Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 65450223b6e9342cf5acaad151ed32cf8cc72b44
https://github.com/WebKit/WebKit/commit/65450223b6e9342cf5acaad151ed32cf8cc72b44
Author: Anthony Tarbinian <[email protected]>
Date: 2026-02-27 (Fri, 27 Feb 2026)
Changed paths:
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp
M Source/WebCore/bindings/js/JSDOMBindingSecurity.h
M Source/WebCore/bindings/js/ScriptController.cpp
M Source/WebCore/bindings/js/ScriptController.h
M Source/WebCore/html/HTMLFrameElementBase.cpp
Log Message:
-----------
[Site Isolation] Block setting src of cross-origin frames/iframes to
javascript: urls
https://bugs.webkit.org/show_bug.cgi?id=305615
rdar://168267776
Reviewed by Sihui Liu.
This patch modifies HTMLFrameElementBase::canLoadURL
to indicate that a javascript: url cannot be loaded
on a cross-origin frame which is in a different process.
This fixes several tests in LayoutTests/http/tests/security/javascriptURL/
which attempt to set the src attribute of cross-origin frames/iframes
to javascript: urls (via several different methods).
The tests expect setting the src attribute of a cross-origin frame/iframe
to a javascript: url to be blocked and report a security error.
However, previously, with site isolation, no security error
was reported.
This patch blocks and prints a security error when checking if a
javascript: URL can be loaded in a RemoteFrame (happens in
HTMLFrameElementBase::canLoadURL).
With site isolation off, HTMLFrameElementBase::canLoadURL
calls ScriptController::canAccessFromCurrentOrigin
to check if origins matched. If they didn't, a SecurityError
was printed.
See step 4 of Section 7.4.2.3.2 of the HTML navigation spec
which describes the special case of navigating to javascript
urls.
https://html.spec.whatwg.org/#the-javascript:-url-special-case
If initiatorOrigin is not same origin-domain with
targetNavigable's active document's origin, then return.
Previously, when site isolation was enabled,
contentDocument was null and canLoadURL didn't immediately
return false and print a SecurityError. Now, whenever the
target frame is detected to be a RemoteFrame, we print a
SecurityError since the frame is of a different origin and
in a different process.
This patch also updates ScriptController::canAccessFromCurrentOrigin
to work on both RemoteFrames and LocalFrames.
Note:
HTMLFrameElementBase::canLoadURL is called by
HTMLFrameElementBase::openURL which is called
by HTMLFrameElementBase::setLocation which is called
by the following test cases which attempt
to set the src attribute in various ways.
No new tests, but this patch fixes the following tests with
site isolation enabled:
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-getAttribute-value.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-htmldom.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttribute.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttributeNS.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttributeNode.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttributeNodeNS.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-getAttribute-value.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-htmldom.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttribute.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttributeNS.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttributeNode.html
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttributeNodeNS.html
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp:
(WebCore::canAccessTargetOrigin):
(WebCore::canAccessFrame):
(WebCore::canAccessDocument):
(WebCore::BindingSecurity::shouldAllowAccessToFrame):
* Source/WebCore/bindings/js/JSDOMBindingSecurity.h:
* Source/WebCore/bindings/js/ScriptController.cpp:
(WebCore::ScriptController::canAccessFromCurrentOrigin):
* Source/WebCore/bindings/js/ScriptController.h:
* Source/WebCore/html/HTMLFrameElementBase.cpp:
(WebCore::HTMLFrameElementBase::canLoadURL const):
Canonical link: https://commits.webkit.org/308353@main