Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 553624f87f6e16aa77717f997880f3fff10674f1
https://github.com/WebKit/WebKit/commit/553624f87f6e16aa77717f997880f3fff10674f1
Author: Ryosuke Niwa <[email protected]>
Date: 2026-04-30 (Thu, 30 Apr 2026)
Changed paths:
M Source/WebCore/fileapi/URLKeepingBlobAlive.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
Log Message:
-----------
[Site Isolation]
imported/w3c/web-platform-tests/FileAPI/url/url-in-tags-revoke.window.html fails
https://bugs.webkit.org/show_bug.cgi?id=313634
Reviewed by Youenn Fablet.
When user clicks on <a target="_blank" href="blob:...">, the HTML spec implies
for the new window
to have no opener (as there's no rel="opener"). In WebPageProxy::createNewPage,
when hasOpener is
false and site isolation is enabled, the UIProcess replies null to the
CreateNewPage sync IPC and
loads the blob URL in a new process via loadRequest. The null reply causes the
old process's
checkNewWindowPolicy lambda to finish and drop its URLKeepingBlobAlive. This
unregisters the blob
URL handle in the NetworkProcess. Since revokeObjectURL was already called by
JS, the blob's
refcount drops to zero and the blob data is deleted before the new process can
fetch it.
This PR fixes the test by keeping the blob live for longer. In the old process,
WebLocalFrameLoaderClient::dispatchCreatePage now creates and stores a
URLKeepingBlobAlive on the
WebPage when createWindow returns null for a blob URL. This keeps the blob
alive after
checkNewWindowPolicy's lambda exits. On the UIProcess side, createNewPage
records the old page's
process and page ID on the new WebPageProxy. When the new process handles
LoadRequest and sends
back decidePolicyForNavigationActionAsync - meaning it has registered its own
blob URL handle in
checkNavigationPolicy - the UIProcess sends
ReleaseKeptBlobURLForNewWindowNavigation to the old
process, which clears the stored handle.
Test: imported/w3c/web-platform-tests/FileAPI/url/url-in-tags-revoke.window.html
* Source/WebCore/fileapi/URLKeepingBlobAlive.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForNavigationActionAsync):
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::keepBlobURLAliveForNewWindowNavigation):
(WebKit::WebPage::releaseKeptBlobURLForNewWindowNavigation):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
Canonical link: https://commits.webkit.org/312340@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
