  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5e09e03789b922c0fb81b0880e57f85ddd3a4140
      https://github.com/WebKit/WebKit/commit/5e09e03789b922c0fb81b0880e57f85ddd3a4140
  Author: Rupin Mittal <[email protected]>
  Date:   2026-02-05 (Thu, 05 Feb 2026)

  Changed paths:
    M LayoutTests/platform/ios-site-isolation/TestExpectations
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Document.h
    M Source/WebCore/dom/SecurityContext.h

  Log Message:
  -----------
  [Site Isolation] COOP test iframe-popup-same-origin-to-same-origin.https.html is failing
https://bugs.webkit.org/show_bug.cgi?id=307030
rdar://169677346

Reviewed by Alex Christensen and Sihui Liu.

Only top-level documents have a Cross Origin Opener Policy. When iframes are
opening a popup, they use the main frame document's COOP. With Site Isolation,
because a cross-site iframe cannot access the main frame's document, it cannot
check the main frame document's COOP.

In the current implementation of Document::crossOriginOpenerPolicy(), when the
iframe fails to access the main frame document, it falls back to using the
default COOP, which is UnsafeNone.

In this layout test, this results in incorrect behavior where the iframe opens
a popup and the opener relationship is preserved when it should not have been.

To fix this, we amend Document::crossOriginOpenerPolicy() so that it deals with
these 3 cases:

1. If this document is the main frame document, return the COOP.

Else:

2. If the main frame is local, call LocalFrame::frameDocumentSecurityPolicy(),
   which calls Document::crossOriginOpenerPolicy(), and then we are in case 1.

3. If the main frame is remote, call RemoteFrame::frameDocumentSecurityPolicy(),
   which will return the COOP from FrameTreeSyncData (the main frame document's
   COOP is broadcasted to all WebProcesses via FrameTreeSyncData).

* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::shouldForceNoOpenerBasedOnCOOP const):
(WebCore::Document::crossOriginOpenerPolicy const):
* Source/WebCore/dom/Document.h:
* Source/WebCore/dom/SecurityContext.h:
(WebCore::SecurityContext::crossOriginOpenerPolicy const):

Canonical link: https://commits.webkit.org/306913@main
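
Added illustration, not part of the commit or of WebKit's source: a simplified C++ model of the lookup the log message describes, comparing the old fallback with the three-case logic. Every type and function name below is hypothetical; `syncedCoop` stands in for the value carried by FrameTreeSyncData.

```cpp
// Simplified model, not WebKit code. All type and function names are hypothetical.
#include <cstdio>

enum class Coop { UnsafeNone, SameOriginAllowPopups, SameOrigin };
struct Doc;

// One process's view of the main frame.
struct MainFrameView {
    const Doc* localDocument; // non-null only if the main frame is in this process
    Coop syncedCoop;          // stand-in for the COOP carried by FrameTreeSyncData
};

struct Doc {
    bool isMainFrameDocument;
    Coop ownCoop;                   // meaningful only for a top-level document
    const MainFrameView* mainFrame; // unused for the main frame document itself
};

// Behaviour before the fix, as the log message describes it.
Coop coopBefore(const Doc& doc) {
    if (doc.isMainFrameDocument)
        return doc.ownCoop;
    if (const Doc* main = doc.mainFrame->localDocument)
        return main->ownCoop;
    return Coop::UnsafeNone; // main document unreachable: default policy
}

// Behaviour after the fix: the three cases from the log message.
Coop coopAfter(const Doc& doc) {
    if (doc.isMainFrameDocument)
        return doc.ownCoop;                 // case 1
    if (const Doc* main = doc.mainFrame->localDocument)
        return coopAfter(*main);            // case 2: local main frame, ends in case 1
    return doc.mainFrame->syncedCoop;       // case 3: remote main frame
}

// Constructed scenario: top-level COOP is same-origin; the iframe runs either in
// the main frame's process (mainIsLocal) or in a different one.
Coop iframeCoop(bool mainIsLocal, bool fixed) {
    Doc top { true, Coop::SameOrigin, nullptr };
    MainFrameView view { mainIsLocal ? &top : nullptr, Coop::SameOrigin };
    Doc iframe { false, Coop::UnsafeNone, &view };
    return fixed ? coopAfter(iframe) : coopBefore(iframe);
}

int main() {
    std::printf("remote main frame: before=%d after=%d\n",
        static_cast<int>(iframeCoop(false, false)), static_cast<int>(iframeCoop(false, true)));
    return 0;
}
```

With the main frame remote, the old lookup yields UnsafeNone even though the top-level policy is same-origin, which is the mismatch that preserved the opener relationship in the failing test.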