Bug 313458
| Summary: | [Site Isolation] http/wpt/html/cross-origin-embedder-policy/require-corp.https.html is failing because the iframe has the wrong cross-origin-embedder-policy | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Anthony Tarbinian <a.tarbinian> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Anthony Tarbinian
http/wpt/html/cross-origin-embedder-policy/require-corp.https.html
is failing with site isolation enabled when an iframe is navigated to
a cross-origin domain and the server responds with a "Cross-Origin-Resource-Policy"
of "same-site". This header means that the browser should block the navigation since the
iframe's destination URL is cross-origin.
With site isolation enabled, this navigation should be blocked but isn't.
This is because in WebLoaderStrategy::addParametersShared(), WebKit
has iframes inherit their "Cross-Origin-Embedder-Policy" (COEP) from the parent
via frame->ownerElement. COEP is needed since the "require-corp" option is what
requires the use of the "same-site" "Cross-Origin-Resource-Policy" header.
With site isolation and a cross-origin iframe, the parent
is in a different process and can't be accessed via frame->ownerElement.
In this case, the COEP policy defaults to "unsafe-none" and allows the navigation
when it should have been blocked.
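
The failure mode described in the report above, as a simplified C++ model added here for illustration; it is not WebKit code and not the change that landed. All type and function names are hypothetical, `site` is set by hand rather than computed, and the cross-process copy of the parent's policy is an assumption about one possible remedy.

```cpp
#include <cassert>
#include <string>

// Simplified model for illustration; every name below is hypothetical, not WebKit's.
enum class COEP { UnsafeNone, RequireCORP };
enum class CORP { Missing, SameOrigin, SameSite, CrossOrigin };

struct Origin {
    std::string scheme, host, site; // site: registrable domain, set by hand (ports omitted)
    bool sameOrigin(const Origin& o) const { return scheme == o.scheme && host == o.host; }
    bool sameSite(const Origin& o) const { return scheme == o.scheme && site == o.site; }
};

struct Frame { Origin origin; COEP coep; };

struct ChildFrame {
    const Frame* localParent;  // nullptr when the parent lives in another process
    COEP replicatedParentCOEP; // assumption: parent's policy copied across processes
};

// Behaviour described in the report: only an in-process parent can supply COEP.
COEP coepFromLocalParentOnly(const ChildFrame& c) {
    return c.localParent ? c.localParent->coep : COEP::UnsafeNone;
}

// Variant that falls back to the replicated copy when the parent is remote.
COEP coepWithReplicatedFallback(const ChildFrame& c) {
    return c.localParent ? c.localParent->coep : c.replicatedParentCOEP;
}

// CORP check for an iframe navigation response: skipped entirely under unsafe-none.
bool navigationAllowed(COEP embedderPolicy, const Origin& parent, const Origin& dest, CORP corp) {
    if (embedderPolicy == COEP::UnsafeNone) return true;
    if (corp == CORP::Missing) corp = CORP::SameOrigin; // require-corp default
    switch (corp) {
    case CORP::SameOrigin: return parent.sameOrigin(dest);
    case CORP::SameSite: return parent.sameSite(dest);
    default: return true; // CrossOrigin
    }
}

int main() {
    Origin parent{"https", "parent.example", "parent.example"}; // constructed sample origins
    Origin dest{"https", "other.test", "other.test"};
    ChildFrame remote{nullptr, COEP::RequireCORP}; // parent is out of process
    assert(navigationAllowed(coepFromLocalParentOnly(remote), parent, dest, CORP::SameSite));
    assert(!navigationAllowed(coepWithReplicatedFallback(remote), parent, dest, CORP::SameSite));
}
```
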
Radar WebKit Bug Importer
<rdar://problem/175692864>
Anthony Tarbinian
Pull request: https://github.com/WebKit/WebKit/pull/63724
EWS
Committed 312665@main (9ae2256157fb): <https://commits.webkit.org/312665@main>
Reviewed commits have been landed. Closing PR #63724 and removing active labels.