[7] [WebCore] Validate SameSite initiator in FrameLoader::load

Severity: High | Component: WebCore FrameLoader | 093f346

Rated High because the diff adds the initiator argument to addSameSiteInfoToRequestIfNeeded in FrameLoader::load; without it, every navigation request was classified same-site (isSameSiteUnspecified=false, isSameSite=true) and attached the destination's SameSite=Strict cookies regardless of the cross-site initiator.

FrameLoader::load now calls the initiator-aware addSameSiteInfoToRequestIfNeeded(loader->request(), initiator), allowing the downstream updateRequestAndAddExtraFields to recompute the SameSite disposition correctly.

Source/WebCore/loader/FrameLoader.cpp

- addSameSiteInfoToRequestIfNeeded(loader->request());
+ addSameSiteInfoToRequestIfNeeded(loader->request(), initiator);
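Review bot: this hunk repairs only the FrameLoader::load call site and, per the description, leaves the one-arg overload of addSameSiteInfoToRequestIfNeeded with its same-site/specified defaults in place, so any other caller that omits the initiator reproduces the same bypass; consider removing that overload or changing it to leave isSameSiteUnspecified true so updateRequestAndAddExtraFields still recomputes the disposition, and add a regression test asserting that a navigation from a cross-site initiator does not carry the destination's SameSite=Strict cookies.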

SameSite cookie policy bypass: the omitted-initiator overload unconditionally marks the request same-site and "specified", suppressing later cross-site recomputation.

A single call-site widens the argument list. The helper's two-arg form already classifies correctly when the initiator is supplied; the one-arg overload's defaults are what produced the bypass.

SameSite cookie attribution is computed at request preparation: isSameSite decides whether SameSite=Strict / SameSite=Lax cookies are attached. The disposition can be unspecified, in which case downstream layers compute it from the initiator; if specified, downstream takes the field as-is.

Pre-fix, the one-arg form of addSameSiteInfoToRequestIfNeeded set isSameSite=true and isSameSiteUnspecified=false. updateRequestAndAddExtraFields only performs the proper initiator-aware recomputation when isSameSiteUnspecified is true; with disposition already specified, recomputation was suppressed. A navigation initiated from attacker.example to victim.example was classified same-site, and the network layer attached victim.example's SameSite=Strict cookies to the outgoing request.
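To make the two-phase stamping concrete, the following is an added C++ model and not WebCore code: the struct fields, the helper bodies, the host-based same-site comparison and the cookie jar for victim.example are constructed assumptions that mirror the behaviour the page describes. `simulateNavigation(false, …)` reproduces the pre-fix call site that omitted the initiator; `simulateNavigation(true, …)` reproduces the patched one.

```cpp
#include <cassert>
#include <optional>
#include <string>
#include <vector>

// Constructed model of the two-phase SameSite stamping described on the page.
// Types, helper bodies and the cookie jar are assumptions, not WebCore's code.

enum class SameSitePolicy { None, Lax, Strict };

struct Cookie {
    std::string name;
    SameSitePolicy policy;
};
struct ResourceRequest {
    std::string url;                   // destination of the navigation
    bool isSameSite = false;           // disposition consumed by the network layer
    bool isSameSiteUnspecified = true; // true: downstream must still compute it
};

// Host comparison stands in for WebKit's registrable-domain check (assumption).
static std::string hostOf(const std::string& url) {
    size_t schemeEnd = url.find("://");
    size_t start = schemeEnd == std::string::npos ? 0 : schemeEnd + 3;
    size_t end = url.find('/', start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}
static bool sameSite(const std::string& initiatorURL, const std::string& destinationURL) {
    return hostOf(initiatorURL) == hostOf(destinationURL);
}

// Pre-fix one-arg overload: stamps "same-site, specified" without ever seeing
// the initiator. These defaults are what the page identifies as the bypass.
void addSameSiteInfoToRequestIfNeeded(ResourceRequest& request) {
    request.isSameSite = true;
    request.isSameSiteUnspecified = false;
}

// Initiator-aware overload: classify from the initiator when it is known,
// otherwise leave the disposition unspecified so downstream decides.
void addSameSiteInfoToRequestIfNeeded(ResourceRequest& request, const std::optional<std::string>& initiatorURL) {
    if (!initiatorURL) {
        request.isSameSiteUnspecified = true;
        return;
    }
    request.isSameSite = sameSite(*initiatorURL, request.url);
    request.isSameSiteUnspecified = false;
}

// Downstream recomputation runs only while the disposition is unspecified; a
// pre-stamped "specified" value is taken as-is, so the one-arg stamp is never corrected.
void updateRequestAndAddExtraFields(ResourceRequest& request, const std::optional<std::string>& initiatorURL) {
    if (!request.isSameSiteUnspecified)
        return;
    request.isSameSite = initiatorURL.has_value() && sameSite(*initiatorURL, request.url);
    request.isSameSiteUnspecified = false;
}

// Network layer for a top-level navigation: Lax and unrestricted cookies always
// ride along; Strict cookies only when the request is same-site.
std::vector<std::string> cookiesToAttach(const ResourceRequest& request, const std::vector<Cookie>& jar) {
    std::vector<std::string> attached;
    for (const Cookie& cookie : jar) {
        if (cookie.policy == SameSitePolicy::Strict && !request.isSameSite)
            continue;
        attached.push_back(cookie.name);
    }
    return attached;
}

static const std::vector<Cookie>& victimJar() { // constructed jar for victim.example
    static const std::vector<Cookie> jar = {
        {"session", SameSitePolicy::Strict},
        {"prefs", SameSitePolicy::Lax},
        {"tracker", SameSitePolicy::None},
    };
    return jar;
}

// passInitiator=false reproduces the pre-fix FrameLoader::load call site; true the patched one.
std::vector<std::string> simulateNavigation(bool passInitiator, const std::optional<std::string>& initiatorURL, const std::string& destinationURL) {
    ResourceRequest request;
    request.url = destinationURL;
    if (passInitiator)
        addSameSiteInfoToRequestIfNeeded(request, initiatorURL);
    else
        addSameSiteInfoToRequestIfNeeded(request);
    updateRequestAndAddExtraFields(request, initiatorURL);
    return cookiesToAttach(request, victimJar());
}

int main() {
    const std::optional<std::string> attacker = std::string("https://attacker.example/");
    assert(simulateNavigation(false, attacker, "https://victim.example/account").size() == 3); // Strict leaked
    assert(simulateNavigation(true, attacker, "https://victim.example/account").size() == 2);  // Strict withheld
    return 0;
}
```

The model shows why the call-site change is sufficient: once the initiator-aware overload either classifies from the initiator or leaves the disposition unspecified, the downstream recomputation path is reached and the Strict cookie is withheld for the cross-site case, while Lax and unrestricted cookies still attach to the top-level navigation.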

How a missing argument to a single helper call silently overrode the entire SameSite=Strict cookie defense for cross-site navigations — and what the broader two-phase policy stamping pattern means for cookie boundary integrity.

Four reusable audit patterns covering SameSite stamping call sites, navigation entry points that drop the initiator, initial-document predicates, and cross-platform cookie policy parity.
