Title: [248136] branches/safari-608-branch

Diff

Modified: branches/safari-608-branch/LayoutTests/ChangeLog (248135 => 248136)


--- branches/safari-608-branch/LayoutTests/ChangeLog	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/LayoutTests/ChangeLog	2019-08-01 22:18:04 UTC (rev 248136)
@@ -1,3 +1,18 @@
+2019-08-01  Alan Coon  <[email protected]>
+
+        Apply patch. rdar://problem/53764238
+
+    2019-08-01  Sergei Glazunov  <[email protected]>
+
+            The maximum subframe count check should not be skipped for empty URLs.
+            https://bugs.webkit.org/show_bug.cgi?id=200032
+
+            Reviewed by Ryosuke Niwa.
+
+            * fast/dom/connected-subframe-counter-overflow-expected.txt: Added.
+            * fast/dom/connected-subframe-counter-overflow.html: Added.
+            * fast/frames/lots-of-iframes-expected.txt:
+
 2019-08-01  Ryan Haddad  <[email protected]>
 
         Cherry-pick r248111. rdar://problem/53829560

Modified: branches/safari-608-branch/LayoutTests/fast/frames/lots-of-iframes-expected.txt (248135 => 248136)


--- branches/safari-608-branch/LayoutTests/fast/frames/lots-of-iframes-expected.txt	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/LayoutTests/fast/frames/lots-of-iframes-expected.txt	2019-08-01 22:18:04 UTC (rev 248136)
@@ -1,2 +1,3 @@
 Sucessfully created 1000 frames.
 Successfully blocked creation of frame number 1001.
+

Modified: branches/safari-608-branch/Source/WebCore/ChangeLog (248135 => 248136)


--- branches/safari-608-branch/Source/WebCore/ChangeLog	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/Source/WebCore/ChangeLog	2019-08-01 22:18:04 UTC (rev 248136)
@@ -1,3 +1,26 @@
+2019-08-01  Alan Coon  <[email protected]>
+
+        Apply patch. rdar://problem/53764238
+
+    2019-08-01  Ryosuke Niwa  <[email protected]>
+
+            The maximum subframe count check should not be skipped for empty URLs.
+            https://bugs.webkit.org/show_bug.cgi?id=200032
+
+            Based on the patch by Sergei Glazunov (r247924).
+            Move the check closer to the actual frame creation code in loadSubframe.
+
+            Tests: fast/dom/connected-subframe-counter-overflow.html
+
+            * dom/Document.cpp:
+            (WebCore::Document::prepareForDestruction): Assert that all child frames have been detached.
+            * html/HTMLFrameElementBase.cpp:
+            (WebCore::HTMLFrameElementBase::isURLAllowed const):
+            * loader/SubframeLoader.cpp:
+            (WebCore::SubframeLoader::loadSubframe): Added the check here.
+            * page/Frame.cpp:
+            (WebCore::Frame::isURLAllowed const):
+
 2019-07-31  Alan Coon  <[email protected]>
 
         Cherry-pick r248080. rdar://problem/53788956

Modified: branches/safari-608-branch/Source/WebCore/dom/Document.cpp (248135 => 248136)


--- branches/safari-608-branch/Source/WebCore/dom/Document.cpp	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/Source/WebCore/dom/Document.cpp	2019-08-01 22:18:04 UTC (rev 248136)
@@ -2491,6 +2491,7 @@
         NavigationDisabler navigationDisabler(m_frame);
         disconnectDescendantFrames();
     }
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!m_frame || !m_frame->tree().childCount());
 
     if (m_domWindow && m_frame)
         m_domWindow->willDetachDocumentFromFrame();
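Review bot: The new RELEASE_ASSERT_WITH_SECURITY_IMPLICATION carries no comment saying which invariant it enforces, and the `!m_frame ||` half reads as an unrelated null check at first glance. A one-liner above it would make the intent explicit, e.g. `// Every child frame must already be detached here (disconnectDescendantFrames() above); a survivor means the subframe bookkeeping is broken.` The enclosing prepareForDestruction starts and ends outside this hunk, so whether the `if` block that calls disconnectDescendantFrames() covers every path with a non-null m_frame cannot be confirmed from the hunk alone.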

Modified: branches/safari-608-branch/Source/WebCore/html/HTMLFrameElementBase.cpp (248135 => 248136)


--- branches/safari-608-branch/Source/WebCore/html/HTMLFrameElementBase.cpp	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/Source/WebCore/html/HTMLFrameElementBase.cpp	2019-08-01 22:18:04 UTC (rev 248136)
@@ -65,9 +65,6 @@
 
 bool HTMLFrameElementBase::isURLAllowed(const URL& completeURL) const
 {
-    if (document().page() && document().page()->subframeCount() >= Page::maxNumberOfFrames)
-        return false;
-
     if (completeURL.isEmpty())
         return true;
 

Modified: branches/safari-608-branch/Source/WebCore/loader/SubframeLoader.cpp (248135 => 248136)


--- branches/safari-608-branch/Source/WebCore/loader/SubframeLoader.cpp	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/Source/WebCore/loader/SubframeLoader.cpp	2019-08-01 22:18:04 UTC (rev 248136)
@@ -329,6 +329,9 @@
     if (!SubframeLoadingDisabler::canLoadFrame(ownerElement))
         return nullptr;
 
+    if (!m_frame.page() || m_frame.page()->subframeCount() >= Page::maxNumberOfFrames)
+        return nullptr;
+
     ReferrerPolicy policy = ownerElement.referrerPolicy();
     if (policy == ReferrerPolicy::EmptyString)
         policy = document->referrerPolicy();
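Review bot: The added guard has no comment explaining why the subframe limit is enforced in loadSubframe rather than in the URL checks it replaces; per the ChangeLog the old check in HTMLFrameElementBase::isURLAllowed was bypassed because that function returns early for empty URLs, and a future reader is likely to move it back. Suggest `// Enforce the limit on every creation path; isURLAllowed() returns early for empty URLs, so the check cannot live there.` Note also that `!m_frame.page()` now refuses the load outright, whereas the removed check in HTMLFrameElementBase only refused when a page existed and the count was exceeded; that looks intentional (no page, no frame), but it is a behaviour change the ChangeLog does not call out. loadSubframe starts and ends outside this hunk, so whether subframeCount() already reflects the frame about to be created cannot be verified here.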

Modified: branches/safari-608-branch/Source/WebCore/page/Frame.cpp (248135 => 248136)


--- branches/safari-608-branch/Source/WebCore/page/Frame.cpp	2019-08-01 22:10:30 UTC (rev 248135)
+++ branches/safari-608-branch/Source/WebCore/page/Frame.cpp	2019-08-01 22:18:04 UTC (rev 248136)
@@ -968,10 +968,6 @@
 
 bool Frame::isURLAllowed(const URL& url) const
 {
-    // We allow one level of self-reference because some sites depend on that,
-    // but we don't allow more than one.
-    if (m_page->subframeCount() >= Page::maxNumberOfFrames)
-        return false;
     bool foundSelfReference = false;
     for (const Frame* frame = this; frame; frame = frame->tree().parent()) {
         if (equalIgnoringFragmentIdentifier(frame->document()->url(), url)) {
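Review bot: The removed comment "We allow one level of self-reference because some sites depend on that, but we don't allow more than one." documents the `foundSelfReference` loop that survives on the new side, not the subframe-count check that was deleted with it, so Frame::isURLAllowed loses its only explanation of the self-reference rule. Reinstate it directly above `bool foundSelfReference = false;`, e.g. `// We allow one level of self-reference because some sites depend on that, but we don't allow more than one.` The function continues past the end of this hunk.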