Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: df46e3a5b40be524cfac1b445dc56fddf44f8cd4
https://github.com/WebKit/WebKit/commit/df46e3a5b40be524cfac1b445dc56fddf44f8cd4
Author: Sihui Liu <[email protected]>
Date: 2026-04-27 (Mon, 27 Apr 2026)
Changed paths:
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/SiteIsolation.mm
Log Message:
-----------
[Site Isolation] SessionStorage message from cross-site frame fails site validation for site being empty
https://bugs.webkit.org/show_bug.cgi?id=312906
rdar://175261604
Reviewed by Per Arne Vollan.
In the WebPage constructor, setMainFrameURLAndOrigin was called before URL
scheme handlers were registered. For remote pages (iframe processes with site
isolation), this caused SecurityOrigin::create(url) to produce an opaque origin
for custom URL schemes, because
LegacySchemeRegistry::schemeIsHandledBySchemeHandler returned false at that
point. This resulted in SessionStorage messages from cross-origin iframes
carrying an opaque top origin, failing site validation checks.

To fix it, move URL scheme handler registration before the
remotePageParameters block so that custom schemes are recognized when
SecurityOrigin::create is called.
Test: SiteIsolation.StorageSiteValidationCustomScheme
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::m_allowsImmersiveEnvironments):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/SiteIsolation.mm:
(TestWebKitAPI::TEST(SiteIsolation, StorageSiteValidationCustomScheme)):
Canonical link: https://commits.webkit.org/312158@main
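
The ordering dependency described in the log message, as an added example that is not WebKit code and not part of the commit: a simplified C++ model of an origin whose opacity depends on registry state at creation time. SchemeRegistry, Origin, validateTopSite and storageMessageAccepted are hypothetical names, and the URL is a constructed sample.

```cpp
// Simplified model of the initialization-order problem; not WebKit code.
// All type and function names here are hypothetical.
#include <optional>
#include <set>
#include <string>

// Stand-in for a process-wide registry of schemes served by a custom handler.
struct SchemeRegistry {
    std::set<std::string> handled;
    bool isKnown(const std::string& scheme) const {
        return scheme == "http" || scheme == "https" || handled.count(scheme) > 0;
    }
};

// An origin is either opaque (no site can be derived) or carries a site.
struct Origin {
    std::optional<std::string> site; // std::nullopt means opaque

    // The result depends on the registry state at the moment of the call.
    static Origin create(const SchemeRegistry& registry, const std::string& url) {
        auto sep = url.find("://");
        if (sep == std::string::npos || !registry.isKnown(url.substr(0, sep)))
            return { std::nullopt };
        auto hostEnd = url.find('/', sep + 3);
        return { url.substr(0, hostEnd) };
    }
};

// Receiver-side check (assumed shape): the top origin carried by a storage
// message must match the expected site. An opaque origin never matches.
bool validateTopSite(const Origin& claimedTop, const std::string& expectedSite) {
    return claimedTop.site.has_value() && *claimedTop.site == expectedSite;
}

// Computes the page's top origin before or after handler registration and
// reports whether a later storage message would pass validation.
bool storageMessageAccepted(bool registerHandlersFirst) {
    SchemeRegistry registry;
    const std::string mainFrameURL = "customscheme://app.example/index.html"; // constructed sample
    if (registerHandlersFirst)
        registry.handled.insert("customscheme");
    Origin top = Origin::create(registry, mainFrameURL); // origin is fixed at this point
    registry.handled.insert("customscheme");             // registering afterwards does not repair it
    return validateTopSite(top, "customscheme://app.example");
}
```

In this model the late registration leaves the already-created origin opaque, so only the register-first ordering yields a site that validation can match.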