[webkit-changes] [WebKit/WebKit] 040fd2: All RemoteDOMWindow functions are inaccessible in ...

Tue Sep 19 23:38:00 PDT 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 040fd20a08c9f51305ed7f0caa0a2eea6a20d713
      https://github.com/WebKit/WebKit/commit/040fd20a08c9f51305ed7f0caa0a2eea6a20d713
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-09-19 (Tue, 19 Sep 2023)

  Changed paths:
    A LayoutTests/http/tests/site-isolation/post-message-expected.txt
    A LayoutTests/http/tests/site-isolation/post-message.html
    A LayoutTests/http/tests/site-isolation/resources/post-message-to-parent.html
    M Source/WebCore/bindings/js/JSRemoteDOMWindowCustom.cpp

  Log Message:
  -----------
  All RemoteDOMWindow functions are inaccessible in WebKitTestRunner
https://bugs.webkit.org/show_bug.cgi?id=261783
rdar://115753929

Reviewed by Alex Christensen.

When site isolation is enabled in layout tests, attempting to access any RemoteDOMWindow function will
throw a security error. This is because WebKitTestRunner will expose `$vm` to each web content process,
and the proper security checks are not in place in `JSRemoteDOMWindow::getOwnPropertySlot()` to allow
these symbol properties. When site isolation is disabled, we avoid throwing this security error by
checking if the active and target document are of the same origin. We don’t have a good way to do that
right now with site isolation, so let’s always allow `$vm` for now.

Added a test for postMessage to verify that RemoteDOMWindow functions now work.

* LayoutTests/http/tests/site-isolation/post-message-expected.txt: Added.
* LayoutTests/http/tests/site-isolation/post-message.html: Added.
* LayoutTests/http/tests/site-isolation/resources/post-message-to-parent.html: Added.
* Source/WebCore/bindings/js/JSRemoteDOMWindowCustom.cpp:
(WebCore::JSRemoteDOMWindow::getOwnPropertySlot):

Canonical link: https://commits.webkit.org/268182@main