Title: [212532] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (212531 => 212532)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-02-17 05:28:26 UTC (rev 212532)
@@ -1,5 +1,22 @@
 2017-02-16  Matthew Hanson  <[email protected]>
 
+        Merge r212350. rdar://problem/30450379
+
+    2017-02-14  Brent Fulgham  <[email protected]>
+
+            Revalidate URL after events that could trigger navigations
+            https://bugs.webkit.org/show_bug.cgi?id=168071
+            <rdar://problem/30450379>
+
+            Reviewed by Ryosuke Niwa.
+
+            * http/tests/plugins/navigation-during-load-embed-expected.txt: Added.
+            * http/tests/plugins/navigation-during-load-embed.html: Added.
+            * http/tests/plugins/navigation-during-load-expected.txt: Added.
+            * http/tests/plugins/navigation-during-load.html: Added.
+
+2017-02-16  Matthew Hanson  <[email protected]>
+
         Merge r212316. rdar://problem/30504444
 
     2017-02-13  Dean Jackson  <[email protected]>

Added: branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-embed-expected.txt (0 => 212532)


--- branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-embed-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-embed-expected.txt	2017-02-17 05:28:26 UTC (rev 212532)
@@ -0,0 +1,9 @@
+Check that forcing a navigation during an embed element load is well-behaved.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-embed.html (0 => 212532)


--- branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-embed.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-embed.html	2017-02-17 05:28:26 UTC (rev 212532)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+var embed;
+
+function embedLoad() {
+    embed = document.getElementById('embed');
+
+    embed._onbeforeload_ = () => {
+        embed._onbeforeload_ = null;
+
+        let base = document.head.appendChild(document.createElement('base'));
+        base.href = '';
+        finishJSTest();
+    };
+    embed.src = '';
+};
+</script>
+</head>
+<body>
+<script>
+description("Check that forcing a navigation during an embed element load is well-behaved.")
+
+window.jsTestIsAsync = true;
+</script>
+<embed id='embed' type='image/png' src='' _onload_='embedLoad()'>
+</embed>
+</body>
+</html>
\ No newline at end of file
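Review bot: The test passes as long as the page does not crash and `finishJSTest()` runs, since the expected output only records `successfullyParsed`; it never checks that the embed load was actually refused after the `<base>` insertion, so a regression where the now-disallowed URL loads without crashing would still pass. Consider adding a `shouldBeFalse`/`shouldBe` on an observable (e.g. that no `load` fires a second time, or that `document.baseURI` changed as intended) before `finishJSTest()`. As rendered here the `<script src=` line is cut off and the `src`/`href` values are blank, which looks like a mailing-list rendering artifact rather than a test defect, but it is worth confirming against the committed file. The `_onbeforeload_`/`_onload_` attribute names likewise look mangled in this rendering.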

Added: branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-expected.txt (0 => 212532)


--- branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load-expected.txt	2017-02-17 05:28:26 UTC (rev 212532)
@@ -0,0 +1,9 @@
+Check that forcing a navigation during an object element load is well-behaved.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load.html (0 => 212532)


--- branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/plugins/navigation-during-load.html	2017-02-17 05:28:26 UTC (rev 212532)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+var object;
+
+function objectLoad() {
+    object = document.getElementById('object');
+
+    object._onbeforeload_ = () => {
+        object._onbeforeload_ = null;
+
+        let base = document.head.appendChild(document.createElement('base'));
+        base.href = '';
+        finishJSTest();
+    };
+    object.data = '';
+};
+</script>
+</head>
+<body>
+<script>
+description("Check that forcing a navigation during an object element load is well-behaved.")
+
+window.jsTestIsAsync = true;
+</script>
+<object id='object' type='text/html' data='' _onload_='objectLoad()'>
+</object>
+</body>
+</html>
\ No newline at end of file
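Review bot: The only assertion in this test is the implicit `successfullyParsed`, so it guards against a crash but not against the object element going ahead and loading the URL that became disallowed once the `<base>` element was inserted; a silent-fail regression would still print `TEST COMPLETE`. Adding an explicit check before `finishJSTest()` — for example asserting that the object's fallback content is shown, or that no further `load` event arrives — would make it a real regression test for the new `allowedToLoadFrameURL` guard. The `<script src=` line and the `data`/`href` values are blank in this rendering, presumably a mail-archive artifact; confirm against the committed file.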

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-02-17 05:28:26 UTC (rev 212532)
@@ -1,5 +1,39 @@
 2017-02-16  Matthew Hanson  <[email protected]>
 
+        Merge r212350. rdar://problem/30450379
+
+    2017-02-14  Brent Fulgham  <[email protected]>
+
+            Revalidate URL after events that could trigger navigations
+            https://bugs.webkit.org/show_bug.cgi?id=168071
+            <rdar://problem/30450379>
+
+            Reviewed by Ryosuke Niwa.
+
+            When arbitary _javascript_ runs during a load, we should revalidate
+            the URLs involved to make sure they are still valid.
+
+            Tests: http/tests/plugins/navigation-during-load-embed.html
+                   http/tests/plugins/navigation-during-load.html
+
+            * html/HTMLEmbedElement.cpp:
+            (WebCore::HTMLEmbedElement::updateWidget): Confirm we are still allowed to
+            load the URL after executing JS callbacks.
+            * html/HTMLFrameElementBase.cpp:
+            (WebCore::HTMLFrameElementBase::isURLAllowed): Split existing function into
+            existing protected method, and a new public method that checks a passed URL
+            for validity.
+            * html/HTMLFrameElementBase.h:
+            * html/HTMLFrameOwnerElement.h:
+            (WebCore::HTMLFrameOwnerElement::isURLAllowed):
+            * html/HTMLObjectElement.cpp:
+            (WebCore::HTMLObjectElement::updateWidget): Confirm we are still allowed to
+            load the URL after executing JS callbacks.
+            * loader/SubframeLoader.cpp:
+            (WebCore::SubframeLoader::requestFrame): Ditto.
+
+2017-02-16  Matthew Hanson  <[email protected]>
+
         Merge r212335. rdar://problem/29899473
 
     2017-02-14  Brady Eidson  <[email protected]>

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLEmbedElement.cpp (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/html/HTMLEmbedElement.cpp	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLEmbedElement.cpp	2017-02-17 05:28:26 UTC (rev 212532)
@@ -182,6 +182,10 @@
     if (!renderer()) // Do not load the plugin if beforeload removed this element or its renderer.
         return;
 
+    // beforeLoad could have changed the document. Make sure the URL is still safe to load.
+    if (!allowedToLoadFrameURL(m_url))
+        return;
+
     // FIXME: beforeLoad could have detached the renderer!  Just like in the <object> case above.
     requestObject(m_url, m_serviceType, paramNames, paramValues);
 }
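Review bot: The `FIXME: beforeLoad could have detached the renderer!` comment that now sits directly below the new guard is stale, because the `if (!renderer()) return;` check a few lines above already handles exactly that case; since the commit is already editing this spot, the FIXME should be dropped so it does not read as an open issue. The new comment could also be more specific about what "changed the document" means, e.g. `// beforeload JS may have inserted a <base> or otherwise changed the base URL; re-resolve and re-check m_url before loading.` That wording assumes `allowedToLoadFrameURL` completes `m_url` against the document's current base rather than reusing an earlier resolution — if `m_url` is already an absolute URL computed before beforeload, the recheck would validate the pre-navigation resolution and this needs a fresh `completeURL`. `updateWidget` begins outside the hunk.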

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLFrameElementBase.cpp (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/html/HTMLFrameElementBase.cpp	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLFrameElementBase.cpp	2017-02-17 05:28:26 UTC (rev 212532)
@@ -3,7 +3,7 @@
  *           (C) 1999 Antti Koivisto ([email protected])
  *           (C) 2000 Simon Hausmann ([email protected])
  *           (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -54,15 +54,21 @@
 
 bool HTMLFrameElementBase::isURLAllowed() const
 {
+    if (m_URL.isEmpty())
+        return true;
+
+    return isURLAllowed(document().completeURL(m_URL));
+}
+
+bool HTMLFrameElementBase::isURLAllowed(const URL& completeURL) const
+{
     if (document().page() && document().page()->subframeCount() >= Page::maxNumberOfFrames)
         return false;
 
-    if (m_URL.isEmpty())
+    if (completeURL.isEmpty())
         return true;
 
-    const URL& completeURL = document().completeURL(m_URL);
-
-    if (protocolIsJavaScript(completeURL)) { 
+    if (protocolIsJavaScript(completeURL)) {
         Document* contentDoc = this->contentDocument();
         if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame()))
             return false;
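Review bot: The split changes the order of the two early returns: the new no-argument `isURLAllowed()` returns `true` for an empty `m_URL` before the `Page::maxNumberOfFrames` check that now lives in the overload, whereas the removed code tested emptiness only after the cap, so a frame with no `src` (about:blank) is no longer counted against the subframe limit that exists to bound frame-bomb pages. Preserving the old ordering needs only the one-line body `return isURLAllowed(m_URL.isEmpty() ? URL() : document().completeURL(m_URL));`, since the overload returns `true` for an empty `completeURL` after the cap check. If the relaxation is intentional it should be called out in the ChangeLog. The overload's body continues past the end of the hunk.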

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLFrameElementBase.h (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/html/HTMLFrameElementBase.h	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLFrameElementBase.h	2017-02-17 05:28:26 UTC (rev 212532)
@@ -43,6 +43,8 @@
 
     bool canContainRangeEndPoint() const final { return false; }
 
+    bool isURLAllowed(const URL&) const override;
+
 protected:
     HTMLFrameElementBase(const QualifiedName&, Document&);
 

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLFrameOwnerElement.h (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/html/HTMLFrameOwnerElement.h	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLFrameOwnerElement.h	2017-02-17 05:28:26 UTC (rev 212532)
@@ -57,6 +57,8 @@
 
     void scheduleinvalidateStyleAndLayerComposition();
 
+    virtual bool isURLAllowed(const URL&) const { return true; }
+
 protected:
     HTMLFrameOwnerElement(const QualifiedName& tagName, Document&);
     void setSandboxFlags(SandboxFlags);
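Review bot: The new virtual defaults to fail-open, so every `HTMLFrameOwnerElement` subclass that does not override it — this diff only adds an override for `HTMLFrameElementBase` — will pass the `ownerElement.isURLAllowed(scriptURL)` check in `SubframeLoader::requestFrame` unconditionally, including the plug-in owner elements if they ever reach that path. That is probably acceptable today but is the kind of default that silently loses the check when a new owner type is added; at minimum document it: `// Fail-open by default; owner elements that can navigate to a javascript: URL must override this to enforce their own policy.` A fail-closed default with an explicit `true` in the subclasses that need it would be the safer shape if all callers are known.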

Modified: branches/safari-603-branch/Source/WebCore/html/HTMLObjectElement.cpp (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/html/HTMLObjectElement.cpp	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/html/HTMLObjectElement.cpp	2017-02-17 05:28:26 UTC (rev 212532)
@@ -324,7 +324,7 @@
     if (!renderer()) // Do not load the plugin if beforeload removed this element or its renderer.
         return;
 
-    bool success = beforeLoadAllowedLoad && hasValidClassId();
+    bool success = beforeLoadAllowedLoad && hasValidClassId() && allowedToLoadFrameURL(url);
     if (success)
         success = requestObject(url, serviceType, paramNames, paramValues);
     if (!success && hasFallbackContent())
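Review bot: The recheck uses the `url` local that was captured before the beforeload dispatch (outside this hunk), so whether it actually catches a `<base>` inserted by the event handler depends on `allowedToLoadFrameURL` re-completing that string against the document's current base rather than operating on an already-resolved URL; a short comment stating that expectation, e.g. `// url is the raw attribute value; allowedToLoadFrameURL re-resolves it against the (possibly changed) base URL.`, would make the intent checkable. Placing the call last in the `&&` chain is right, since it keeps the disallowed-URL case on the existing fallback-content path. `updateWidget` begins before the hunk.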

Modified: branches/safari-603-branch/Source/WebCore/loader/SubframeLoader.cpp (212531 => 212532)


--- branches/safari-603-branch/Source/WebCore/loader/SubframeLoader.cpp	2017-02-17 05:28:21 UTC (rev 212531)
+++ branches/safari-603-branch/Source/WebCore/loader/SubframeLoader.cpp	2017-02-17 05:28:26 UTC (rev 212532)
@@ -91,7 +91,7 @@
     if (!frame)
         return false;
 
-    if (!scriptURL.isEmpty())
+    if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL))
         frame->script().executeIfJavaScriptURL(scriptURL);
 
     return true;
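Review bot: A refused `javascript:` URL is now dropped silently while the function still returns `true`, so the caller cannot tell the script was suppressed; a one-line comment such as `// Re-check after frame creation: JS run during the load may have changed the document/base, so the script URL may no longer be allowed.` would at least document that this is deliberate. Note also that `isURLAllowed(const URL&)` as implemented in `HTMLFrameElementBase` runs the `Page::maxNumberOfFrames` check first, and by this point the subframe has presumably already been created above the hunk; if `subframeCount()` includes the new frame, a page sitting exactly one below the cap will get its frame but lose its `javascript:` URL, which the earlier pre-creation check did not do. Confirm whether that edge is intended or whether the script-URL recheck should skip the frame-count clause. The function's beginning lies outside the hunk.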