Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ceb4d817be51a2f1fd44eb46cd575598358abbdc
https://github.com/WebKit/WebKit/commit/ceb4d817be51a2f1fd44eb46cd575598358abbdc
Author: Basuke Suzuki <[email protected]>
Date: 2026-06-03 (Wed, 03 Jun 2026)
Changed paths:
A LayoutTests/fast/history/site-isolation/go-back-then-navigate-subframe-expected.txt
A LayoutTests/fast/history/site-isolation/go-back-then-navigate-subframe.html
A LayoutTests/fast/history/site-isolation/history-back-initial-vs-final-url-expected.txt
A LayoutTests/fast/history/site-isolation/history-back-initial-vs-final-url.html
A LayoutTests/fast/loader/site-isolation/form-state-restore-with-frames-expected.txt
A LayoutTests/fast/loader/site-isolation/form-state-restore-with-frames.html
M Source/WebKit/UIProcess/BrowsingContextGroup.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
Log Message:
-----------
[Site Isolation] Approve file URLs from the back-forward target item on the
new process, and tighten BrowsingContextGroup processMap invariants
https://bugs.webkit.org/show_bug.cgi?id=315787
rdar://178185140
Reviewed by Sihui Liu.

Two related fixes uncovered by the same set of layout tests.

1. File URL approval gap across process swap.
When continueNavigationInNewProcess swaps to a fresh WebContent process, the
new process inherits the page's back/forward list. Once it commits, it can
surface child-frame history items via BackForwardUpdateItem IPC. The per-
process file URL approval gate at WebBackForwardList.cpp:768 then trips
because the new process was only seeded with the top-level navigation URL,
not with iframe URLs in the target back/forward item's frame-state tree.

Add WebProcessProxy::addPreviouslyApprovedFileURLsFromFrameStateTree, which
recursively approves both urlString and originalURLString file URLs in a
FrameState tree on the process. continueNavigationInNewProcess calls it for
navigation.targetItem() (assembled via copyMainFrameStateWithChildren(), since
FrameState::children is cleared by WebBackForwardListFrameItem::setFrameState),
before the new process can send any IPC referencing those URLs.

2. BrowsingContextGroup processMap conflict on data:/empty-site replacement.
A history navigation that swaps to a data: page (which carries an empty
registrable domain) followed by history.back() registers a fresh FrameProcess
for the data: site in a BrowsingContextGroup that already has one. The old
ASSERT in addFrameProcessWithoutInjectingPageContext insisted the existing
entry be terminated; for empty-domain sites that is not the case, and the
ASSERT trips. The same constraint in removeFrameProcess silently overwrote
the wrong entry in Release.

Replace m_processMap.remove with a guarded removal that only fires when the
process is still the current entry for its site, and gate both ASSERTs on a
shared canReplaceFrameProcessInProcessMap helper that recognises terminated
processes and empty-site keys as legitimate replacements.

Tests: Site Isolation copies of existing back/forward navigation layout tests
that use file:// iframes. Each enables SiteIsolationEnabled +
MultiProcessBackForwardCacheEnabled and crashes the UI process via the
WebBackForwardList.cpp MESSAGE_CHECK before this change; each passes after it.
history-back-initial-vs-final-url.html additionally exercises the data: process
swap that triggers the BCG processMap conflict and asserts in Debug builds.

* Source/WebKit/UIProcess/BrowsingContextGroup.cpp:
(WebKit::canReplaceFrameProcessInProcessMap): Added. Returns true when the
existing entry is terminated or its site has an empty registrable domain.
(WebKit::BrowsingContextGroup::addFrameProcessWithoutInjectingPageContext):
ASSERT via the new helper; allow replacement when the helper accepts.
(WebKit::BrowsingContextGroup::removeFrameProcess): ASSERT via the new helper
and only remove the m_processMap entry when this process is still current.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::continueNavigationInNewProcess): Approve file URLs from
the back-forward target item on newProcess via the new WebProcessProxy helper.
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::addPreviouslyApprovedFileURLsFromFrameStateTree):
Added. Recursively approve file URLs in a FrameState tree.
* Source/WebKit/UIProcess/WebProcessProxy.h:
* LayoutTests/fast/history/site-isolation/go-back-then-navigate-subframe.html: Added.
* LayoutTests/fast/history/site-isolation/go-back-then-navigate-subframe-expected.txt: Added.
* LayoutTests/fast/history/site-isolation/history-back-initial-vs-final-url.html: Added.
* LayoutTests/fast/history/site-isolation/history-back-initial-vs-final-url-expected.txt: Added.
* LayoutTests/fast/loader/site-isolation/form-state-restore-with-frames.html: Added.
* LayoutTests/fast/loader/site-isolation/form-state-restore-with-frames-expected.txt: Added.
Canonical link: https://commits.webkit.org/314518@main
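
Added illustration, not part of the commit or of WebKit's source: a simplified C++ model of the first fix, showing why a process seeded only with the top-level URL fails a per-process file URL check for an iframe's history item, and how walking the frame-state tree closes that gap. `FrameStateModel`, `ProcessModel`, `mayReference`, `approveFileURLsFromTree` and the sample URLs are hypothetical names constructed for this example.

```cpp
// Simplified model, not WebKit code: every type, function and URL here is hypothetical.
#include <set>
#include <string>
#include <vector>

struct FrameStateModel {
    std::string urlString;          // URL the frame ended up on
    std::string originalURLString;  // URL the frame load started from
    std::vector<FrameStateModel> children;
};

struct ProcessModel {
    std::set<std::string> approvedFileURLs;

    static bool isFileURL(const std::string& url) {
        return url.rfind("file://", 0) == 0;
    }

    // Gate for URLs a content process names in an IPC message:
    // non-file URLs pass, file URLs must already be approved for this process.
    bool mayReference(const std::string& url) const {
        return !isFileURL(url) || approvedFileURLs.count(url) > 0;
    }

    // Approve both URL fields of every node in the tree, depth first.
    void approveFileURLsFromTree(const FrameStateModel& state) {
        for (const std::string* url : { &state.urlString, &state.originalURLString })
            if (isFileURL(*url))
                approvedFileURLs.insert(*url);
        for (const auto& child : state.children)
            approveFileURLsFromTree(child);
    }
};

// Constructed sample: main frame with a file:// iframe that has a nested child.
FrameStateModel sampleTargetItem() {
    FrameStateModel nested { "file:///tests/resources/c.html", "file:///tests/resources/c-initial.html", {} };
    FrameStateModel iframe { "file:///tests/resources/b.html", "file:///tests/resources/b.html", { nested } };
    return { "file:///tests/a.html", "file:///tests/a.html", { iframe } };
}

int main() {
    ProcessModel fresh;
    fresh.approvedFileURLs.insert("file:///tests/a.html"); // top-level URL only
    bool before = fresh.mayReference("file:///tests/resources/b.html");
    fresh.approveFileURLsFromTree(sampleTargetItem());
    bool after = fresh.mayReference("file:///tests/resources/b.html");
    return (!before && after) ? 0 : 1;
}
```

The model keeps the gate strict: file URLs that appear nowhere in the target item's tree are still rejected after seeding.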