Bug 314257
| Summary: | [Site Isolation] [iOS] File picker selection is dropped when <input type=file> is in a cross-origin iframe | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | zak ridouh <zakr> |
| Component: | New Bugs | Assignee: | zak ridouh <zakr> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | karlcow, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
zak ridouh
With Site Isolation, an <input type=file> in a cross-origin iframe runs
in a different WebContent process than the main frame. After the user
picks a file, WebPageProxy::didChooseFilesForOpenPanelWithDisplayStringAndIcon
was sending the reply IPCs with the main frame's PageID and granting the
read sandbox extension to the main frame's process — so the iframe's
WebContent never sees the result. input.files stays empty, and because
its m_activeOpenPanelResultListener never clears, subsequent taps on the
input are short-circuited by WebChromeClient::runOpenPanel.
Route the reply IPCs and the NetworkProcess file-access grant through
the WebOpenPanelResultListenerProxy that runOpenPanel created for the
originating frame, matching how the non-display-string path already
works.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
zak ridouh
<rdar://175037150>
zak ridouh
Pull request: https://github.com/WebKit/WebKit/pull/64417
EWS
Committed 313619@main (14ef33d019a7): <https://commits.webkit.org/313619@main>
Reviewed commits have been landed. Closing PR #64417 and removing active labels.