Bug 314116

Summary: [Site Isolation] Popup's inherited origin lost during didCommitLoad
Product: WebKit Reporter: roberto_rodriguez2
Component: New Bugs Assignee: roberto_rodriguez2
Status: RESOLVED FIXED
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

roberto_rodriguez2
Reported 2026-05-05 13:16:13 PDT
A popup opened via window.open() inherits its opener's origin during frame construction. When the about:blank document commits, didCommitLoad calls updateDocumentSecurityOrigin(nullptr) which overwrites the inherited origin with an opaque one because the creator reference is not retained. The opaque origin propagates to cross-origin processes via FrameTreeSyncData and Page::mainFrameOrigin(), causing the sandbox exemption in isNavigationBlockedByThirdPartyIFrameRedirectBlocking to fail because it can't verify the parent is same-origin with the top frame, so navigations from sandboxed allow-top-navigation iframes are incorrectly blocked.
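A simplified model of the failure described above, added here as an illustration and not WebKit's own code: Origin, Document, openPopup, commitAboutBlank and topNavigationBlocked are hypothetical stand-ins for the WebKit types and functions the report names, and the opener origin is a constructed sample value.

```cpp
#include <memory>
#include <string>

// Minimal stand-in for SecurityOrigin. An opaque origin is same-origin only
// with itself (identity), never with a copy or any other origin.
struct Origin {
    std::string tuple;     // "scheme://host", empty when opaque
    bool opaque = false;
    bool isSameOriginAs(const Origin& o) const {
        if (this == &o) return true;
        if (opaque || o.opaque) return false;
        return tuple == o.tuple;
    }
};

struct Document {
    std::shared_ptr<Origin> origin;
    std::shared_ptr<Origin> creatorOrigin; // opener's origin, retained or dropped
};

// Frame construction: the about:blank popup inherits its opener's origin.
Document openPopup(const std::shared_ptr<Origin>& opener, bool retainCreator) {
    Document d;
    d.origin = opener;
    d.creatorOrigin = retainCreator ? opener : nullptr;
    return d;
}

// Commit of the about:blank document. With no creator reference the origin is
// recomputed as a fresh opaque one, modelling updateDocumentSecurityOrigin(nullptr).
void commitAboutBlank(Document& d) {
    if (d.creatorOrigin)
        d.origin = d.creatorOrigin;
    else
        d.origin = std::make_shared<Origin>(Origin{"", true});
}

// Sandbox exemption: an allow-top-navigation iframe may navigate the top frame
// only when its parent is same-origin with the top frame.
bool topNavigationBlocked(const Origin& parent, const Origin& top) {
    return !parent.isSameOriginAs(top);
}

// Runs the scenario end to end. The cross-origin process only sees copies of
// the popup's origin (frame-tree sync), so two opaque copies never match.
bool popupScenarioBlocks(bool retainCreator) {
    auto opener = std::make_shared<Origin>(Origin{"https://example.test", false});
    Document popup = openPopup(opener, retainCreator);
    commitAboutBlank(popup);
    Origin parentCopy = *popup.origin; // parent of the sandboxed iframe
    Origin topCopy = *popup.origin;    // Page::mainFrameOrigin() in that process
    return topNavigationBlocked(parentCopy, topCopy);
}
```

With the creator dropped the navigation is blocked; retaining it restores the inherited origin and the exemption succeeds.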
Radar WebKit Bug Importer
Comment 1 2026-05-05 13:16:19 PDT
roberto_rodriguez2
Comment 2 2026-05-05 13:21:27 PDT
EWS
Comment 3 2026-05-08 21:52:52 PDT
Committed 312937@main (14926e2a2447): <https://commits.webkit.org/312937@main> Reviewed commits have been landed. Closing PR #64292 and removing active labels.