WebKit Bugzilla
Bug 303956: [Site Isolation] Can't call window.open() from an about:blank iframe
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=303956

Anthony Tarbinian, reported 2025-12-10 16:48:42 PST
rdar://165169147
Calling window.open() on an iframe triggers an ASSERT relating to registering a message receiver. See the stack trace below, but it happens when `BrowsingContextGroup` fails to find a process for this webpage and instead tries to create a new one. I suspect that BrowsingContextGroup should pick an existing FrameProcess instead of creating a new one, but I need to think more about it.

Steps To Reproduce:
Run the following Layout Test with Site Isolation enabled (also hits the same ASSERT when loaded in MiniBrowser or run in the Web Inspector console).

`Tools/Scripts/run-webkit-tests --debug --additional-header=SiteIsolationEnabled=true LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url.html`

```
<html>
<head>
<script>
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

window.onload = function() {
    i = document.body.appendChild(document.createElement("iframe"));
    i.contentWindow.open();
}
</script>
</head>
<body>
This test passes if WebKit doesn't crash
</body>
</html>
```

Results:
WebKit should not hit any ASSERT, but here is the stack trace when this ASSERT is tripped:

```
ASSERTION FAILED: !m_messageReceivers.contains(std::make_pair(messageReceiverName, destinationID))
/Users/atarbinian/Dev/safari-fuzz/OpenSource/Source/WebKit/Platform/IPC/MessageReceiverMap.cpp(53) : void IPC::MessageReceiverMap::addMessageReceiver(ReceiverName, uint64_t, MessageReceiver &)
1 0x12da32618 IPC::MessageReceiverMap::addMessageReceiver(IPC::ReceiverName, unsigned long long, IPC::MessageReceiver&)
2 0x12b0c302c WebKit::AuxiliaryProcessProxy::addMessageReceiver(IPC::ReceiverName, unsigned long long, IPC::MessageReceiver&)
3 0x1299a7a0c void WebKit::AuxiliaryProcessProxy::addMessageReceiver<unsigned long long>(IPC::ReceiverName, WTF::ObjectIdentifierGenericBase<unsigned long long> const&, IPC::MessageReceiver&)
4 0x12b1c0660 WebKit::RemotePageDrawingAreaProxy::RemotePageDrawingAreaProxy(WebKit::DrawingAreaProxy&, WebKit::WebProcessProxy&)
5 0x12b1c02d8 WebKit::RemotePageDrawingAreaProxy::RemotePageDrawingAreaProxy(WebKit::DrawingAreaProxy&, WebKit::WebProcessProxy&)
6 0x12b1c00fc WebKit::RemotePageDrawingAreaProxy::create(WebKit::DrawingAreaProxy&, WebKit::WebProcessProxy&)
7 0x12b1c28d8 WebKit::RemotePageProxy::injectPageIntoNewProcess()
8 0x12b0ce53c WebKit::BrowsingContextGroup::addFrameProcessAndInjectPageContextIf(WebKit::FrameProcess&, WTF::Function<bool (WebKit::WebPageProxy&)>)::$_0::operator()(WebKit::WebPageProxy&, WebCore::Site const&) const
9 0x12b0cd8f0 WebKit::BrowsingContextGroup::addFrameProcessAndInjectPageContextIf(WebKit::FrameProcess&, WTF::Function<bool (WebKit::WebPageProxy&)>)
10 0x12b0ccdac WebKit::BrowsingContextGroup::addFrameProcess(WebKit::FrameProcess&)
11 0x12b1554b8 WebKit::FrameProcess::FrameProcess(WebKit::WebProcessProxy&, WebKit::BrowsingContextGroup&, std::__1::optional<WebCore::Site> const&, WebCore::Site const&, WebKit::WebPreferences const&, WebKit::InjectBrowsingContextIntoProcess)
12 0x12b1556c0 WebKit::FrameProcess::FrameProcess(WebKit::WebProcessProxy&, WebKit::BrowsingContextGroup&, std::__1::optional<WebCore::Site> const&, WebCore::Site const&, WebKit::WebPreferences const&, WebKit::InjectBrowsingContextIntoProcess)
13 0x12b0cca10 WebKit::FrameProcess::create(WebKit::WebProcessProxy&, WebKit::BrowsingContextGroup&, std::__1::optional<WebCore::Site> const&, WebCore::Site const&, WebKit::WebPreferences const&, WebKit::InjectBrowsingContextIntoProcess)
14 0x12b0cc134 WebKit::BrowsingContextGroup::ensureProcessForSite(WebCore::Site const&, WebCore::Site const&, WebKit::WebProcessProxy&, WebKit::WebPreferences const&, WebKit::InjectBrowsingContextIntoProcess)
15 0x12b344d94 WebKit::WebPageProxy::initializeWebPage(WebCore::Site const&, WTF::OptionSet<WebCore::SandboxFlag, (WTF::ConcurrencyTag)0>, WebCore::ReferrerPolicy)
16 0x12a9bda2c WebKit::WebViewImpl::WebViewImpl(WKWebView*, WebKit::WebProcessPool&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>&&)
17 0x12a9c1034 WebKit::WebViewImpl::WebViewImpl(WKWebView*, WebKit::WebProcessPool&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>&&)
18 0x128fd6180 std::__1::unique_ptr<WebKit::WebViewImpl, std::__1::default_delete<WebKit::WebViewImpl>> std::__1::make_unique[abi:sn200100]<WebKit::WebViewImpl, WKWebView*&, WebKit::WebProcessPool&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>, 0>(WKWebView*&, WebKit::WebProcessPool&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>&&)
19 0x128f6e2d0 decltype(auto) WTF::makeUnique<WebKit::WebViewImpl, WKWebView*&, WebKit::WebProcessPool&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>>(WKWebView*&, WebKit::WebProcessPool&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>&&)
20 0x128f6cd9c -[WKWebView _initializeWithConfiguration:]
21 0x128f72c7c -[WKWebView initWithFrame:configuration:]
22 0x1044edca0 -[WK2BrowserWindowController awakeFromNib]
23 0x18d261bc8 -[NSIBObjectData nibInstantiateWithOwner:options:topLevelObjects:]
24 0x18cac1f88 loadNib
25 0x18d468a70 +[NSBundle(NSNibLoading) _loadNibFile:nameTable:options:withZone:ownerBundle:]
26 0x18cb801f4 -[NSWindowController loadWindow]
27 0x18cb7ffac -[NSWindowController window]
28 0x1044f6cf0 -[WK2BrowserWindowController webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:]
29 0x129abfb9c WebKit::UIDelegate::UIClient::createNewPage(WebKit::WebPageProxy&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration>, WTF::DefaultRefDerefTraits<API::PageConfiguration>>&&, WTF::Ref<API::NavigationAction, WTF::RawPtrTraits<API::NavigationAction>, WTF::DefaultRefDerefTraits<API::NavigationAction>>&&, WTF::CompletionHandler<void (WTF::RefPtr<WebKit::WebPageProxy, WTF::RawPtrTraits<WebKit::WebPageProxy>, WTF::DefaultRefDerefTraits<WebKit::WebPageProxy>>&&)>&&)
30 0x12b5aee54 WebKit::WebPageProxy::createNewPage(IPC::Connection&, WebCore::WindowFeatures&&, WebKit::NavigationActionData&&, WTF::CompletionHandler<void (std::__1::optional<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, std::__1::optional<WebKit::WebPageCreationParameters>)>&&)::$_1::operator()(WTF::Ref<API::NavigationAction, WTF::RawPtrTraits<API::NavigationAction>, WTF::DefaultRefDerefTraits<API::NavigationAction>>&&, WTF::CompletionHandler<void (WTF::RefPtr<WebKit::WebPageProxy, WTF::RawPtrTraits<WebKit::WebPageProxy>, WTF::DefaultRefDerefTraits<WebKit::WebPageProxy>>&&)>&&)
31 0x12b5aeaf8 WTF::Detail::CallableWrapper<WebKit::WebPageProxy::createNewPage(IPC::Connection&, WebCore::WindowFeatures&&, WebKit::NavigationActionData&&, WTF::CompletionHandler<void (std::__1::optional<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, std::__1::optional<WebKit::WebPageCreationParameters>)>&&)::$_1, void, WTF::Ref<API::NavigationAction, WTF::RawPtrTraits<API::NavigationAction>, WTF::DefaultRefDerefTraits<API::NavigationAction>>&&, WTF::CompletionHandler<void (WTF::RefPtr<WebKit::WebPageProxy, WTF::RawPtrTraits<WebKit::WebPageProxy>, WTF::DefaultRefDerefTraits<WebKit::WebPageProxy>>&&)>&&>::call(WTF::Ref<API::NavigationAction, WTF::RawPtrTraits<API::NavigationAction>, WTF::DefaultRefDerefTraits<API::NavigationAction>>&&, WTF::CompletionHandler<void (WTF::RefPtr<WebKit::WebPageProxy, WTF::RawPtrTraits<WebKit::WebPageProxy>, WTF::DefaultRefDerefTraits<WebKit::WebPageProxy>>&&)>&&)
💣 Program crashed: Signal 5: Backtracing from 0xa95200016b9dce60... failed
```
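A broader regression test for the same crash path, added here as an example; it is not the test quoted in the report and not a test from the WebKit tree. It reaches the about:blank frame's window by several routes (direct contentWindow, window.frames, a nested about:blank frame, and a frame rewritten with document.write) and records for each whether open() returned a window whose opener is the frame, so a single run covers more than the one-line repro. It assumes the WebKitTestRunner helpers testRunner.setCanOpenWindows() and testRunner.setCloseRemainingWindowsWhenComplete(), which the report's test does not call, and the output element id `output` is my own choice.

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Added example for bug 303956, not the report's test or WebKit's own.
// Assumes the WebKitTestRunner helpers setCanOpenWindows() and
// setCloseRemainingWindowsWhenComplete(); without them open() returns null
// under the test runner and the popup path is never exercised.
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
    testRunner.setCanOpenWindows();
    testRunner.setCloseRemainingWindowsWhenComplete(true);
}

const results = [];
function log(line) { results.push(line); }

// Each case obtains the about:blank frame's window by a different route and
// calls open() on it. The test passes if none of them crash the browser; the
// origin and opener checks only document the relationship expected under
// site isolation (about:blank inherits the creator's origin, so the popup
// should land in the creator's process).
const cases = [
    ["iframe.contentWindow.open()",
     (frame) => frame.contentWindow.open()],
    ["window.frames[last].open()",
     () => window.frames[window.frames.length - 1].open()],
    ["about:blank iframe nested inside an about:blank iframe",
     (frame) => {
         const doc = frame.contentDocument;
         const inner = doc.body.appendChild(doc.createElement("iframe"));
         return inner.contentWindow.open();
     }],
    ["open() after document.write() into the about:blank frame",
     (frame) => {
         const doc = frame.contentDocument;
         doc.open();
         doc.write("<p>rewritten</p>");
         doc.close();
         return frame.contentWindow.open();
     }],
];

window.onload = function () {
    for (const [name, run] of cases) {
        const frame = document.body.appendChild(document.createElement("iframe"));
        try {
            const popup = run(frame);
            const origin = frame.contentWindow.origin === window.origin
                ? "same origin as creator" : "different origin";
            let opener = "open() returned null";
            if (popup)
                opener = popup.opener === frame.contentWindow ? "opener is the frame" : "opener differs";
            log(`PASS ${name}: no crash (${origin}; ${opener})`);
        } catch (e) {
            log(`FAIL ${name}: ${e}`);
        }
    }
    document.getElementById("output").textContent = results.join("\n");
    if (window.testRunner)
        testRunner.notifyDone();
};
</script>
</head>
<body>
This test passes if WebKit doesn't crash when open() is called from an about:blank iframe by any of the routes below.
<pre id="output"></pre>
</body>
</html>
```

Run it the same way as the original repro, with `--additional-header=SiteIsolationEnabled=true` on a debug build, so the ASSERT fires rather than being compiled out; the PASS/FAIL lines are only informative, since a crash ends the run before any of them are written.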
Anthony Tarbinian, Comment 1, 2025-12-11 10:45:09 PST
Pull request: https://github.com/WebKit/WebKit/pull/55255
EWS, Comment 2, 2025-12-16 13:42:12 PST
Committed 304540@main (7fcf73d2aff0): <https://commits.webkit.org/304540@main>
Reviewed commits have been landed. Closing PR #55255 and removing active labels.