RESOLVED FIXED 314116
[Site Isolation] Popup's inherited origin lost during didCommitLoad
https://bugs.webkit.org/show_bug.cgi?id=314116
roberto_rodriguez2
Reported 2026-05-05 13:16:13 PDT
A popup opened via window.open() inherits its opener's origin during frame construction. When the about:blank document commits, didCommitLoad calls updateDocumentSecurityOrigin(nullptr) which overwrites the inherited origin with an opaque one because the creator reference is not retained. The opaque origin propagates to cross-origin processes via FrameTreeSyncData and Page::mainFrameOrigin(), causing the sandbox exemption in isNavigationBlockedByThirdPartyIFrameRedirectBlocking to fail because it can't verify the parent is same-origin with the top frame, so navigations from sandboxed allow-top-navigation iframes are incorrectly blocked.
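A simplified model of the failure described in the report above, added here as an illustration; it is not WebKit code and not from the reporter. Every type and function name (`Origin`, `PopupMainFrame`, `commitAboutBlank`, `topNavigationBlocked`) is hypothetical, and the exemption rule is an assumption based on the report's wording.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Simplified model for illustration; not WebKit code. All names are hypothetical.
struct Origin {
    std::string tuple;  // "scheme://host"; empty means opaque
    uint64_t opaqueId;  // tells opaque origins apart
    bool isOpaque() const { return tuple.empty(); }
    // An opaque origin is same-origin only with itself.
    bool isSameOriginAs(const Origin& o) const {
        if (isOpaque() || o.isOpaque())
            return isOpaque() && o.isOpaque() && opaqueId == o.opaqueId;
        return tuple == o.tuple;
    }
};

Origin tupleOrigin(const std::string& t) { return Origin{t, 0}; }
Origin freshOpaqueOrigin() { static uint64_t next = 1; return Origin{"", next++}; }

struct PopupMainFrame {
    Origin origin;         // value other processes would see as the top-frame origin
    bool creatorRetained;  // false models the lost creator reference
    Origin creatorOrigin;  // only meaningful when creatorRetained is true
};

// Frame construction: the about:blank popup inherits its opener's origin.
PopupMainFrame openPopup(const Origin& opener, bool retainCreator) {
    return PopupMainFrame{opener, retainCreator, retainCreator ? opener : Origin{"", 0}};
}

// Commit of about:blank: the origin is recomputed, from the creator if still known.
void commitAboutBlank(PopupMainFrame& f) {
    f.origin = f.creatorRetained ? f.creatorOrigin : freshOpaqueOrigin();
}

// Assumed exemption: a sandboxed allow-top-navigation iframe may navigate the top
// frame only if its parent is verifiably same-origin with the top frame.
bool topNavigationBlocked(const Origin& iframeParent, const Origin& topOrigin) {
    return !iframeParent.isSameOriginAs(topOrigin);
}

int main() {
    Origin opener = tupleOrigin("https://opener.example");  // constructed sample origin
    PopupMainFrame lost = openPopup(opener, false), kept = openPopup(opener, true);
    commitAboutBlank(lost);
    commitAboutBlank(kept);
    std::printf("creator lost: blocked=%d\n", topNavigationBlocked(opener, lost.origin));
    std::printf("creator kept: blocked=%d\n", topNavigationBlocked(opener, kept.origin));
}
```

Because an opaque origin never compares same-origin with a tuple origin, any check that depends on the synced top-frame origin fails closed once the inherited value is overwritten at commit.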
Radar WebKit Bug Importer
Comment 1 2026-05-05 13:16:19 PDT
roberto_rodriguez2
Comment 2 2026-05-05 13:21:27 PDT
EWS
Comment 3 2026-05-08 21:52:52 PDT
Committed 312937@main (14926e2a2447): <https://commits.webkit.org/312937@main> Reviewed commits have been landed. Closing PR #64292 and removing active labels.