Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b76414d79a7aebea10e129ce3333a9eba638d6f9
https://github.com/WebKit/WebKit/commit/b76414d79a7aebea10e129ce3333a9eba638d6f9
Author: Roberto Rodriguez <[email protected]>
Date: 2026-04-06 (Mon, 06 Apr 2026)
Changed paths:
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/bindings/js/WindowProxy.cpp
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
[Site Isolation] Cross-origin sandboxed iframe with allow-top-navigation cannot navigate parent to blob URL
https://bugs.webkit.org/show_bug.cgi?id=311323
rdar://173912331
Reviewed by Sihui Liu.
Two issues cause this scenario to fail under site isolation: 1) ownerElement()
returns null when the iframe element lives in a different process, so the
sandbox allow-top-navigation exemption in
isNavigationBlockedByThirdPartyIFrameRedirectBlocking is never recognized, and
2) WindowProxy::setDOMWindow creates new JSDOMWindow objects during process
swaps without propagating CSP eval restrictions.
Replace ownerElement()->sandboxFlags() with
LocalFrame::sandboxFlagsFromSandboxAttributeNotCSP(), and canAccessAncestor()
with a direct isSameOriginDomain() check using frameDocumentSecurityOrigin(),
both of which work for RemoteFrame parents under site isolation. Add
didCreateWindowProxy call in WindowProxy::setDOMWindow after creating new
JSDOMWindow objects.
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/bindings/js/WindowProxy.cpp:
(WebCore::WindowProxy::setDOMWindow):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
Canonical link: https://commits.webkit.org/310657@main