Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5d32c1ef78c3d11fa397fca3d8e46418b32e3abe
https://github.com/WebKit/WebKit/commit/5d32c1ef78c3d11fa397fca3d8e46418b32e3abe
Author: Ruthvik Konda <[email protected]>
Date: 2025-11-21 (Fri, 21 Nov 2025)
Changed paths:
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm
Log Message:
-----------
[Site Isolation] Make MESSAGE_CHECK in commitLayerTree() robust against
process swaps in Site Isolation
https://bugs.webkit.org/show_bug.cgi?id=302497
rdar://164916965
Reviewed by Matt Woodrow.
302408@main added a MESSAGE_CHECK at the start of commitLayerTree() to verify that main frame data is only provided from the main frame process. This MESSAGE_CHECK caused API test SiteIsolation.NavigationAfterWindowOpen and layout tests LayoutTests/http/tests/site-isolation/window-open-with-name-cross-site.html and http/tests/site-isolation/history/add-iframes-and-navigate-mainframe.html to be flaky crashes. And so, we reverted the MESSAGE_CHECK portion of 302408@main in 303201@main.

The flaky crashes are due to process swaps that occur due to cross site navigations in Site Isolation.

Let's say you're on site a.com and do window.open(b.com). If you take this scenario and then do window.open(c.com, "same target as b.com"), a process swap gets triggered. A new WebProcessProxy gets spun up. A new ProvisionalPageProxy (which is really just a weak reference to the existing b.com WebPageProxy) with a new RemoteLayerTreeDrawingAreaProxy gets spun up which corresponds to the new c.com WCP. When the c.com WCP sends its CommitLayerTree message, if the swap isn't done yet (WebPageProxy::swapToProvisionalPage(), which does m_mainFrame = provisionalPage->mainFrame()), then the m_mainFrame in this ProvisionalPageProxy is still old (corresponds to b.com still) and so the MESSAGE_CHECK fails.

To solve this, we now add the MESSAGE_CHECK back but using m_webProcessProxy in DrawingAreaProxy. m_webProcessProxy is always set to the main frame process for that Page/PageProxy. Non-mainframe processes (which are cross site iframe processes) take a different path by sending to RemotePageDrawingAreaProxy, which then gets forwarded to RemoteLayerTreeDrawingAreaProxy. So we can safely use this to verify main frame process identity.

This PR relies on https://github.com/WebKit/WebKit/pull/53683 being landed first since it makes bundle.mainFrameData the sole source of truth for checking for main frame identity.

* Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:
(WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree):
Canonical link: https://commits.webkit.org/303415@main