Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fb9f3322fb79a3da8d5bb2703981d65bf48b6a28
      
https://github.com/WebKit/WebKit/commit/fb9f3322fb79a3da8d5bb2703981d65bf48b6a28
  Author: Rupin Mittal <[email protected]>
  Date:   2026-03-16 (Mon, 16 Mar 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebProcessPool.cpp

  Log Message:
  -----------
  [Site Isolation] about-url-host.html is failing
https://bugs.webkit.org/show_bug.cgi?id=309690
rdar://172290988

Reviewed by Sihui Liu.

With site isolation enabled, this test crashes when opening an iframe with the
URL "about://example.org".

We hit this assert in WebProcessProxy::didStartUsingProcessForSiteIsolation:

ASSERT(m_site ? (m_site.value().isEmpty() || m_site.value() == *site) ...

because m_site is not equal to site.

WebProcessPool::processForNavigationInternal chooses to load the iframe in the
same web process being used by the main frame because
treatAsSameOriginNavigation is true (since the iframe's URL is "about:*").

In the continueWithProcessForNavigation callback, since the iframe's Site is
not empty and not equal to the main frame's Site(http, localhost), we call
BrowsingContextGroup::ensureProcessForSite. When creating the FrameProcess,
we call WebProcessProxy::didStartUsingProcessForSiteIsolation where we hit the
assertion because the process' Site(http, localhost) doesn't match the site of
the iframe Site(about, example.org).

Our issue is that we are incorrectly trying to load "about://example.org" in
the same web process as the main frame.

According to the spec
(https://html.spec.whatwg.org/multipage/document-sequences.html#determining-the-origin),
about:blank and about:srcdoc can inherit the security properties of their parent
origin. So they should be put in the same web process as the parent. But other
"about:*" URLs don't inherit the parent's security context, so they should be
put in their own web process.

In order to force a process change, if the navigation was marked as
treatAsSameOriginNavigation, but the URL is "about:*" and should not inherit the
security properties of its parent, we don't actually treat it as a same origin
navigation.

Note that this does not happen with site isolation off. With just PSON enabled,
if the main frame navigates to "about://example.org", we do not swap processes
(again because treatAsSameOriginNavigation is true). In order to maintain the
shipping behavior, we only do the swap with site isolation enabled.

* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::processForNavigationInternal):

Canonical link: https://commits.webkit.org/309359@main
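
The process-selection rule described in the log message, as an added stand-alone sketch (not the WebKit patch and not code from the commit). The function names are hypothetical, and the URL matching is a simplified model of the HTML standard's "matches about:blank" and "matches about:srcdoc" checks rather than WebKit's URL parser.

```cpp
// Added illustration, not WebKit source; every name below is hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Lower-cased scheme of a URL string, or "" if there is no ':'.
static std::string schemeOf(const std::string& url)
{
    auto colon = url.find(':');
    if (colon == std::string::npos)
        return "";
    std::string scheme = url.substr(0, colon);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Simplified model of "matches about:blank" / "matches about:srcdoc": scheme is
// "about", there is no authority, and the path is exactly "blank" or "srcdoc".
// A query is tolerated on about:blank only; the fragment is ignored.
bool inheritsParentSecurityContext(const std::string& url)
{
    if (schemeOf(url) != "about")
        return false;
    std::string rest = url.substr(url.find(':') + 1);
    rest = rest.substr(0, rest.find('#'));
    if (rest.compare(0, 2, "//") == 0) // e.g. "about://example.org" carries a host
        return false;
    auto query = rest.find('?');
    std::string path = rest.substr(0, query);
    return path == "blank" || (path == "srcdoc" && query == std::string::npos);
}

// The decision described in the log message: with site isolation on, an "about:*"
// URL that does not inherit from its parent loses the same-origin treatment.
bool effectiveTreatAsSameOrigin(bool treatAsSameOriginNavigation, bool siteIsolationEnabled, const std::string& url)
{
    if (!treatAsSameOriginNavigation)
        return false;
    if (!siteIsolationEnabled)
        return true; // shipping behavior with only PSON is kept
    return !(schemeOf(url) == "about" && !inheritsParentSecurityContext(url));
}
int main()
{
    for (const char* url : { "about:blank", "about:srcdoc", "about://example.org" }) // constructed inputs
        std::cout << url << " -> " << effectiveTreatAsSameOrigin(true, true, url) << "\n";
}
```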
