Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9ae2256157fbee07ee30d5a0ef1699e8d183321e
      https://github.com/WebKit/WebKit/commit/9ae2256157fbee07ee30d5a0ef1699e8d183321e
  Author: Anthony Tarbinian <[email protected]>
  Date:   2026-05-05 (Tue, 05 May 2026)

  Changed paths:
    M LayoutTests/platform/ios-site-isolation/TestExpectations
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

  Log Message:
  -----------
  [Site Isolation] Add fallback for cross-origin-embedder-policy of cross-origin iframes
https://bugs.webkit.org/show_bug.cgi?id=313458
rdar://175692864

Reviewed by Sihui Liu.

http/wpt/html/cross-origin-embedder-policy/require-corp.https.html
is failing with site isolation enabled when an iframe is navigated to
a cross-origin domain and the server responds with a "Cross-Origin-Resource-Policy"
of "same-site". This header means that the browser should block the navigation since the
iframe's destination URL is cross origin.

With site isolation enabled, this navigation should be blocked but isn't.
This is because in WebLoaderStrategy::addParametersShared, WebKit
has iframes inherit their "Cross-Origin-Embedder-Policy" (COEP) from the parent
via Frame::ownerElement. COEP is needed since the "require-corp" option is what
requires the use of the "same-site" "Cross-Origin-Resource-Policy" header.
With site isolation and a cross origin iframe, the parent
is in a different process and can't be accessed via Frame::ownerElement.
In this case, the COEP policy defaults to "unsafe-none" and allows the navigation
when it should have been blocked.

This patch adds a fallback to WebLoaderStrategy::addParametersShared
to inherit the parent's COEP policy via WebFrame::webFrame
when Frame::ownerElement is null.

This patch fixes http/wpt/html/cross-origin-embedder-policy/require-corp.https.html
with site isolation enabled.

* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::addParametersShared):

Canonical link: https://commits.webkit.org/312665@main
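
The effect of the missing inheritance, as an added example that is not part of the commit or of WebKit's code: a JavaScript model of the Fetch "cross-origin resource policy internal check" for a navigation, showing the same "same-site" response allowed under the "unsafe-none" default and blocked once the parent's "require-corp" is inherited. `effectiveCoep`, `navigationOutcome`, the sample URLs and the two-label `site` shortcut are assumptions made for illustration.

```javascript
// Added illustration; not WebKit code.
// Simplification (assumption): a "site" is the last two host labels.
// Real browsers derive the registrable domain from the Public Suffix List.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Model of the Fetch cross-origin resource policy internal check.
function corpInternalCheck(embedderUrl, coep, response, forNavigation) {
  // Navigations are subject to CORP only when the embedder opted in via COEP.
  if (forNavigation && coep === "unsafe-none") return "allowed";

  let policy = response.corp; // Cross-Origin-Resource-Policy value, or null
  if (!["same-origin", "same-site", "cross-origin"].includes(policy)) policy = null;
  if (policy === null) {
    if (coep === "require-corp") policy = "same-origin";
    if (coep === "credentialless" && (response.includesCredentials || forNavigation))
      policy = "same-origin";
  }

  const origin = new URL(embedderUrl);
  const target = new URL(response.url);
  if (policy === "same-origin")
    return origin.origin === target.origin ? "allowed" : "blocked";
  if (policy === "same-site") {
    const sameSite = site(embedderUrl) === site(response.url);
    const schemeOk = origin.protocol === "https:" || target.protocol !== "https:";
    return sameSite && schemeOk ? "allowed" : "blocked";
  }
  return "allowed"; // null or "cross-origin"
}

// Hypothetical helper: the COEP value the loader ends up with for an iframe.
// ownerReachable=false models a cross-origin parent living in another process.
function effectiveCoep(parentCoep, ownerReachable, hasFallback) {
  if (ownerReachable || hasFallback) return parentCoep;
  return "unsafe-none"; // the default the commit message describes
}

// Constructed sample: a require-corp parent embeds a cross-site iframe whose
// server answers with Cross-Origin-Resource-Policy: same-site.
const PARENT = "https://parent.example/";
const RESPONSE = { url: "https://frame.test/doc.html", corp: "same-site", includesCredentials: true };

function navigationOutcome(ownerReachable, hasFallback) {
  const coep = effectiveCoep("require-corp", ownerReachable, hasFallback);
  return corpInternalCheck(PARENT, coep, RESPONSE, true);
}
```

`navigationOutcome(false, false)` is the site-isolated case before the fix and `navigationOutcome(false, true)` is the same case with a fallback in place.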


