Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b9f789219c6581462af54ae1afbfd95da752ee9c
https://github.com/WebKit/WebKit/commit/b9f789219c6581462af54ae1afbfd95da752ee9c
Author: Anthony Tarbinian <[email protected]>
Date: 2026-04-22 (Wed, 22 Apr 2026)
Changed paths:
M LayoutTests/TestExpectations
M LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/NavigationRequester.cpp
M Source/WebCore/loader/NavigationRequester.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
[Site Isolation] Fix block-top-level-navigation-via-redirect-by-third-party-iframes
https://bugs.webkit.org/show_bug.cgi?id=311128
rdar://173717035
Reviewed by Sihui Liu.
Handles the case when site isolation is enabled and a cross-origin iframe
tries to navigate the top frame (by setting top.location) to
a same-origin site which has a cross-origin redirect.
Example:
Top frame's origin is https://a.com
Cross-origin iframe's origin is https://b.com
The cross-origin iframe attempts to navigate the top frame
to a same-origin site (https://a.com) which has a cross-origin
redirect (to https://b.com) via the following JavaScript:
top.location = "https://a.com?url=https://b.com"
If the server hosting a.com responds with a redirect (302 status code)
then WebKit will inspect the validity of the redirect.
In this case, while the initial navigation is same origin and should
be allowed, the redirect goes to a cross-origin site relative to the
top frame. Since the requesting frame is cross-origin, this redirect
should be blocked.
In DocumentLoader::willSendRequest, WebKit inspects the redirect request
and determines if it should be allowed or blocked.
When Site Isolation was enabled,
Document::allDocumentsMap().get(requester->documentIdentifier)
would return null since the requestingDocument was in a cross-origin
RemoteFrame from another process. As a result, the log that reads
"Unsafe JavaScript attempt to initiate navigation for frame ..."
was never logged.
This patch updates DocumentLoader::willSendRequest for site isolation
when requestingDocument is null. Instead,
isNavigationBlockedByThirdPartyIFrameRedirectBlocking
has been updated to be a static method which doesn't depend on Document.
Instead, it takes a NavigationRequester. The Document fields which
isNavigationBlockedByThirdPartyIFrameRedirectBlocking
uses normally have been populated as new fields in NavigationRequester.
The test was also flaky because it only waited 100ms for the cross-site
redirect to be processed and blocked. This was often not enough time,
causing the test to finish before the redirect was handled and the
"Unsafe JavaScript attempt to initiate navigation for frame ..."
console message was generated. This patch also increases the
timeout to 1000ms.
* LayoutTests/TestExpectations:
* LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes.html:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::canNavigate):
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
* Source/WebCore/dom/Document.h:
(WebCore::Document::hasLoadedThirdPartyScript const):
(WebCore::Document::hasLoadedThirdPartyFrame const):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/311805@main
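The decision described in the commit message, as an added illustrative model written for this page (not WebKit's code, and not the commit's own logic): a navigation of the top frame requested by a cross-origin iframe is allowed while the request stays on the top frame's origin, and becomes blocked at the first redirect hop that leaves that origin. The function name, the `chain` representation of the redirect hops and the a.com/b.com sample values are assumptions; WebKit's real check has further conditions the commit message does not list.

```javascript
// Illustrative model of third-party-iframe redirect blocking (not WebKit code).
// Inputs: the top frame's origin, the origin of the frame that set
// top.location, and the navigation's URL chain (initial request followed by
// each redirect target, in order).

function originOf(url) {
  // The URL API gives scheme://host[:port], which is what we compare.
  return new URL(url).origin;
}

// Returns { blocked, hop, url }: hop is the index in `chain` of the first
// URL that is cross-origin to the top frame, or null when nothing is blocked.
function checkTopNavigation({ topOrigin, requesterOrigin, chain }) {
  // A same-origin requester is not a third-party iframe; the redirect check
  // described in the commit does not apply to it.
  if (requesterOrigin === topOrigin) {
    return { blocked: false, hop: null, url: null };
  }
  // Walk the chain. The initial request (hop 0) may be same-origin and thus
  // allowed; a later redirect (willSendRequest) is inspected on its own.
  for (let i = 0; i < chain.length; i++) {
    if (originOf(chain[i]) !== topOrigin) {
      return { blocked: true, hop: i, url: chain[i] };
    }
  }
  return { blocked: false, hop: null, url: null };
}

// Constructed sample mirroring the commit's example: top frame a.com,
// iframe b.com, top.location = "https://a.com?url=https://b.com",
// server on a.com answers 302 to b.com.
const sample = {
  topOrigin: "https://a.com",
  requesterOrigin: "https://b.com",
  chain: ["https://a.com/?url=https://b.com", "https://b.com/"],
};

const verdict = checkTopNavigation(sample);
console.log(verdict); // blocked at hop 1 (the redirect to https://b.com/)
```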