RESOLVED FIXED313458
[Site Isolation] http/wpt/html/cross-origin-embedder-policy/require-corp.https.html is failing because the iframe has the wrong cross-origin-embedder-policy 
https://bugs.webkit.org/show_bug.cgi?id=313458
Summary [Site Isolation] http/wpt/html/cross-origin-embedder-policy/require-corp.http...
Anthony Tarbinian
Reported 2026-04-27 11:14:41 PDT
http/wpt/html/cross-origin-embedder-policy/require-corp.https.html is failing with site isolation enabled because when an iframe is navigated to a cross-origin domain and the server responds with a "Cross-Origin-Resource-Policy" of "same-site". This header means that the browser should block the navigation since the iframe's destination URL is cross origin. With site isolation enabled, this navigation should be blocked but isn't. This is because in WebLoaderStrategy::addParametersShared(), WebKit has iframes inherit their "Cross-Origin-Embedder-Polcicy" (COEP) from the parent via frame->ownerElement. COEP is needed since the "require-corp" option is what requires the use of the "same-site" "Cross-Origin-Resource-Policy" header. With site isolation and a cross origin iframe, the parent is in a different process and can't be accessed via frame->ownerElement. In this case, the COEP policy defaults to "unsafe-none" and allows the navigation when it should have been blocked.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2026-04-27 11:14:47 PDT
<rdar://problem/175692864>
Anthony Tarbinian
Comment 2 2026-04-27 11:27:45 PDT
Pull request: https://github.com/WebKit/WebKit/pull/63724
EWS
Comment 3 2026-05-05 21:24:37 PDT
Committed 312665@main (9ae2256157fb): <https://commits.webkit.org/312665@main> Reviewed commits have been landed. Closing PR #63724 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.