Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e12ff02f1726745fb3c8144b7ccccf46a53dc742
https://github.com/WebKit/WebKit/commit/e12ff02f1726745fb3c8144b7ccccf46a53dc742
Author: Basuke Suzuki <[email protected]>
Date: 2026-03-11 (Wed, 11 Mar 2026)
Changed paths:
M LayoutTests/fast/css/target-fragment-match.html
M LayoutTests/fast/dom/location-hash.html
M LayoutTests/fast/history/history-scroll-restoration.html
M LayoutTests/http/tests/site-isolation/history/back-iframe-cross-site-no-bf-cache-expected.txt
M LayoutTests/http/tests/site-isolation/history/back-iframe-cross-site-no-bf-cache.html
M Source/WebCore/loader/EmptyClients.cpp
M Source/WebCore/loader/EmptyFrameLoaderClient.h
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebCore/loader/HistoryController.cpp
M Source/WebCore/loader/LocalFrameLoaderClient.h
M Source/WebCore/loader/NavigationScheduler.cpp
M Source/WebCore/loader/NavigationScheduler.h
M Source/WebCore/page/LocalFrame.cpp
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Source/WebKit/UIProcess/WebBackForwardList.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/UIProcess/WebPageProxy.messages.in
M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h
M Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm
Log Message:
-----------
[Site Isolation] Support history.back() for cross-site iframe back-forward navigation.
https://bugs.webkit.org/show_bug.cgi?id=309366
rdar://171918182
Reviewed by Charlie Wolfe.
With site isolation enabled, history.back() and history.go(n) triggered from
JavaScript in a page containing cross-site iframes do not work correctly.
The NavigationScheduler bypasses the UIProcess-driven back-forward navigation
path and directly calls page->goToItem(), which fails because the correct
frame state is not resolved for cross-site iframes.

The fix sends the step count to the UIProcess via a new
GoToBackForwardItemAtIndex IPC message, letting the UIProcess resolve the
correct back-forward item and child frame state before initiating navigation.
This eliminates sync IPCs from the scheduling path and aligns with the
UIProcess-driven architecture.
Key changes:
1. New async traversal mechanism: ScheduledHistoryNavigation now sends only the
   step count to the UIProcess via dispatchGoToBackForwardItemAtIndex, instead
   of resolving the HistoryItem locally. The UIProcess looks up the item via
   itemAtIndex(), resolves the navigated child frame, and calls
   goToBackForwardItem().
2. Deferred HistoryItem lookup: ScheduledHistoryNavigation no longer fetches the
   HistoryItem at schedule time (which required a sync IPC). Instead, it lazily
   resolves the item only when needed for isSameDocumentNavigation() checks.
   When the flag is enabled, fire() only uses the step count, avoiding the sync
   IPC entirely. When the flag is disabled, the lazy lookup produces identical
   behavior to the previous eager lookup.
3. Async back-forward navigation state machine: A tri-state
   (None/Pending/Cancelled) in FrameLoader tracks the lifecycle of async
   traversals. The state is only set to Pending when the flag is enabled.
   Fragment navigations and other new loads set it to Cancelled;
   WebPage::goToBackForwardItem() checks and skips cancelled traversals.
   Both Pending and Cancelled prevent parent frame early completion via
   preventsParentFromBeingComplete().
4. Steps adjustment for overlapping same-document navigations: Per spec,
   same-document navigations (fragment changes, pushState) must not cancel
   traversals. When they add a new back-forward entry, the pending step count
   is adjusted (decremented for back, cancelled for forward) so the UIProcess
   resolves the correct target item despite the shifted list. This adjustment
   is only meaningful when the flag is enabled, as the non-flag path uses the
   already-resolved HistoryItem directly.
All behavioral changes are guarded by the UseUIProcessForBackForwardItemLoading
preference flag (currently "unstable" status). When the flag is disabled, the
existing code paths are unchanged (except 2).
Tests: http/tests/site-isolation/history/back-iframe-cross-site-no-bf-cache.html
* LayoutTests/fast/css/target-fragment-match.html:
* LayoutTests/fast/dom/location-hash.html:
* LayoutTests/fast/history/history-scroll-restoration.html:
* LayoutTests/http/tests/site-isolation/history/back-iframe-cross-site-no-bf-cache-expected.txt:
* LayoutTests/http/tests/site-isolation/history/back-iframe-cross-site-no-bf-cache.html:
* Source/WebCore/loader/EmptyClients.cpp:
(WebCore::EmptyFrameLoaderClient::dispatchGoToBackForwardItemAtIndex):
* Source/WebCore/loader/EmptyFrameLoaderClient.h:
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
(WebCore::FrameLoader::loadWithDocumentLoader):
(WebCore::FrameLoader::setPendingAsyncBackForwardNavigation):
(WebCore::FrameLoader::cancelPendingAsyncBackForwardNavigation):
(WebCore::FrameLoader::shouldProceedWithAsyncBackForwardNavigation):
* Source/WebCore/loader/FrameLoader.h:
* Source/WebCore/loader/HistoryController.cpp:
(WebCore::HistoryController::updateBackForwardListForFragmentScroll):
(WebCore::HistoryController::pushState):
* Source/WebCore/loader/LocalFrameLoaderClient.h:
* Source/WebCore/loader/NavigationScheduler.cpp:
(WebCore::ScheduledNavigation::adjustForNewBackForwardEntry):
(WebCore::ScheduledHistoryNavigation::ScheduledHistoryNavigation):
(WebCore::ScheduledHistoryNavigation::targetHistoryItem const):
(WebCore::NavigationScheduler::scheduleHistoryNavigation):
(WebCore::NavigationScheduler::adjustPendingHistoryNavigationForNewBackForwardEntry):
* Source/WebCore/loader/NavigationScheduler.h:
* Source/WebCore/page/LocalFrame.cpp:
(WebCore::LocalFrame::preventsParentFromBeingComplete const):
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::WebBackForwardList::backForwardUpdateItem):
(WebKit::WebBackForwardList::updateFrameIdentifier):
(WebKit::WebBackForwardList::updateAllFrameIDs): Deleted.
* Source/WebKit/UIProcess/WebBackForwardList.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::goToBackForwardItemAtIndex):
(WebKit::WebPageProxy::continueNavigationInNewProcess):
(WebKit::WebPageProxy::frameStateForBackForwardChildFrame):
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::dispatchDecidePolicyForBackForwardNavigationAction):
(WebKit::WebLocalFrameLoaderClient::dispatchGoToBackForwardItemAtIndex):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::goToBackForwardItem):
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h:
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::dispatchGoToBackForwardItemAtIndex):
Canonical link: https://commits.webkit.org/309079@main
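
Key change 4 above, as an added example that is not part of the commit or of WebKit's code: a toy C++ model of why a pending back step count has to be decremented when a same-document navigation appends an entry before the count is resolved, and why a pending forward traversal is cancelled. `ToyBackForwardList` and `pushStateDuringTraversal` are hypothetical names, and the pruning of forward entries is assumed from ordinary session-history behaviour rather than taken from the commit.

```cpp
// Toy model of the step adjustment in key change 4. Added illustration only:
// not WebKit code; every type and function name here is hypothetical.
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

struct ToyBackForwardList {
    std::vector<std::string> entries;
    std::size_t current = 0;
    std::optional<int> pendingSteps; // step count of a scheduled, unresolved traversal

    // Same-document navigation (fragment change, pushState) that adds an entry:
    // forward entries are pruned and the new entry becomes current.
    void addSameDocumentEntry(const std::string& url, bool adjust) {
        entries.resize(current + 1);
        entries.push_back(url);
        ++current;
        if (!adjust || !pendingSteps)
            return;
        if (*pendingSteps < 0)
            --*pendingSteps;      // back: the target is now one entry further away
        else if (*pendingSteps > 0)
            pendingSteps.reset(); // forward: the target entry was just pruned
    }

    // Resolution of the step count against the list as it is at that moment.
    std::optional<std::string> resolve() {
        if (!pendingSteps)
            return std::nullopt;
        long target = static_cast<long>(current) + *pendingSteps;
        pendingSteps.reset();
        if (target < 0 || target >= static_cast<long>(entries.size()))
            return std::nullopt;
        current = static_cast<std::size_t>(target);
        return entries[current];
    }
};

// Constructed scenario: list [A, B, C] with B current. A traversal of `steps`
// is scheduled, then pushState adds "B#x" before the step count is resolved.
std::optional<std::string> pushStateDuringTraversal(int steps, bool adjust) {
    ToyBackForwardList list{{"A", "B", "C"}, 1, std::nullopt};
    list.pendingSteps = steps;
    list.addSameDocumentEntry("B#x", adjust);
    return list.resolve();
}
```

Without the adjustment, a back traversal scheduled from B resolves to B itself, because the list shifted under the step count; with it, the traversal reaches A.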