Bug 309791

Summary: Send only the target frame's FrameState during UIProcess-driven back/forward navigation
Product: WebKit Reporter: Basuke Suzuki <basuke>
Component: New Bugs Assignee: Basuke Suzuki <basuke>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Basuke Suzuki
Reported 2026-03-12 09:29:17 PDT
Currently, `goToBackForwardItem` sends the full FrameState tree (including all children) to the WebProcess. Under site isolation, this means a WebProcess receives FrameState for cross-site child frames, which violates the security principle that a process should only have access to same-site content.
Basuke Suzuki
Comment 1 2026-03-12 09:29:34 PDT
When `UseUIProcessForBackForwardItemLoading` is enabled, each child frame receives its own FrameState individually from the UIProcess via `dispatchDecidePolicyForBackForwardNavigationAction`, so the children in the tree are no longer needed. This patch takes advantage of that to stop sending child FrameStates to the WebProcess:

1. In `WebPageProxy::goToBackForwardItem`, use `copyFrameState()` (without children) instead of `copyFrameStateWithChildren()` when `useUIProcessForBackForwardItemLoading` is enabled.
2. In `FrameLoader::setRequestedHistoryItem`, reconstruct the parent-child HistoryItem tree by adding each child's HistoryItem to its parent's current HistoryItem via `setChildItem`. This ensures the HistoryItem tree after a back/forward navigation matches the structure that `createItemTree` would have produced during a normal navigation.

Also adds an assertion that `loadChildHistoryItemIntoFrame` — which walks the tree to find child items — is not called when the flag is enabled, since child items are delivered individually rather than through tree traversal.
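Added illustration of the property the change enforces, using a toy C++ model that is not WebKit code and not part of this patch: the old full-tree copy places cross-site child URLs in the payload destined for the main frame's process, the childless per-frame copy does not, and attaching each delivered child through `setChildItem` rebuilds the same tree shape. The types `Frame`, `Delivery`, the functions `siteOf`, `crossSiteUrls`, `dispatchPerFrame`, `rebuild`, `sampleTree`, and the `a/b/c.example` URLs are assumptions made for this model.

```cpp
#include <string>
#include <vector>
// Toy model for this example (not WebKit's types): Frame is the UIProcess tree, FrameState is what gets sent to a WebProcess, HistoryItem is what FrameLoader rebuilds.
struct Frame { std::string url; std::vector<Frame> children; };
struct FrameState { std::string url; std::vector<FrameState> children; };
struct HistoryItem {
    std::string url; std::vector<HistoryItem> children;
    void setChildItem(HistoryItem child) { children.push_back(child); }
};
// Site = scheme + host, the unit a WebProcess is allowed to see (inputs are assumed to be absolute URLs).
std::string siteOf(const std::string& url) { return url.substr(0, url.find('/', url.find("://") + 3)); }
// Old path: the whole subtree is copied into one message.
FrameState copyFrameStateWithChildren(const Frame& f) {
    FrameState s{f.url, {}};
    for (const auto& c : f.children) s.children.push_back(copyFrameStateWithChildren(c));
    return s;
}
// New path (flag on): this frame only; children arrive as separate messages.
FrameState copyFrameState(const Frame& f) { return {f.url, {}}; }
// Audit helper: URLs in a payload that belong to a site other than the receiving process's.
std::vector<std::string> crossSiteUrls(const FrameState& s, const std::string& site) {
    std::vector<std::string> out;
    if (siteOf(s.url) != site) out.push_back(s.url);
    for (const auto& c : s.children)
        for (const auto& u : crossSiteUrls(c, site)) out.push_back(u);
    return out;
}
// One message per frame: its own childless state plus its parent's URL (URLs double as frame ids; the sample keeps them unique).
struct Delivery { std::string parentUrl; FrameState state; };
std::vector<Delivery> dispatchPerFrame(const Frame& f, const std::string& parentUrl = "") {
    std::vector<Delivery> out;
    out.push_back({parentUrl, copyFrameState(f)});
    for (const auto& c : f.children)
        for (const auto& d : dispatchPerFrame(c, f.url)) out.push_back(d);
    return out;
}
// Receiving side: attach each delivered child to its parent's item via setChildItem, giving the tree createItemTree would have produced.
HistoryItem rebuild(const std::vector<Delivery>& msgs, const std::string& url) {
    HistoryItem item{url, {}};
    for (const auto& m : msgs)
        if (m.parentUrl == url) item.setChildItem(rebuild(msgs, m.state.url));
    return item;
}
// Constructed sample: one same-site child and one cross-site child that itself nests a third site.
Frame sampleTree() {
    return {"https://a.example/page", {{"https://a.example/frame", {}},
            {"https://b.example/ad", {{"https://c.example/inner", {}}}}}};
}
```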
Basuke Suzuki
Comment 2 2026-03-13 09:02:50 PDT
Basuke Suzuki
Comment 3 2026-03-13 09:03:05 PDT
EWS
Comment 4 2026-03-16 13:04:01 PDT
Committed 309344@main (ea9560f77928): <https://commits.webkit.org/309344@main> Reviewed commits have been landed. Closing PR #60562 and removing active labels.