Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cbe41ae4841f2bb4621cf826de137e51664e3f02
https://github.com/WebKit/WebKit/commit/cbe41ae4841f2bb4621cf826de137e51664e3f02
Author: Anthony Tarbinian <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/dom/SecurityContext.h
M Source/WebCore/page/DOMWindow.cpp
M Source/WebCore/page/FrameTreeSyncData.in
M Source/WebCore/page/RemoteFrame.cpp
M Source/WebCore/page/RemoteFrame.h
M Source/WebKit/UIProcess/WebFrameProxy.cpp
Log Message:
-----------
[Site Isolation] Fix http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny.html
https://bugs.webkit.org/show_bug.cgi?id=312937
rdar://175291706
Reviewed by Sihui Liu.
When a cross-origin subframe is blocked by X-Frame-Options with site isolation,
the SecurityError changed from a sandbox-specific message to a generic
cross-origin error.
When X-Frame-Options blocks a load, DocumentLoader::loadErrorDocument()
replaces the frame's content with an empty document and calls
enforceSandboxFlags(SandboxFlag::Origin). This makes the document's security
origin opaque so it can't match any other origin.
Without site isolation, when JavaScript tries to access the blocked frame's
contentWindow, the security check sees the sandboxed document and produces:
"Sandbox access violation: ...The frame being accessed is sandboxed and lacks
the 'allow-same-origin' flag."
This patch adds FrameDocumentIsSandboxedOrigin to FrameTreeSyncData.in
so allow-same-origin sandbox state syncs across processes.
The origin sandbox state is broadcast to other processes
from a new function, Document::enforceSandboxFlags,
which overrides SecurityContext::enforceSandboxFlags.
I chose to synchronize the sandbox origin state here since
enforceSandboxFlags is called from the following call sites:
1. when a document is sandboxed via the "sandbox" HTML attribute
(from Document::initSecurityContext),
2. when a load is blocked by X-Frame-Options headers (this test)
(from DocumentLoader::loadErrorDocument),
3. when CSP headers update the sandbox state
(from ContentSecurityPolicy::applyPolicyToScriptExecutionContext
which calls enforceSandboxFlags on a ScriptExecutionContext which
is guarded by is<Document> so it ends up at
Document::enforceSandboxFlags)
This patch updates DOMWindow::crossDomainAccessErrorMessage to check
RemoteFrame::frameDocumentIsSandboxedOrigin(), which produces the
sandbox-specific message for both Local and Remote frames.
This patch also updates JSDOMBindingSecurity::remoteFrameAccessError
to share code with DOMWindow::crossDomainAccessErrorMessage
to avoid duplicating the sandbox checks.
This patch fixes
http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny.html
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp:
(WebCore::remoteFrameAccessError):
(WebCore::reportErrorAccessingRemoteFrame):
(WebCore::BindingSecurity::shouldAllowAccessToDOMWindow):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::enforceSandboxFlags):
* Source/WebCore/dom/Document.h:
* Source/WebCore/dom/SecurityContext.h:
* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::crossDomainAccessErrorMessage):
* Source/WebCore/page/FrameTreeSyncData.in:
* Source/WebCore/page/RemoteFrame.cpp:
(WebCore::RemoteFrame::frameDocumentIsSandboxedOrigin const):
* Source/WebCore/page/RemoteFrame.h:
* Source/WebKit/UIProcess/WebFrameProxy.cpp:
(WebKit::WebFrameProxy::calculateFrameTreeSyncData const):
Canonical link: https://commits.webkit.org/313507@main