- Revision
- 210474
- Author
- [email protected]
- Date
- 2017-01-06 23:14:03 -0800 (Fri, 06 Jan 2017)
Log Message
Ensure navigation only allowed for documents not in the page cache
https://bugs.webkit.org/show_bug.cgi?id=166773
<rdar://problem/29762809>
Reviewed by Brent Fulgham.
It is wise to ensure that navigation is only allowed when initiated from a document that
is not in, or about to be put in, the page cache. Such a navigation would surprise a
person who had navigated away from the initiating document, among other issues.
* dom/Document.cpp:
(WebCore::Document::canNavigate): Only allow navigation if the document is not in the
page cache.
* html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::handleClick): Ditto.
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::handleClick): Ditto.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
page cache.
(WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
page cache.
(WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
the page cache.
* mathml/MathMLElement.cpp:
(WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
not in the page cache.
* svg/SVGAElement.cpp:
(WebCore::SVGAElement::defaultEventHandler): Ditto.
Modified: trunk/Source/WebCore/ChangeLog (210473 => 210474)
--- trunk/Source/WebCore/ChangeLog 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/ChangeLog 2017-01-07 07:14:03 UTC (rev 210474)
@@ -1,3 +1,35 @@
+2017-01-06 Daniel Bates <[email protected]>
+
+ Ensure navigation only allowed for documents not in the page cache
+ https://bugs.webkit.org/show_bug.cgi?id=166773
+ <rdar://problem/29762809>
+
+ Reviewed by Brent Fulgham.
+
+ It is wise to ensure that navigation is only allowed when initiated from a document that
+ is not in- or about to be put in- the page cache. Such a navigation would surprise a
+ person that had navigated away from the initiating document among other issues.
+
+ * dom/Document.cpp:
+ (WebCore::Document::canNavigate): Only allow navigation if the document is not in the
+ page cache.
+ * html/HTMLAnchorElement.cpp:
+ (WebCore::HTMLAnchorElement::handleClick): Ditto.
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::handleClick): Ditto.
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
+ page cache.
+ (WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
+ page cache.
+ (WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
+ the page cache.
+ * mathml/MathMLElement.cpp:
+ (WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
+ not in the page cache.
+ * svg/SVGAElement.cpp:
+ (WebCore::SVGAElement::defaultEventHandler): Ditto.
+
2017-01-06 Jer Noble <[email protected]>
Crash in WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime(const MediaTime&, const FloatSize&)::block_invoke
Modified: trunk/Source/WebCore/dom/Document.cpp (210473 => 210474)
--- trunk/Source/WebCore/dom/Document.cpp 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/dom/Document.cpp 2017-01-07 07:14:03 UTC (rev 210474)
@@ -2972,6 +2972,9 @@
if (!m_frame)
return false;
+ if (pageCacheState() != Document::NotInPageCache)
+ return false;
+
// FIXME: We shouldn't call this function without a target frame, but
// fast/forms/submit-to-blank-multiple-times.html depends on this function
// returning true when supplied with a 0 targetFrame.
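Review bot: The new guard at the top of the hunk carries no comment explaining why every page-cache state other than NotInPageCache must deny navigation, and since canNavigate() already returns false for unrelated reasons (no frame, the target-frame cases that follow) a reader cannot tell from the call site which rule fired. A one-line comment would make the intent durable, e.g. `// A document that is in, or about to enter, the page cache must not initiate navigation.` The FIXME that follows still describes only the null-targetFrame case, so placing the new check ahead of it keeps that comment accurate. canNavigate() begins before the hunk and continues after it.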
Modified: trunk/Source/WebCore/html/HTMLAnchorElement.cpp (210473 => 210474)
--- trunk/Source/WebCore/html/HTMLAnchorElement.cpp 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/html/HTMLAnchorElement.cpp 2017-01-07 07:14:03 UTC (rev 210474)
@@ -369,6 +369,9 @@
if (!frame)
return;
+ if (document().pageCacheState() != Document::NotInPageCache)
+ return;
+
StringBuilder url;
url.append(stripLeadingAndTrailingHTMLSpaces(attributeWithoutSynchronization(hrefAttr)));
appendServerMapMousePosition(url, event);
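Review bot: The guard `if (document().pageCacheState() != Document::NotInPageCache) return;` added here is repeated verbatim in HTMLLinkElement::handleClick, MathMLElement::defaultEventHandler and SVGAElement::defaultEventHandler in this same commit, so any navigation entry point added later has to remember to copy it. Hoisting the condition into a single query on Document (a constructed name such as `isInOrAboutToEnterPageCache()`, not an existing API) and calling it from each handler keeps the rule in one place. As far as the hunks show, this early return is the only enforcement in release builds, because the corresponding check inside FrameLoader::urlSelected is an ASSERT_WITH_SECURITY_IMPLICATION that is compiled out there. handleClick begins before the hunk and continues after it.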
Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (210473 => 210474)
--- trunk/Source/WebCore/html/HTMLLinkElement.cpp 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp 2017-01-07 07:14:03 UTC (rev 210474)
@@ -490,6 +490,8 @@
Frame* frame = document().frame();
if (!frame)
return;
+ if (document().pageCacheState() != Document::NotInPageCache)
+ return;
frame->loader().urlSelected(url, target(), &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
}
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (210473 => 210474)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2017-01-07 07:14:03 UTC (rev 210474)
@@ -346,6 +346,9 @@
void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, Event* triggeringEvent)
{
+ ASSERT_WITH_SECURITY_IMPLICATION(!triggeringEvent || !triggeringEvent->target() || !triggeringEvent->target()->toNode()
+ || triggeringEvent->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
Ref<Frame> protect(m_frame);
FrameLoadRequest frameRequest(passedRequest);
@@ -369,10 +372,13 @@
ASSERT(submission->data());
ASSERT(submission->state());
ASSERT(!submission->state()->sourceDocument()->frame() || submission->state()->sourceDocument()->frame() == &m_frame);
-
+
if (!m_frame.page())
return;
-
+
+ if (submission->state()->sourceDocument()->pageCacheState() != Document::NotInPageCache)
+ return;
+
if (submission->action().isEmpty())
return;
@@ -1123,7 +1129,10 @@
}
void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, Event* event, FormState* formState)
-{
+{
+ ASSERT_WITH_SECURITY_IMPLICATION(!event || !event->target() || !event->target()->toNode()
+ || event->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
// Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
Ref<Frame> protect(m_frame);
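Review bot: In the urlSelected hunk the page-cache condition is expressed only as ASSERT_WITH_SECURITY_IMPLICATION, which checks nothing in release builds, so enforcement rests entirely on every caller performing its own early return; submitForm in the second hunk does a real `return`, and urlSelected and loadFrameRequest (third hunk) should probably mirror it so a caller this commit did not update cannot navigate from a page-cached document. A release-mode guard placed directly after the assertion would be `if (triggeringEvent && triggeringEvent->target() && triggeringEvent->target()->toNode() && triggeringEvent->target()->toNode()->document().pageCacheState() != Document::NotInPageCache) return;` with the same shape in loadFrameRequest using `event`. The assertion also derives the document from the event target rather than from the frame's own document, which is presumably intended, but a comment stating that would help the next reader. Both functions continue past their hunks.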
Modified: trunk/Source/WebCore/mathml/MathMLElement.cpp (210473 => 210474)
--- trunk/Source/WebCore/mathml/MathMLElement.cpp 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/mathml/MathMLElement.cpp 2017-01-07 07:14:03 UTC (rev 210474)
@@ -149,6 +149,8 @@
auto& href = ""
const auto& url = ""
event.setDefaultHandled();
+ if (document().pageCacheState() != Document::NotInPageCache)
+ return;
if (auto* frame = document().frame())
frame->loader().urlSelected(document().completeURL(url), "_self", &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
return;
Modified: trunk/Source/WebCore/svg/SVGAElement.cpp (210473 => 210474)
--- trunk/Source/WebCore/svg/SVGAElement.cpp 2017-01-07 07:12:00 UTC (rev 210473)
+++ trunk/Source/WebCore/svg/SVGAElement.cpp 2017-01-07 07:14:03 UTC (rev 210474)
@@ -145,6 +145,8 @@
Frame* frame = document().frame();
if (!frame)
return;
+ if (document().pageCacheState() != Document::NotInPageCache)
+ return;
frame->loader().urlSelected(document().completeURL(url), target, &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
return;
}