Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 14926e2a244710d9f93bad46f6d4bf5aeaacf3a7
https://github.com/WebKit/WebKit/commit/14926e2a244710d9f93bad46f6d4bf5aeaacf3a7
Author: Roberto Rodriguez <[email protected]>
Date: 2026-05-08 (Fri, 08 May 2026)
Changed paths:
A LayoutTests/http/tests/site-isolation/resources/navigate-parent-to-blob.html
A LayoutTests/http/tests/site-isolation/sandbox-allow-top-navigation-cross-origin-iframe-expected.txt
A LayoutTests/http/tests/site-isolation/sandbox-allow-top-navigation-cross-origin-iframe.html
M Source/WebKit/UIProcess/WebFrameProxy.cpp
M Source/WebKit/UIProcess/WebFrameProxy.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
Log Message:
-----------
[Site Isolation] Popup's inherited origin lost during didCommitLoad
https://bugs.webkit.org/show_bug.cgi?id=314116
rdar://176293477
Reviewed by Sihui Liu.
A popup opened via window.open() inherits its opener's origin during frame construction.
When the about:blank document commits, didCommitLoad calls updateDocumentSecurityOrigin(nullptr)
which overwrites the inherited origin with an opaque one because the creator reference is not
retained. The opaque origin propagates to cross-origin processes via FrameTreeSyncData and
Page::mainFrameOrigin(), causing the sandbox exemption in
isNavigationBlockedByThirdPartyIFrameRedirectBlocking to fail because it can't verify the parent
is same-origin with the top frame, so navigations from sandboxed allow-top-navigation iframes are
incorrectly blocked.

Add a ForInitialization parameter to updateDocumentSecurityOrigin so the constructor path can set
opaque when no creator exists, while didCommitLoad leaves the origin unchanged and preserves
whatever was correctly set during construction. Pass the correct origin from FrameTreeSyncData to
setMainFrameURLAndOrigin in the web process so Page::mainFrameOrigin() reflects the inherited
origin. Make securityOrigin() public and use it in prepareForProvisionalLoadInProcess to derive
the main frame domain, so addAllowedFirstPartyForCookies registers the correct inherited domain
instead of an empty one for about:blank popups.
Test: http/tests/site-isolation/sandbox-allow-top-navigation-cross-origin-iframe.html
* LayoutTests/http/tests/site-isolation/resources/navigate-parent-to-blob.html: Added.
* LayoutTests/http/tests/site-isolation/sandbox-allow-top-navigation-cross-origin-iframe-expected.txt: Added.
* LayoutTests/http/tests/site-isolation/sandbox-allow-top-navigation-cross-origin-iframe.html: Added.
* Source/WebKit/UIProcess/WebFrameProxy.cpp:
(WebKit::WebFrameProxy::WebFrameProxy):
(WebKit::WebFrameProxy::prepareForProvisionalLoadInProcess):
(WebKit::WebFrameProxy::updateDocumentSecurityOrigin):
* Source/WebKit/UIProcess/WebFrameProxy.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::m_allowsImmersiveEnvironments):
Canonical link: https://commits.webkit.org/312937@main
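
A simplified model of the origin handling the log message describes, added here as an example; it is not WebKit source. `FrameModel`, `Origin`, the two `updateOrigin...` methods, `sameOrigin` and the sample origin are hypothetical stand-ins, and only the `ForInitialization` name comes from the message.

```cpp
#include <cstdio>
#include <string>

// Simplified model for illustration; not WebKit's classes or signatures.
struct Origin {
    bool opaque = true;      // a default-constructed origin is opaque
    std::string serialized;  // meaningful only when !opaque
};
static Origin tupleOrigin(const std::string& s) { Origin o; o.opaque = false; o.serialized = s; return o; }

enum class ForInitialization : bool { No, Yes };

struct FrameModel {
    Origin origin;
    // Behaviour the log message describes before the fix: a null creator always yields opaque.
    void updateOriginBeforeFix(const FrameModel* creator) {
        origin = creator ? creator->origin : Origin();
    }
    // Behaviour described after the fix: only the constructor path may fall back to opaque.
    void updateOriginAfterFix(const FrameModel* creator, ForInitialization init) {
        if (creator)
            origin = creator->origin;
        else if (init == ForInitialization::Yes)
            origin = Origin();
        // Commit path without a creator: keep what construction set.
    }
};

// Stand-in for the same-origin test behind the sandbox exemption; opaque never matches.
static bool sameOrigin(const Origin& a, const Origin& b) {
    return !a.opaque && !b.opaque && a.serialized == b.serialized;
}

// Opens a popup from an opener, commits about:blank, then asks whether a parent frame
// with the opener's origin is still recognised as same-origin with the popup's top frame.
bool exemptionAppliesAfterCommit(bool fixed) {
    FrameModel opener;
    opener.origin = tupleOrigin("https://opener.example");  // constructed sample origin
    FrameModel popup;
    if (fixed) {
        popup.updateOriginAfterFix(&opener, ForInitialization::Yes);  // construction
        popup.updateOriginAfterFix(nullptr, ForInitialization::No);   // didCommitLoad
    } else {
        popup.updateOriginBeforeFix(&opener);  // construction
        popup.updateOriginBeforeFix(nullptr);  // didCommitLoad
    }
    return sameOrigin(opener.origin, popup.origin);
}

int main() {
    std::printf("before fix: %d, after fix: %d\n", exemptionAppliesAfterCommit(false), exemptionAppliesAfterCommit(true));
    return 0;
}
```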