Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 67d0f9bda630a53a2e7ecae36d9a6973e7701090
      
https://github.com/WebKit/WebKit/commit/67d0f9bda630a53a2e7ecae36d9a6973e7701090
  Author: Anthony Tarbinian <[email protected]>
  Date:   2026-03-04 (Wed, 04 Mar 2026)

  Changed paths:
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M Source/WebCore/page/DOMWindow.cpp
    M Source/WebCore/page/DOMWindow.h
    M Source/WebCore/page/LocalDOMWindow.cpp

  Log Message:
  -----------
[Site Isolation] Block window.open for a javascript url on a cross origin target window
https://bugs.webkit.org/show_bug.cgi?id=308992
rdar://171541099

Reviewed by Sihui Liu.

When window.open is called, a "target" argument can optionally be provided.
This "target" parameter describes the name of the new window to open.
If a window with the given "target" parameter already exists, then window.open
will reuse that window for the navigation.
See https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-open-dev

Using this target parameter, we can reuse existing windows for navigation.
If we choose the right window name, we can choose a window that is cross origin
from our active context, effectively performing a navigation of a cross origin frame.

When it comes to javascript urls, the HTML navigation spec doesn't allow navigation
to javascript urls where the origin of the target document is different from the
active document.
See step 4 of Section 7.4.2.3.2 of the HTML navigation spec which describes the
special case of navigating to javascript urls.
https://html.spec.whatwg.org/#the-javascript:-url-special-case

        If initiatorOrigin is not same origin-domain with targetNavigable's
        active document's origin, then return.

This is essentially the same bug as https://bugs.webkit.org/show_bug.cgi?id=305615,
except for window.open instead of by directly setting the .src attribute of
frames/iframes.

Here is an example of a window.open call which should be blocked:
```
... // JS currently running at example.com
// note the target window "tg"
window.open("javascript:alert('FAIL')", "tg");

... <!-- HTML -->
<iframe onload="runTest()" name="tg"
        src="https://wikipedia.org"></iframe>
```

This patch blocks window.open from navigating a cross origin frame
to a javascript url when the target frame is a RemoteFrame.

It adds a check to LocalDOMWindow::createWindow to check for access when
window.open is called and the target window is already a RemoteFrame.
If the origins of the active and target documents don't match, navigating
the target window to a javascript url is blocked.

This patch fixes the following LayoutTests with site isolation enabled:
- http/tests/security/xss-DENIED-window-open-javascript-url-with-spaces.html
- http/tests/security/xss-DENIED-window-open-javascript-url.html

* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::isInsecureScriptAccess):
* Source/WebCore/page/DOMWindow.h:
* Source/WebCore/page/LocalDOMWindow.cpp:
(WebCore::LocalDOMWindow::createWindow):

Canonical link: https://commits.webkit.org/308632@main
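The spec rule the message quotes (step 4 of the javascript: URL special case), modelled as an added example that is not WebKit's code: a named target that already exists is reused, and a javascript: URL is dropped when that window's document is cross origin from the initiator. It assumes document.domain is never set, so "same origin-domain" reduces to a plain origin comparison, and uses a constructed frame table with the names from the message's example.

```javascript
// Constructed frame table mirroring the message's example: a window named "tg"
// whose active document is cross origin from the script running at example.com,
// plus a same-origin frame for contrast. Not WebKit's data structures.
const EXISTING_WINDOWS = new Map([
  ["tg", "https://wikipedia.org/"],
  ["self_frame", "https://example.com/page.html"],
]);

// True when the request, after WHATWG URL parsing, is a javascript: URL.
// Parsing matters: the URL parser strips leading C0 controls and spaces and
// removes tabs/newlines anywhere, so "  javascript:..." and "java\nscript:..."
// both count. A naive startsWith("javascript:") check would miss them; the
// "-with-spaces" layout test the message lists exercises exactly that case.
function isJavaScriptUrl(rawUrl) {
  try {
    return new URL(rawUrl).protocol === "javascript:";
  } catch {
    return false; // unparsable input is not a javascript: URL
  }
}

// Decide what window.open(rawUrl, target) from `initiatorOrigin` may do.
// Returns "new-window", "navigate" or "blocked".
function windowOpenDecision(initiatorOrigin, rawUrl, target) {
  const targetDocUrl = EXISTING_WINDOWS.get(target);
  if (targetDocUrl === undefined) {
    // No existing window with that name: a fresh one is created, and a
    // javascript: URL there runs against the initiator's own blank document.
    return "new-window";
  }
  if (!isJavaScriptUrl(rawUrl)) {
    // Ordinary URLs may navigate a named window even when it is cross origin.
    return "navigate";
  }
  // Step 4 of the special case: the initiator must be same origin(-domain)
  // with the target navigable's active document, otherwise return without
  // navigating. Assumption: document.domain is unset, so compare origins.
  const targetOrigin = new URL(targetDocUrl).origin;
  const initiator = new URL(initiatorOrigin).origin;
  return targetOrigin === initiator ? "navigate" : "blocked";
}
```
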