Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fec133e2eaadbecd135945e4090f561497e055af
https://github.com/WebKit/WebKit/commit/fec133e2eaadbecd135945e4090f561497e055af
Author: Roberto Rodriguez <[email protected]>
Date: 2026-06-02 (Tue, 02 Jun 2026)
Changed paths:
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
Log Message:
-----------
[Site Isolation] Cross-origin popup navigating to about:blank crashes
https://bugs.webkit.org/show_bug.cgi?id=315987
rdar://178401866
Reviewed by Megan Gardner and Alex Christensen.
When a popup opened via window.open navigates to a cross-origin URL and then
back to
about:blank, the test runner crashes with a MESSAGE_CHECK failure in
RemoteLayerTreeDrawingAreaProxy::notifyPendingCommitLayerTree (release) or an
ASSERT in
WebProcessProxy::didStartUsingProcessForSiteIsolation (debug). The crash is
caused by
the navigation site for about:blank being computed from the URL directly,
producing a
null origin that conflicts with the opener's process site assignment. Fix by
computing
the navigation site from the originating frame's security origin instead.
After resolving the crash, two additional issues prevent the navigation from
completing:
1. The provisional frame creation does not pass the previous frame ID when
shouldReuseMainFrame is true, and uses WaitForLoad commit timing, so the
about:blank
document's security context initializes before the opener is transferred,
resulting
in a null origin that blocks same-origin access from the opener.
2. When the popup returns to the opener's process, the previous frame ID
resolves to the
same RemoteFrame that is already the current main frame.
commitProvisionalFrame
attempts a WindowProxy transfer where the source and destination are the
same frame,
which detaches the original WindowProxy and replaces it with a new one. The
opener's
JavaScript reference still holds the original, so popup.location permanently
throws
SecurityError.
Fix (1) by always passing the previous frame ID and using Immediately commit
timing for
about:blank, matching the existing child-frame behavior. Fix (2) by skipping the
WindowProxy transfer when the source and destination are the same frame, since
the
WindowProxy is already in the correct place and the subsequent transfer to the
new
LocalFrame handles it.
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::initializeWebPage):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::continueNavigationInNewProcess):
* Source/WebKit/WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::commitProvisionalFrame):
Canonical link: https://commits.webkit.org/314363@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
