Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ea9560f779284b145f3e0b061e48699fd3df777f
      https://github.com/WebKit/WebKit/commit/ea9560f779284b145f3e0b061e48699fd3df777f
  Author: Basuke Suzuki <[email protected]>
  Date:   2026-03-16 (Mon, 16 Mar 2026)

  Changed paths:
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebKit/Shared/WebBackForwardListFrameItem.cpp
    M Source/WebKit/Shared/WebBackForwardListFrameItem.h
    M Source/WebKit/Shared/WebBackForwardListItem.cpp
    M Source/WebKit/Shared/WebBackForwardListItem.h
    M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
    M Source/WebKit/UIProcess/ProvisionalPageProxy.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp

  Log Message:
  -----------
  Send only target frame's FrameState during back/forward navigation when useUIProcessForBackForwardItemLoading is enabled
https://bugs.webkit.org/show_bug.cgi?id=309791
rdar://171032743

Reviewed by Sihui Liu.

When useUIProcessForBackForwardItemLoading is enabled, the UI process
sends each frame only its own FrameState (without children) during
back/forward navigation. Child frames receive their FrameState
individually through the existing dispatchBackForwardItemLoading path.

Previously, the full frame tree was sent to a single web process via
GoToBackForwardItem, which is a Site Isolation violation — a web process
should not receive FrameState for cross-origin child frames hosted in
other processes. This change ensures each process only receives data for
the frames it hosts.

On the sending side, add copyFrameState() / copyMainFrameState() methods
that copy FrameState without children, and use them in all three UI
process paths that send GoToBackForwardItem: WebPageProxy::goToBackForwardItem,
ProvisionalPageProxy::goToBackForwardItem, and 
WebPageProxy::launchProcessForReload.

On the receiving side, rebuild the parent-child HistoryItem tree in
FrameLoader::setRequestedHistoryItem so the tree structure matches what
createItemTree would have produced during a normal navigation. Add
assertions to verify children are empty when the preference is enabled.

No new tests. Ensured by ASSERT.

* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadChildHistoryItemIntoFrame):
(WebCore::FrameLoader::setRequestedHistoryItem):
* Source/WebKit/Shared/WebBackForwardListFrameItem.cpp:
(WebKit::WebBackForwardListFrameItem::copyFrameState):
(WebKit::WebBackForwardListFrameItem::copyFrameStateWithChildren):
* Source/WebKit/Shared/WebBackForwardListFrameItem.h:
* Source/WebKit/Shared/WebBackForwardListItem.cpp:
(WebKit::WebBackForwardListItem::copyMainFrameState const):
* Source/WebKit/Shared/WebBackForwardListItem.h:
* Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::goToBackForwardItem):
(WebKit::ProvisionalPageProxy::copyFrameStateForBackForwardNavigation const):
* Source/WebKit/UIProcess/ProvisionalPageProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::launchProcessForReload):
(WebKit::WebPageProxy::goToBackForwardItem):
(WebKit::WebPageProxy::processOfTheFrameItem const):
(WebKit::WebPageProxy::copyFrameStateForBackForwardNavigation const):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::setHistoryItemForBackForwardNavigation):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::goToBackForwardItem):

Canonical link: https://commits.webkit.org/309344@main
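
The delivery change described in the log message above, as an added example that is not part of the commit or of WebKit's code. It is a simplified C++ model: `FrameState`, `hostProcess`, `Delivered` and every function here are hypothetical stand-ins, and the frame tree is a constructed sample. It counts how many frame states reach a process that does not host the frame under each strategy.

```cpp
// Simplified model of the two delivery strategies (added example, not WebKit code).
#include <cstdio>
#include <string>
#include <vector>

struct FrameState {                       // hypothetical stand-in for the real type
    std::string url;
    int hostProcess;                      // assumed: id of the process hosting this frame
    std::vector<FrameState> children;
};
struct Delivered { int receiver; std::string url; int hostProcess; };

// Models the "copy without children" idea from the log message.
FrameState copyWithoutChildren(const FrameState& s) { return { s.url, s.hostProcess, {} }; }

// Record that `receiver` is handed `s` and everything still attached below it.
static void deliver(const FrameState& s, int receiver, std::vector<Delivered>& out) {
    out.push_back({ receiver, s.url, s.hostProcess });
    for (const auto& child : s.children)
        deliver(child, receiver, out);
}
// Old behaviour: the whole tree goes to the main frame's process.
std::vector<Delivered> sendFullTree(const FrameState& root) {
    std::vector<Delivered> out;
    deliver(root, root.hostProcess, out);
    return out;
}
// New behaviour: each frame's state, stripped of children, goes to its own process.
void sendPerFrame(const FrameState& s, std::vector<Delivered>& out) {
    deliver(copyWithoutChildren(s), s.hostProcess, out);
    for (const auto& child : s.children)
        sendPerFrame(child, out);
}
// Count frame states that reached a process which does not host that frame.
int crossProcessLeaks(const std::vector<Delivered>& d) {
    int leaks = 0;
    for (const auto& e : d)
        leaks += (e.receiver != e.hostProcess);
    return leaks;
}
// Constructed sample: main frame in process 1, a same-site and a cross-site child.
FrameState sampleTree() {
    return { "https://a.example/", 1, { { "https://a.example/ad", 1, {} }, { "https://b.example/widget", 2, {} } } };
}

int main() {
    std::vector<Delivered> perFrame;
    sendPerFrame(sampleTree(), perFrame);
    std::printf("full tree: %d leak(s), per frame: %d leak(s)\n", crossProcessLeaks(sendFullTree(sampleTree())), crossProcessLeaks(perFrame));
}
```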
