Bug 314439

Summary: [Site Isolation] AuthenticatorCoordinator::scopeAndCrossOriginParent doesn't handle RemoteFrames
Product: WebKit Reporter: Anthony Tarbinian <a.tarbinian>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P1 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Anthony Tarbinian
Reported 2026-05-08 15:45:46 PDT
AuthenticatorCoordinator::scopeAndCrossOriginParent only checks parent documents when determining if a document's ancestors are same-origin, same-site or cross-origin. With site isolation enabled, parent documents might not be accessible if the parent's document is in a different process. This is causing http/wpt/webauthn/public-key-credential-cross-origin.https.html to fail with site isolation enabled. This is the current code as of https://commits.webkit.org/310802@main: static ScopeAndCrossOriginParent scopeAndCrossOriginParent(const Document& document) { bool isSameSite = true; Ref origin = document.securityOrigin(); auto url = document.url(); std::optional<SecurityOriginData> crossOriginParent; for (RefPtr parentDocument = document.parentDocument(); parentDocument; parentDocument = parentDocument->parentDocument()) { if (!origin->isSameOriginDomain(protect(parentDocument->securityOrigin())) && !areRegistrableDomainsEqual(url, parentDocument->url())) isSameSite = false; if (!crossOriginParent && !origin->isSameOriginAs(protect(parentDocument->securityOrigin()))) crossOriginParent = parentDocument->securityOrigin().data(); } if (!crossOriginParent) return std::pair { WebAuthn::Scope::SameOrigin, std::nullopt }; if (isSameSite) return std::pair { WebAuthn::Scope::SameSite, crossOriginParent }; return std::pair { WebAuthn::Scope::CrossOrigin, crossOriginParent }; }
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2026-05-08 15:45:52 PDT
<rdar://problem/176593716>
Anthony Tarbinian
Comment 2 2026-05-12 14:40:42 PDT
Pull request: https://github.com/WebKit/WebKit/pull/64785
EWS
Comment 3 2026-05-18 09:49:24 PDT
Committed 313422@main (073bf48042ce): <https://commits.webkit.org/313422@main> Reviewed commits have been landed. Closing PR #64785 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.