[webkit-changes] [WebKit/WebKit] 97721a: Cross-origin XMLHttpRequest triggers additional ex...

Tue, 19 May 2026 11:15:20 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 97721a87040f669230513a75ee14c742cbe1cac1
      
https://github.com/WebKit/WebKit/commit/97721a87040f669230513a75ee14c742cbe1cac1
  Author: Ari Young <[email protected]>
  Date:   2026-05-19 (Tue, 19 May 2026)

  Changed paths:
    M Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionContextCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIPermissions.mm

  Log Message:
  -----------
  Cross-origin XMLHttpRequest triggers additional extension permissions request
rdar://154866064
https://bugs.webkit.org/show_bug.cgi?id=295336

Reviewed by Brian Weinstein and Timothy Hatcher.

When an XHR or Fetch request failed in a given tab due to CORS, the 
CORS-failure auto-prompt in
`WebExtensionContext::resourceLoadDidCompleteWithError` was requesting 
permission for any extension
which implicitly or explicitly requested access to the URL targeted by the 
failed request. This
would cause the user to see many permission prompts from extensions for no 
apparent reason on pages
where many requests fail due to CORS (for example, pages embedding many ads). 
Granting this
permission only affects the success of future CORS requests which originate 
from extension pages;
therefore, we should only eagerly present these permission prompts for failed 
CORS requests which
were initiated from pages associated with this extension.

Test: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIPermissions.mm

* Source/WebKit/UIProcess/Extensions/Cocoa/WebExtensionContextCocoa.mm:
(WebKit::WebExtensionContext::resourceLoadDidCompleteWithError):
    Only request permission for the failed URL if the load came from a frame 
whose URL is associated
    with this extension.
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WKWebExtensionAPIPermissions.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIPermissions, 
CORSFailureFromPageDoesNotPromptExtension)):

Canonical link: https://commits.webkit.org/313506@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to