Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 455735f9ee78b76dd55392499bb6693616a0a01c
https://github.com/WebKit/WebKit/commit/455735f9ee78b76dd55392499bb6693616a0a01c
Author: Rupin Mittal <[email protected]>
Date: 2026-03-20 (Fri, 20 Mar 2026)
Changed paths:
M Source/WebCore/page/DOMWindow.cpp
M Source/WebCore/page/LocalDOMWindow.cpp
Log Message:
-----------
[Site Isolation] Simplify logic in LocalDOMWindow::createWindow and
DOMWindow::isInsecureScriptAccess
https://bugs.webkit.org/show_bug.cgi?id=310297
rdar://172931973
Reviewed by Chris Dumez.
When LocalDOMWindow::createWindow() calls DOMWindow::isInsecureScriptAccess(),
it handles the local and remote cases separately. But that's not necessary
because we can call isInsecureScriptAccess from a DOMWindow regardless of if
it's local or remote.
Similarly, when DOMWindow::isInsecureScriptAccess() compares the active window's
securityOrigin with that of the target frame, it handles the local and remote
cases separately. But that's not necessary because we can obtain the
securityOrigin
from a Frame regardless of if it's local or remote.
There is no behavior change. This is tested by the two tests that were fixed by
adding this logic initially in https://commits.webkit.org/308632@main:
- http/tests/security/xss-DENIED-window-open-javascript-url-with-spaces.html
- http/tests/security/xss-DENIED-window-open-javascript-url.html
* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::isInsecureScriptAccess):
* Source/WebCore/page/LocalDOMWindow.cpp:
(WebCore::LocalDOMWindow::createWindow):
Canonical link: https://commits.webkit.org/309624@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
