Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1fd159ccc6dfeef72c7d30b9226b5747aa7d534f
https://github.com/WebKit/WebKit/commit/1fd159ccc6dfeef72c7d30b9226b5747aa7d534f
Author: Ryosuke Niwa <[email protected]>
Date: 2026-04-29 (Wed, 29 Apr 2026)
Changed paths:
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt
R LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt
M LayoutTests/platform/ios-site-isolation/TestExpectations
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/loader/SubresourceLoader.cpp
Log Message:
-----------
[Site Isolation] http/tests/xmlhttprequest/origin-allow-list-all.html fails
https://bugs.webkit.org/show_bug.cgi?id=313361
Reviewed by Chris Dumez.

Under site isolation, testRunner.addOriginAccessAllowListEntry() updates the calling WebProcess's local SecurityPolicy::originAccessMap and the Network Process's global copy via IPC. But the iframe's WebProcess (a separate process for localhost:8000) never receives these entries.

The Network Process correctly identifies the request as same-origin via its global allowlist and returns the response. However, SubresourceLoader::checkResponseCrossOriginAccessControl() in the iframe's WebProcess performs a redundant CORS header check. It uses m_resource->isCrossOrigin(), which was set at CachedResource construction time using the WebProcess-local allowlist (empty in the iframe's process).

Since the server doesn't send Access-Control-Allow-Origin headers (the test relies on the allowlist to bypass CORS), this check fails for the async XHR. The sync XHR works because it bypasses SubresourceLoader entirely and trusts the Network Process when shouldPerformSecurityChecks() is true.

Fixed the test by adding an early return in SubresourceLoader::checkResponseCrossOriginAccessControl() when havePerformedSecurityChecks(response) returns true to skip the redundant WebProcess-side CORS check when the Network Process has already validated the response. This follows the same pattern already used in DocumentThreadableLoader::willSendRequest and DocumentLoader::responseReceived.

Co-authored with Claude.
Tests: http/tests/xmlhttprequest/origin-allow-list-all.html
http/tests/xmlhttprequest/origin-allow-list-ip-addresses.html
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt: Removed.
* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl):
Canonical link: https://commits.webkit.org/312297@main
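
A simplified model of the allowlist mismatch the log message above describes, added here as an illustration; it is not WebKit code. Every type and function name in it is hypothetical, and the destination origin is constructed.

```cpp
// Simplified model of the allowlist mismatch; not WebKit code, all names hypothetical.
#include <set>
#include <string>
#include <utility>
using Origin = std::string;

struct AllowList {
    std::set<std::pair<Origin, Origin>> entries; // (source, destination)
    bool allows(const Origin& src, const Origin& dst) const { return entries.count(std::make_pair(src, dst)) > 0; }
};

struct Response {
    bool hasAllowOriginHeader = false;    // server sent Access-Control-Allow-Origin
    bool checkedByNetworkProcess = false; // stands in for havePerformedSecurityChecks(response)
};

// Cross-origin unless the origins match or the given allowlist has an entry.
bool isCrossOrigin(const AllowList& list, const Origin& src, const Origin& dst) { return src != dst && !list.allows(src, dst); }

// Network Process side: decides with the global allowlist and marks the response as checked.
bool networkProcessLoad(const AllowList& global, const Origin& src, const Origin& dst, Response& response)
{
    if (isCrossOrigin(global, src, dst) && !response.hasAllowOriginHeader)
        return false;
    response.checkedByNetworkProcess = true;
    return true;
}

// WebProcess side: the CORS header check, with or without the early return.
bool webProcessCheck(const AllowList& local, const Origin& src, const Origin& dst, const Response& response, bool earlyReturn)
{
    if (earlyReturn && response.checkedByNetworkProcess)
        return true; // the Network Process already validated this response
    return !isCrossOrigin(local, src, dst) || response.hasAllowOriginHeader;
}

// Async load from the iframe's process: the global list has the entry, the local list is empty.
bool asyncLoadSucceeds(bool earlyReturn)
{
    const Origin src = "http://localhost:8000", dst = "http://target.example"; // dst is constructed
    AllowList global, iframeLocal;
    global.entries.emplace(src, dst);
    Response response; // no Access-Control-Allow-Origin header, as in the test
    return networkProcessLoad(global, src, dst, response) && webProcessCheck(iframeLocal, src, dst, response, earlyReturn);
}

int main() { return asyncLoadSucceeds(true) && !asyncLoadSucceeds(false) ? 0 : 1; }
```

In this model the early return is only as trustworthy as the checked flag, which nothing but networkProcessLoad sets; a response without it still goes through the process-local header check.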