Title: [235300] releases/WebKitGTK/webkit-2.22
Revision
235300
Author
[email protected]
Date
2018-08-24 01:09:43 -0700 (Fri, 24 Aug 2018)

Log Message

Merge r235121 - Disallow navigations when page cache updates the current document of the frame
https://bugs.webkit.org/show_bug.cgi?id=188422

Reviewed by Ryosuke Niwa.

Source/WebCore:

Make use of NavigationDisabler to disallow navigations when associating the cached
document back with its frame (i.e. calling Frame::setDocument()).

When we associate a cached document with its frame we will construct its render tree
and run post style resolution callbacks that can do anything, including performing
a frame load. Until page restoration is complete the frame tree is in a transient
state that makes reasoning about it difficult and error prone. We should not allow
navigations in this state.

Test: fast/history/go-back-to-object-subframe.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::open):

LayoutTests:

Add a test case that ensures that we do not hit the assertion ASSERT(ownerFrame || m_frame.isMainFrame())
in FrameLoader::addExtraFieldsToRequest() when navigating back to a page that loads a nested
page, whose URL contains a fragment, via an HTML object element. This assertion fails if
navigations are allowed when restoring a page from the page cache.

This change does not prevent navigations initiated from a pageshow event handler.

* fast/history/go-back-to-object-subframe-expected.txt: Added.
* fast/history/go-back-to-object-subframe.html: Added.

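As an added illustration of the scoped-guard pattern the commit message describes (this is a constructed model, not WebKit's NavigationDisabler, Frame or FrameLoader code; the URLs are sample values): navigations attempted by post style resolution callbacks while the cached document is being attached are refused, while a navigation after the guard's scope ends, such as one from a pageshow handler, still goes ahead.

```cpp
// Illustrative model of the scoped navigation-disable pattern; not WebKit's own classes.
#include <functional>
#include <string>
#include <vector>

struct Frame {
    int navigationDisableCount = 0;        // > 0 while a NavigationDisabler is alive
    std::vector<std::string> loadedURLs;   // navigations that went ahead
    std::vector<std::string> refusedURLs;  // navigations dropped while disabled
    bool isNavigationAllowed() const { return navigationDisableCount == 0; }

    // Stand-in for FrameLoader::load(): the request is dropped while navigation is disabled.
    bool load(const std::string& url)
    {
        if (!isNavigationAllowed()) { refusedURLs.push_back(url); return false; }
        loadedURLs.push_back(url);
        return true;
    }
};

// RAII guard: disables navigation on the frame for exactly the enclosing scope.
class NavigationDisabler {
public:
    explicit NavigationDisabler(Frame& frame) : m_frame(frame) { ++m_frame.navigationDisableCount; }
    ~NavigationDisabler() { --m_frame.navigationDisableCount; }
    NavigationDisabler(const NavigationDisabler&) = delete;
    NavigationDisabler& operator=(const NavigationDisabler&) = delete;
private:
    Frame& m_frame;
};

// Stand-in for Frame::setDocument(): attaching the cached document runs post style resolution
// callbacks, e.g. an <object> element loading its subframe content (constructed URL below).
void setDocument(Frame& frame, const std::vector<std::function<void(Frame&)>>& callbacks)
{
    for (const auto& callback : callbacks)
        callback(frame);
}

// The restore path as patched: setDocument() runs inside the guard, later work outside it.
Frame restoreFromPageCache()
{
    Frame frame;
    {
        NavigationDisabler disableNavigation { frame };
        setDocument(frame, { [](Frame& f) { f.load("subframe.html#fragment"); } });
    }
    frame.load("navigated-from-pageshow.html"); // not prevented by the fix, as the ChangeLog notes
    return frame;
}
```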
Diff

Modified: releases/WebKitGTK/webkit-2.22/LayoutTests/ChangeLog (235299 => 235300)


--- releases/WebKitGTK/webkit-2.22/LayoutTests/ChangeLog	2018-08-24 08:09:35 UTC (rev 235299)
+++ releases/WebKitGTK/webkit-2.22/LayoutTests/ChangeLog	2018-08-24 08:09:43 UTC (rev 235300)
@@ -1,3 +1,20 @@
+2018-08-21  Daniel Bates  <[email protected]>
+
+        Disallow navigations when page cache updates the current document of the frame
+        https://bugs.webkit.org/show_bug.cgi?id=188422
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a test case that ensures that we do not hit the assertion ASSERT(ownerFrame || m_frame.isMainFrame())
+        in FrameLoader::addExtraFieldsToRequest() when navigating back to a page that loads a nested
+        page, whose URL contains a fragment, via an HTML object element. This assertion fails if
+        navigations are allowed when restoring a page from the page cache.
+
+        This change does not prevent navigations initiated from a pageshow event handler.
+
+        * fast/history/go-back-to-object-subframe-expected.txt: Added.
+        * fast/history/go-back-to-object-subframe.html: Added.
+
 2018-08-20  Devin Rousso  <[email protected]>
 
         Web Inspector: allow breakpoints to be set for specific event listeners
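Review bot: The entry says the new test "ensures that we do not hit the assertion ASSERT(ownerFrame || m_frame.isMainFrame())", but ASSERT is compiled out of release builds, so the test only detects the regression in debug builds where the assertion fires; the entry would be clearer if it said the test is a debug-only crash regression test, since its expected output is just "PASS. You didn't crash."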

Added: releases/WebKitGTK/webkit-2.22/LayoutTests/fast/history/go-back-to-object-subframe-expected.txt (0 => 235300)


--- releases/WebKitGTK/webkit-2.22/LayoutTests/fast/history/go-back-to-object-subframe-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.22/LayoutTests/fast/history/go-back-to-object-subframe-expected.txt	2018-08-24 08:09:43 UTC (rev 235300)
@@ -0,0 +1,2 @@
+PASS. You didn't crash.
+

Added: releases/WebKitGTK/webkit-2.22/LayoutTests/fast/history/go-back-to-object-subframe.html (0 => 235300)


--- releases/WebKitGTK/webkit-2.22/LayoutTests/fast/history/go-back-to-object-subframe.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.22/LayoutTests/fast/history/go-back-to-object-subframe.html	2018-08-24 08:09:43 UTC (rev 235300)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+    testRunner.waitUntilDone();
+}
+
+function runTest(e)
+{
+    if (e.persisted) {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    } else {
+        // Navigate using a timeout to make sure we generate a history entry that we can go back to.
+        setTimeout(() => { location.href = "" + "script>"; }, 0);
+    }
+}
+
+window._onpageshow_ = runTest;
+</script>
+</head>
+<body>
+<div>PASS. You didn't crash.</div>
+<object data=""  width="400" height="200" style="border: 1px solid black"></object>
+</body>
+</html>
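Review bot: The handler is installed as `window._onpageshow_ = runTest;`, which is not the standard `window.onpageshow` property, so as shown `runTest` would never be called and the test would time out on `waitUntilDone()` instead of navigating and coming back; the underscores look like rendering damage and the line should read `window.onpageshow = runTest;`. The same applies to `location.href = "" + "script>";` and `<object data="" ...>`: the navigated-to URL and the object's data URL (the nested page whose URL contains a fragment, per the ChangeLog) are empty in the displayed hunk, so the test as displayed does not exercise the described scenario; please confirm the committed file carries the real URLs.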

Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog (235299 => 235300)


--- releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog	2018-08-24 08:09:35 UTC (rev 235299)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog	2018-08-24 08:09:43 UTC (rev 235300)
@@ -1,5 +1,26 @@
 2018-08-21  Daniel Bates  <[email protected]>
 
+        Disallow navigations when page cache updates the current document of the frame
+        https://bugs.webkit.org/show_bug.cgi?id=188422
+
+        Reviewed by Ryosuke Niwa.
+
+        Make use of NavigationDisabler to disallow navigations when associating the cached
+        document back with its frame (i.e. calling Frame::setDocument()).
+
+        When we associate a cached document with its frame we will construct its render tree
+        and run post style resolution callbacks that can do anything, including performing
+        a frame load. Until page restoration is comnplete the frame tree is in a transient
+        state that makes reasoning about it difficult and error prone. We should not allow
+        navigations in this state.
+
+        Test: fast/history/go-back-to-object-subframe.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::open):
+
+2018-08-21  Daniel Bates  <[email protected]>
+
         Replace TextCheckingTypeMask with OptionSet
         https://bugs.webkit.org/show_bug.cgi?id=188678
 
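Review bot: Typo in the new entry: "Until page restoration is comnplete" should read "complete".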

Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/loader/FrameLoader.cpp (235299 => 235300)


--- releases/WebKitGTK/webkit-2.22/Source/WebCore/loader/FrameLoader.cpp	2018-08-24 08:09:35 UTC (rev 235299)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/loader/FrameLoader.cpp	2018-08-24 08:09:43 UTC (rev 235300)
@@ -2270,8 +2270,15 @@
     // Use the previous ScrollView's frame rect.
     if (previousViewFrameRect)
         view->setFrameRect(previousViewFrameRect.value());
-    
-    m_frame.setDocument(document);
+
+    {
+        // Setting the document builds the render tree and runs post style resolution callbacks that can do anything,
+        // including loading a child frame before its been re-attached to the frame tree as part of this restore.
+        // For example, the HTML object element may load its content into a frame in a post style resolution callback.
+        NavigationDisabler disableNavigation { &m_frame };
+        m_frame.setDocument(document);
+    }
+
     document->domWindow()->resumeFromDocumentSuspension();
 
     updateFirstPartyForCookies();
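Review bot: Typo in the new comment: "before its been re-attached" should read "before it's been re-attached". Also, the guard's scope deliberately closes before `document->domWindow()->resumeFromDocumentSuspension();`, which matches the ChangeLog's note that navigations from a pageshow handler are not prevented; a one-line comment at the closing brace saying that the scope is intentionally limited to `setDocument()` would keep a future refactor from widening it by accident.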
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes