Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cf40e124d0d26f90fc47e7ecf36434319bcbb47f
https://github.com/WebKit/WebKit/commit/cf40e124d0d26f90fc47e7ecf36434319bcbb47f
Author: Alex Christensen <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M LayoutTests/imported/w3c/web-platform-tests/speculation-rules/prefetch/redirect-url.https_origin=cross-site-redirect-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/speculation-rules/speculation-tags/same-site-to-cross-site-redirection-prefetch.https-expected.txt
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/loader/DocumentPrefetcher.cpp
M Source/WebCore/loader/DocumentPrefetcher.h
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Restrict DocumentPrefetcher redirects to same-origin like we do with the original fetch
https://bugs.webkit.org/show_bug.cgi?id=316722
rdar://173711135
Reviewed by Brady Eidson.
We restrict document prefetching to the same origin. Before this change, a same-origin fetch could redirect to a different origin and we would fetch documents of other origins with the other origin's cookies. This was causing crashes with site isolation because those origins' processes weren't allowed to access their cookies, but it's also something we don't want to do with site isolation off. Add the missing security check on redirects.
Also, make DocumentPrefetcher's m_frameLoader a WeakPtr instead of a WeakRef because DocumentPrefetcher is RefCounted and has no guarantee it won't outlive the FrameLoader. Make it a WeakPtr<LocalFrame> instead of a WeakPtr<FrameLoader> to make it pass the safer-cpp checks.
This intentionally makes a wpt go from passing to failing. That is ok and desirable because the wpt verifies that cross-site redirects are successfully prefetched, but we have made the decision not to support cross-site prefetches unlike other browsers to improve privacy and make it so a site is unable to use the cookies of another site. Allowing redirects was just an oversight in this additional privacy, and we need to fix it to actually have the privacy benefits.
* LayoutTests/imported/w3c/web-platform-tests/speculation-rules/prefetch/redirect-url.https_origin=cross-site-redirect-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/speculation-rules/speculation-tags/same-site-to-cross-site-redirection-prefetch.https-expected.txt:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/loader/DocumentPrefetcher.cpp:
(WebCore::DocumentPrefetcher::DocumentPrefetcher):
(WebCore::DocumentPrefetcher::prefetch):
(WebCore::DocumentPrefetcher::redirectReceived):
* Source/WebCore/loader/DocumentPrefetcher.h:
(WebCore::DocumentPrefetcher::create):
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::FrameLoader):
Canonical link: https://commits.webkit.org/314970@main
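The class of gap the log message describes, where the origin check runs on the initial URL but not on each redirect hop, shown as an added C++ model that is not WebKit's code and is not taken from this commit. `originOf`, `sameOrigin`, `prefetch`, `RedirectMap` and the `.example` URLs are hypothetical names and constructed sample data; comparing each redirect target against the document's origin is an assumption about where such a check belongs.

```cpp
#include <map>
#include <string>
#include <vector>

// Origin as the "scheme://host[:port]" prefix. Simplification: no default-port
// normalization, so the constructed sample URLs never spell out a port.
static std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return {};   // unparseable: matches nothing
    return url.substr(0, url.find('/', schemeEnd + 3));
}

static bool sameOrigin(const std::string& a, const std::string& b) {
    auto originA = originOf(a);
    return !originA.empty() && originA == originOf(b);
}

// Constructed stand-in for server responses: request URL -> Location header.
using RedirectMap = std::map<std::string, std::string>;

struct PrefetchResult {
    bool completed = false;              // false: refused or cancelled
    std::vector<std::string> requested;  // every URL a credentialed request went to
};

// checkRedirects == false models the gap: only the initial URL is checked.
PrefetchResult prefetch(const std::string& documentURL, const std::string& target,
                        const RedirectMap& redirects, bool checkRedirects) {
    PrefetchResult result;
    if (!sameOrigin(documentURL, target)) return result;
    std::string current = target;
    for (int hop = 0; hop < 20; ++hop) {             // bound the redirect chain
        result.requested.push_back(current);
        auto next = redirects.find(current);
        if (next == redirects.end()) { result.completed = true; return result; }
        if (checkRedirects && !sameOrigin(documentURL, next->second))
            return result;                           // cancel before leaving the origin
        current = next->second;
    }
    return result;                                   // too many redirects
}

int main() {
    RedirectMap redirects{{"https://shop.example/go", "https://tracker.example/landing"}};
    auto strict = prefetch("https://shop.example/", "https://shop.example/go", redirects, true);
    return strict.completed ? 1 : 0;                 // 0: cross-origin hop was cancelled
}
```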