Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 08:47:36 UTC (rev 216364)
@@ -1,3 +1,19 @@
+2017-04-18 Brent Fulgham <[email protected]>
+
+ Correct handling of isolatedWorld in event handling
+ https://bugs.webkit.org/show_bug.cgi?id=65589
+ <rdar://problem/24097804>
+
+ Reviewed by Geoffrey Garen.
+
+ This following test cases are from the following Blink change:
+ https://src.chromium.org/viewvc/blink?revision=152377&view=revision
+
+ * fast/dom/event-attrs-isolated-world-expected.txt: Added.
+ * fast/dom/event-attrs-isolated-world.html: Added.
+ * http/tests/security/isolatedWorld/onclick-attribute-expected.txt: Added.
+ * http/tests/security/isolatedWorld/onclick-attribute.html: Added.
+
2017-04-16 Chris Dumez <[email protected]>
CMD+R / CMD+Q is considered as user interaction and beforeunload alert is shown
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/event-attrs-isolated-world-expected.txt (0 => 216364)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/event-attrs-isolated-world-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/event-attrs-isolated-world-expected.txt 2017-05-08 08:47:36 UTC (rev 216364)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: line 1: PASS: Main world object not visible in isolated world
+CONSOLE MESSAGE: line 1: PASS: Got back isolated world wrapper
+CONSOLE MESSAGE: line 1: PASS: Declarative onclick handler did not leak to the isolated world
+DOM wrappers should not leak across world boundaries via onevent attributes
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Got back main world wrapper
+PASS successfullyParsed is true
+
+TEST COMPLETE
+DOM wrappers should not leak across world boundaries via onevent attributes
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/event-attrs-isolated-world.html (0 => 216364)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/event-attrs-isolated-world.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/dom/event-attrs-isolated-world.html 2017-05-08 08:47:36 UTC (rev 216364)
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<head>
+ <script src=""
+ <script>
+ description("DOM wrappers should not leak across world boundaries via onevent attributes");
+ </script>
+</head>
+<body>
+ <div _onclick_="console.log('clicked')">DOM wrappers should not leak across world boundaries via onevent attributes</div>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document._onload_ = document;
+
+ testRunner.evaluateScriptInIsolatedWorld(1,
+ 'if (document._onload_ === null) {' +
+ ' console.log("PASS: Main world object not visible in isolated world");' +
+ '} else {' +
+ ' console.log("FAIL: Main world object visible in isolated world!");' +
+ '}' +
+ 'document._onload_ = document;' +
+ 'if (document._onload_ === document) {' +
+ ' console.log("PASS: Got back isolated world wrapper");' +
+ '} else {' +
+ ' console.log("FAIL! Got back:" + document.onload);' +
+ '}' +
+ 'if (document.querySelector("div")._onclick_ === null) {' +
+ ' console.log("PASS: Declarative onclick handler did not leak to the isolated world");' +
+ '} else {' +
+ ' console.log("FAIL: onclick handler leaked to isolated world");' +
+ '}'
+ );
+
+ if (document._onload_ === document)
+ testPassed("Got back main world wrapper");
+ else
+ testFailed("Got back: " + document.onload);
+ </script>
+</body>
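Review bot: The call to `testRunner.evaluateScriptInIsolatedWorld(1, ...)` sits outside the `if (window.testRunner)` guard that protects `dumpAsText()` a few lines above, so loading the page without the test harness throws before the main-world check at the end runs. Wrapping the call in the same guard, as onclick-attribute.html in this commit does, keeps the page loadable by hand. Nothing in this test clicks the div either, so it shows that the declarative handler reads as null in the isolated world but not that it still fires in the main world.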
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/isolatedWorld/onclick-attribute-expected.txt (0 => 216364)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/isolatedWorld/onclick-attribute-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/isolatedWorld/onclick-attribute-expected.txt 2017-05-08 08:47:36 UTC (rev 216364)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: line 1: PASS: onclick handler is not visible in isolated world.
+ALERT: undefined
+Event handlers should be unique in isolated worlds.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+link
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/isolatedWorld/onclick-attribute.html (0 => 216364)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/isolatedWorld/onclick-attribute.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/isolatedWorld/onclick-attribute.html 2017-05-08 08:47:36 UTC (rev 216364)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script>
+ description("Event handlers should be unique in isolated worlds.");
+ </script>
+</head>
+<body>
+ <a _onclick_="setTimeout('alert(window.extension_private); top.postMessage(\'done\', \'*\')');">link</a>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ Object.prototype.foo = 'FAIL: Main world property visible in isolated world.';
+
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.evaluateScriptInIsolatedWorld(0,
+ "var extension_private = 'FAIL: Isolated world variable visible in main world.';" +
+ "if (document.body.getElementsByTagName('a')[0]._onclick_ === null) {" +
+ " console.log('PASS: onclick handler is not visible in isolated world.');" +
+ "} else {" +
+ " console.log('FAIL: onclick handler was visible.');" +
+ "}");
+ document.body.getElementsByTagName('a')[0].onclick();
+ }
+
+ addEventListener('message', function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, false);
+ </script>
+</body>
+</html>
\ No newline at end of file
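Review bot: `Object.prototype.foo` is assigned a FAIL string in the main world, but the script passed to `evaluateScriptInIsolatedWorld` never reads `foo`, so that direction of the isolation check is never exercised. Either drop the assignment or have the isolated script report on it, for example by adding `"if (({}).foo) console.log(({}).foo);" +` to the script string. As written, the expected output only covers the `onclick` attribute reading as null in the isolated world and `window.extension_private` being undefined in the main world.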
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 08:47:36 UTC (rev 216364)
@@ -1,3 +1,61 @@
+2017-04-18 Ryan Haddad <[email protected]>
+
+ Rebaseline bindings tests after r215486.
+
+ Unreviewed test gardening.
+
+ * bindings/scripts/test/JS/JSTestObj.cpp:
+ (WebCore::jsTestObjOnfooGetter):
+ (WebCore::jsTestObjOnwebkitfooGetter):
+
+2017-04-18 Brent Fulgham <[email protected]>
+
+ Correct handling of isolatedWorld in event handling
+ https://bugs.webkit.org/show_bug.cgi?id=65589
+ <rdar://problem/24097804>
+
+ Reviewed by Geoffrey Garen.
+
+ This patch was inspired by Adam's original patch as well as the
+ following Blink change:
+ https://src.chromium.org/viewvc/blink?revision=152377&view=revision
+
+ Thread isolatedWorld state through event handling logic.
+
+ Tests: fast/dom/event-attrs-isolated-world.html
+ http/tests/security/isolatedWorld/onclick-attribute.html
+
+ * bindings/js/JSEventListener.cpp:
+ (WebCore::JSEventListener::initializeJSFunction):
+ (WebCore::JSEventListener::world):
+ (WebCore::eventHandlerAttribute):
+ (WebCore::setEventHandlerAttribute):
+ (WebCore::windowEventHandlerAttribute):
+ (WebCore::setWindowEventHandlerAttribute):
+ (WebCore::documentEventHandlerAttribute):
+ (WebCore::setDocumentEventHandlerAttribute):
+ * bindings/js/JSEventListener.h:
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ * dom/Document.cpp:
+ (WebCore::Document::setWindowAttributeEventListener):
+ (WebCore::Document::getWindowAttributeEventListener):
+ * dom/Document.h:
+ * dom/Element.cpp:
+ (WebCore::Element::setAttributeEventListener):
+ * dom/EventTarget.cpp:
+ (WebCore::EventTarget::setAttributeEventListener):
+ (WebCore::EventTarget::attributeEventListener):
+ * dom/EventTarget.h:
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplacementFragment::ReplacementFragment):
+ * html/HTMLBodyElement.cpp:
+ (WebCore::HTMLBodyElement::parseAttribute):
+ * html/HTMLFrameSetElement.cpp:
+ (WebCore::HTMLFrameSetElement::parseAttribute):
+ * svg/SVGSVGElement.cpp:
+ (WebCore::SVGSVGElement::parseAttribute):
+
2017-04-18 Andreas Kling <[email protected]>
Break Document::m_associatedFormControls reference cycle.
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSEventListener.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSEventListener.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSEventListener.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2001 Peter Kelly ([email protected])
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -62,7 +62,7 @@
JSObject* JSEventListener::initializeJSFunction(ScriptExecutionContext*) const
{
- return 0;
+ return nullptr;
}
void JSEventListener::visitJSFunction(SlotVisitor& visitor)
@@ -216,31 +216,31 @@
return JSEventListener::create(asObject(listener), &wrapper, true, currentWorld(&state));
}
-JSC::JSValue eventHandlerAttribute(EventTarget& target, const AtomicString& eventType)
+JSC::JSValue eventHandlerAttribute(EventTarget& target, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
- return eventHandlerAttribute(target.attributeEventListener(eventType), *target.scriptExecutionContext());
+ return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
}
void setEventHandlerAttribute(JSC::ExecState& state, JSC::JSObject& wrapper, EventTarget& target, const AtomicString& eventType, JSC::JSValue value)
{
- target.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, wrapper));
+ target.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, wrapper), currentWorld(&state));
}
-JSC::JSValue windowEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType)
+JSC::JSValue windowEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
auto& document = element.document();
- return eventHandlerAttribute(document.getWindowAttributeEventListener(eventType), document);
+ return eventHandlerAttribute(document.getWindowAttributeEventListener(eventType, isolatedWorld), document);
}
void setWindowEventHandlerAttribute(JSC::ExecState& state, JSC::JSObject& wrapper, HTMLElement& element, const AtomicString& eventType, JSC::JSValue value)
{
ASSERT(wrapper.globalObject());
- element.document().setWindowAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *wrapper.globalObject()));
+ element.document().setWindowAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *wrapper.globalObject()), currentWorld(&state));
}
-JSC::JSValue windowEventHandlerAttribute(DOMWindow& window, const AtomicString& eventType)
+JSC::JSValue windowEventHandlerAttribute(DOMWindow& window, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
- return eventHandlerAttribute(window, eventType);
+ return eventHandlerAttribute(window, eventType, isolatedWorld);
}
void setWindowEventHandlerAttribute(JSC::ExecState& state, JSC::JSObject& wrapper, DOMWindow& window, const AtomicString& eventType, JSC::JSValue value)
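Review bot: The getters and setters in this hunk take their world from different places: each getter receives `isolatedWorld` from its caller (the generated bindings pass `worldForDOMObject(&thisObject)`), while each setter computes `currentWorld(&state)` itself. These are presumably the same world in practice, but if the wrapper's world and the executing world ever differ, a handler stored by the setter would not be returned by the matching getter. The `onerror` special case in CodeGeneratorJS.pm widens the gap by passing `worldForDOMObject(&thisObject)` on the setter side. Using one source for both directions, or adding a comment on why the two are equivalent, would make the isolation boundary easier to audit.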
@@ -248,10 +248,10 @@
setEventHandlerAttribute(state, wrapper, window, eventType, value);
}
-JSC::JSValue documentEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType)
+JSC::JSValue documentEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
auto& document = element.document();
- return eventHandlerAttribute(document.attributeEventListener(eventType), document);
+ return eventHandlerAttribute(document.attributeEventListener(eventType, isolatedWorld), document);
}
void setDocumentEventHandlerAttribute(JSC::ExecState& state, JSC::JSObject& wrapper, HTMLElement& element, const AtomicString& eventType, JSC::JSValue value)
@@ -260,12 +260,12 @@
auto& document = element.document();
auto* documentWrapper = JSC::jsCast<JSDocument*>(toJS(&state, JSC::jsCast<JSDOMGlobalObject*>(wrapper.globalObject()), document));
ASSERT(documentWrapper);
- document.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *documentWrapper));
+ document.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *documentWrapper), currentWorld(&state));
}
-JSC::JSValue documentEventHandlerAttribute(Document& document, const AtomicString& eventType)
+JSC::JSValue documentEventHandlerAttribute(Document& document, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
- return eventHandlerAttribute(document, eventType);
+ return eventHandlerAttribute(document, eventType, isolatedWorld);
}
void setDocumentEventHandlerAttribute(JSC::ExecState& state, JSC::JSObject& wrapper, Document& document, const AtomicString& eventType, JSC::JSValue value)
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSEventListener.h (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSEventListener.h 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSEventListener.h 2017-05-08 08:47:36 UTC (rev 216364)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2001 Peter Kelly ([email protected])
- * Copyright (C) 2003, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -25,6 +25,7 @@
#include <heap/Weak.h>
#include <heap/WeakInlines.h>
#include <wtf/Ref.h>
+#include <wtf/TypeCasts.h>
#include <wtf/text/TextPosition.h>
#include <wtf/text/WTFString.h>
@@ -91,19 +92,19 @@
};
// For "onxxx" attributes that automatically set up _javascript_ event listeners.
-JSC::JSValue eventHandlerAttribute(EventTarget&, const AtomicString& eventType);
+JSC::JSValue eventHandlerAttribute(EventTarget&, const AtomicString& eventType, DOMWrapperWorld&);
void setEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, EventTarget&, const AtomicString& eventType, JSC::JSValue);
// Like the functions above, but for attributes that forward event handlers to the window object rather than setting them on the target.
-JSC::JSValue windowEventHandlerAttribute(HTMLElement&, const AtomicString& eventType);
+JSC::JSValue windowEventHandlerAttribute(HTMLElement&, const AtomicString& eventType, DOMWrapperWorld&);
void setWindowEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, HTMLElement&, const AtomicString& eventType, JSC::JSValue);
-JSC::JSValue windowEventHandlerAttribute(DOMWindow&, const AtomicString& eventType);
+JSC::JSValue windowEventHandlerAttribute(DOMWindow&, const AtomicString& eventType, DOMWrapperWorld&);
void setWindowEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, DOMWindow&, const AtomicString& eventType, JSC::JSValue);
// Like the functions above, but for attributes that forward event handlers to the document rather than setting them on the target.
-JSC::JSValue documentEventHandlerAttribute(HTMLElement&, const AtomicString& eventType);
+JSC::JSValue documentEventHandlerAttribute(HTMLElement&, const AtomicString& eventType, DOMWrapperWorld&);
void setDocumentEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, HTMLElement&, const AtomicString& eventType, JSC::JSValue);
-JSC::JSValue documentEventHandlerAttribute(Document&, const AtomicString& eventType);
+JSC::JSValue documentEventHandlerAttribute(Document&, const AtomicString& eventType, DOMWrapperWorld&);
void setDocumentEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, Document&, const AtomicString& eventType, JSC::JSValue);
inline JSC::JSObject* JSEventListener::jsFunction(ScriptExecutionContext* scriptExecutionContext) const
@@ -138,3 +139,7 @@
}
} // namespace WebCore
+
+SPECIALIZE_TYPE_TRAITS_BEGIN(WebCore::JSEventListener)
+static bool isType(const WebCore::EventListener& input) { return input.type() == WebCore::JSEventListener::JSEventListenerType; }
+SPECIALIZE_TYPE_TRAITS_END()
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-05-08 08:47:36 UTC (rev 216364)
@@ -3662,7 +3662,7 @@
: $attribute->extendedAttributes->{DocumentEventHandler} ? "documentEventHandlerAttribute"
: "eventHandlerAttribute";
my $eventName = EventHandlerAttributeEventName($attribute);
- push(@implContent, " return $getter(thisObject.wrapped(), $eventName);\n");
+ push(@implContent, " return $getter(thisObject.wrapped(), $eventName, worldForDOMObject(&thisObject));\n");
} elsif ($codeGenerator->IsConstructorType($attribute->type)) {
my $constructorType = $attribute->type->name;
$constructorType =~ s/Constructor$//;
@@ -3834,7 +3834,7 @@
# FIXME: Find a way to do this special case without hardcoding the class and attribute names here.
if ((($interfaceName eq "DOMWindow") or ($interfaceName eq "WorkerGlobalScope")) and $name eq "onerror") {
$implIncludes{"JSErrorHandler.h"} = 1;
- push(@implContent, " thisObject.wrapped().setAttributeEventListener($eventName, createJSErrorHandler(&state, value, &thisObject));\n");
+ push(@implContent, " thisObject.wrapped().setAttributeEventListener($eventName, createJSErrorHandler(&state, value, &thisObject), worldForDOMObject(&thisObject));\n");
} else {
$implIncludes{"JSEventListener.h"} = 1;
my $setter = $attribute->extendedAttributes->{WindowEventHandler} ? "setWindowEventHandlerAttribute"
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -2863,7 +2863,7 @@
{
UNUSED_PARAM(throwScope);
UNUSED_PARAM(state);
- return eventHandlerAttribute(thisObject.wrapped(), eventNames().fooEvent);
+ return eventHandlerAttribute(thisObject.wrapped(), eventNames().fooEvent, worldForDOMObject(&thisObject));
}
static inline JSValue jsTestObjOnwebkitfooGetter(ExecState&, JSTestObj&, ThrowScope& throwScope);
@@ -2877,7 +2877,7 @@
{
UNUSED_PARAM(throwScope);
UNUSED_PARAM(state);
- return eventHandlerAttribute(thisObject.wrapped(), eventNames().fooEvent);
+ return eventHandlerAttribute(thisObject.wrapped(), eventNames().fooEvent, worldForDOMObject(&thisObject));
}
static inline JSValue jsTestObjWithScriptStateAttributeGetter(ExecState&, JSTestObj&, ThrowScope& throwScope);
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -4051,30 +4051,30 @@
return const_cast<Document&>(*this);
}
-void Document::setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue)
+void Document::setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue, DOMWrapperWorld& isolatedWorld)
{
- setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue));
+ setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue), isolatedWorld);
}
-void Document::setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener)
+void Document::setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener, DOMWrapperWorld& isolatedWorld)
{
if (!m_domWindow)
return;
- m_domWindow->setAttributeEventListener(eventType, WTFMove(listener));
+ m_domWindow->setAttributeEventListener(eventType, WTFMove(listener), isolatedWorld);
}
-void Document::setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue)
+void Document::setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue, DOMWrapperWorld& isolatedWorld)
{
if (!m_domWindow)
return;
- setWindowAttributeEventListener(eventType, JSLazyEventListener::create(*m_domWindow, attributeName, attributeValue));
+ setWindowAttributeEventListener(eventType, JSLazyEventListener::create(*m_domWindow, attributeName, attributeValue), isolatedWorld);
}
-EventListener* Document::getWindowAttributeEventListener(const AtomicString& eventType)
+EventListener* Document::getWindowAttributeEventListener(const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
if (!m_domWindow)
return nullptr;
- return m_domWindow->attributeEventListener(eventType);
+ return m_domWindow->attributeEventListener(eventType, isolatedWorld);
}
void Document::dispatchWindowEvent(Event& event, EventTarget* target)
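Review bot: The overloads that build a `JSLazyEventListener` from an attribute string accept any `DOMWrapperWorld&`, yet `JSLazyEventListener::create(...)` is not given that world, so the world recorded on the listener (decided inside JSLazyEventListener, not visible here) can differ from the one used to find and replace the previous handler. Every caller in this commit passes `mainThreadNormalWorld()`, and `Element::setAttributeEventListener` hard-codes it. Doing the same here, or asserting in `EventTarget::setAttributeEventListener` that the two agree with `ASSERT(!listener || &downcast<JSEventListener>(*listener).isolatedWorld() == &isolatedWorld);`, would stop a mismatch from silently leaving a stale handler registered.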
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.h (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.h 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.h 2017-05-08 08:47:36 UTC (rev 216364)
@@ -757,9 +757,9 @@
void setContextDocument(Document& document) { m_contextDocument = document.createWeakPtr(); }
// Helper functions for forwarding DOMWindow event related tasks to the DOMWindow if it exists.
- void setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value);
- void setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&);
- EventListener* getWindowAttributeEventListener(const AtomicString& eventType);
+ void setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value, DOMWrapperWorld&);
+ void setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&, DOMWrapperWorld&);
+ EventListener* getWindowAttributeEventListener(const AtomicString& eventType, DOMWrapperWorld&);
WEBCORE_EXPORT void dispatchWindowEvent(Event&, EventTarget* = nullptr);
void dispatchWindowLoadEvent();
@@ -1275,7 +1275,7 @@
#endif
using ContainerNode::setAttributeEventListener;
- void setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value);
+ void setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value, DOMWrapperWorld& isolatedWorld);
DOMSelection* getSelection();
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Element.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Element.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Element.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -4,7 +4,7 @@
* (C) 2001 Peter Kelly ([email protected])
* (C) 2001 Dirk Mueller ([email protected])
* (C) 2007 David Smith ([email protected])
- * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
* (C) 2007 Eric Seidel ([email protected])
*
* This library is free software; you can redistribute it and/or
@@ -2055,7 +2055,7 @@
void Element::setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue)
{
- setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue));
+ setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue), mainThreadNormalWorld());
}
void Element::setIsNamedFlowContentElement()
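Review bot: `mainThreadNormalWorld()` is hard-coded here without a comment, although this is the line that decides that handlers written as content attributes never belong to an isolated world. A one-line comment would record that intent, for example `// Content-attribute handlers always live in the normal world; isolated worlds read null for them.` The two layout tests added in this commit depend on exactly this behaviour.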
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/EventTarget.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/EventTarget.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/EventTarget.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll ([email protected])
* (C) 1999 Antti Koivisto ([email protected])
* (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
* Copyright (C) 2006 Alexey Proskuryakov ([email protected])
* (C) 2007, 2008 Nikolas Zimmermann <[email protected]>
*
@@ -32,9 +32,11 @@
#include "config.h"
#include "EventTarget.h"
+#include "DOMWrapperWorld.h"
#include "EventNames.h"
#include "ExceptionCode.h"
#include "InspectorInstrumentation.h"
+#include "JSEventListener.h"
#include "NoEventDispatchAssertion.h"
#include "ScriptController.h"
#include "WebKitAnimationEvent.h"
@@ -104,9 +106,9 @@
return data && data->eventListenerMap.remove(eventType, listener, options.capture);
}
-bool EventTarget::setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener)
+bool EventTarget::setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener, DOMWrapperWorld& isolatedWorld)
{
- auto* existingListener = attributeEventListener(eventType);
+ auto* existingListener = attributeEventListener(eventType, isolatedWorld);
if (!listener) {
if (existingListener)
removeEventListener(eventType, *existingListener, false);
@@ -119,12 +121,18 @@
return addEventListener(eventType, listener.releaseNonNull());
}
-EventListener* EventTarget::attributeEventListener(const AtomicString& eventType)
+EventListener* EventTarget::attributeEventListener(const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
{
for (auto& eventListener : eventListeners(eventType)) {
- if (eventListener->callback().isAttribute())
- return &eventListener->callback();
+ auto& listener = eventListener->callback();
+ if (!listener.isAttribute())
+ continue;
+
+ auto& listenerWorld = downcast<JSEventListener>(listener).isolatedWorld();
+ if (&listenerWorld == &isolatedWorld)
+ return &listener;
}
+
return nullptr;
}
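Review bot: `downcast<JSEventListener>(listener)` is applied to every listener whose `isAttribute()` returns true, which is only safe if no other `EventListener` subclass ever reports itself as an attribute listener. That invariant is not visible in this hunk, and if the type check inside `downcast<>` is an assertion, as it appears to be in WTF's TypeCasts.h, a violation becomes a wrong-type access in release builds. Checking the type explicitly with `if (!listener.isAttribute() || !is<JSEventListener>(listener)) continue;` costs one comparison, now that the type traits are specialized in JSEventListener.h.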
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/EventTarget.h (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/EventTarget.h 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/EventTarget.h 2017-05-08 08:47:36 UTC (rev 216364)
@@ -2,7 +2,7 @@
* Copyright (C) 1999 Lars Knoll ([email protected])
* (C) 1999 Antti Koivisto ([email protected])
* (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
* Copyright (C) 2006 Alexey Proskuryakov ([email protected])
* (C) 2007, 2008 Nikolas Zimmermann <[email protected]>
*
@@ -41,6 +41,7 @@
namespace WebCore {
class DOMWindow;
+class DOMWrapperWorld;
class Node;
struct EventTargetData {
@@ -104,8 +105,8 @@
virtual void uncaughtExceptionInEventHandler();
// Used for legacy "onevent" attributes.
- bool setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&);
- EventListener* attributeEventListener(const AtomicString& eventType);
+ bool setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&, DOMWrapperWorld&);
+ EventListener* attributeEventListener(const AtomicString& eventType, DOMWrapperWorld&);
bool hasEventListeners() const;
bool hasEventListeners(const AtomicString& eventType) const;
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/ReplaceSelectionCommand.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2017 Apple Inc. All rights reserved.
* Copyright (C) 2009, 2010, 2011 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -32,6 +32,7 @@
#include "BeforeTextInsertedEvent.h"
#include "BreakBlockquoteCommand.h"
#include "CSSStyleDeclaration.h"
+#include "DOMWrapperWorld.h"
#include "DataTransfer.h"
#include "Document.h"
#include "DocumentFragment.h"
@@ -167,7 +168,7 @@
Node* shadowAncestorNode = editableRoot->deprecatedShadowAncestorNode();
- if (!editableRoot->attributeEventListener(eventNames().webkitBeforeTextInsertedEvent)
+ if (!editableRoot->attributeEventListener(eventNames().webkitBeforeTextInsertedEvent, mainThreadNormalWorld())
&& !(shadowAncestorNode && shadowAncestorNode->renderer() && shadowAncestorNode->renderer()->isTextControl())
&& editableRoot->hasRichlyEditableStyle()) {
removeInterchangeNodes(m_fragment.get());
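Review bot: This condition used to ask whether the editable root has any `webkitBeforeTextInserted` attribute listener and now asks only about the normal world, so a handler installed through the attribute from an isolated world no longer keeps the code off this early path. If that is intended, a short comment such as `// Only normal-world (page script) attribute handlers are considered here.` would say so. The enclosing constructor starts and ends outside the hunk, so the full effect cannot be judged from these lines.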
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLBodyElement.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLBodyElement.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLBodyElement.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -3,7 +3,7 @@
* (C) 1999 Antti Koivisto ([email protected])
* (C) 2000 Simon Hausmann ([email protected])
* (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2006-2010, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -28,6 +28,7 @@
#include "CSSParser.h"
#include "CSSValueKeywords.h"
#include "DOMWindow.h"
+#include "DOMWrapperWorld.h"
#include "EventNames.h"
#include "Frame.h"
#include "FrameView.h"
@@ -173,13 +174,13 @@
}
if (name == onselectionchangeAttr) {
- document().setAttributeEventListener(eventNames().selectionchangeEvent, name, value);
+ document().setAttributeEventListener(eventNames().selectionchangeEvent, name, value, mainThreadNormalWorld());
return;
}
auto& eventName = eventNameForWindowEventHandlerAttribute(name);
if (!eventName.isNull()) {
- document().setWindowAttributeEventListener(eventName, name, value);
+ document().setWindowAttributeEventListener(eventName, name, value, mainThreadNormalWorld());
return;
}
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLFrameSetElement.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLFrameSetElement.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLFrameSetElement.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -3,7 +3,7 @@
* (C) 1999 Antti Koivisto ([email protected])
* (C) 2000 Simon Hausmann ([email protected])
* (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2006, 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -25,6 +25,7 @@
#include "HTMLFrameSetElement.h"
#include "CSSPropertyNames.h"
+#include "DOMWrapperWorld.h"
#include "Document.h"
#include "ElementIterator.h"
#include "Event.h"
@@ -142,7 +143,7 @@
auto& eventName = HTMLBodyElement::eventNameForWindowEventHandlerAttribute(name);
if (!eventName.isNull()) {
- document().setWindowAttributeEventListener(eventName, name, value);
+ document().setWindowAttributeEventListener(eventName, name, value, mainThreadNormalWorld());
return;
}
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/svg/SVGSVGElement.cpp (216363 => 216364)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/svg/SVGSVGElement.cpp 2017-05-08 08:24:36 UTC (rev 216363)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/svg/SVGSVGElement.cpp 2017-05-08 08:47:36 UTC (rev 216364)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2004, 2005, 2006 Nikolas Zimmermann <[email protected]>
* Copyright (C) 2004, 2005, 2006, 2007, 2008, 2010 Rob Buis <[email protected]>
- * Copyright (C) 2007, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
* Copyright (C) 2014 Adobe Systems Incorporated. All rights reserved.
*
* This library is free software; you can redistribute it and/or
@@ -24,6 +24,7 @@
#include "SVGSVGElement.h"
#include "CSSHelper.h"
+#include "DOMWrapperWorld.h"
#include "ElementIterator.h"
#include "EventNames.h"
#include "FrameSelection.h"
@@ -215,19 +216,19 @@
// For these events, the outermost <svg> element works like a <body> element does,
// setting certain event handlers directly on the window object.
if (name == HTMLNames::onunloadAttr) {
- document().setWindowAttributeEventListener(eventNames().unloadEvent, name, value);
+ document().setWindowAttributeEventListener(eventNames().unloadEvent, name, value, mainThreadNormalWorld());
return;
}
if (name == HTMLNames::onresizeAttr) {
- document().setWindowAttributeEventListener(eventNames().resizeEvent, name, value);
+ document().setWindowAttributeEventListener(eventNames().resizeEvent, name, value, mainThreadNormalWorld());
return;
}
if (name == HTMLNames::onscrollAttr) {
- document().setWindowAttributeEventListener(eventNames().scrollEvent, name, value);
+ document().setWindowAttributeEventListener(eventNames().scrollEvent, name, value, mainThreadNormalWorld());
return;
}
if (name == SVGNames::onzoomAttr) {
- document().setWindowAttributeEventListener(eventNames().zoomEvent, name, value);
+ document().setWindowAttributeEventListener(eventNames().zoomEvent, name, value, mainThreadNormalWorld());
return;
}
}
@@ -236,11 +237,11 @@
// setting certain event handlers directly on the window object.
// FIXME: Why different from the events above that work only on the outermost <svg> element?
if (name == HTMLNames::onabortAttr) {
- document().setWindowAttributeEventListener(eventNames().abortEvent, name, value);
+ document().setWindowAttributeEventListener(eventNames().abortEvent, name, value, mainThreadNormalWorld());
return;
}
if (name == HTMLNames::onerrorAttr) {
- document().setWindowAttributeEventListener(eventNames().errorEvent, name, value);
+ document().setWindowAttributeEventListener(eventNames().errorEvent, name, value, mainThreadNormalWorld());
return;
}