[webkit-changes] [WebKit/WebKit] 1af18a: [Site Isolation] CSP violation reports not sent fo...

Mon, 27 Apr 2026 17:35:35 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1af18a130b98c50d069370762a58f3c92d383901
      
https://github.com/WebKit/WebKit/commit/1af18a130b98c50d069370762a58f3c92d383901
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-04-27 (Mon, 27 Apr 2026)

  Changed paths:
    M LayoutTests/platform/ios-site-isolation/TestExpectations
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M Source/WebCore/loader/FrameLoader.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp

  Log Message:
  -----------
  [Site Isolation] CSP violation reports not sent for frame-ancestors 
violations in cross-origin iframes
https://bugs.webkit.org/show_bug.cgi?id=312418
rdar://174871083

Reviewed by Youenn Fablet.

When site isolation places a cross-origin iframe in a separate WebContent 
process, CSP frame-ancestors
violation reports are silently dropped. The NetworkProcess detects the 
violation and sends a SendReportToEndpoints
IPC to the iframe's WebContent process, but the iframe's frame has not 
committed yet, so coreLocalFrame()
returns null and the report is discarded.

The three affected frame-ancestors tests under site isolation load a 
cross-origin iframe with frame-ancestors 'none';
report-uri save-report.py, then navigate to a script that reads the saved 
report and calls testRunner.notifyDone().
With the report never sent, that script waits indefinitely and the tests time 
out.

Fix by addressing two gaps: (1) fall back to the provisional LocalFrame when 
coreLocalFrame() is null so PingLoader
has a frame to send from, and (2) set the frame's outgoing referrer from the 
provisional DocumentLoader's request,
since the provisional frame has no committed document and would otherwise 
produce a report with no referrer header.

* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/loader/FrameLoader.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::sendReportToEndpoints):

Canonical link: https://commits.webkit.org/312160@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to