Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c81acd9e6c43769125f264ffd5f0f20297ebf57e
https://github.com/WebKit/WebKit/commit/c81acd9e6c43769125f264ffd5f0f20297ebf57e
Author: Rupin Mittal <[email protected]>
Date: 2026-03-18 (Wed, 18 Mar 2026)
Changed paths:
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/page/LocalDOMWindow.cpp
Log Message:
-----------
[Site Isolation] xss-DENIED-window-open-parent.html is failing
https://bugs.webkit.org/show_bug.cgi?id=310133
rdar://172772765
Reviewed by Sihui Liu.
In this test, a cross-site iframe attempts to execute JavaScript code on the
main frame's document with "open("javascript:alert('failed')", "_top");".
This should be blocked because the two frames are not same origin. But the
test fails with site isolation enabled.

With site isolation off, we block this request in LocalDOMWindow::open when we
call DOMWindow::isInsecureScriptAccess. This should return true, log an error
message and stop the script from executing.

The issue is that we only call isInsecureScriptAccess on the target frame's
window if that window is local. The call to open() occurs in the iframe's web
process, and with site isolation on, the cross-site main frame's window is
remote in this web process.

There is no reason the window must be local for us to call
isInsecureScriptAccess because it can be called directly from a DOMWindow. So
we edit the code to call the function, regardless of if the window is local or
not.
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/page/LocalDOMWindow.cpp:
(WebCore::LocalDOMWindow::open):
Canonical link: https://commits.webkit.org/309499@main
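
The gating problem described in the log message, as an added, simplified model; it is not WebKit source and not part of the commit. The Window struct, openBefore, openAfter, the reduced isInsecureScriptAccess signature and the sample origins are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical stand-in for a window as seen from the calling web process.
struct Window {
    std::string origin; // constructed sample value, e.g. "https://a.example"
    bool isLocal;       // false: the frame is hosted in another web process
};

// True when url starts with "javascript:" (scheme match is case-insensitive).
static bool isJavaScriptURL(const std::string& url)
{
    const std::string scheme = "javascript:";
    if (url.size() < scheme.size())
        return false;
    for (std::size_t i = 0; i < scheme.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(url[i])) != scheme[i])
            return false;
    }
    return true;
}

// Model of the same-origin decision: true means the script must not run.
// It needs only the two origins, so it works for local and remote targets.
static bool isInsecureScriptAccess(const Window& target, const Window& active, const std::string& url)
{
    return isJavaScriptURL(url) && target.origin != active.origin;
}

// Before the fix: the check is skipped when the target window is remote.
// Returns true when open() is allowed to proceed.
static bool openBefore(const Window& active, const Window& target, const std::string& url)
{
    if (target.isLocal && isInsecureScriptAccess(target, active, url))
        return false;
    return true;
}

// After the fix: the check runs regardless of where the target window lives.
static bool openAfter(const Window& active, const Window& target, const std::string& url)
{
    if (isInsecureScriptAccess(target, active, url))
        return false;
    return true;
}
```

A regression test for this class of bug should cover the remote-target case explicitly, since the local-target case passes both before and after the change.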