Bug 312418

Summary: [Site Isolation] CSP violation reports not sent for frame-ancestors violations in cross-origin iframes
Product: WebKit Reporter: roberto_rodriguez2
Component: New BugsAssignee: roberto_rodriguez2
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

roberto_rodriguez2
Reported 2026-04-15 15:23:02 PDT
When site isolation places a cross-origin iframe in a separate WebContent process, CSP frame-ancestors violation reports are silently dropped. The NetworkProcess detects the violation and sends a SendReportToEndpoints IPC to the iframe's WebContent process, but the iframe's frame has not committed yet, so coreLocalFrame() returns null and the report is discarded. The three affected frame-ancestors tests under site isolation load a cross-origin iframe with frame-ancestors 'none'; report-uri save-report.py, then navigate to a script that reads the saved report and calls testRunner.notifyDone(). With the report never sent, that script waits indefinitely and the tests time out.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2026-04-15 15:23:11 PDT
<rdar://problem/174871083>
roberto_rodriguez2
Comment 2 2026-04-15 15:30:21 PDT
Pull request: https://github.com/WebKit/WebKit/pull/62856
Ryan Haddad
Comment 3 2026-04-28 16:30:07 PDT
Landed in https://commits.webkit.org/312160@main
Note You need to log in before you can comment on or make changes to this bug.