Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0beaf193cc762422145d23259b6d039796135c0f
https://github.com/WebKit/WebKit/commit/0beaf193cc762422145d23259b6d039796135c0f
Author: Basuke Suzuki <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A
LayoutTests/http/wpt/navigation-api/resources/sourceElement-cross-origin-leak-frame.html
A
LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub-expected.txt
A
LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub.html
M
LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/sourceElement-cross-origin.sub-expected.txt
M Source/WebCore/page/Navigation.cpp
Log Message:
-----------
Cross-origin parent DOM exposed via NavigateEvent.sourceElement
https://bugs.webkit.org/show_bug.cgi?id=317796
rdar://180371329
Reviewed by Rupin Mittal.
When a navigation in a cross-origin iframe is initiated by an element in the
embedding document (for example, an <a> with target= pointing into the iframe),
NavigateEvent.sourceElement received inside the iframe was the parent's element
itself, with full DOM access via event.sourceElement.ownerDocument. This let
the iframe read arbitrary content from the embedder's document, bypassing the
same-origin policy.
Null out sourceElement in Navigation::innerDispatchNavigateEvent when its
owning document is not same-origin-domain with the navigation's relevant
document. The check sits at the central dispatch funnel after the form
submitter/form rewrite, so anchor, form, submitter, and download paths are
covered uniformly.
The upstream WPT
navigation-api/navigate-event/sourceElement-cross-origin.sub.html
already covered this case as a baseline failure; flipped to PASS. Added a
WebKit HTTP/WPT regression test that exercises the leak with private
parent-document data so the bypass scenario is explicit.
*
LayoutTests/http/wpt/navigation-api/resources/sourceElement-cross-origin-leak-frame.html:
Added.
*
LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub-expected.txt:
Added.
* LayoutTests/http/wpt/navigation-api/sourceElement-cross-origin-leak.sub.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/sourceElement-cross-origin.sub-expected.txt:
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::innerDispatchNavigateEvent):
Canonical link: https://commits.webkit.org/316245@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications