<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Provide public API for _committedURL"
href="https://bugs.webkit.org/show_bug.cgi?id=151658">151658</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Provide public API for _committedURL
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>iOS
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>WebKit2
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>stuartmorgan@chromium.org
</td>
</tr></table>
<p>
<div>
<pre>Knowing the committed URL of the page is critical for a variety of security purposes (knowing what to show for a render-initiated navigation, knowing the origin for integrating with native features such as password autofill, etc.)
The "URL" property of WKWebView is unsuitable for those purposes, since it includes pending URLs as soon as a provisional navigation starts. Trying to track the committed URL via navigation delegates and KVO callbacks is quite complicated, and potentially error-prone, meaning the lack of this API increases the chances of security issues in software based on WKWebView.
There is a private property called _committedURL, which is presumably exactly this information. It should be a public API so that clients can more easily write secure software.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>