Title: [219528] trunk
Revision: 219528
Author: dba...@webkit.org
Date: 2017-07-14 15:27:52 -0700 (Fri, 14 Jul 2017)

Log Message

REGRESSION (r219013): Compute source frame info for frameless document
https://bugs.webkit.org/show_bug.cgi?id=174385
<rdar://problem/33217736>

Reviewed by Brady Eidson.

Source/WebKit:

Fixes an issue where we would crash in WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction()
when computing the frame info for a now-frameless document. One way this can happen is when the frame
that contains the document that initiated the navigation is removed from the page.

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForNavigationAction): Check that we have a valid page ID before
looking up the WebPage object corresponding to it.
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction): Compute a FrameInfoData
object from the source document directly as opposed to using WebFrame::info() as the latter requires
that we have a valid WebCore frame and the source document may not have a frame.

LayoutTests:

* http/tests/navigation/resources/window-open-redirect-and-remove-opener.html: Added.
* http/tests/navigation/window-open-redirect-and-remove-opener-expected.txt: Added.
* http/tests/navigation/window-open-redirect-and-remove-opener.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (219527 => 219528)


--- trunk/LayoutTests/ChangeLog	2017-07-14 22:25:03 UTC (rev 219527)
+++ trunk/LayoutTests/ChangeLog	2017-07-14 22:27:52 UTC (rev 219528)
@@ -1,3 +1,15 @@
+2017-07-14  Daniel Bates  <daba...@apple.com>
+
+        REGRESSION (r219013): Compute source frame info for frameless document
+        https://bugs.webkit.org/show_bug.cgi?id=174385
+        <rdar://problem/33217736>
+
+        Reviewed by Brady Eidson.
+
+        * http/tests/navigation/resources/window-open-redirect-and-remove-opener.html: Added.
+        * http/tests/navigation/window-open-redirect-and-remove-opener-expected.txt: Added.
+        * http/tests/navigation/window-open-redirect-and-remove-opener.html: Added.
+
 2017-07-14  Matt Lewis  <jlew...@apple.com>
 
         Fixed expectations after Mac expectation change.

Added: trunk/LayoutTests/http/tests/navigation/resources/window-open-redirect-and-remove-opener.html (0 => 219528)


--- trunk/LayoutTests/http/tests/navigation/resources/window-open-redirect-and-remove-opener.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/navigation/resources/window-open-redirect-and-remove-opener.html	2017-07-14 22:27:52 UTC (rev 219528)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<p>PASS did not crash.</p>
+<script>
+if (window.testRunner)
+    testRunner.notifyDone();
+</script>
+</head>
+</html>
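Review bot: `+<p>PASS did not crash.</p>` and the `<script>` that follows it sit inside `<head>`, and the file has no `<body>` at all; the HTML parser implicitly closes `<head>` and opens `<body>` when it meets `<p>`, so the test passes only through parser recovery. Move the paragraph and script into an explicit `<body>` so the markup is valid and the dumped frame content does not depend on that recovery behaviour.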

Added: trunk/LayoutTests/http/tests/navigation/window-open-redirect-and-remove-opener-expected.txt (0 => 219528)


--- trunk/LayoutTests/http/tests/navigation/window-open-redirect-and-remove-opener-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/navigation/window-open-redirect-and-remove-opener-expected.txt	2017-07-14 22:27:52 UTC (rev 219528)
@@ -0,0 +1,8 @@
+Tests that we do not crash when removing the opener after using window.open() to load a resource that redirects.
+
+ 
+
+--------
+Frame: 'B'
+--------
+PASS did not crash.

Added: trunk/LayoutTests/http/tests/navigation/window-open-redirect-and-remove-opener.html (0 => 219528)


--- trunk/LayoutTests/http/tests/navigation/window-open-redirect-and-remove-opener.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/navigation/window-open-redirect-and-remove-opener.html	2017-07-14 22:27:52 UTC (rev 219528)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.waitUntilDone();
+}
+
+function removeIframeA()
+{
+    document.body.removeChild(document.querySelector("iframe[name=A]"));
+}
+</script>
+</head>
+<body>
+<p>Tests that we do not crash when removing the opener after using window.open() to load a resource that redirects.</p>
+<iframe name="A" srcdoc='
+<script>
+window.open("http://127.0.0.1:8000/cache/resources/cache-control-redirect.php?url="" "B");
+parent.removeIframeA();
+</script>
+'></iframe>
+<iframe name="B"></iframe>
+</body>
+</html>
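Review bot: the call inside the srcdoc, `window.open("http://127.0.0.1:8000/cache/resources/cache-control-redirect.php?url="" "B");`, does not parse as JavaScript as shown here (the two arguments are not separated by a comma and the `url` query parameter is empty), yet the expected output requires frame B to end up on resources/window-open-redirect-and-remove-opener.html, which prints "PASS did not crash." and calls `testRunner.notifyDone()`; confirm that the committed file passes that resource URL as `url` and separates it from `"B"` with a comma. A one-line comment above `parent.removeIframeA();` saying that removing the opener frame synchronously, while the redirect is still in flight, is what produces the frameless source document would also make the test's intent clear to whoever next touches it.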

Modified: trunk/Source/WebKit/ChangeLog (219527 => 219528)


--- trunk/Source/WebKit/ChangeLog	2017-07-14 22:25:03 UTC (rev 219527)
+++ trunk/Source/WebKit/ChangeLog	2017-07-14 22:27:52 UTC (rev 219528)
@@ -1,3 +1,23 @@
+2017-07-14  Daniel Bates  <daba...@apple.com>
+
+        REGRESSION (r219013): Compute source frame info for frameless document
+        https://bugs.webkit.org/show_bug.cgi?id=174385
+        <rdar://problem/33217736>
+
+        Reviewed by Brady Eidson.
+
+        Fixes an issue where we would crash in WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction()
+        when computing the frame info for a now-frameless document. One way this can happen is when the frame
+        that contains the document that initiated the navigation is removed from the page.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::decidePolicyForNavigationAction): Check that we have a valid page ID before
+        looking up the WebPage object corresponding to it.
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction): Compute a FrameInfoData
+        object from the source document directly as opposed to using WebFrame::info() as the latter requires
+        that we have a valid WebCore frame and the source document may not have a frame.
+
 2017-07-14  Jer Noble  <jer.no...@apple.com>
 
         Allow clients to override their own hardware media requirements where no fallback media exists.

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (219527 => 219528)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2017-07-14 22:25:03 UTC (rev 219527)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2017-07-14 22:27:52 UTC (rev 219528)
@@ -3643,7 +3643,7 @@
         if (!fromAPI && originatingFrame == frame)
             sourceFrameInfo = destinationFrameInfo;
         else if (!fromAPI)
-            sourceFrameInfo = API::FrameInfo::create(originatingFrameInfoData, m_process->webPage(originatingPageID));
+            sourceFrameInfo = API::FrameInfo::create(originatingFrameInfoData, originatingPageID ? m_process->webPage(originatingPageID) : nullptr);
 
         auto userInitiatedActivity = m_process->userInitiatedActivity(navigationActionData.userGestureTokenIdentifier);
         bool shouldOpenAppLinks = !m_shouldSuppressAppLinksInNextNavigationPolicyDecision && (!destinationFrameInfo || destinationFrameInfo->isMainFrame()) && !hostsAreEqual(URL(ParsedURLString, m_mainFrame->url()), request.url()) && navigationActionData.navigationType != WebCore::NavigationType::BackForward;
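Review bot: the new `originatingPageID ? m_process->webPage(originatingPageID) : nullptr` relies on two things that are not stated at this site: that `0` is the sentinel the WebProcess sends when the originating frame has no page (see the `: 0` fallback in WebFrameLoaderClient.cpp below), and that `API::FrameInfo::create` accepts a null page. Add a short comment such as `// A page ID of 0 means the source document no longer has a frame or page.` so the guard is not removed as redundant later, and confirm that `FrameInfo::create` handles a null `WebPageProxy` rather than dereferencing it.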

Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (219527 => 219528)


--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2017-07-14 22:25:03 UTC (rev 219527)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2017-07-14 22:27:52 UTC (rev 219528)
@@ -777,8 +777,16 @@
     DownloadID downloadID;
 
     ASSERT(navigationAction.sourceDocument());
-    RefPtr<WebFrame> originatingFrame = WebFrame::fromCoreFrame(*navigationAction.sourceDocument()->frame());
+    const Document& sourceDocument = *navigationAction.sourceDocument();
+    RefPtr<WebFrame> originatingFrame = sourceDocument.frame() ? WebFrame::fromCoreFrame(*sourceDocument.frame()) : nullptr;
 
+    FrameInfoData originatingFrameInfoData;
+    originatingFrameInfoData.isMainFrame = navigationAction.initiatedByMainFrame() == InitiatedByMainFrame::Yes;
+    originatingFrameInfoData.request = ResourceRequest(sourceDocument.url());
+    originatingFrameInfoData.securityOrigin = SecurityOriginData::fromSecurityOrigin(sourceDocument.securityOrigin());
+    if (originatingFrame)
+        originatingFrameInfoData.frameID = originatingFrame->frameID();
+
     NavigationActionData navigationActionData;
     navigationActionData.navigationType = action->navigationType();
     navigationActionData.modifiers = action->modifiers();
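Review bot: when `sourceDocument.frame()` is null, `originatingFrameInfoData.frameID` is left at its default while `isMainFrame`, `request` and `securityOrigin` are populated, which is a different message from the old fallback of sending a wholly default-constructed `FrameInfoData()` (see the removed line in the next hunk). Add a comment after `if (originatingFrame)` stating that a default frameID means the source frame has already been removed, and check that the UIProcess side tolerates a populated FrameInfoData whose frameID does not resolve to a live frame.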
@@ -803,7 +811,10 @@
     // Notify the UIProcess.
     Ref<WebFrame> protect(*m_frame);
     WebsitePolicies websitePolicies;
-    if (!webPage->sendSync(Messages::WebPageProxy::DecidePolicyForNavigationAction(m_frame->frameID(), SecurityOriginData::fromFrame(coreFrame), documentLoader->navigationID(), navigationActionData, originatingFrame ? originatingFrame->info() : FrameInfoData(), originatingFrame && originatingFrame->page() ? originatingFrame->page()->pageID() : 0, navigationAction.resourceRequest(), request, listenerID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())), Messages::WebPageProxy::DecidePolicyForNavigationAction::Reply(newNavigationID, policyAction, downloadID, websitePolicies))) {
+    // FIXME: Determine the originating page independently from the originating frame as it may exist even if
+    // the originating frame does not exist. This can happen if the originating frame was removed from the page.
+    // See <https://bugs.webkit.org/show_bug.cgi?id=174531>.
+    if (!webPage->sendSync(Messages::WebPageProxy::DecidePolicyForNavigationAction(m_frame->frameID(), SecurityOriginData::fromFrame(coreFrame), documentLoader->navigationID(), navigationActionData, originatingFrameInfoData, originatingFrame && originatingFrame->page() ? originatingFrame->page()->pageID() : 0, navigationAction.resourceRequest(), request, listenerID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())), Messages::WebPageProxy::DecidePolicyForNavigationAction::Reply(newNavigationID, policyAction, downloadID, websitePolicies))) {
         m_frame->didReceivePolicyDecision(listenerID, PolicyIgnore, 0, { });
         return;
     }
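Review bot: the FIXME says the originating page may still exist after its frame is removed, but the message still sends page ID `0` in that case (`originatingFrame && originatingFrame->page() ? originatingFrame->page()->pageID() : 0`), so for exactly the scenario this patch fixes the UIProcess builds a source FrameInfo with no page and policy clients see a null source page; that behaviour is worth a sentence in the ChangeLog next to the bug 174531 reference. Style: the `sendSync` line is now several hundred characters long; hoisting the page ID into a local named to match the UIProcess side (`originatingPageID`) would make the argument list readable and give the FIXME an obvious place to attach.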