Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e211768ca32eb6c0f35255de16ee01ffcda11370
https://github.com/WebKit/WebKit/commit/e211768ca32eb6c0f35255de16ee01ffcda11370
Author: Anthony Tarbinian <[email protected]>
Date: 2026-04-28 (Tue, 28 Apr 2026)
Changed paths:
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
[Site Isolation] Document::isSecureContext ignores RemoteFrame ancestors
https://bugs.webkit.org/show_bug.cgi?id=313498
rdar://175714384
Reviewed by Sihui Liu.
In Document::isSecureContext, WebKit walks the frame tree to check
if all of a frame's ancestors are "secure". It does this to gate access to
powerful web APIs such as navigator.geolocation.
For each ancestor, we call Document::isDocumentSecure which performs
checks to see if the frame is potentially trustworthy. Below is the
implementation.
It does the following:
1. If the document is sandboxed, it checks if the document's URL is trustworthy
2. Otherwise, check if the document's security origin is trustworthy.
```
static inline bool isDocumentSecure(const Document& document)
{
    if (document.isSandboxed(SandboxFlag::Origin))
        return isURLPotentiallyTrustworthy(document.url());
    return document.securityOrigin().isPotentiallyTrustworthy();
}
```
With site isolation enabled, it is possible for some of the document's
ancestors to be RemoteFrames in different processes. Currently, the
code in Document::isSecureContext only handles LocalFrames and silently
skips any RemoteFrame ancestors.
This patch handles the RemoteFrame case by adding a fallback when
an ancestor frame can't be cast to a LocalFrame. Since we can't get the
document of the RemoteFrame, we can't call Document::isDocumentSecure
like the LocalFrame case. Instead, this patch directly calls
isPotentiallyTrustworthy on the RemoteFrame's security origin. This is #2
from the description of Document::isDocumentSecure earlier in this commit
message. I chose to skip #1 since we don't have the full URL or sandbox
flags of the remote frame. Also, only checking the RemoteFrame's security
origin is more conservative since in the worst case we would treat a frame
as insecure (and block requests) where the pre site isolation case would
treat it as secure.
This patch fixes
imported/w3c/web-platform-tests/secure-contexts/basic-popup-and-iframe-tests.html
with site isolation enabled.
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isSecureContext const):
Canonical link: https://commits.webkit.org/312199@main
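Added example, not part of the commit or of WebKit's source: a simplified C++ model of the ancestor walk described in the log message, comparing the behaviour when RemoteFrame ancestors are skipped with the origin-only fallback. Frame, isTrustworthyScheme, RemoteAncestors and childIsSecure are hypothetical names, "potentially trustworthy" is reduced to a scheme check, and an empty originScheme stands in for the opaque origin of a sandboxed document.

```cpp
#include <string>

// Hypothetical, simplified model of the frame-tree walk; not WebKit's types or code.
struct Frame {
    const Frame* parent;      // nullptr for the main frame
    bool isLocal;             // false models a RemoteFrame living in another process
    bool originSandboxed;     // sandbox flag; only consulted for local frames
    std::string urlScheme;    // document URL scheme; only consulted for local frames
    std::string originScheme; // security origin scheme; "" models an opaque origin
};

// Assumption: "potentially trustworthy" is reduced to a scheme check here.
static bool isTrustworthyScheme(const std::string& scheme) {
    return scheme == "https" || scheme == "wss";
}

// Mirrors the two steps listed in the log message for a local document.
static bool isLocalDocumentSecure(const Frame& frame) {
    if (frame.originSandboxed)
        return isTrustworthyScheme(frame.urlScheme);
    return isTrustworthyScheme(frame.originScheme);
}

enum class RemoteAncestors { Skip, CheckOrigin }; // skipping vs. the origin-only fallback

bool isSecureContext(const Frame& frame, RemoteAncestors policy) {
    for (const Frame* ancestor = frame.parent; ancestor; ancestor = ancestor->parent) {
        if (ancestor->isLocal) {
            if (!isLocalDocumentSecure(*ancestor))
                return false;
        } else if (policy == RemoteAncestors::CheckOrigin && !isTrustworthyScheme(ancestor->originScheme))
            return false; // origin-only fallback: no URL or sandbox flags available
    }
    return isLocalDocumentSecure(frame);
}

// Constructed scenario: an https iframe whose parent is described by the arguments.
bool childIsSecure(bool parentIsLocal, bool parentSandboxed, const std::string& parentUrlScheme,
    const std::string& parentOriginScheme, RemoteAncestors policy) {
    Frame parent { nullptr, parentIsLocal, parentSandboxed, parentUrlScheme, parentOriginScheme };
    Frame child { &parent, true, false, "https", "https" };
    return isSecureContext(child, policy);
}

int main() {
    // http remote parent: accepted when skipped, rejected with the origin check.
    return childIsSecure(false, false, "http", "http", RemoteAncestors::CheckOrigin) ? 1 : 0;
}
```

In this model a sandboxed https parent passes when it is local (URL check) but fails when it is remote (opaque origin), which is the conservative worst case the log message describes.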