Title: [248175] trunk
Revision: 248175
Author: [email protected]
Date: 2019-08-02 13:22:18 -0700 (Fri, 02 Aug 2019)

Log Message

Web Inspector: Crash when interacting with Template Content in Console
https://bugs.webkit.org/show_bug.cgi?id=196280

Patch by Yury Semikhatsky <[email protected]> on 2019-08-02
Reviewed by Joseph Pecoraro.

Source/WebCore:

Test: inspector/dom/inspect-template-node.html

* bindings/js/JSDOMBindingSecurity.cpp:
(WebCore::canAccessDocument): if target element is from a
<template> use its host document to check the access. Elements
from the host document always have access to its template elements content.
* inspector/agents/InspectorDOMAgent.cpp:
(WebCore::InspectorDOMAgent::resolveNode): templates are created in
special template document which doesn't have a frame, in such case get
the frame from the host document.

LayoutTests:

* inspector/dom/inspect-template-node-expected.txt: Added.
* inspector/dom/inspect-template-node.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (248174 => 248175)


--- trunk/LayoutTests/ChangeLog	2019-08-02 20:09:06 UTC (rev 248174)
+++ trunk/LayoutTests/ChangeLog	2019-08-02 20:22:18 UTC (rev 248175)
@@ -1,3 +1,13 @@
+2019-08-02  Yury Semikhatsky  <[email protected]>
+
+        Web Inspector: Crash when interacting with Template Content in Console
+        https://bugs.webkit.org/show_bug.cgi?id=196280
+
+        Reviewed by Joseph Pecoraro.
+
+        * inspector/dom/inspect-template-node-expected.txt: Added.
+        * inspector/dom/inspect-template-node.html: Added.
+
 2019-08-02  Ryosuke Niwa  <[email protected]>
 
         Document::resume should delay resetting of form control elements.

Added: trunk/LayoutTests/inspector/dom/inspect-template-node-expected.txt (0 => 248175)


--- trunk/LayoutTests/inspector/dom/inspect-template-node-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/inspector/dom/inspect-template-node-expected.txt	2019-08-02 20:22:18 UTC (rev 248175)
@@ -0,0 +1,8 @@
+Test that document inside a template node can be passed to inspect() function in the console and referenced as $0.
+
+PASS: Evaluate an element in a template.
+PASS: Resolved js object id to DOM node id.
+PASS: Set $0 to the template element.
+PASS: Evaluate $0.
+PASS: Value of $0 is a <div> element.
+

Added: trunk/LayoutTests/inspector/dom/inspect-template-node.html (0 => 248175)


--- trunk/LayoutTests/inspector/dom/inspect-template-node.html	                        (rev 0)
+++ trunk/LayoutTests/inspector/dom/inspect-template-node.html	2019-08-02 20:22:18 UTC (rev 248175)
@@ -0,0 +1,48 @@
+<!doctype html>
+<html>
+<head>
+<template id="tmpl"><div>text</div></template>
+<script src=""
+<script>
+function test()
+{
+    function assertResponse(response, message) {
+        InspectorProtocol.checkForError(response);
+        ProtocolTest.log("PASS: " + message);
+    }
+
+    function evaluate$0() {
+        InspectorProtocol.sendCommand("Runtime.evaluate", {"_expression_": "$0.nodeName", "includeCommandLineAPI": true}, (response) => {
+            assertResponse(response, "Evaluate $0.");
+            ProtocolTest.expectEqual(response.result.result.value, "DIV", "Value of $0 is a <div> element.");
+            ProtocolTest.completeTest();
+        });
+    }
+
+    function setInspectedNode(nodeId) {
+        InspectorProtocol.sendCommand("DOM.setInspectedNode", {nodeId}, (response) => {
+            assertResponse(response, "Set $0 to the template element.");
+            evaluate$0();
+        });
+    }
+
+    function resolveNode(objectId) {
+        InspectorProtocol.sendCommand("DOM.requestNode", {objectId}, (response) => {
+            assertResponse(response, "Resolved js object id to DOM node id.");
+            setInspectedNode(response.result.nodeId);
+        });
+    }
+
+    InspectorProtocol.sendCommand("DOM.getDocument", {});
+    InspectorProtocol.sendCommand("Runtime.evaluate", {"_expression_": "document.getElementById('tmpl').content.firstChild", "includeCommandLineAPI": true}, (response) => {
+        assertResponse(response, "Evaluate an element in a template.");
+        resolveNode(response.result.result.objectId);
+    });
+}
+
+</script>
+</head>
+<body _onload_="runTest()">
+<p>Test that document inside a template node can be passed to inspect() function in the console and referenced as $0.</p>
+</body>
+</html>
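
Review bot: The `DOM.getDocument` command near the end of `test()` is sent with no callback, so its response never goes through `assertResponse` and the `Runtime.evaluate` that follows is issued without waiting for it. If the later `DOM.requestNode` step relies on the document having been requested first, that ordering is only implicit; issuing the evaluate from a `DOM.getDocument` callback that checks for an error would make it explicit and would log a failure at the right step. Separately, the description says "document inside a template node" while every step works on the `<div>` element returned by `content.firstChild`, so "element" would match what is tested. The test also covers only the same-document path: nothing here exercises `canAccessDocument` denying access to template content, which is the other half of this change.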

Modified: trunk/Source/WebCore/ChangeLog (248174 => 248175)


--- trunk/Source/WebCore/ChangeLog	2019-08-02 20:09:06 UTC (rev 248174)
+++ trunk/Source/WebCore/ChangeLog	2019-08-02 20:22:18 UTC (rev 248175)
@@ -1,3 +1,21 @@
+2019-08-02  Yury Semikhatsky  <[email protected]>
+
+        Web Inspector: Crash when interacting with Template Content in Console
+        https://bugs.webkit.org/show_bug.cgi?id=196280
+
+        Reviewed by Joseph Pecoraro.
+
+        Test: inspector/dom/inspect-template-node.html
+
+        * bindings/js/JSDOMBindingSecurity.cpp:
+        (WebCore::canAccessDocument): if target element is from a
+        <template> use its host document to check the access. Elements
+        from the host document always have access to its template elements content.
+        * inspector/agents/InspectorDOMAgent.cpp:
+        (WebCore::InspectorDOMAgent::resolveNode): templates are created in
+        special template document which doesn't have a frame, in such case get
+        the frame from the host document.
+
 2019-08-02  Ryosuke Niwa  <[email protected]>
 
         Harden NodeRareData::m_connectedFrameCount

Modified: trunk/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp (248174 => 248175)


--- trunk/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp	2019-08-02 20:09:06 UTC (rev 248174)
+++ trunk/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp	2019-08-02 20:22:18 UTC (rev 248175)
@@ -50,6 +50,9 @@
     if (!targetDocument)
         return false;
 
+    if (auto* templateHost = targetDocument->templateDocumentHost())
+        targetDocument = templateHost;
+
     DOMWindow& active = activeDOMWindow(*state);
 
     if (active.document()->securityOrigin().canAccess(targetDocument->securityOrigin()))
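
Review bot: The substitution of `targetDocument` with `templateHost` sits in an access-control path with no comment explaining why it is safe, and after it the `securityOrigin().canAccess(...)` comparison runs against the host's origin rather than the template document's own. The ChangeLog states the intent (elements of the host document can always reach its template content), but that reasoning should live next to the code, for example a one-line comment above `if (auto* templateHost = ...)` saying that template content is governed by the host document's origin. It would also help to state or assert whether one hop is always enough, that is, whether `templateDocumentHost()` can itself return a template document. A layout test where a caller from a different origin is still refused access to template content would guard against this check becoming more permissive than intended.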

Modified: trunk/Source/WebCore/inspector/agents/InspectorDOMAgent.cpp (248174 => 248175)


--- trunk/Source/WebCore/inspector/agents/InspectorDOMAgent.cpp	2019-08-02 20:09:06 UTC (rev 248174)
+++ trunk/Source/WebCore/inspector/agents/InspectorDOMAgent.cpp	2019-08-02 20:22:18 UTC (rev 248175)
@@ -2594,7 +2594,10 @@
 
 RefPtr<Inspector::Protocol::Runtime::RemoteObject> InspectorDOMAgent::resolveNode(Node* node, const String& objectGroup)
 {
-    auto* frame = node->document().frame();
+    Document* document = &node->document();
+    if (auto* templateHost = document->templateDocumentHost())
+        document = templateHost;
+    auto* frame =  document->frame();
     if (!frame)
         return nullptr;
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
