Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0beaf193cc762422145d23259b6d039796135c0f
      
https://github.com/WebKit/WebKit/commit/0beaf193cc762422145d23259b6d039796135c0f
  Author: Basuke Suzuki <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    A 
LayoutTests/http/wpt/navigation-api/resources/sourceElement-cross-origin-leak-frame.html
    A 
LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub-expected.txt
    A 
LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub.html
    M 
LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/sourceElement-cross-origin.sub-expected.txt
    M Source/WebCore/page/Navigation.cpp

  Log Message:
  -----------
  Cross-origin parent DOM exposed via NavigateEvent.sourceElement
https://bugs.webkit.org/show_bug.cgi?id=317796
rdar://180371329

Reviewed by Rupin Mittal.

When a navigation in a cross-origin iframe is initiated by an element in the
embedding document (for example, an <a> with target= pointing into the iframe),
NavigateEvent.sourceElement received inside the iframe was the parent's element
itself, with full DOM access via event.sourceElement.ownerDocument. This let
the iframe read arbitrary content from the embedder's document, bypassing the
same-origin policy.

Null out sourceElement in Navigation::innerDispatchNavigateEvent when its
owning document is not same-origin-domain with the navigation's relevant
document. The check sits at the central dispatch funnel after the form
submitter/form rewrite, so anchor, form, submitter, and download paths are
covered uniformly.

The upstream WPT 
navigation-api/navigate-event/sourceElement-cross-origin.sub.html
already covered this case as a baseline failure; flipped to PASS. Added a
WebKit HTTP/WPT regression test that exercises the leak with private
parent-document data so the bypass scenario is explicit.

* 
LayoutTests/http/wpt/navigation-api/resources/sourceElement-cross-origin-leak-frame.html:
 Added.
* 
LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub-expected.txt:
 Added.
* LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub.html: 
Added.
* 
LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/sourceElement-cross-origin.sub-expected.txt:
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::innerDispatchNavigateEvent):

Canonical link: https://commits.webkit.org/316245@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to