Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: af331edbbff1ffce04f48a635dafbd5e4420e065
https://github.com/WebKit/WebKit/commit/af331edbbff1ffce04f48a635dafbd5e4420e065
  Author: Rupin Mittal <[email protected]>
  Date:   2026-03-18 (Wed, 18 Mar 2026)

  Changed paths:
    M LayoutTests/platform/ios-site-isolation/TestExpectations
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M Source/WebCore/bindings/js/JSDOMBindingSecurity.h
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
    M Source/WebCore/bindings/scripts/IDLAttributes.json
    M Source/WebCore/html/HTMLEmbedElement.idl
    M Source/WebCore/html/HTMLIFrameElement.idl
    M Source/WebCore/html/HTMLObjectElement.idl

  Log Message:
  -----------
  [Site Isolation] 2x xss-DENIED-getSVGDocument-*.html tests are failing
https://bugs.webkit.org/show_bug.cgi?id=310138
rdar://172779838

Reviewed by Ryosuke Niwa.

In this test, a main frame contains an SVG object whose data is hosted
cross-site. The test verifies that the main frame cannot access the SVG's
document.

It fails with site isolation enabled because its output does not contain:
"CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from
accessing a frame with origin "http://localhost:8080". Protocols, domains, and
ports must match."

With site isolation off, the flow is:
1. HTMLFrameOwnerElement::getSVGDocument()
2. HTMLFrameOwnerElement::contentDocument()
   This gets the SVG's frame if local and returns the document
3. BindingSecurity::checkSecurityForNode()
   (Since the IDL for getSVGDocument() is marked with [CheckSecurityForNode])
4. BindingSecurity::shouldAllowAccessToNode()
5. canAccessDocument()
6. canAccessTargetOrigin()
   Log crossDomainAccessErrorMessage and return false

With site isolation on, contentDocument() returns nullptr because the SVG's
frame is remote. Then shouldAllowAccessToNode returns true (the target node is
null). So we allow access to the node, but the node is null.

So the test succeeds in that the SVG's document is not accessible, but fails
simply because the console message was not logged. We still want to log
this message.

So we add a new IDL attribute [CheckSecurityForNodeWithOwner] and use it on
getSVGDocument(). So now calling getSVGDocument() will call
shouldAllowAccessToNodeWithOwner(). Since the node is null, we will call
shouldAllowAccessToFrame() which will see that the frame is remote and
canAccessTargetOrigin() will log the console message.

This also fixes xss-DENIED-getSVGDocument-iframe.html.

* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/bindings/js/JSDOMBindingSecurity.h:
(WebCore::BindingSecurity::checkSecurityForNodeWithOwner):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(NativeToJSValue):
* Source/WebCore/bindings/scripts/IDLAttributes.json:
* Source/WebCore/html/HTMLEmbedElement.idl:
* Source/WebCore/html/HTMLIFrameElement.idl:
* Source/WebCore/html/HTMLObjectElement.idl:

Canonical link: https://commits.webkit.org/309527@main
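The failure mode described in the commit message (a security check that passes vacuously when the target node is null, so the denial is never logged) is easy to model outside WebKit. The following is an added illustration written for this page, not WebKit's own code: the `Origin`, `Frame`, `Document` types and the `shouldAllowAccessToNode` / `shouldAllowAccessToNodeWithOwner` functions are simplified stand-ins for the WebCore functions named above, and the origins `http://127.0.0.1:8000` and `http://localhost:8080` are taken from the expected console message.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// Constructed model of a security origin. Access is allowed only when
// protocol, domain and port all match, as the console message says.
struct Origin {
    std::string protocol;
    std::string host;
    int port;
    bool operator==(const Origin& o) const {
        return protocol == o.protocol && host == o.host && port == o.port;
    }
    std::string toString() const {
        return protocol + "://" + host + ":" + std::to_string(port);
    }
};

struct Document { Origin origin; };

// A frame is either local (its document is reachable from this process) or
// remote under site isolation, in which case contentDocument() is null.
struct Frame {
    Origin origin;
    bool isRemote;
    Document document;
    const Document* contentDocument() const { return isRemote ? nullptr : &document; }
};

// Console output collected so callers can check what was (not) logged.
static std::vector<std::string> consoleMessages;

static std::string crossDomainAccessErrorMessage(const Origin& active, const Origin& target) {
    return "Blocked a frame with origin \"" + active.toString()
        + "\" from accessing a frame with origin \"" + target.toString()
        + "\". Protocols, domains, and ports must match.";
}

// Stand-in for canAccessTargetOrigin(): log the error and deny on mismatch.
static bool canAccessTargetOrigin(const Origin& active, const Origin& target) {
    if (active == target)
        return true;
    consoleMessages.push_back(crossDomainAccessErrorMessage(active, target));
    return false;
}

// Pre-fix behaviour (hypothetical model): a null target node is allowed
// vacuously, so a remote frame produces "allowed" and no console message.
static bool shouldAllowAccessToNode(const Origin& active, const Document* node) {
    if (!node)
        return true;
    return canAccessTargetOrigin(active, node->origin);
}

// Post-fix behaviour (hypothetical model): when the node is null, fall back
// to the owner element's content frame so a remote frame is still checked
// and the denial message is still logged.
static bool shouldAllowAccessToNodeWithOwner(const Origin& active, const Document* node,
                                             const Frame& ownerContentFrame) {
    if (node)
        return canAccessTargetOrigin(active, node->origin);
    return canAccessTargetOrigin(active, ownerContentFrame.origin);
}

struct Outcome {
    bool allowed;
    size_t messagesLogged;
};

// Runs the getSVGDocument() scenario: a main frame at 127.0.0.1:8000 reaches
// into an SVG object frame at localhost:8080, with or without site isolation
// and with the old or the new check.
static Outcome runScenario(bool siteIsolation, bool withOwnerCheck) {
    consoleMessages.clear();
    Origin mainOrigin{"http", "127.0.0.1", 8000};
    Origin svgOrigin{"http", "localhost", 8080};
    Frame svgFrame{svgOrigin, siteIsolation, Document{svgOrigin}};
    const Document* doc = svgFrame.contentDocument();
    bool allowed = withOwnerCheck
        ? shouldAllowAccessToNodeWithOwner(mainOrigin, doc, svgFrame)
        : shouldAllowAccessToNode(mainOrigin, doc);
    return {allowed, consoleMessages.size()};
}

int main() {
    for (bool iso : {false, true}) {
        for (bool owner : {false, true}) {
            Outcome o = runScenario(iso, owner);
            std::cout << "siteIsolation=" << iso << " withOwnerCheck=" << owner
                      << " allowed=" << o.allowed << " logged=" << o.messagesLogged << "\n";
        }
    }
    return 0;
}
```

The second case (site isolation on, old check) is the bug: the document is unreachable, so the test's access still fails, but the check reports "allowed" and nothing is logged. Falling back to the owner's frame restores the console message without changing what the caller can reach.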
