Skip to content

[Page Loading] Network process crashes when downloading a cross-origin target=_blank link#69422

Open
basuke wants to merge 1 commit into
WebKit:mainfrom
basuke:eng/basuke/319427
Open

[Page Loading] Network process crashes when downloading a cross-origin target=_blank link#69422
basuke wants to merge 1 commit into
WebKit:mainfrom
basuke:eng/basuke/319427

Conversation

@basuke

@basuke basuke commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

c57019a

[Page Loading] Network process crashes when downloading a cross-origin target=_blank link
https://bugs.webkit.org/show_bug.cgi?id=319427
rdar://182181803

Reviewed by NOBODY (OOPS!).

Option-clicking a cross-origin link with target="_blank" (for example the "Full logs"
link on an ews-build.webkit.org results page, which points to an S3 URL) reliably
terminates the Network process.

PolicyChecker::checkNewWindowPolicy() handles new-window (target="_blank") navigations. Its
PolicyAction::Download case called FrameLoaderClient::startDownload() without first calling
FrameLoader::setOriginalURLForDownloadRequest(), unlike the same-frame path in
checkNavigationPolicy(). As a result the download request kept the firstPartyForCookies that
FrameLoader sets for a willOpenInNewWindow main-resource load, which is the destination URL
itself (the cross-origin URL). The StartDownload IPC is then sent from the source page's web
process, whose allowed-first-parties set only contains the source site, so the CSRF
first-party-for-cookies MESSAGE_CHECK in NetworkConnectionToWebProcess::startDownload()
rejected the message and terminated the process.

Call setOriginalURLForDownloadRequest() in checkNewWindowPolicy()'s download case, matching
checkNavigationPolicy(). Because m_frame is the source frame, firstPartyForCookies becomes the
originating page, which is in the process's allowed set.

* Source/WebCore/loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNewWindowPolicy):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/Download.mm:
(TestWebKitAPI::TEST): Added CrossSiteTargetBlankDownloadDoesNotCrashNetworkProcess.
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/SiteIsolation.mm:
(TestWebKitAPI::TEST): Added CrossSiteTargetBlankDownloadDoesNotCrashNetworkProcess.

c57019a

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows Apple Internal
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win ⏳ 🛠 ios-apple
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests ⏳ 🛠 mac-apple
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe ✅ 🛠 vision-apple
✅ 🧪 ios-wk2-wpt ⏳ 🧪 api-mac-debug ✅ 🛠 gtk3-libwebrtc
loading 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
⏳ 🛠 ios-safer-cpp ⏳ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision ✅ 🧪 api-gtk
✅ 🛠 vision-sim ⏳ 🧪 mac-intel-wk2 ⏳ 🛠 playstation
✅ 🧪 vision-wk2 loading 🛠 mac-safer-cpp
✅ 🛠 tv ✅ 🧪 mac-site-isolation
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

…n target=_blank link

https://bugs.webkit.org/show_bug.cgi?id=319427
rdar://182181803

Reviewed by NOBODY (OOPS!).

Option-clicking a cross-origin link with target="_blank" (for example the "Full logs"
link on an ews-build.webkit.org results page, which points to an S3 URL) reliably
terminates the Network process.

PolicyChecker::checkNewWindowPolicy() handles new-window (target="_blank") navigations. Its
PolicyAction::Download case called FrameLoaderClient::startDownload() without first calling
FrameLoader::setOriginalURLForDownloadRequest(), unlike the same-frame path in
checkNavigationPolicy(). As a result the download request kept the firstPartyForCookies that
FrameLoader sets for a willOpenInNewWindow main-resource load, which is the destination URL
itself (the cross-origin URL). The StartDownload IPC is then sent from the source page's web
process, whose allowed-first-parties set only contains the source site, so the CSRF
first-party-for-cookies MESSAGE_CHECK in NetworkConnectionToWebProcess::startDownload()
rejected the message and terminated the process.

Call setOriginalURLForDownloadRequest() in checkNewWindowPolicy()'s download case, matching
checkNavigationPolicy(). Because m_frame is the source frame, firstPartyForCookies becomes the
originating page, which is in the process's allowed set.

* Source/WebCore/loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNewWindowPolicy):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/Download.mm:
(TestWebKitAPI::TEST): Added CrossSiteTargetBlankDownloadDoesNotCrashNetworkProcess.
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/SiteIsolation.mm:
(TestWebKitAPI::TEST): Added CrossSiteTargetBlankDownloadDoesNotCrashNetworkProcess.
@basuke basuke requested a review from cdumez as a code owner July 14, 2026 23:47
@basuke basuke self-assigned this Jul 14, 2026
@basuke basuke added the Page Loading For bugs in page loading, including handling of network callbacks. label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Page Loading For bugs in page loading, including handling of network callbacks.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants