Cherry-pick 3d72c32. rdar://problem/109364674

Follow-up to 259548.752@safari-7615-branch to cancel navigations instead of blocking them https://bugs.webkit.org/show_bug.cgi?id=257161 rdar://108794051 Reviewed by Alex Christensen. 259548.752@safari-7615-branch added further restrictions to prevent top-frame navigations by third-party iframes, in particular using redirects. I had decided to block the redirect with a blockedError(). However, it turns out that Safari shows an error page when doing so, which results in a bad user experience since the top frame is still being navigated (to an error page). To address the issue, I am now cancelling the redirect instead and returning a cancelledError(). I have verified that Safari doesn't show an error page in this case and that the top frame is not getting navigated. * Source/WebCore/loader/DocumentLoader.cpp: (WebCore::DocumentLoader::willSendRequest): Canonical link: https://commits.webkit.org/259548.773@safari-7615-branch Identifier: 245886.887@safari-7613.4.1.0-branch
WebKit · Jun 23, 2023 · 0ecc039 · 0ecc039
1 parent 94269f3
commit 0ecc039
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/Source/WebCore/loader/DocumentLoader.cpp b/Source/WebCore/loader/DocumentLoader.cpp
@@ -640,6 +640,24 @@ void DocumentLoader::willSendRequest(ResourceRequest&& newRequest, const Resourc
         return completionHandler(WTFMove(newRequest));
     }
 
+    if (auto requester = m_triggeringAction.requester(); requester && requester->documentIdentifier) {
+        if (RefPtr requestingDocument = Document::allDocumentsMap().get(requester->documentIdentifier); requestingDocument && requestingDocument->frame()) {
+            if (m_frame && requestingDocument->isNavigationBlockedByThirdPartyIFrameRedirectBlocking(*m_frame, newRequest.url())) {
+                DOCUMENTLOADER_RELEASE_LOG("willSendRequest: canceling - cross-site redirect of top frame triggered by third-party iframe");
+                if (m_frame->document()) {
+                    auto message = makeString("Unsafe JavaScript attempt to initiate navigation for frame with URL '"
+                        , m_frame->document()->url().string()
+                        , "' from frame with URL '"
+                        , requestingDocument->url().string()
+                        , "'. The frame attempting navigation of the top-level window is cross-origin or untrusted and the user has never interacted with the frame.");
+                    m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
+                }
+                cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
+                return completionHandler(WTFMove(newRequest));
+            }
+        }
+    }
+
     ASSERT(timing().startTime());
     if (didReceiveRedirectResponse) {
         // If the redirecting url is not allowed to display content from the target origin,