Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3dffc69de57f4a810459debcf5739b1ebb51422b
https://github.com/WebKit/WebKit/commit/3dffc69de57f4a810459debcf5739b1ebb51422b
Author: Chris Dumez <[email protected]>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Use-after-move of frameInfo in WebPageProxy::decidePolicyForResponseShared()
https://bugs.webkit.org/show_bug.cgi?id=316514

Reviewed by Rupin Mittal.

decidePolicyForResponseShared() consumed `frameInfo` by passing
WTF::move(frameInfo) to API::FrameInfo::create(), and then immediately
read `frameInfo.securityOrigin.securityOrigin()` for the COOP
browsing-context-group-switch check on the next line. API::FrameInfo's
constructor stores the FrameInfoData by move (m_data(WTF::move(data))),
so the SecurityOriginData's String members were left empty and the COOP
comparison saw an empty origin — typically a false negative, meaning we
failed to disown the opener and clear m_openedMainFrameName when COOP
required it. The same moved-from `frameInfo` was then captured by
WTF::move into the policy listener lambda, where it was further used
(e.g. by FrameInfoData { frameInfo } on the safe-browsing failure path).

Reorder the function so the COOP check runs first against a live
`frameInfo`, pass a copy to API::FrameInfo::create(), and let the
lambda's capture be the sole move.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForResponseShared):

Canonical link: https://commits.webkit.org/314764@main
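
The ordering problem described in the log message, as an added C++ example that is not WebKit's code. RefString, FrameInfoData, ApiFrameInfo, Observed and the sample origin are constructed stand-ins; std::shared_ptr models the ref-counted string because its moved-from state is guaranteed to be null.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Stand-in for a ref-counted string: a moved-from std::shared_ptr is guaranteed null.
struct RefString {
    std::shared_ptr<const std::string> impl;
    std::string value() const { return impl ? *impl : std::string(); }
};
struct FrameInfoData { RefString origin; };  // constructed stand-in, not WebKit's type

// Hypothetical sink that stores its argument by move, as the log message describes.
struct ApiFrameInfo {
    FrameInfoData data;
    explicit ApiFrameInfo(FrameInfoData d) : data(std::move(d)) {}
};

struct Observed { std::string check, api, listener; };

// Order described as the bug: move into the sink, read afterwards, then move again.
Observed buggyOrder(FrameInfoData frameInfo) {
    ApiFrameInfo api(std::move(frameInfo));
    std::string check = frameInfo.origin.value();  // reads a moved-from object
    auto listener = [frameInfo = std::move(frameInfo)] { return frameInfo.origin.value(); };
    return { check, api.data.origin.value(), listener() };
}

// Order described as the fix: read first, copy into the sink, one move into the capture.
Observed fixedOrder(FrameInfoData frameInfo) {
    std::string check = frameInfo.origin.value();  // object is still live
    ApiFrameInfo api(frameInfo);                    // explicit copy
    auto listener = [frameInfo = std::move(frameInfo)] { return frameInfo.origin.value(); };
    return { check, api.data.origin.value(), listener() };
}

FrameInfoData sampleFrame() {  // constructed sample input
    FrameInfoData f;
    f.origin.impl = std::make_shared<const std::string>("https://a.example");
    return f;
}

int main() {
    Observed b = buggyOrder(sampleFrame()), f = fixedOrder(sampleFrame());
    std::cout << "buggy check='" << b.check << "' listener='" << b.listener << "'\n";
    std::cout << "fixed check='" << f.check << "' listener='" << f.listener << "'\n";
    return 0;
}
```

clang-tidy's bugprone-use-after-move check reports the read in buggyOrder() when the move is spelled std::move.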