Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 888c80c640da3d5a5224f727e3e45fbd6fbdf5b8
https://github.com/WebKit/WebKit/commit/888c80c640da3d5a5224f727e3e45fbd6fbdf5b8
Author: Roberto Rodriguez <[email protected]>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/loader/LocalFrameLoaderClient.h
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/page/csp/ContentSecurityPolicy.h
M Source/WebCore/platform/network/ResourceRequestBase.h
M Source/WebKit/UIProcess/API/APINavigation.cpp
M Source/WebKit/UIProcess/API/APINavigation.h
M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
M Source/WebKit/UIProcess/ProvisionalPageProxy.h
M Source/WebKit/UIProcess/WebFrameProxy.cpp
M Source/WebKit/UIProcess/WebFrameProxy.h
M Source/WebKit/UIProcess/WebFrameProxy.messages.in
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/UIProcess/WebPageProxy.messages.in
M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h
Log Message:
-----------
[Site Isolation] CSP upgrade-insecure-requests not applied when cross-process iframe navigates top frame
https://bugs.webkit.org/show_bug.cgi?id=313690
rdar://175889340
Reviewed by Alex Christensen.
When a cross-origin iframe navigates window.top.location.href to an http:// URL under site isolation, the parent's upgrade-insecure-requests CSP is never applied. The upgrade normally happens in FrameLoader::changeLocation() using the target frame's document CSP, but the site isolation path bypasses that code entirely and lands in a provisional page where no document exists to check.
Sync each frame's CSP navigation upgrade origins to its WebFrameProxy in the UIProcess. The set is sent in DidCommitLoadForFrame when the directive arrives via response header, or via a new DidChangeCSPOriginsThatUpgradeInsecureNavigations IPC to WebFrameProxy when added dynamically via meta tag. Then in receivedNavigationActionPolicyDecision, consult the set and upgrade the URL before process routing.
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/loader/LocalFrameLoaderClient.h:
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::setUpgradeInsecureRequests):
(WebCore::ContentSecurityPolicy::inheritInsecureNavigationRequestsToUpgradeFromOpener):
(WebCore::ContentSecurityPolicy::setInsecureNavigationRequestsToUpgrade):
(WebCore::ContentSecurityPolicy::notifyInsecureNavigationRequestsToUpgradeChanged const):
* Source/WebCore/page/csp/ContentSecurityPolicy.h:
* Source/WebCore/platform/network/ResourceRequestBase.h:
* Source/WebKit/UIProcess/API/APINavigation.cpp:
(API::Navigation::upgradeCurrentInsecureRequest):
* Source/WebKit/UIProcess/API/APINavigation.h:
* Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::didCommitLoadForFrame):
* Source/WebKit/UIProcess/ProvisionalPageProxy.h:
* Source/WebKit/UIProcess/WebFrameProxy.cpp:
(WebKit::WebFrameProxy::didCommitLoad):
(WebKit::WebFrameProxy::commitProvisionalFrame):
(WebKit::WebFrameProxy::didChangeCSPOriginsThatUpgradeInsecureNavigations):
* Source/WebKit/UIProcess/WebFrameProxy.h:
(WebKit::WebFrameProxy::cspOriginsThatUpgradeInsecureNavigations const):
(WebKit::WebFrameProxy::setCSPOriginsThatUpgradeInsecureNavigations):
* Source/WebKit/UIProcess/WebFrameProxy.messages.in:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::receivedNavigationActionPolicyDecision):
(WebKit::WebPageProxy::commitProvisionalPage):
(WebKit::WebPageProxy::didCommitLoadForFrame):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::dispatchDidChangeCSPOriginsThatUpgradeInsecureNavigations):
(WebKit::WebLocalFrameLoaderClient::dispatchDidCommitLoad):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h:
Canonical link: https://commits.webkit.org/314221@main
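A simplified model of the check the log message describes, added here as an illustration and not WebKit's code: the UI-process side holds a per-frame set of origins and consults it before routing a navigation. `Origin`, `FrameModel`, `parseURL`, `urlForProcessRouting`, the rule that the set is matched on the requested URL's http origin, and the `parent.example` sample are all assumptions of this sketch.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <tuple>

// Hypothetical stand-in for a security origin: (scheme, host, port).
using Origin = std::tuple<std::string, std::string, int>;
struct ParsedURL { std::string scheme, host, rest; int port = 0; };

// Minimal parser for scheme://host[:port][/path]; no userinfo, IPv6 literals or case folding.
bool parseURL(const std::string& url, ParsedURL& u) {
    auto sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return false;
    u.scheme = url.substr(0, sep);
    auto end = url.find_first_of("/?#", sep + 3);
    std::string authority = url.substr(sep + 3, end == std::string::npos ? end : end - sep - 3);
    u.rest = end == std::string::npos ? "" : url.substr(end);
    auto colon = authority.rfind(':');
    u.host = authority.substr(0, colon);
    u.port = u.scheme == "https" ? 443 : 80;
    if (colon != std::string::npos) {
        std::string p = authority.substr(colon + 1);
        if (p.empty() || p.size() > 5 || p.find_first_not_of("0123456789") != std::string::npos) return false;
        u.port = std::stoi(p);
    }
    return !u.host.empty();
}

// Hypothetical UI-process mirror of one frame's synced CSP origin set.
struct FrameModel { std::set<Origin> originsThatUpgradeInsecureNavigations; };

// URL handed to process routing: upgraded only when the target frame's set lists the http origin.
std::string urlForProcessRouting(const FrameModel& target, const std::string& requested) {
    ParsedURL u;
    if (!parseURL(requested, u) || u.scheme != "http") return requested;
    if (!target.originsThatUpgradeInsecureNavigations.count(Origin{u.scheme, u.host, u.port})) return requested;
    std::string port = u.port == 80 ? "" : ":" + std::to_string(u.port);
    return "https://" + u.host + port + u.rest;
}

int main() {
    FrameModel top;  // constructed sample: top frame whose origin set has been synced
    top.originsThatUpgradeInsecureNavigations.insert(Origin{"http", "parent.example", 80});
    std::cout << urlForProcessRouting(top, "http://parent.example/account?x=1") << "\n";
    // An empty set models a frame whose CSP state never reached the UI process: no upgrade.
    std::cout << urlForProcessRouting(FrameModel{}, "http://parent.example/account?x=1") << "\n";
}
```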