosedCallback(SessionHost*); static const GDBusInterfaceVTable s_interfaceVTable; - void launchBrowser(Function&&); + void launchBrowser(Function error)>&&); void connectToBrowser(std::unique_ptr&&); std::optional matchCapabilities(GVariant*); - void setupConnection(GRefPtr&&, Function&&); + void setupConnection(GRefPtr&&); void setTargetList(uint64_t connectionID, Vector&&); void sendMessageToFrontend(uint64_t connectionID, uint64_t targetID, const char* message); #endif diff -Nru webkit2gtk-2.18.5/Source/WebDriver/WebDriverService.cpp webkit2gtk-2.18.6/Source/WebDriver/WebDriverService.cpp --- webkit2gtk-2.18.5/Source/WebDriver/WebDriverService.cpp 2017-12-18 17:41:15.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/WebDriverService.cpp 2018-01-24 09:57:41.000000000 +0000 @@ -101,6 +101,7 @@ { HTTPMethod::Post, "/session", &WebDriverService::newSession }, { HTTPMethod::Delete, "/session/$sessionId", &WebDriverService::deleteSession }, { HTTPMethod::Get, "/status", &WebDriverService::status }, + { HTTPMethod::Get, "/session/$sessionId/timeouts", &WebDriverService::getTimeouts }, { HTTPMethod::Post, "/session/$sessionId/timeouts", &WebDriverService::setTimeouts }, { HTTPMethod::Post, "/session/$sessionId/url", &WebDriverService::go }, 
@@ -128,6 +129,7 @@ { HTTPMethod::Get, "/session/$sessionId/element/$elementId/selected", &WebDriverService::isElementSelected }, { HTTPMethod::Get, "/session/$sessionId/element/$elementId/attribute/$name", &WebDriverService::getElementAttribute }, { HTTPMethod::Get, "/session/$sessionId/element/$elementId/property/$name", &WebDriverService::getElementProperty }, + { HTTPMethod::Get, "/session/$sessionId/element/$elementId/css/$name", &WebDriverService::getElementCSSValue }, { HTTPMethod::Get, "/session/$sessionId/element/$elementId/text", &WebDriverService::getElementText }, { HTTPMethod::Get, "/session/$sessionId/element/$elementId/name", &WebDriverService::getElementTagName }, { HTTPMethod::Get, "/session/$sessionId/element/$elementId/rect", &WebDriverService::getElementRect }, @@ -270,6 +272,22 @@ replyHandler({ result.httpStatusCode(), responseObject->toJSONString().utf8(), ASCIILiteral("application/json; charset=utf-8") }); } +static bool integerValue(JSON::Value& value, int& output) +{ + // Bail if an integer value cannot be retrieved. + if (!value.asInteger(output)) + return false; + + // If the contained value is a double, bail in case it doesn't match the integer + // value, i.e. if the double value was not originally in integer form. + // https://w3c.github.io/webdriver/webdriver-spec.html#dfn-integer + double doubleValue; + if (value.asDouble(doubleValue) && doubleValue != output) + return false; + + return true; +} + static std::optional deserializeTimeouts(JSON::Object& timeoutsObject) { // §8.5 Set Timeouts. @@ -281,7 +299,7 @@ continue; int timeoutMS; - if (it->value->type() != JSON::Value::Type::Integer || !it->value->asInteger(timeoutMS) || timeoutMS < 0 || timeoutMS > INT_MAX) + if (!integerValue(*it->value, timeoutMS) || timeoutMS < 0 || timeoutMS > INT_MAX) return std::nullopt; if (it->key == "script") 
@@ -328,6 +346,9 @@ bool acceptInsecureCerts; if (matchedCapabilities.getBoolean(ASCIILiteral("acceptInsecureCerts"), acceptInsecureCerts)) capabilities.acceptInsecureCerts = acceptInsecureCerts; + bool setWindowRect; + if (matchedCapabilities.getBoolean(ASCIILiteral("setWindowRect"), setWindowRect)) + capabilities.setWindowRect = setWindowRect; String browserName; if (matchedCapabilities.getString(ASCIILiteral("browserName"), browserName)) capabilities.browserName = browserName; @@ -421,12 +442,8 @@ result->setValue(it->key, RefPtr(it->value)); auto firstMatchEnd = firstMatchCapabilities.end(); - for (auto it = firstMatchCapabilities.begin(); it != firstMatchEnd; ++it) { - if (requiredCapabilities.find(it->key) != requiredEnd) - return nullptr; - + for (auto it = firstMatchCapabilities.begin(); it != firstMatchEnd; ++it) result->setValue(it->key, RefPtr(it->value)); - } return result; } @@ -448,6 +465,8 @@ matchedCapabilities->setString(ASCIILiteral("platformName"), platformCapabilities.platformName.value()); if (platformCapabilities.acceptInsecureCerts) matchedCapabilities->setBoolean(ASCIILiteral("acceptInsecureCerts"), platformCapabilities.acceptInsecureCerts.value()); + if (platformCapabilities.setWindowRect) + matchedCapabilities->setBoolean(ASCIILiteral("setWindowRect"), platformCapabilities.setWindowRect.value()); auto end = mergedCapabilities.end(); for (auto it = mergedCapabilities.begin(); it != end; ++it) { 
@@ -552,6 +571,18 @@ completionHandler(CommandResult::fail(CommandResult::ErrorCode::InvalidArgument, String("Invalid firstMatch capabilities"))); return nullptr; } + + // Validate here that firstMatchCapabilities don't shadow alwaysMatchCapabilities. + auto requiredEnd = requiredCapabilities->end(); + auto firstMatchEnd = firstMatchCapabilities->end(); + for (auto it = firstMatchCapabilities->begin(); it != firstMatchEnd; ++it) { + if (requiredCapabilities->find(it->key) != requiredEnd) { + completionHandler(CommandResult::fail(CommandResult::ErrorCode::InvalidArgument, + makeString("Invalid firstMatch capabilities: key ", it->key, " is present in alwaysMatch"))); + return nullptr; + } + } + // 5.2. Append validated capabilities to validated first match capabilities. validatedFirstMatchCapabilitiesList.uncheckedAppend(WTFMove(firstMatchCapabilities)); } @@ -594,9 +625,9 @@ parseCapabilities(*matchedCapabilities, capabilities); auto sessionHost = std::make_unique(WTFMove(capabilities)); auto* sessionHostPtr = sessionHost.get(); - sessionHostPtr->connectToBrowser([this, sessionHost = WTFMove(sessionHost), completionHandler = WTFMove(completionHandler)](SessionHost::Succeeded succeeded) mutable { - if (succeeded == SessionHost::Succeeded::No) { - completionHandler(CommandResult::fail(CommandResult::ErrorCode::SessionNotCreated, String("Failed to connect to browser"))); + sessionHostPtr->connectToBrowser([this, sessionHost = WTFMove(sessionHost), completionHandler = WTFMove(completionHandler)](std::optional error) mutable { + if (error) { + completionHandler(CommandResult::fail(CommandResult::ErrorCode::SessionNotCreated, makeString("Failed to connect to browser: ", error.value()))); return; } 
@@ -624,29 +655,8 @@ capabilitiesObject->setString(ASCIILiteral("platformName"), capabilities.platformName.value()); if (capabilities.acceptInsecureCerts) capabilitiesObject->setBoolean(ASCIILiteral("acceptInsecureCerts"), capabilities.acceptInsecureCerts.value()); - if (capabilities.timeouts) { - RefPtr timeoutsObject = JSON::Object::create(); - if (capabilities.timeouts.value().script) - timeoutsObject->setInteger(ASCIILiteral("script"), capabilities.timeouts.value().script.value().millisecondsAs()); - if (capabilities.timeouts.value().pageLoad) - timeoutsObject->setInteger(ASCIILiteral("pageLoad"), capabilities.timeouts.value().pageLoad.value().millisecondsAs()); - if (capabilities.timeouts.value().implicit) - timeoutsObject->setInteger(ASCIILiteral("implicit"), capabilities.timeouts.value().implicit.value().millisecondsAs()); - capabilitiesObject->setObject(ASCIILiteral("timeouts"), WTFMove(timeoutsObject)); - } - if (capabilities.pageLoadStrategy) { - switch (capabilities.pageLoadStrategy.value()) { - case PageLoadStrategy::None: - capabilitiesObject->setString(ASCIILiteral("pageLoadStrategy"), "none"); - break; - case PageLoadStrategy::Normal: - capabilitiesObject->setString(ASCIILiteral("pageLoadStrategy"), "normal"); - break; - case PageLoadStrategy::Eager: - capabilitiesObject->setString(ASCIILiteral("pageLoadStrategy"), "eager"); - break; - } - } + if (capabilities.setWindowRect) + capabilitiesObject->setBoolean(ASCIILiteral("setWindowRect"), capabilities.setWindowRect.value()); if (capabilities.unhandledPromptBehavior) { switch (capabilities.unhandledPromptBehavior.value()) { case UnhandledPromptBehavior::Dismiss: 
@@ -666,6 +676,25 @@ break; } } + switch (capabilities.pageLoadStrategy.value_or(PageLoadStrategy::Normal)) { + case PageLoadStrategy::None: + capabilitiesObject->setString(ASCIILiteral("pageLoadStrategy"), "none"); + break; + case PageLoadStrategy::Normal: + capabilitiesObject->setString(ASCIILiteral("pageLoadStrategy"), "normal"); + break; + case PageLoadStrategy::Eager: + capabilitiesObject->setString(ASCIILiteral("pageLoadStrategy"), "eager"); + break; + } + // FIXME: implement proxy support. + capabilitiesObject->setObject(ASCIILiteral("proxy"), JSON::Object::create()); + RefPtr timeoutsObject = JSON::Object::create(); + timeoutsObject->setInteger(ASCIILiteral("script"), m_session->scriptTimeout().millisecondsAs()); + timeoutsObject->setInteger(ASCIILiteral("pageLoad"), m_session->pageLoadTimeout().millisecondsAs()); + timeoutsObject->setInteger(ASCIILiteral("implicit"), m_session->implicitWaitTimeout().millisecondsAs()); + capabilitiesObject->setObject(ASCIILiteral("timeouts"), WTFMove(timeoutsObject)); + resultObject->setObject(ASCIILiteral("capabilities"), WTFMove(capabilitiesObject)); completionHandler(CommandResult::success(WTFMove(resultObject))); }); @@ -703,6 +732,16 @@ completionHandler(CommandResult::success(WTFMove(body))); } +void WebDriverService::getTimeouts(RefPtr&& parameters, Function&& completionHandler) +{ + // §8.4 Get Timeouts. + // https://w3c.github.io/webdriver/webdriver-spec.html#get-timeouts + if (!findSessionOrCompleteWithError(*parameters, completionHandler)) + return; + + m_session->getTimeouts(WTFMove(completionHandler)); +} + void WebDriverService::setTimeouts(RefPtr&& parameters, Function&& completionHandler) { // §8.5 Set Timeouts. 
@@ -1164,6 +1203,26 @@ m_session->getElementProperty(elementID.value(), attribute, WTFMove(completionHandler)); } +void WebDriverService::getElementCSSValue(RefPtr&& parameters, Function&& completionHandler) +{ + // §13.4 Get Element CSS Value + // https://w3c.github.io/webdriver/webdriver-spec.html#get-element-css-value + if (!findSessionOrCompleteWithError(*parameters, completionHandler)) + return; + + auto elementID = findElementOrCompleteWithError(*parameters, completionHandler); + if (!elementID) + return; + + String cssProperty; + if (!parameters->getString(ASCIILiteral("name"), cssProperty)) { + completionHandler(CommandResult::fail(CommandResult::ErrorCode::InvalidArgument)); + return; + } + + m_session->getElementCSSValue(elementID.value(), cssProperty, WTFMove(completionHandler)); +} + void WebDriverService::getElementText(RefPtr&& parameters, Function&& completionHandler) { // §13.5 Get Element Text. diff -Nru webkit2gtk-2.18.5/Source/WebDriver/WebDriverService.h webkit2gtk-2.18.6/Source/WebDriver/WebDriverService.h --- webkit2gtk-2.18.5/Source/WebDriver/WebDriverService.h 2017-12-18 17:33:06.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebDriver/WebDriverService.h 2018-01-24 09:55:25.000000000 +0000 @@ -63,6 +63,7 @@ void newSession(RefPtr&&, Function&&); void deleteSession(RefPtr&&, Function&&); void status(RefPtr&&, Function&&); + void getTimeouts(RefPtr&&, Function&&); void setTimeouts(RefPtr&&, Function&&); void go(RefPtr&&, Function&&); void getCurrentURL(RefPtr&&, Function&&); 
@@ -86,6 +87,7 @@ void isElementSelected(RefPtr&&, Function&&); void getElementAttribute(RefPtr&&, Function&&); void getElementProperty(RefPtr&&, Function&&); + void getElementCSSValue(RefPtr&&, Function&&); void getElementText(RefPtr&&, Function&&); void getElementTagName(RefPtr&&, Function&&); void getElementRect(RefPtr&&, Function&&); diff -Nru webkit2gtk-2.18.5/Source/WebInspectorUI/UserInterface/Models/Resource.js webkit2gtk-2.18.6/Source/WebInspectorUI/UserInterface/Models/Resource.js --- webkit2gtk-2.18.5/Source/WebInspectorUI/UserInterface/Models/Resource.js 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebInspectorUI/UserInterface/Models/Resource.js 2018-01-24 08:30:17.000000000 +0000 @@ -949,6 +949,7 @@ .replace(/'/g, "\\'") .replace(/\n/g, "\\n") .replace(/\r/g, "\\r") + .replace(/!/g, "\\041") .replace(/[^\x20-\x7E]/g, escapeCharacter) + "'"; } else { // Use single quote syntax. diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.h webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.h --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.h 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.h 2018-01-24 08:32:10.000000000 +0000 
@@ -57,6 +57,7 @@ void canAuthenticateAgainstProtectionSpaceAsync(const WebCore::ProtectionSpace&) override; #endif bool isSynchronous() const override { return false; } + bool isAllowedToAskUserForCredentials() const final { return false; } void willSendRedirectedRequest(WebCore::ResourceRequest&&, WebCore::ResourceRequest&& redirectRequest, WebCore::ResourceResponse&& redirectResponse) override; ShouldContinueDidReceiveResponse didReceiveResponse(WebCore::ResourceResponse&&) override; void didReceiveBuffer(Ref&&, int reportedEncodedDataLength) override; diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/Downloads/PendingDownload.cpp 2018-01-24 08:32:10.000000000 +0000 @@ -41,6 +41,8 @@ PendingDownload::PendingDownload(NetworkLoadParameters&& parameters, DownloadID downloadID, NetworkSession& networkSession, const String& suggestedName) : m_networkLoad(std::make_unique(*this, WTFMove(parameters), networkSession)) { + m_isAllowedToAskUserForCredentials = parameters.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials; + m_networkLoad->setPendingDownloadID(downloadID); m_networkLoad->setPendingDownload(*this); m_networkLoad->setSuggestedFilename(suggestedName); 
@@ -51,6 +53,8 @@ PendingDownload::PendingDownload(std::unique_ptr&& networkLoad, DownloadID downloadID, const ResourceRequest& request, const ResourceResponse& response) : m_networkLoad(WTFMove(networkLoad)) { + m_isAllowedToAskUserForCredentials = m_networkLoad->isAllowedToAskUserForCredentials(); + m_networkLoad->setPendingDownloadID(downloadID); send(Messages::DownloadProxy::DidStart(request, String())); diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/Downloads/PendingDownload.h webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/Downloads/PendingDownload.h --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/Downloads/PendingDownload.h 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/Downloads/PendingDownload.h 2018-01-24 08:32:10.000000000 +0000 @@ -61,6 +61,7 @@ void canAuthenticateAgainstProtectionSpaceAsync(const WebCore::ProtectionSpace&) override; #endif bool isSynchronous() const override { return false; } + bool isAllowedToAskUserForCredentials() const final { return m_isAllowedToAskUserForCredentials; } void willSendRedirectedRequest(WebCore::ResourceRequest&&, WebCore::ResourceRequest&& redirectRequest, WebCore::ResourceResponse&& redirectResponse) override; ShouldContinueDidReceiveResponse didReceiveResponse(WebCore::ResourceResponse&&) override { return ShouldContinueDidReceiveResponse::No; }; void didReceiveBuffer(Ref&&, int reportedEncodedDataLength) override { }; @@ -73,6 +74,7 @@ private: std::unique_ptr m_networkLoad; + bool m_isAllowedToAskUserForCredentials; }; } diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkLoadClient.h webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkLoadClient.h --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkLoadClient.h 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkLoadClient.h 2018-01-24 08:32:10.000000000 +0000 
@@ -48,6 +48,8 @@ virtual bool isSynchronous() const = 0; + virtual bool isAllowedToAskUserForCredentials() const = 0; + virtual void didSendData(unsigned long long bytesSent, unsigned long long totalBytesToBeSent) = 0; #if USE(PROTECTION_SPACE_AUTH_CALLBACK) virtual void canAuthenticateAgainstProtectionSpaceAsync(const WebCore::ProtectionSpace&) = 0; diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkLoad.cpp webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkLoad.cpp --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkLoad.cpp 2017-08-18 07:28:45.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkLoad.cpp 2018-01-24 08:36:16.000000000 +0000 @@ -268,6 +268,11 @@ m_client.get().willSendRedirectedRequest(WTFMove(oldRequest), WTFMove(request), WTFMove(redirectResponse)); } +bool NetworkLoad::isAllowedToAskUserForCredentials() const +{ + return m_client.get().isAllowedToAskUserForCredentials(); +} + #if USE(NETWORK_SESSION) void NetworkLoad::convertTaskToDownload(PendingDownload& pendingDownload, const ResourceRequest& updatedRequest, const ResourceResponse& response) @@ -340,7 +345,7 @@ void NetworkLoad::completeAuthenticationChallenge(ChallengeCompletionHandler&& completionHandler) { bool isServerTrustEvaluation = m_challenge->protectionSpace().authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested; - if (m_parameters.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials && !isServerTrustEvaluation) { + if (!isAllowedToAskUserForCredentials() && !isServerTrustEvaluation) { completionHandler(AuthenticationChallengeDisposition::UseCredential, { }); return; } 
@@ -564,7 +569,7 @@ { ASSERT_UNUSED(handle, handle == m_handle); - if (m_parameters.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials) { + if (!isAllowedToAskUserForCredentials()) { challenge.authenticationClient()->receivedRequestToContinueWithoutCredential(challenge); return; } diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkLoad.h webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkLoad.h --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkLoad.h 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkLoad.h 2018-01-24 08:32:10.000000000 +0000 @@ -64,6 +64,8 @@ void setDefersLoading(bool); void cancel(); + bool isAllowedToAskUserForCredentials() const; + const WebCore::ResourceRequest& currentRequest() const { return m_currentRequest; } void clearCurrentRequest() { m_currentRequest = WebCore::ResourceRequest(); } diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp --- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2017-08-09 09:13:52.000000000 +0000 +++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-01-24 08:32:10.000000000 +0000 
@@ -82,11 +82,12 @@ } NetworkResourceLoader::NetworkResourceLoader(const NetworkResourceLoadParameters& parameters, NetworkConnectionToWebProcess& connection, RefPtr&& synchronousReply) - : m_parameters(parameters) - , m_connection(connection) - , m_defersLoading(parameters.defersLoading) - , m_bufferingTimer(*this, &NetworkResourceLoader::bufferingTimerFired) - , m_cache(sessionID().isEphemeral() ? nullptr : NetworkProcess::singleton().cache()) + : m_parameters { parameters } + , m_connection { connection } + , m_defersLoading { parameters.defersLoading } + , m_isAllowedToAskUserForCredentials { parameters.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials } + , m_bufferingTimer { *this, &NetworkResourceLoader::bufferingTimerFired } + , m_cache { sessionID().isEphemeral() ? nullptr : NetworkProcess::singleton().cache() } { ASSERT(RunLoop::isMain()); // FIXME: This is necessary because of the existence of EmptyFrameLoaderClient in WebCore. @@ -464,7 +465,9 @@ m_networkLoad->clearCurrentRequest(); overridenRequest = ResourceRequest(); } - continueWillSendRequest(WTFMove(overridenRequest)); + // We do not support prompting for credentials for synchronous loads. If we ever change this policy then + // we need to take care to prompt if and only if request and redirectRequest are not mixed content. + continueWillSendRequest(WTFMove(overridenRequest), false); return; } send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, redirectResponse)); 
@@ -477,10 +480,12 @@
 #endif
 }
-void NetworkResourceLoader::continueWillSendRequest(ResourceRequest&& newRequest)
+void NetworkResourceLoader::continueWillSendRequest(ResourceRequest&& newRequest, bool isAllowedToAskUserForCredentials)
 {
 RELEASE_LOG_IF_ALLOWED("continueWillSendRequest: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ")", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier);
+ m_isAllowedToAskUserForCredentials = isAllowedToAskUserForCredentials;
+
 // If there is a match in the network cache, we need to reuse the original cache policy and partition.
 newRequest.setCachePolicy(originalRequest().cachePolicy());
 newRequest.setCachePartition(originalRequest().cachePartition());
diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkResourceLoader.h webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkResourceLoader.h
--- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkResourceLoader.h 2017-08-18 07:28:45.000000000 +0000
+++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkResourceLoader.h 2018-01-24 08:32:10.000000000 +0000
@@ -72,7 +72,7 @@
 #if USE(PROTECTION_SPACE_AUTH_CALLBACK)
 void continueCanAuthenticateAgainstProtectionSpace(bool);
 #endif
- void continueWillSendRequest(WebCore::ResourceRequest&& newRequest);
+ void continueWillSendRequest(WebCore::ResourceRequest&& newRequest, bool isAllowedToAskUserForCredentials);
 const WebCore::ResourceResponse& response() const { return m_response; }
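Review bot: `m_isAllowedToAskUserForCredentials = isAllowedToAskUserForCredentials;` overwrites the flag unconditionally with a value that, per the messages.in and WebResourceLoader.cpp hunks, arrives over IPC from the web process, so a web process can switch prompting back on for a load whose original NetworkResourceLoadParameters said `CannotAskClientForCredentials`. The network process cannot verify the mixed-content decision made on the other side, but it can refuse to widen the initial policy: `m_isAllowedToAskUserForCredentials = isAllowedToAskUserForCredentials && m_parameters.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials;`. That keeps the flag monotone in the safe direction (the web process may only revoke, never grant), and the matching declaration in the NetworkResourceLoader.h hunk could say so in a comment on the parameter. The function continues outside the hunk.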
@@ -90,6 +90,7 @@
 void canAuthenticateAgainstProtectionSpaceAsync(const WebCore::ProtectionSpace&) override;
 #endif
 bool isSynchronous() const override;
+ bool isAllowedToAskUserForCredentials() const override { return m_isAllowedToAskUserForCredentials; }
 void willSendRedirectedRequest(WebCore::ResourceRequest&&, WebCore::ResourceRequest&& redirectRequest, WebCore::ResourceResponse&&) override;
 ShouldContinueDidReceiveResponse didReceiveResponse(WebCore::ResourceResponse&&) override;
 void didReceiveBuffer(Ref&&, int reportedEncodedDataLength) override;
@@ -154,6 +155,7 @@
 bool m_wasStarted { false };
 bool m_didConsumeSandboxExtensions { false };
 bool m_defersLoading { false };
+ bool m_isAllowedToAskUserForCredentials { false };
 size_t m_numBytesReceived { 0 };
 unsigned m_retrievedDerivedDataCount { 0 };
diff -Nru webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkResourceLoader.messages.in webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkResourceLoader.messages.in
--- webkit2gtk-2.18.5/Source/WebKit/NetworkProcess/NetworkResourceLoader.messages.in 2017-08-09 09:13:52.000000000 +0000
+++ webkit2gtk-2.18.6/Source/WebKit/NetworkProcess/NetworkResourceLoader.messages.in 2018-01-24 08:32:10.000000000 +0000
@@ -22,6 +22,6 @@
 messages -> NetworkResourceLoader LegacyReceiver {
- ContinueWillSendRequest(WebCore::ResourceRequest request)
+ ContinueWillSendRequest(WebCore::ResourceRequest request, bool isAllowedToAskUserForCredentials)
 ContinueDidReceiveResponse()
 }
diff -Nru webkit2gtk-2.18.5/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp webkit2gtk-2.18.6/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp
--- webkit2gtk-2.18.5/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp 2017-08-09 09:13:52.000000000 +0000
+++ webkit2gtk-2.18.6/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp 2018-01-24 08:32:10.000000000 +0000
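Review bot: `bool m_isAllowedToAskUserForCredentials { false };` in the -154 hunk has no comment, and its `false` default is the fail-closed safety net for any constructor path that does not set the member explicitly, which a later maintainer could reasonably flip without realising what it protects. I would annotate it: `// Fail closed. Set from clientCredentialPolicy in the constructor and refreshed on every redirect by continueWillSendRequest().` With that in place the inline override `isAllowedToAskUserForCredentials() const override` in the -90 hunk needs no comment of its own, and the messages.in change is consistent with the new continueWillSendRequest signature.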
@@ -94,7 +94,7 @@
 if (!protectedThis->m_coreLoader)
 return;
- protectedThis->send(Messages::NetworkResourceLoader::ContinueWillSendRequest(request));
+ protectedThis->send(Messages::NetworkResourceLoader::ContinueWillSendRequest(request, protectedThis->m_coreLoader->isAllowedToAskUserForCredentials()));
 });
 }
diff -Nru webkit2gtk-2.18.5/Source/WebKit/WebProcess/WebProcess.cpp webkit2gtk-2.18.6/Source/WebKit/WebProcess/WebProcess.cpp
--- webkit2gtk-2.18.5/Source/WebKit/WebProcess/WebProcess.cpp 2018-01-10 08:36:03.000000000 +0000
+++ webkit2gtk-2.18.6/Source/WebKit/WebProcess/WebProcess.cpp 2018-01-24 09:38:48.000000000 +0000
@@ -265,6 +265,7 @@
 WebCore::releaseMemory(critical, synchronous);
 });
 #if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MAX_ALLOWED >= 101200) || PLATFORM(GTK) || PLATFORM(WPE)
+#if CPU(X86_64) || CPU(ARM64)
 memoryPressureHandler.setShouldUsePeriodicMemoryMonitor(true);
 memoryPressureHandler.setMemoryKillCallback([this] () {
 WebCore::logMemoryStatisticsAtTimeOfDeath();
@@ -277,6 +278,7 @@
 parentProcessConnection()->send(Messages::WebProcessProxy::DidExceedInactiveMemoryLimitWhileActive(), 0);
 });
 #endif
+#endif
 memoryPressureHandler.setMemoryPressureStatusChangedCallback([this](bool isUnderMemoryPressure) {
 if (parentProcessConnection())
 parentProcessConnection()->send(Messages::WebProcessProxy::MemoryPressureStatusChanged(isUnderMemoryPressure), 0);
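Review bot: The new argument `protectedThis->m_coreLoader->isAllowedToAskUserForCredentials()` is evaluated inside the completion lambda, after the `if (!protectedThis->m_coreLoader) return;` guard, so the dereference is safe, but the policy is read at reply time rather than when the redirect was received; if the core loader's state can change between the two, the flag sent may not describe the request this reply answers, which is worth confirming. Stylistically the send line is now long enough that a local, `const bool isAllowedToAskUserForCredentials = protectedThis->m_coreLoader->isAllowedToAskUserForCredentials();`, passed into the message would read better. The enclosing function starts outside the hunk.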
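Review bot: The added `#if CPU(X86_64) || CPU(ARM64)` nests inside the existing platform `#if`, and its closer `+#endif` in the -277 hunk is one of two bare `#endif`s in a row, so the pairing has to be counted by hand. I would write `#endif // CPU(X86_64) || CPU(ARM64)` and `#endif // PLATFORM(...)` on the two closers, and put a one-line comment above the inner `#if` giving the reason the periodic memory monitor and kill callback are limited to 64-bit targets, since that rationale is not in the diff. The enclosing function starts and ends outside both hunks.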