RESOLVED FIXED305615
[Site Isolation] Setting src attribute of frames/iframes to javascript: url doesn't throw SecurityError 
https://bugs.webkit.org/show_bug.cgi?id=305615
Summary [Site Isolation] Setting src attribute of frames/iframes to javascript: url d...
Anthony Tarbinian
Reported 2026-01-15 17:18:17 PST
When setting the .src attribute of cross-origin frames/iframes to javascript: urls, WebKit should block the setter from modifying a cross-origin frame but currently doesn't with site isolation enabled. The following 12 tests fail since they don't throw SecurityErrors to block setting of src attribute on cross-origin iframes. LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-getAttribute-value.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-htmldom.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttribute.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttributeNS.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttributeNode.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-src-setAttributeNodeNS.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-getAttribute-value.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-htmldom.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttribute.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttributeNS.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttributeNode.html LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-iframe-src-setAttributeNodeNS.html
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2026-01-15 17:18:23 PST
<rdar://problem/168267776>
Anthony Tarbinian
Comment 2 2026-01-15 17:27:10 PST
Pull request: https://github.com/WebKit/WebKit/pull/56682
Anthony Tarbinian
Comment 3 2026-01-30 07:52:19 PST
*** Bug 305614 has been marked as a duplicate of this bug. ***
EWS
Comment 4 2026-02-27 11:01:51 PST
Committed 308353@main (65450223b6e9): <https://commits.webkit.org/308353@main> Reviewed commits have been landed. Closing PR #56682 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.