Modified: trunk/LayoutTests/ChangeLog (97109 => 97110)
--- trunk/LayoutTests/ChangeLog 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/LayoutTests/ChangeLog 2011-10-11 00:18:47 UTC (rev 97110)
@@ -1,3 +1,15 @@
+2011-10-10 Sheriff Bot <[email protected]>
+
+ Unreviewed, rolling out r97087.
+ http://trac.webkit.org/changeset/97087
+ https://bugs.webkit.org/show_bug.cgi?id=69805
+
+ failing assert on debug builds (Requested by simonjam on
+ #webkit).
+
+ * http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url-expected.txt: Removed.
+ * http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url.html: Removed.
+
2011-10-10 Nico Weber <[email protected]>
PluginDocumentParser uses incorrect syntax for background color
Deleted: trunk/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url-expected.txt (97109 => 97110)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url-expected.txt 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url-expected.txt 2011-10-11 00:18:47 UTC (rev 97110)
@@ -1,3 +0,0 @@
-CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match.
-
-This test passes if there's no alert dialog.
Deleted: trunk/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url.html (97109 => 97110)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url.html 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-_javascript_-url.html 2011-10-11 00:18:47 UTC (rev 97110)
@@ -1,42 +0,0 @@
-<html>
-<head>
-<script>
-if (window.layoutTestController) {
- layoutTestController.dumpAsText();
- layoutTestController.waitUntilDone();
- layoutTestController.setCanOpenWindows();
- layoutTestController.setCloseRemainingWindowsWhenComplete(true);
-}
-
-window._onload_ = function()
-{
- victim = document.body.appendChild(document.createElement("iframe"));
- wnd = victim.contentWindow.open();
- victim.src = ""
- victim._onload_ = function() {
- victim._onload_ = null;
-
- wnd.eval("(" + function() {
- location = "_javascript_:(" + function() {
- a = document.createElement("a");
- a.href = ""
- e = document.createEvent("MouseEvent");
- e.initMouseEvent("click");
- a.dispatchEvent(e);
-
- return "<script>(" + function() {
- opener.location = "_javascript_:alert(document.body.innerHTML)";
-
- if (window.layoutTestController)
- setTimeout("layoutTestController.notifyDone()", 0);
- } + ")()<\/script>";
- } + ")()";
- } + ")()");
- }
-}
-</script>
-</head>
-<body>
-This test passes if there's no alert dialog.
-</body>
-</html>
Modified: trunk/Source/WebCore/ChangeLog (97109 => 97110)
--- trunk/Source/WebCore/ChangeLog 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/Source/WebCore/ChangeLog 2011-10-11 00:18:47 UTC (rev 97110)
@@ -1,3 +1,19 @@
+2011-10-10 Sheriff Bot <[email protected]>
+
+ Unreviewed, rolling out r97087.
+ http://trac.webkit.org/changeset/97087
+ https://bugs.webkit.org/show_bug.cgi?id=69805
+
+ failing assert on debug builds (Requested by simonjam on
+ #webkit).
+
+ * bindings/ScriptControllerBase.cpp:
+ (WebCore::ScriptController::executeIfJavaScriptURL):
+ * loader/DocumentWriter.cpp:
+ (WebCore::DocumentWriter::replaceDocument):
+ (WebCore::DocumentWriter::begin):
+ * loader/DocumentWriter.h:
+
2011-10-10 Adam Barth <[email protected]>
[V8] CodeGeneratorV8 shouldn't hardcode the list of ActiveDOMObjects
Modified: trunk/Source/WebCore/bindings/ScriptControllerBase.cpp (97109 => 97110)
--- trunk/Source/WebCore/bindings/ScriptControllerBase.cpp 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/Source/WebCore/bindings/ScriptControllerBase.cpp 2011-10-11 00:18:47 UTC (rev 97110)
@@ -93,7 +93,6 @@
// We need to hold onto the Frame here because executing script can
// destroy the frame.
RefPtr<Frame> protector(m_frame);
- RefPtr<Document> ownerDocument(m_frame->document());
const int _javascript_SchemeLength = sizeof("_javascript_:") - 1;
@@ -126,7 +125,7 @@
// DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
// so protect it with a RefPtr.
if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
- loader->writer()->replaceDocument(scriptResult, ownerDocument.get());
+ loader->writer()->replaceDocument(scriptResult);
}
return true;
}
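Review bot: Dropping `ownerDocument` here means the document that executed the javascript: URL is no longer passed to `replaceDocument`; the replacement document's security origin and cookie URL are instead read from `m_frame->document()` inside `DocumentWriter::begin`, which runs only after the script has finished. If the script can cause the frame's document to be swapped before that point (the layout test deleted in this same rollout, xss-DENIED-synchronous-frame-load-in-javascript-url.html, appears to exercise exactly that), the new document inherits the origin of the later document rather than the one that ran the script. The same reversion is in DocumentWriter.cpp (`replaceDocument`, `begin`), DocumentWriter.h and WebFrameImpl.cpp (`loadJavaScriptURL`), so a re-land should keep the captured owner document and restore the test once the debug assert from bug 69805 is understood. Until then, a call-site comment such as `// FIXME: origin of the replacement document comes from the current document in DocumentWriter::begin, not the one that ran this URL; see r97087 / bug 69805.` keeps the gap visible. The enclosing `executeIfJavaScriptURL` starts outside the hunk.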
Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (97109 => 97110)
--- trunk/Source/WebCore/loader/DocumentWriter.cpp 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp 2011-10-11 00:18:47 UTC (rev 97110)
@@ -64,10 +64,10 @@
// This is only called by ScriptController::executeIfJavaScriptURL
// and always contains the result of evaluating a _javascript_: url.
// This is the <iframe src="" case.
-void DocumentWriter::replaceDocument(const String& source, Document* ownerDocument)
+void DocumentWriter::replaceDocument(const String& source)
{
m_frame->loader()->stopAllLoaders();
- begin(m_frame->document()->url(), true, ownerDocument);
+ begin(m_frame->document()->url(), true, InheritSecurityOrigin);
if (!source.isNull()) {
if (!m_hasReceivedSomeData) {
@@ -106,8 +106,10 @@
return DOMImplementation::createDocument(m_mimeType, m_frame, url, m_frame->inViewSourceMode());
}
-void DocumentWriter::begin(const KURL& urlReference, bool dispatch, Document* ownerDocument)
+void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOriginSource originSource)
{
+ RefPtr<Document> oldDocument = m_frame->document();
+
// We grab a local copy of the URL because it's easy for callers to supply
// a URL that will be deallocated during the execution of this function.
// For example, see <https://bugs.webkit.org/show_bug.cgi?id=66360>.
@@ -135,9 +137,9 @@
if (m_decoder)
document->setDecoder(m_decoder.get());
- if (ownerDocument) {
- document->setCookieURL(ownerDocument->cookieURL());
- document->setSecurityOrigin(ownerDocument->securityOrigin());
+ if (originSource == InheritSecurityOrigin) {
+ document->setCookieURL(oldDocument->cookieURL());
+ document->setSecurityOrigin(oldDocument->securityOrigin());
}
m_frame->domWindow()->setURL(document->url());
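Review bot: `oldDocument->cookieURL()` and `oldDocument->securityOrigin()` dereference `oldDocument` with no null check when `originSource == InheritSecurityOrigin`; `oldDocument` is simply whatever `m_frame->document()` returned at the top of `begin`. The only caller visible here that passes `InheritSecurityOrigin` is `replaceDocument`, which has already dereferenced `m_frame->document()` for its URL, so the precondition holds today, but the enum makes the combination reachable from any future caller of `begin`. Adding `ASSERT(oldDocument);` as the first line of the `if (originSource == InheritSecurityOrigin)` branch would pin that invariant where it is relied on. `begin` continues outside this hunk.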
Modified: trunk/Source/WebCore/loader/DocumentWriter.h (97109 => 97110)
--- trunk/Source/WebCore/loader/DocumentWriter.h 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/Source/WebCore/loader/DocumentWriter.h 2011-10-11 00:18:47 UTC (rev 97110)
@@ -47,10 +47,12 @@
// This is only called by ScriptController::executeIfJavaScriptURL
// and always contains the result of evaluating a _javascript_: url.
- void replaceDocument(const String&, Document* ownerDocument);
+ void replaceDocument(const String&);
+ enum SecurityOriginSource { CreateNewSecurityOrigin, InheritSecurityOrigin };
+
void begin();
- void begin(const KURL&, bool dispatchWindowObjectAvailable = true, Document* ownerDocument = 0);
+ void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOriginSource = CreateNewSecurityOrigin);
void addData(const char* bytes, size_t length);
void end();
void endIfNotLoadingMainResource();
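Review bot: `enum SecurityOriginSource` is introduced in the public interface without saying what the two values mean or which document `InheritSecurityOrigin` inherits from, and the distinction is security-relevant. A short comment above the enum such as `// InheritSecurityOrigin: the new document takes its security origin and cookie URL from the frame's current document at the time begin() runs (used by replaceDocument for javascript: URL results); CreateNewSecurityOrigin: the document gets the origin derived from its own URL.` would let callers of `begin` choose deliberately. The class body continues outside the hunk.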
Modified: trunk/Source/WebKit/chromium/ChangeLog (97109 => 97110)
--- trunk/Source/WebKit/chromium/ChangeLog 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/Source/WebKit/chromium/ChangeLog 2011-10-11 00:18:47 UTC (rev 97110)
@@ -1,3 +1,15 @@
+2011-10-10 Sheriff Bot <[email protected]>
+
+ Unreviewed, rolling out r97087.
+ http://trac.webkit.org/changeset/97087
+ https://bugs.webkit.org/show_bug.cgi?id=69805
+
+ failing assert on debug builds (Requested by simonjam on
+ #webkit).
+
+ * src/WebFrameImpl.cpp:
+ (WebKit::WebFrameImpl::loadJavaScriptURL):
+
2011-10-10 Nico Weber <[email protected]>
[chromium] Pull tools/clang from upstream.
Modified: trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp (97109 => 97110)
--- trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp 2011-10-11 00:11:14 UTC (rev 97109)
+++ trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp 2011-10-11 00:18:47 UTC (rev 97110)
@@ -2255,8 +2255,6 @@
if (!m_frame->document() || !m_frame->page())
return;
- RefPtr<Document> ownerDocument(m_frame->document());
-
// Protect privileged pages against bookmarklets and other _javascript_ manipulations.
if (SchemeRegistry::shouldTreatURLSchemeAsNotAllowingJavascriptURLs(m_frame->document()->url().protocol()))
return;
@@ -2269,7 +2267,7 @@
return;
if (!m_frame->navigationScheduler()->locationChangePending())
- m_frame->document()->loader()->writer()->replaceDocument(scriptResult, ownerDocument.get());
+ m_frame->document()->loader()->writer()->replaceDocument(scriptResult);
}
} // namespace WebKit