
commit 874c5779b2429acf0844c956bb72c529a2047b01
parent 0edd3d1a9ed2d159b4eeed7c5f7b25951cdd1249
Author: Sandor Molnar <smolnar@mozilla.com>
Date:   Sat, 10 Jan 2026 00:47:14 +0200

Revert "Bug 2009144 - Allow Navigation API to navigate sandboxed frames sometimes r=smaug,farre" for causing mochitest failures @ test_navigate_after_pagehide.html

This reverts commit 88bfdb3cdb7de6ed796b7d0c1d5cea130bcde0fc.

Diffstat:
Mdocshell/base/BrowsingContext.cpp | 27++++++---------------------
Atesting/web-platform/meta/navigation-api/navigation-methods/sandboxing-navigate-parent.html.ini | 8++++++++
Atesting/web-platform/meta/navigation-api/navigation-methods/sandboxing-navigate-sibling.html.ini | 4++++
3 files changed, 18 insertions(+), 21 deletions(-)

diff --git a/docshell/base/BrowsingContext.cpp b/docshell/base/BrowsingContext.cpp
@@ -1430,7 +1430,6 @@ BrowsingContext* BrowsingContext::FindWithNameInSubtree(
 return nullptr;
 }
-// https://html.spec.whatwg.org/#allowed-to-navigate
 bool BrowsingContext::IsSandboxedFrom(BrowsingContext* aTarget) {
 // If no target then not sandboxed.
 if (!aTarget) {
@@ -2468,28 +2467,14 @@ void BrowsingContext::Navigate(
 loadState->SetLoadType(LOAD_STOP_CONTENT);
 }
- const auto snapShot = [&](auto& source) {
- loadState->SetSourceBrowsingContext(source->GetBrowsingContext());
- WindowContext* context = source->GetWindowContext();
+ // Get the incumbent script's browsing context to set as source.
+ nsCOMPtr<nsPIDOMWindowInner> sourceWindow =
+ nsContentUtils::IncumbentInnerWindow();
+ if (sourceWindow) {
+ WindowContext* context = sourceWindow->GetWindowContext();
+ loadState->SetSourceBrowsingContext(sourceWindow->GetBrowsingContext());
 loadState->SetHasValidUserGestureActivation(
 context && context->HasValidTransientUserGestureActivation());
- };
-
- // aSourceDocument is used for snapshot params and "allowed by sandboxing to
- // navigate" in https://html.spec.whatwg.org/#navigate first step 2 then 6.2.
- // When snap shotting we read the UA value
- // https://html.spec.whatwg.org/#snapshotting-source-snapshot-params
- if (aSourceDocument) {
- snapShot(aSourceDocument);
- } else if (nsCOMPtr<nsPIDOMWindowInner> incumbentWindow =
- nsContentUtils::IncumbentInnerWindow()) {
- // Get the incumbent script's browsing context to set as source, if no
- // source document was provided, as a fallback.
- // TODO: Possibly remove when BrowsingContext::Navigate can get called when
- // `userInvolvement == "browser UI"` (aSourceDocument will be null then),
- // because then, snap shot params get default values like has UA = true,
- // sandbox flags = 0
- snapShot(incumbentWindow);
 }
 loadState->SetLoadFlags(nsIWebNavigation::LOAD_FLAGS_NONE);
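Review bot: In the second hunk, the restored `if (sourceWindow)` block in `BrowsingContext::Navigate` leaves the null case undocumented. When `nsContentUtils::IncumbentInnerWindow()` returns null, neither `SetSourceBrowsingContext` nor `SetHasValidUserGestureActivation` is called, and nothing visible says what the load state then carries. The removed comment tied this snapshot to the "allowed by sandboxing to navigate" step, so the source recorded here appears to feed a sandboxing decision and the fallback should be stated. I would add above the `if`: `// No incumbent window: source BC and user activation keep loadState's defaults.` and `// NOTE: aSourceDocument is not consulted here after the revert of Bug 2009144.` (this assumes the parameter still exists, which the hunk does not show). Navigate's body starts and ends outside the hunk.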
diff --git a/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-navigate-parent.html.ini b/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-navigate-parent.html.ini
@@ -0,0 +1,8 @@
+[sandboxing-navigate-parent.html]
+ expected:
+ if (os == "linux") and debug and not fission: [OK, ERROR]
+ if (os == "linux") and not debug and fission: [OK, ERROR]
+ if (os == "android") and not debug: [OK, ERROR]
+ if os == "win": [OK, ERROR]
+ [A sandboxed iframe can use its sibling's navigation object to call navigate(), as long as allow-same-origin is present]
+ expected: FAIL
diff --git a/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-navigate-sibling.html.ini b/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-navigate-sibling.html.ini
@@ -0,0 +1,4 @@
+[sandboxing-navigate-sibling.html]
+ expected: TIMEOUT
+ [A sandboxed iframe can use its parent's navigation object to call navigate(), as long as allow-same-origin is present]
+ expected: TIMEOUT