[Navigation API] NavigateEvent.sourceElement can be cross-window.

basuke · basuke · commit 8fe87a5ca819 · 2025-11-03T13:58:29.000-08:00
https://bugs.webkit.org/show_bug.cgi?id=301885 rdar://163962362 Reviewed by NOBODY (OOPS!). NavigateEvent.sourceElement should be allowed to reference elements from different browsing contexts (e.g., when an anchor in a parent window targets an iframe). Since navigate events only fire for same-origin navigations, there is no security risk in exposing the source element across windows. This aligns WebKit's behavior with the HTML specification and matches Chromium's implementation after their fix. Spec: https://html.spec.whatwg.org/multipage/nav-history-apis.html#fire-a-push/replace/reload-navigate-event * LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/navigate-anchor-with-target.html: imported from web-platform-tests/wpt#55760 * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::dispatchNavigateEvent):
diff --git a/LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/navigate-anchor-with-target.html b/LayoutTests/imported/w3c/web-platform-tests/navigation-api/navigate-event/navigate-anchor-with-target.html
@@ -20,10 +20,10 @@
       assert_equals(new URL(e.destination.url).pathname,
                     "/navigation-api/navigate-event/foo.html");
       assert_false(e.destination.sameDocument);
-    assert_equals(e.destination.key, "");
-    assert_equals(e.destination.id, "");
+      assert_equals(e.destination.key, "");
+      assert_equals(e.destination.id, "");
       assert_equals(e.destination.index, -1);
-      assert_equals(e.sourceElement, null);
+      assert_equals(e.sourceElement, a);
       e.preventDefault();
     });
     a.click();
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
@@ -4426,11 +4426,6 @@ bool FrameLoader::dispatchNavigateEvent(FrameLoadType loadType, const FrameLoadR
 
     RefPtr sourceElement = event ? dynamicDowncast<Element>(event->target()) : nullptr;
 
-    // For non-form navigations, if sourceElement is from a different frame, it should be null.
-    // For form submissions, sourceElement can be from a different frame (when form has target attribute).
-    if (!formState && sourceElement && sourceElement->document().frame() != m_frame.ptr())
-        sourceElement = nullptr;
-
     return window->protectedNavigation()->dispatchPushReplaceReloadNavigateEvent(newURL, navigationType, isSameDocument, formState, classicHistoryAPIState, sourceElement.get());
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4426,11 +4426,6 @@ bool FrameLoader::dispatchNavigateEvent(FrameLoadType loadType, const FrameLoadR`
`4426`	`4426`
`4427`	`4427`	`RefPtr sourceElement = event ? dynamicDowncast<Element>(event->target()) : nullptr;`
`4428`	`4428`
`4429`		`- // For non-form navigations, if sourceElement is from a different frame, it should be null.`
`4430`		`- // For form submissions, sourceElement can be from a different frame (when form has target attribute).`
`4431`		`- if (!formState && sourceElement && sourceElement->document().frame() != m_frame.ptr())`
`4432`		`- sourceElement = nullptr;`
`4433`		`-`
`4434`	`4429`	`return window->protectedNavigation()->dispatchPushReplaceReloadNavigateEvent(newURL, navigationType, isSameDocument, formState, classicHistoryAPIState, sourceElement.get());`
`4435`	`4430`	`}`
`4436`	`4431`