Add support to return an adjusted URL when accessed from JavaScript b…

…indings

https://bugs.webkit.org/show_bug.cgi?id=248490
rdar://100472810

Reviewed by Wenson Hsieh.

This patch adds support to return an adjusted URL for JavaScript bindings
after a cross site top level navigation.

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::setURL):
(WebCore::Document::urlForBindings const):
(WebCore::Document::adjustedURL const):
* Source/WebCore/dom/Document.h:
(WebCore::Document::urlForBindings const): Deleted.
* Source/WebCore/page/Location.cpp:
(WebCore::Location::url const):

Canonical link: https://commits.webkit.org/257490@main

Source/WebCore/dom/Document.cpp

@@ -3530,9 +3530,42 @@ void Document::setURL(const URL& url)
     m_url = WTFMove(newURL);
 
     m_documentURI = m_url.url().string();
+    m_adjustedURL = adjustedURL();
     updateBaseURL();
 }
 
+const URL& Document::urlForBindings() const
+{
+    auto shouldAdjustURL = [this] {
+        if (m_url.url().isEmpty() || !loader() || !isTopDocument())
+            return false;
+
+        auto* topDocumentLoader = topDocument().loader();
+        if (!topDocumentLoader || !topDocumentLoader->networkConnectionIntegrityPolicy().contains(WebCore::NetworkConnectionIntegrity::Enabled))
+            return false;
+
+        auto preNavigationURL = loader()->originalRequest().httpReferrer();
+        if (preNavigationURL.isEmpty() || RegistrableDomain { URL { preNavigationURL } }.matches(securityOrigin().data()))
+            return false;
+
+        return true;
+    }();
+
+    if (shouldAdjustURL)
+        return m_adjustedURL;
+
+    return m_url.url().isEmpty() ? aboutBlankURL() : m_url.url();
+}
+
+#if USE(APPLE_INTERNAL_SDK) && __has_include(<WebKitAdditions/DocumentAdditions.cpp>)
+#include <WebKitAdditions/DocumentAdditions.cpp>
+#else
+URL Document::adjustedURL() const
+{
+    return m_url.url();
+}
+#endif
+
 // https://html.spec.whatwg.org/#fallback-base-url
 URL Document::fallbackBaseURL() const
 {

Source/WebCore/dom/Document.h

@@ -722,7 +722,9 @@ class Document
 
     const URL& url() const final { return m_url; }
     void setURL(const URL&);
-    const URL& urlForBindings() const { return m_url.url().isEmpty() ? aboutBlankURL() : m_url.url(); }
+    WEBCORE_EXPORT const URL& urlForBindings() const;
+
+    URL adjustedURL() const;
 
     const URL& creationURL() const { return m_creationURL; }
 
@@ -1879,6 +1881,7 @@ class Document
     URL m_cookieURL; // The URL to use for cookie access.
     URL m_firstPartyForCookies; // The policy URL for third-party cookie blocking.
     URL m_siteForCookies; // The policy URL for Same-Site cookies.
+    URL m_adjustedURL; // The URL to return for bindings after a cross-site navigation when the "network connection integrity" setting is enabled.
 
     // Document.documentURI:
     // Although URL-like, Document.documentURI can actually be set to any

Source/WebCore/page/Location.cpp

@@ -53,7 +53,7 @@ inline const URL& Location::url() const
     if (!frame())
         return aboutBlankURL();
 
-    const URL& url = frame()->document()->url();
+    const URL& url = frame()->document()->urlForBindings();
     if (!url.isValid())
         return aboutBlankURL(); // Use "about:blank" while the page is still loading (before we have a frame).