[webkit-changes] [WebKit/WebKit] 339576: [Site Isolation] cross-site-to-same-site-redirecti...

Fri, 08 May 2026 12:33:19 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 339576162549a8332736405e5e185ed65649f7e2
      
https://github.com/WebKit/WebKit/commit/339576162549a8332736405e5e185ed65649f7e2
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-05-08 (Fri, 08 May 2026)

  Changed paths:
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  [Site Isolation] cross-site-to-same-site-redirection-prefetch.https.html fails
https://bugs.webkit.org/show_bug.cgi?id=314375

Reviewed by Chris Dumez.

When `Document::setURL` is called from the `Document` constructor, it 
unconditionally calls
`LocalFrame::documentURLOrOriginDidChange`, which reads `frame->document()`. 
This document is
the old document this new Document is about to replace when 
LocalFrame::setDocument runs later
in DocumentWriter::begin. Normally the old document's URL matches 
m_topDocumentSyncData, but
under site isolation, IPC from another process 
(TopDocumentSyncDataChangedInAnotherProcess
/ AllTopDocumentSyncDataChangedInAnotherProcess / 
loadDidCommitInAnotherProcess) has already
mutated or replaced m_topDocumentSyncData, so the old document's URL no longer 
matches and
Page::setMainFrameURLAndOrigin's assertion that `url == 
m_topDocumentSyncData->documentURL`
fails.

This PR fixes this issue by guarding the call to documentURLOrOriginDidChange in
`Document::setURL`, and `Document::securityOriginDidChange` with a document 
identity check
so that the no-op-but-asserting dispatch doesn't run during construction. Real 
sync still
happens in Page::didChangeMainDocument via LocalFrame::setDocument.

Tests: 
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/history-traversal/pageswap/pageswap-push-with-cross-origin-redirect.sub.html
       
imported/w3c/web-platform-tests/speculation-rules/speculation-tags/cross-site-to-same-site-redirection-prefetch.https.html

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::setURL):
(WebCore::Document::securityOriginDidChange):

Canonical link: https://commits.webkit.org/312911@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to