Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cbbbc03ee0ea282e9985d32f4095fc22e3099f3e
https://github.com/WebKit/WebKit/commit/cbbbc03ee0ea282e9985d32f4095fc22e3099f3e
Author: Ahmad Saleem <[email protected]>
Date: 2026-04-03 (Fri, 03 Apr 2026)
Changed paths:
R LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-alias-expected.txt
R LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-alias.html
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window.html
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window.js
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window.js.headers
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/document-write.html
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/document-write.html.headers
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/iframe-with-about-blank-iframe.html
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/iframe-with-about-blank-iframe.html.headers
A LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/w3c-import.log
M LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/w3c-import.log
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
document.open() should not alias the caller's security origin
https://bugs.webkit.org/show_bug.cgi?id=310760
rdar://173369038

Reviewed by Brent Fulgham.

This patch aligns WebKit with Gecko / Firefox and Blink / Chromium.

Document::open() was calling setSecurityOriginPolicy() with the entry
document's SecurityOriginPolicy, making both documents share the same
SecurityOrigin object. This caused mutations like setting document.domain
on the caller to be visible through the callee.

Per specification [1], the document open steps for a fully active
document only require copying the URL: "Let newURL be a copy of
entryDocument's URL. If entryDocument is not document, then set newURL's
fragment to null..." (Step 12). There is no step that copies or aliases
the security origin.

Remove the setSecurityOriginPolicy() call since the callee already has
its own correct origin (inherited at creation time for about:blank, or
set from its URL for navigated documents), and the same-origin check at
the top of Document::open() already prevents cross-origin calls.

[1] https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps

Since there was only one test, this syncs the test as well.

Upstream commit:
https://github.com/web-platform-tests/wpt/commit/b592ce44eb85d5276d5743c731a8fb8e33508faf

The local test below was removed since Blink moved it to WPT (syncing here) [2]:

[2] https://chromium.googlesource.com/chromium/src/+/33a4fd415caf5a3bbccb66bfb9a3d4c0f58a25f4

* LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-alias-expected.txt: Removed.
* LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-alias.html: Removed.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window.js: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/document-write.https.window.js.headers: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/document-write.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/document-write.html.headers: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/iframe-with-about-blank-iframe.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/iframe-with-about-blank-iframe.html.headers: Added.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/resources/w3c-import.log: Copied from LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/w3c-import.log.
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/inheritance/w3c-import.log:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::open):

Canonical link: https://commits.webkit.org/310543@main
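
The aliasing described in the log message, as an added illustration that is not part of the commit or of WebKit's code: a small stand-alone C++ model in which sharing one origin object makes a later document.domain change on the caller visible through the callee, while copying only the URL does not. All type and function names (`Origin`, `Doc`, `OpenMode`, `openDocument`, `setDomain`) and the example.test URLs are hypothetical.

```cpp
#include <memory>
#include <string>

// Simplified model of the aliasing bug; every name here is hypothetical, not WebKit API.
struct Origin {
    std::string scheme, host;
    int port = 443;
    std::string domain;          // value set through document.domain
    bool domainWasSet = false;
};

struct Doc {
    std::string url;
    std::shared_ptr<Origin> origin;
};

enum class OpenMode { AliasEntryOrigin, CopyUrlOnly };

static bool sameOrigin(const Origin& a, const Origin& b) {
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

// document.domain setter: mutates the Origin object the document points at.
static void setDomain(Doc& d, const std::string& value) {
    d.origin->domain = value;
    d.origin->domainWasSet = true;
}

// Model of document.open(): same-origin check, then copy the entry document's URL.
static bool openDocument(Doc& callee, const Doc& entry, OpenMode mode) {
    if (!sameOrigin(*callee.origin, *entry.origin))
        return false;                                   // cross-origin call rejected
    std::string newURL = entry.url;
    if (&callee != &entry)
        newURL = newURL.substr(0, newURL.find('#'));    // fragment set to null
    callee.url = newURL;
    if (mode == OpenMode::AliasEntryOrigin)
        callee.origin = entry.origin;                   // pre-fix: both share one object
    return true;
}

// True when a later document.domain change on the caller shows up in the callee.
bool domainChangeLeaksToCallee(OpenMode mode) {
    Doc parent{"https://a.example.test/page#top",
               std::make_shared<Origin>(Origin{"https", "a.example.test"})};
    // about:blank child: gets its own copy of the creator's origin at creation time.
    Doc child{"about:blank", std::make_shared<Origin>(*parent.origin)};
    if (!openDocument(child, parent, mode))
        return false;
    setDomain(parent, "example.test");
    return child.origin->domainWasSet;
}
```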