Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b537a57c092d669ff1e1dee094bef292cd95dd5d
https://github.com/WebKit/WebKit/commit/b537a57c092d669ff1e1dee094bef292cd95dd5d
Author: Rupin Mittal <[email protected]>
Date: 2026-04-29 (Wed, 29 Apr 2026)
Changed paths:
M Source/WebCore/page/Navigation.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/NavigationAPI.mm
Log Message:
-----------
[Navigation API] intercept() wrongly succeeds for cross-subdomain navigations
https://bugs.webkit.org/show_bug.cgi?id=306050
rdar://165690775
Reviewed by Alex Christensen.
Consider that we have two sites that differ in subdomain:
1. page1.example.com
2. page2.example.com
If we navigate from page1 to page2, page1 should not be able to intercept the
navigation because this is a cross-origin navigation. Our bug is that currently,
the intercept succeeds.
How it's supposed to work:
One of the steps in firing a navigate event says:
(Step 9 in
https://html.spec.whatwg.org/multipage/nav-history-apis.html#inner-navigate-event-firing-algorithm)
"If document can have its URL rewritten to destination's URL, and either
destination's is same document is true or navigationType is not "traverse", then
initialize event's canIntercept to true. Otherwise, initialize it to false."
One of the steps for checking if the URL can be rewritten to destination's URL
is:
(https://html.spec.whatwg.org/multipage/nav-history-apis.html#can-have-its-url-rewritten)
"If targetURL and documentURL differ in their scheme, username, password, host,
or port components, then return false."
Our two URLs differ in host, so canIntercept should be set to false.
Later on, when intercept() is called, it should fail because its steps say:
(https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-navigateevent-intercept)
"If this's canIntercept attribute was initialized to false, then throw a
"SecurityError" DOMException."
What's wrong:
Our issue is that the "can-have-its-url-rewritten" check returns true, so
canIntercept is set to true and later on the intercept succeeds. The check is
implemented incorrectly. Instead of checking if the URLs differ in scheme,
username, password, host, or port components, it simply does:
    bool isSameSite = documentOrigin->isSameSiteAs(targetOrigin);
    bool isSameOrigin = documentOrigin->isSameOriginAs(targetOrigin);
    if (!isSameSite && !isSameOrigin)
        return false;
For our two URLs, isSameSite is true, so this check doesn't return false as it
should. Also this check never compares the usernames and passwords. This means
that not only does the cross-origin check fail in the case of URLs that differ by
subdomain but it will also fail for URLs that differ in username and password.
We fix this by changing the check to follow the spec. We also add new API tests for
both the subdomain and username/password cases.
* Source/WebCore/page/Navigation.cpp:
(WebCore::documentCanHaveURLRewritten):
* Tools/TestWebKitAPI/SourcesCocoa.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/NavigationAPI.mm: Added.
(TestWebKitAPI::TEST(NavigationAPI, InterceptFailsForDifferentSubdomain)):
(TestWebKitAPI::TEST(NavigationAPI, InterceptFailsForDifferentUsernameAndPassword)):
Originally-landed-as: 305413.125@safari-7624-branch (67e3366c7a2c).
rdar://173969327
Canonical link: https://commits.webkit.org/312283@main
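
Added example (not WebKit code, not part of the commit): a JavaScript model of the two checks the log message contrasts, run over constructed URL pairs. It covers only the spec step quoted above, not the rest of the "can have its URL rewritten" algorithm; the function names and the two-label registrable-domain shortcut are assumptions made for illustration.

```javascript
// ASSUMPTION: registrable domain approximated as the last two host labels.
// Real engines consult the Public Suffix List; this is enough for example.com.
function naiveRegistrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function isSameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

function isSameSite(a, b) {
  return a.protocol === b.protocol &&
    naiveRegistrableDomain(a.hostname) === naiveRegistrableDomain(b.hostname);
}

// Model of the pre-fix logic described in the log message: the pair is only
// rejected when it is neither same-site nor same-origin.
function passesOldCheck(documentURL, targetURL) {
  const doc = new URL(documentURL);
  const target = new URL(targetURL);
  if (!isSameSite(doc, target) && !isSameOrigin(doc, target))
    return false;
  return true;
}

// The quoted spec step: any difference in scheme, username, password, host,
// or port means the URL cannot be rewritten (so canIntercept must be false).
function passesSpecComponentCheck(documentURL, targetURL) {
  const doc = new URL(documentURL);
  const target = new URL(targetURL);
  const components = ["protocol", "username", "password", "hostname", "port"];
  return components.every((name) => doc[name] === target[name]);
}

// Constructed sample pairs: [document URL, navigation target URL].
const constructedCases = [
  ["https://page1.example.com/", "https://page2.example.com/"],
  ["https://user1:pass1@example.com/", "https://user2:pass2@example.com/"],
  ["https://page1.example.com/a", "https://page1.example.com/b"],
  ["https://page1.example.com/", "https://other.test/"],
];

function compareChecks(cases) {
  return cases.map(([doc, target]) => ({
    doc, target,
    oldCheck: passesOldCheck(doc, target),
    specCheck: passesSpecComponentCheck(doc, target),
  }));
}

console.table(compareChecks(constructedCases));
```

Rows where oldCheck is true and specCheck is false are the pairs for which canIntercept would have been wrongly initialized to true.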