WebKit Bugzilla
RESOLVED FIXED
316182
[Site Isolation] CSP upgrade-insecure-requests misses cross-origin iframe-to-top navigations
https://bugs.webkit.org/show_bug.cgi?id=316182
roberto_rodriguez2
Reported
2026-06-02 23:19:33 PDT
When a cross-origin sandboxed iframe with upgrade-insecure-requests does window.top.location = "http://...", the URL should get upgraded to https but doesn't. The upgrade logic looks at the target frame's CSP origin set, which only knows about the target frame's own origin. Since the URL points to the iframe's origin (not the top frame's), nothing matches.
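The mismatch described in the report above can be reproduced with a small model. This is an added example, not WebKit code and not the landed fix: `FramePolicy`, both `navigate...` functions and the hosts `top.example` and `widget.example` are hypothetical, matching is simplified to hostnames, and consulting the initiating frame's policy is only an assumption about one way to reach the expected result.

```javascript
// Simplified model of a per-frame upgrade-insecure-requests origin set.
// All names here are hypothetical; hosts and URLs are constructed samples.
class FramePolicy {
  constructor(originUrl, upgradeInsecureRequests) {
    this.host = new URL(originUrl).hostname;
    // With the directive present, the frame's own host is the only entry.
    this.upgradeHosts = new Set(upgradeInsecureRequests ? [this.host] : []);
  }

  // Upgrade an http: navigation URL only if its host is in this frame's set.
  upgrade(rawUrl) {
    const url = new URL(rawUrl);
    if (url.protocol === "http:" && this.upgradeHosts.has(url.hostname)) {
      url.protocol = "https:";
    }
    return url.href;
  }
}

// Behaviour described in the report: only the target frame's set is consulted.
function navigateUsingTargetPolicy(initiator, target, rawUrl) {
  return target.upgrade(rawUrl);
}

// Assumed expected behaviour: the frame that starts the navigation applies
// its own policy first, then the target's policy is applied as before.
function navigateUsingInitiatorPolicy(initiator, target, rawUrl) {
  return target.upgrade(initiator.upgrade(rawUrl));
}

// Assumption: both frames carry upgrade-insecure-requests.
const topFrame = new FramePolicy("https://top.example", true);
const sandboxedFrame = new FramePolicy("https://widget.example", true);

// The iframe sets window.top.location to an http: URL on its own origin.
const crossOriginUrl = "http://widget.example/landing";
// Control case: the same navigation aimed at the top frame's own origin.
const targetOriginUrl = "http://top.example/home";

function runCases() {
  return {
    reported: navigateUsingTargetPolicy(sandboxedFrame, topFrame, crossOriginUrl),
    expected: navigateUsingInitiatorPolicy(sandboxedFrame, topFrame, crossOriginUrl),
    control: navigateUsingTargetPolicy(sandboxedFrame, topFrame, targetOriginUrl),
  };
}
```

In the model, only the URL on the iframe's own origin stays on `http:` when the target's set is the sole input; the control case shows the target-origin URL is still upgraded.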
Radar WebKit Bug Importer
Comment 1
2026-06-02 23:19:38 PDT
<rdar://problem/178591146>
roberto_rodriguez2
Comment 2
2026-06-02 23:23:20 PDT
Pull request: https://github.com/WebKit/WebKit/pull/66347
EWS
Comment 3
2026-06-03 20:26:39 PDT
Committed 314523@main (c1ab79ebcc0f): <https://commits.webkit.org/314523@main>

Reviewed commits have been landed. Closing PR #66347 and removing active labels.