Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cc6b337ba1540c4c071c16103cd2c0fdb8e32564
      
https://github.com/WebKit/WebKit/commit/cc6b337ba1540c4c071c16103cd2c0fdb8e32564
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/no-view-transition-with-csp-sandbox-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/no-view-transition-with-csp-sandbox.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/resources/csp-sandbox-new.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/resources/csp-sandbox-new.html.headers
    A LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/resources/csp-sandbox-old.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/ViewTransition.cpp
    M Source/WebCore/dom/ViewTransition.h

  Log Message:
  -----------
  CSP sandbox does not prevent cross-document view transition state transfer
https://bugs.webkit.org/show_bug.cgi?id=314705
rdar://175369822

Reviewed by Tim Nguyen.

A navigation to a same-origin URL that responds with Content-Security-Policy: sandbox
(but without allow-same-origin) still receives the full inbound cross-document view
transition. The same-origin check runs before CSP headers are applied and is never
re-evaluated. The previous page's captured element names, geometry, and rendered content
get transferred to the sandboxed document.

Store the old document's SecurityOrigin in ViewTransitionParams at pageswap capture time.
Re-check same-origin in resolveInboundCrossDocumentViewTransition, which runs during
Document::reveal() after CSP headers have been applied and the new document's final origin
is established. If the origins no longer match, the transition is rejected and no state is
transferred.

Test: imported/w3c/web-platform-tests/css/css-view-transitions/navigation/no-view-transition-with-csp-sandbox.html

* LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/no-view-transition-with-csp-sandbox-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/no-view-transition-with-csp-sandbox.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/resources/csp-sandbox-new.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/resources/csp-sandbox-new.html.headers: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-view-transitions/navigation/resources/csp-sandbox-old.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::dispatchPageswapEvent):
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::resolveInboundCrossDocumentViewTransition):
* Source/WebCore/dom/ViewTransition.h:

Originally-landed-as: 305413.920@safari-7624-branch (5002f3bd2e07). rdar://175369822
Canonical link: https://commits.webkit.org/314585@main
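
Added example, not part of the commit and not WebKit's code: a small C++ model of the check ordering the log message describes, showing why a same-origin decision taken before response headers are applied must be repeated against the document's final origin. The types `Origin`, `TransitionParams`, `ResponseHeaders`, the function `navigate`, and the sample origin and state strings are all hypothetical.

```cpp
#include <iostream>
#include <optional>
#include <string>

// Hypothetical model types; these are not WebKit's classes.
struct Origin {
    std::string tuple;    // scheme://host:port
    bool opaque = false;  // sandboxed without allow-same-origin
    // Model simplification: an opaque origin matches no other origin.
    bool isSameOriginAs(const Origin& other) const {
        return !opaque && !other.opaque && tuple == other.tuple;
    }
};

struct TransitionParams {
    Origin oldOrigin;           // stored when the old page's state is captured
    std::string capturedState;  // stands in for names, geometry, snapshots
};

struct ResponseHeaders {
    bool cspSandbox = false;
    bool allowSameOrigin = false;
};

// Returns the state handed to the new document, or nullopt if rejected.
std::optional<std::string> navigate(const TransitionParams& params, const std::string& targetTuple,
                                    const ResponseHeaders& headers, bool recheckAtReveal) {
    // Step 1: early check against the URL's origin, before headers exist.
    Origin newOrigin{targetTuple, false};
    if (!newOrigin.isSameOriginAs(params.oldOrigin))
        return std::nullopt;
    // Step 2: response headers are applied; sandbox makes the origin opaque.
    if (headers.cspSandbox && !headers.allowSameOrigin)
        newOrigin.opaque = true;
    // Step 3: reveal. The fix compares the final origin with the stored one.
    if (recheckAtReveal && !newOrigin.isSameOriginAs(params.oldOrigin))
        return std::nullopt;
    return params.capturedState;
}

int main() {
    TransitionParams p{{"https://example.test:443", false}, "hero-image@10,20"};  // constructed sample
    ResponseHeaders sandboxed{true, false};
    std::cout << "early check only: " << navigate(p, "https://example.test:443", sandboxed, false).has_value() << "\n";
    std::cout << "recheck at reveal: " << navigate(p, "https://example.test:443", sandboxed, true).has_value() << "\n";
}
```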
