Title: [210723] branches/safari-603-branch/Source/WebCore


Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-13 07:05:15 UTC (rev 210723)
@@ -1,5 +1,41 @@
 2017-01-12  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210474. rdar://problem/29762809
+
+    2017-01-06  Daniel Bates  <daba...@apple.com>
+
+            Ensure navigation only allowed for documents not in the page cache
+            https://bugs.webkit.org/show_bug.cgi?id=166773
+            <rdar://problem/29762809>
+
+            Reviewed by Brent Fulgham.
+
+            It is wise to ensure that navigation is only allowed when initiated from a document that
+            is not in- or about to be put in- the page cache. Such a navigation would surprise a
+            person that had navigated away from the initiating document among other issues.
+
+            * dom/Document.cpp:
+            (WebCore::Document::canNavigate): Only allow navigation if the document is not in the
+            page cache.
+            * html/HTMLAnchorElement.cpp:
+            (WebCore::HTMLAnchorElement::handleClick): Ditto.
+            * html/HTMLLinkElement.cpp:
+            (WebCore::HTMLLinkElement::handleClick): Ditto.
+            * loader/FrameLoader.cpp:
+            (WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
+            page cache.
+            (WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
+            page cache.
+            (WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
+            the page cache.
+            * mathml/MathMLElement.cpp:
+            (WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
+            not in the page cache.
+            * svg/SVGAElement.cpp:
+            (WebCore::SVGAElement::defaultEventHandler): Ditto.
+
+2017-01-12  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210536. rdar://problem/29939970
 
     2017-01-09  Chris Dumez  <cdu...@apple.com>

Modified: branches/safari-603-branch/Source/WebCore/dom/Document.cpp (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/dom/Document.cpp	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/dom/Document.cpp	2017-01-13 07:05:15 UTC (rev 210723)
@@ -2990,6 +2990,9 @@
     if (!m_frame)
         return false;
 
+    if (pageCacheState() != Document::NotInPageCache)
+        return false;
+
     // FIXME: We shouldn't call this function without a target frame, but
     // fast/forms/submit-to-blank-multiple-times.html depends on this function
     // returning true when supplied with a 0 targetFrame.
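Review bot: The new early return at the top of canNavigate is the one decision in this stretch without a why-comment, while the FIXME directly below explains its neighbour; a reader has to go to the ChangeLog to learn that any state other than NotInPageCache (in the cache, or about to enter it) is meant to be refused. I would add `// A document that is in, or about to enter, the page cache must not initiate navigation; the user has already left it.` above the check. canNavigate's signature and the remainder of its body lie outside this hunk, so I cannot see whether later branches (e.g. the target-frame handling) also need to be aware of the cached state.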

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLAnchorElement.cpp (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/html/HTMLAnchorElement.cpp	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLAnchorElement.cpp	2017-01-13 07:05:15 UTC (rev 210723)
@@ -369,6 +369,9 @@
     if (!frame)
         return;
 
+    if (document().pageCacheState() != Document::NotInPageCache)
+        return;
+
     StringBuilder url;
     url.append(stripLeadingAndTrailingHTMLSpaces(attributeWithoutSynchronization(hrefAttr)));
     appendServerMapMousePosition(url, event);
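Review bot: The predicate `document().pageCacheState() != Document::NotInPageCache` is now written out verbatim at five call sites (here, HTMLLinkElement::handleClick, FrameLoader::submitForm, MathMLElement::defaultEventHandler and SVGAElement::defaultEventHandler) plus the two security assertions in FrameLoader; if the page-cache state enum ever gains a value, or the rule changes to "only the in-cache state", every copy has to be found and updated. A small named query on Document, say `bool isInOrAboutToEnterPageCache() const`, would keep the policy in one place and make each early return self-describing. The placement here, after the frame null check and before the URL is assembled, is sound. handleClick begins outside this hunk, so I cannot see whether the event is already marked default-handled before this return, as it is in the MathML handler.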

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLLinkElement.cpp	2017-01-13 07:05:15 UTC (rev 210723)
@@ -490,6 +490,8 @@
     Frame* frame = document().frame();
     if (!frame)
         return;
+    if (document().pageCacheState() != Document::NotInPageCache)
+        return;
     frame->loader().urlSelected(url, target(), &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
 }
 

Modified: branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp	2017-01-13 07:05:15 UTC (rev 210723)
@@ -346,6 +346,9 @@
 
 void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, Event* triggeringEvent)
 {
+    ASSERT_WITH_SECURITY_IMPLICATION(!triggeringEvent || !triggeringEvent->target() || !triggeringEvent->target()->toNode()
+        || triggeringEvent->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
     Ref<Frame> protect(m_frame);
     FrameLoadRequest frameRequest(passedRequest);
 
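Review bot: ASSERT_WITH_SECURITY_IMPLICATION is compiled out of release builds, so the new check in urlSelected (and the identical one in loadFrameRequest further down) documents the invariant but does not enforce it; release builds rely entirely on every caller having been given its own early return. The callers updated in this commit are covered, but any other caller of urlSelected or loadFrameRequest that passes an event from a cached document will still proceed, unless Document::canNavigate (also tightened here) sits on that path — I cannot confirm that from the hunk. If it does not, a release-mode guard mirroring the element handlers, `if (triggeringEvent && triggeringEvent->target() && triggeringEvent->target()->toNode() && triggeringEvent->target()->toNode()->document().pageCacheState() != Document::NotInPageCache) return;`, would make the policy hold regardless of build configuration. The condition is also duplicated across the two asserts; a single helper taking the Event* would avoid the two copies drifting apart.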
@@ -369,10 +372,13 @@
     ASSERT(submission->data());
     ASSERT(submission->state());
     ASSERT(!submission->state()->sourceDocument()->frame() || submission->state()->sourceDocument()->frame() == &m_frame);
-    
+
     if (!m_frame.page())
         return;
-    
+
+    if (submission->state()->sourceDocument()->pageCacheState() != Document::NotInPageCache)
+        return;
+
     if (submission->action().isEmpty())
         return;
 
@@ -1125,6 +1131,9 @@
 
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, Event* event, PassRefPtr<FormState> formState)
 {    
+    ASSERT_WITH_SECURITY_IMPLICATION(!event || !event->target() || !event->target()->toNode()
+        || event->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
     // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
     Ref<Frame> protect(m_frame);
 

Modified: branches/safari-603-branch/Source/WebCore/mathml/MathMLElement.cpp (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/mathml/MathMLElement.cpp	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/mathml/MathMLElement.cpp	2017-01-13 07:05:15 UTC (rev 210723)
@@ -149,6 +149,8 @@
             auto& href = ""
             const auto& url = ""
             event.setDefaultHandled();
+            if (document().pageCacheState() != Document::NotInPageCache)
+                return;
             if (auto* frame = document().frame())
                 frame->loader().urlSelected(document().completeURL(url), "_self", &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
             return;

Modified: branches/safari-603-branch/Source/WebCore/svg/SVGAElement.cpp (210722 => 210723)


--- branches/safari-603-branch/Source/WebCore/svg/SVGAElement.cpp	2017-01-13 07:05:11 UTC (rev 210722)
+++ branches/safari-603-branch/Source/WebCore/svg/SVGAElement.cpp	2017-01-13 07:05:15 UTC (rev 210723)
@@ -145,6 +145,8 @@
             Frame* frame = document().frame();
             if (!frame)
                 return;
+            if (document().pageCacheState() != Document::NotInPageCache)
+                return;
             frame->loader().urlSelected(document().completeURL(url), target, &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
             return;
         }