WebKit Bugzilla
RESOLVED FIXED
312937
[Site Isolation] http/tests/security/XFrameOptions/x-frame-options-ancestors-same-origin-deny.html is failing
https://bugs.webkit.org/show_bug.cgi?id=312937
Anthony Tarbinian
Reported
2026-04-21 16:24:51 PDT
When a cross-origin subframe is blocked by X-Frame-Options with site isolation, two things broke compared to the non-site-isolation behavior:
1. The "Refused to display" console message was silently dropped.
2. The SecurityError changed from a sandbox-specific message to a generic cross-origin error.
Radar WebKit Bug Importer
Comment 1
2026-04-21 16:24:57 PDT
<rdar://problem/175291706>
Anthony Tarbinian
Comment 2
2026-04-21 16:35:17 PDT
Pull request: https://github.com/WebKit/WebKit/pull/63279
Anthony Tarbinian
Comment 3
2026-05-11 15:03:52 PDT
Thinking about this more, I don't like adding a new field to FrameTreeSyncData just for an error message of an exception. I realized I'm not synchronizing this when the sandbox state changes so it feels a bit error-prone. Going to think of another approach.
EWS
Comment 4
2026-05-19 11:29:10 PDT
Committed 313507@main (cbe41ae4841f): <https://commits.webkit.org/313507@main>
Reviewed commits have been landed. Closing PR #63279 and removing active labels.