Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 2471bc7150ce4cbf2695764e71885d5045d3019d
https://github.com/WebKit/WebKit/commit/2471bc7150ce4cbf2695764e71885d5045d3019d
Author: Ryosuke Niwa <[email protected]>
Date: 2026-04-28 (Tue, 28 Apr 2026)
Changed paths:
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/page/Page.cpp
M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
Log Message:
-----------
[Site Isolation] http/tests/local/blob/navigate-blob.html fails
https://bugs.webkit.org/show_bug.cgi?id=313525
Reviewed by Brady Eidson.
This PR fixes a number of issues with site isolation pertaining to navigate-blob.html:
1. Named window lookup fails across processes
When RemotePageProxy::injectPageIntoNewProcess() creates a popup's WebPage in another process, the opener frame doesn't exist yet (IPC ordering). FrameTree::find() locates the popup by name but isFrameFamiliarWith() rejects it because the opener is null.
Fix: Deferred opener resolution in WebPage::create() (WebPage.cpp, WebPage.h). Store unresolved opener ID; when the opener's WebPage is later created in the same process, resolve pending openers by calling updateOpener().
2. topDocumentSyncData not propagated during main frame process swap
When a main frame navigates cross-origin, didChangeMainDocument() in the new process broadcasts BroadcastAllDocumentSyncData. This message arrives at ProvisionalPageProxy::didReceiveMessage(), which has an explicit list of forwarded messages — BroadcastAllDocumentSyncData was not on it. The message was silently dropped, so the old process (hosting subframes) never learned the new top-level origin. Blobs created by subframes were registered with the wrong partition key.
Fix: Added BroadcastDocumentSyncData and BroadcastAllDocumentSyncData to the forwarded message list in ProvisionalPageProxy::didReceiveMessage() (ProvisionalPageProxy.cpp).
3. topDocumentSyncData race conditions during process swap
Page::updateTopDocumentSyncData(Ref<DocumentSyncData>&&) rejected broadcasts when the main frame was a LocalFrame with a document, so the broadcast arriving before the frame swap was ignored. In addition, Page::setMainFrame() resets m_topDocumentSyncData unconditionally, wiping the just-received broadcast when the main frame was replaced with a RemoteFrame.
Fix: Always accept broadcasts in updateTopDocumentSyncData, and only update m_topDocumentSyncData from the new frame's document when the new frame is a LocalFrame with a document (Page.cpp).
4. Debug assertion failure: null opener frame
WebPageProxy assumed the opener frame still existed when processInheritedFromOpener was true. With site isolation, the opener frame can be destroyed or replaced between the time the popup was opened and when it later navigates. The processInheritedFromOpener flag is a sticky property set at popup creation time. It doesn't track whether the opener frame is still alive. By the time the popup navigates, the opener frame may have been removed by a process swap, page close, or DOM mutation.
Fix: Fall back to ensureProcessForSite when the opener frame is gone (WebPageProxy.cpp).
5. Debug assertion in frameWasRemovedInAnotherProcess
frameWasRemovedInAnotherProcess is the normal cross-process frame synchronization message under site isolation. When a frame is removed in one process, every other process hosting a remote representation of that frame receives this message to tear down its RemoteFrame. With the deferred opener resolution fix, more cross-process frame relationships are established (popups correctly linked to openers across processes). When those frames are later removed — during navigation, process swap, or DOM manipulation — the synchronization message legitimately arrives at the WebPage hosting the remote representation. The ASSERT_NOT_REACHED was incorrect because it treated a normal synchronization path as unreachable.
Fix: Removed the assertion (WebPage.cpp).
Co-authored with Claude.
Test: http/tests/local/blob/navigate-blob.html
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/page/Page.cpp:
(WebCore::Page::setMainFrame):
(WebCore::Page::updateTopDocumentSyncData):
* Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::didReceiveMessage):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::initializeWebPage):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::create):
(WebKit::WebPage::frameWasRemovedInAnotherProcess):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
Canonical link: https://commits.webkit.org/312259@main
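The ordering problem in item 3, as an added example: this is a simplified model written for this page, not WebKit code and not part of the commit. PageModel, MainFrameModel, partitionKeyAfterSwap and the a.example/b.example origins are hypothetical, and the pre-fix reset is assumed to leave an empty origin.

```cpp
#include <iostream>
#include <string>
#include <utility>

// Simplified model of one process's view of the top-level origin.
// All names are hypothetical; this is not WebKit code.
enum class FrameKind { Local, Remote };
struct MainFrameModel {
    FrameKind kind;
    bool hasDocument;
    std::string documentOrigin; // meaningful only when hasDocument is true
    bool isLocalWithDocument() const { return kind == FrameKind::Local && hasDocument; }
};
class PageModel {
public:
    PageModel(bool fixed, MainFrameModel frame)
        : m_fixed(fixed), m_frame(std::move(frame))
        , m_topOrigin(m_frame.isLocalWithDocument() ? m_frame.documentOrigin : std::string()) { }
    // Broadcast of the new top-level origin from the process now hosting the main frame.
    void receiveBroadcast(const std::string& topOrigin) {
        if (!m_fixed && m_frame.isLocalWithDocument())
            return; // pre-fix: ignored while the old local main frame is still in place
        m_topOrigin = topOrigin;
    }
    void setMainFrame(MainFrameModel frame) {
        m_frame = std::move(frame);
        if (m_frame.isLocalWithDocument())
            m_topOrigin = m_frame.documentOrigin;
        else if (!m_fixed)
            m_topOrigin.clear(); // pre-fix: unconditional reset wipes a received broadcast
    }
    // Stand-in for the partition key a subframe's blob would be registered under.
    const std::string& blobPartitionKey() const { return m_topOrigin; }
private:
    bool m_fixed;
    MainFrameModel m_frame;
    std::string m_topOrigin;
};
// Old process during a main-frame swap from a.example to b.example (constructed origins).
std::string partitionKeyAfterSwap(bool fixed, bool broadcastBeforeSwap) {
    PageModel page(fixed, { FrameKind::Local, true, "https://a.example" });
    if (broadcastBeforeSwap) page.receiveBroadcast("https://b.example");
    page.setMainFrame({ FrameKind::Remote, false, "" });
    if (!broadcastBeforeSwap) page.receiveBroadcast("https://b.example");
    return page.blobPartitionKey();
}
int main() {
    for (bool fixed : { false, true })
        for (bool first : { true, false })
            std::cout << fixed << ' ' << first << " '" << partitionKeyAfterSwap(fixed, first) << "'\n";
}
```

In the pre-fix model the partition key depends on whether the broadcast or the frame swap arrives first; with both changes applied, either order ends on the new top-level origin.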