Title: [214998] releases/WebKitGTK/webkit-2.14/Source/WebCore
Revision
214998
Author
carlo...@webkit.org
Date
2017-04-06 00:38:56 -0700 (Thu, 06 Apr 2017)

Log Message

Merge r210474 - Ensure navigation only allowed for documents not in the page cache
https://bugs.webkit.org/show_bug.cgi?id=166773
<rdar://problem/29762809>

Reviewed by Brent Fulgham.

It is wise to ensure that navigation is only allowed when initiated from a document that
is not in, or about to be put in, the page cache. Such a navigation would surprise a
person who had already navigated away from the initiating document, among other issues.

* dom/Document.cpp:
(WebCore::Document::canNavigate): Only allow navigation if the document is not in the
page cache.
* html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::handleClick): Ditto.
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::handleClick): Ditto.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
page cache.
(WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
page cache.
(WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
the page cache.
* mathml/MathMLElement.cpp:
(WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
not in the page cache.
* svg/SVGAElement.cpp:
(WebCore::SVGAElement::defaultEventHandler): Ditto.

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2017-04-06 07:38:56 UTC (rev 214998)
@@ -1,3 +1,35 @@
+2017-01-06  Daniel Bates  <daba...@apple.com>
+
+        Ensure navigation only allowed for documents not in the page cache
+        https://bugs.webkit.org/show_bug.cgi?id=166773
+        <rdar://problem/29762809>
+
+        Reviewed by Brent Fulgham.
+
+        It is wise to ensure that navigation is only allowed when initiated from a document that
+        is not in- or about to be put in- the page cache. Such a navigation would surprise a
+        person that had navigated away from the initiating document among other issues.
+
+        * dom/Document.cpp:
+        (WebCore::Document::canNavigate): Only allow navigation if the document is not in the
+        page cache.
+        * html/HTMLAnchorElement.cpp:
+        (WebCore::HTMLAnchorElement::handleClick): Ditto.
+        * html/HTMLLinkElement.cpp:
+        (WebCore::HTMLLinkElement::handleClick): Ditto.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
+        page cache.
+        (WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
+        page cache.
+        (WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
+        the page cache.
+        * mathml/MathMLElement.cpp:
+        (WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
+        not in the page cache.
+        * svg/SVGAElement.cpp:
+        (WebCore::SVGAElement::defaultEventHandler): Ditto.
+
 2017-01-09  Daniel Bates  <daba...@apple.com>
 
         Evaluating window named element may return wrong result

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Document.cpp (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Document.cpp	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/dom/Document.cpp	2017-04-06 07:38:56 UTC (rev 214998)
@@ -3133,6 +3133,9 @@
     if (!m_frame)
         return false;
 
+    if (pageCacheState() != Document::NotInPageCache)
+        return false;
+
     // FIXME: We shouldn't call this function without a target frame, but
     // fast/forms/submit-to-blank-multiple-times.html depends on this function
     // returning true when supplied with a 0 targetFrame.
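Review bot: The new early return in canNavigate carries no comment saying why a cached document is refused, and a reader who only sees `NotInPageCache` will not realise that the `!=` comparison presumably also rejects the "about to enter the page cache" state the ChangeLog describes. I would add above it: `// A document that is in, or about to enter, the page cache must never initiate a navigation (webkit.org/b/166773).` canNavigate begins before this hunk and the FIXME about a null targetFrame continues past it.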

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLAnchorElement.cpp (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLAnchorElement.cpp	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLAnchorElement.cpp	2017-04-06 07:38:56 UTC (rev 214998)
@@ -360,6 +360,9 @@
     if (!frame)
         return;
 
+    if (document().pageCacheState() != Document::NotInPageCache)
+        return;
+
     StringBuilder url;
     url.append(stripLeadingAndTrailingHTMLSpaces(attributeWithoutSynchronization(hrefAttr)));
     appendServerMapMousePosition(url, event);
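Review bot: The predicate `document().pageCacheState() != Document::NotInPageCache` introduced here is repeated verbatim in HTMLLinkElement, MathMLElement, SVGAElement and FrameLoader::submitForm within this same commit, which makes a sixth navigation entry point easy to miss next time. A single query on Document, e.g. `bool isInOrEnteringPageCache() const { return pageCacheState() != NotInPageCache; }`, would name the rule once and let each handler read `if (document().isInOrEnteringPageCache()) return;`. handleClick begins before this hunk.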

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLLinkElement.cpp (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLLinkElement.cpp	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLLinkElement.cpp	2017-04-06 07:38:56 UTC (rev 214998)
@@ -472,6 +472,8 @@
     Frame* frame = document().frame();
     if (!frame)
         return;
+    if (document().pageCacheState() != Document::NotInPageCache)
+        return;
     frame->loader().urlSelected(url, target(), &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
 }
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/FrameLoader.cpp (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/FrameLoader.cpp	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/FrameLoader.cpp	2017-04-06 07:38:56 UTC (rev 214998)
@@ -361,6 +361,9 @@
 
 void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, Event* triggeringEvent)
 {
+    ASSERT_WITH_SECURITY_IMPLICATION(!triggeringEvent || !triggeringEvent->target() || !triggeringEvent->target()->toNode()
+        || triggeringEvent->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
     Ref<Frame> protect(m_frame);
     FrameLoadRequest frameRequest(passedRequest);
 
@@ -384,10 +387,13 @@
     ASSERT(submission->data());
     ASSERT(submission->state());
     ASSERT(!submission->state()->sourceDocument()->frame() || submission->state()->sourceDocument()->frame() == &m_frame);
-    
+
     if (!m_frame.page())
         return;
-    
+
+    if (submission->state()->sourceDocument()->pageCacheState() != Document::NotInPageCache)
+        return;
+
     if (submission->action().isEmpty())
         return;
 
@@ -1126,6 +1132,9 @@
 
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, Event* event, PassRefPtr<FormState> formState)
 {    
+    ASSERT_WITH_SECURITY_IMPLICATION(!event || !event->target() || !event->target()->toNode()
+        || event->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
     // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
     Ref<Frame> protect(m_frame);
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/mathml/MathMLElement.cpp (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/mathml/MathMLElement.cpp	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/mathml/MathMLElement.cpp	2017-04-06 07:38:56 UTC (rev 214998)
@@ -279,6 +279,8 @@
             auto& href = ""
             const auto& url = ""
             event.setDefaultHandled();
+            if (document().pageCacheState() != Document::NotInPageCache)
+                return;
             if (auto* frame = document().frame())
                 frame->loader().urlSelected(document().completeURL(url), "_self", &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
             return;

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/svg/SVGAElement.cpp (214997 => 214998)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/svg/SVGAElement.cpp	2017-04-06 07:34:10 UTC (rev 214997)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/svg/SVGAElement.cpp	2017-04-06 07:38:56 UTC (rev 214998)
@@ -145,6 +145,8 @@
             Frame* frame = document().frame();
             if (!frame)
                 return;
+            if (document().pageCacheState() != Document::NotInPageCache)
+                return;
             frame->loader().urlSelected(document().completeURL(url), target, &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
             return;
         }