313458 2026-04-27 11:14:41 -0700 [Site Isolation] http/wpt/html/cross-origin-embedder-policy/require-corp.https.html is failing because the iframe has the wrong cross-origin-embedder-policy 2026-05-05 21:24:38 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 a.tarbinian webkit-unassigned webkit-bug-importer oldest_to_newest 2205005 0 a.tarbinian 2026-04-27 11:14:41 -0700 http/wpt/html/cross-origin-embedder-policy/require-corp.https.html is failing with site isolation enabled because when an iframe is navigated to a cross-origin domain and the server responds with a "Cross-Origin-Resource-Policy" of "same-site". This header means that the browser should block the navigation since the iframe's destination URL is cross origin. With site isolation enabled, this navigation should be blocked but isn't. This is because in WebLoaderStrategy::addParametersShared(), WebKit has iframes inherit their "Cross-Origin-Embedder-Polcicy" (COEP) from the parent via frame->ownerElement. COEP is needed since the "require-corp" option is what requires the use of the "same-site" "Cross-Origin-Resource-Policy" header. With site isolation and a cross origin iframe, the parent is in a different process and can't be accessed via frame->ownerElement. In this case, the COEP policy defaults to "unsafe-none" and allows the navigation when it should have been blocked. 2205006 1 webkit-bug-importer 2026-04-27 11:14:47 -0700 <rdar://problem/175692864> 2205015 2 a.tarbinian 2026-04-27 11:27:45 -0700 Pull request: https://github.com/WebKit/WebKit/pull/63724 2207974 3 ews-feeder 2026-05-05 21:24:37 -0700 Committed 312665@main (9ae2256157fb): <https://commits.webkit.org/312665@main> Reviewed commits have been landed. Closing PR #63724 and removing active labels.