[Navigation API] Fix cross-origin leak of sourceElement.

mikewest · chromium-wpt-export-bot · commit db6fcb5757d4 · 2026-04-16T05:20:36.000-07:00
This CL prevents a cross-origin initiator's Element from being exposed via NavigateEvent.sourceElement during same-document navigations. Bug: 502410911 Change-Id: I756dbd4876afc0db7617f18772e0055962804c18 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7762284 Reviewed-by: Nate Chapin <japhet@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/main@{#1615710}
diff --git a/navigation-api/navigate-event/resources/echo-sourceElement.html b/navigation-api/navigate-event/resources/echo-sourceElement.html
@@ -0,0 +1,13 @@
+<!doctype html>
+<script>
+  navigation.onnavigate = e => {
+    if (e.destination.url.includes("#test")) {
+      window.parent.postMessage({
+        type: "result",
+        sourceElementIsNull: e.sourceElement === null,
+        sourceElementName: e.sourceElement ? e.sourceElement.tagName : "null"
+      }, "*");
+    }
+  };
+  window.parent.postMessage({ type: "ready" }, "*");
+</script>
diff --git a/navigation-api/navigate-event/sourceElement-cross-origin.sub.html b/navigation-api/navigate-event/sourceElement-cross-origin.sub.html
@@ -0,0 +1,20 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe id="theFrame" name="theFrame" src="http://{{domains[www1]}}:{{ports[http][0]}}/navigation-api/navigate-event/resources/echo-sourceElement.html"></iframe>
+<script>
+async_test(t => {
+  window.addEventListener("message", t.step_func(e => {
+    if (e.data.type === "ready") {
+      const a = document.createElement("a");
+      a.href = document.getElementById("theFrame").src + "#test";
+      a.target = "theFrame";
+      document.body.appendChild(a);
+      a.click();
+    } else if (e.data.type === "result") {
+      assert_true(e.data.sourceElementIsNull, "sourceElement must be null for cross-origin initiators (it was " + e.data.sourceElementName + ")");
+      t.done();
+    }
+  }));
+}, "NavigateEvent.sourceElement should be null for cross-origin same-document initiators");
+</script>
