Title: [255018] branches/safari-609-branch/Source/WebCore
- Revision: 255018
- Author: [email protected]
- Date: 2020-01-23 13:44:01 -0800 (Thu, 23 Jan 2020)
Log Message
Cherry-pick r254700. rdar://problem/58811338
WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
https://bugs.webkit.org/show_bug.cgi?id=206335
Reviewed by Antti Koivisto.
Delay the widget hierarchy updates until we're done attaching a shadow root.
Otherwise, WK1 would retry to update the focus synchronously.
* dom/Element.cpp:
(WebCore::Element::addShadowRoot):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (255017 => 255018)
--- branches/safari-609-branch/Source/WebCore/ChangeLog 2020-01-23 21:43:58 UTC (rev 255017)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog 2020-01-23 21:44:01 UTC (rev 255018)
@@ -1,5 +1,36 @@
2020-01-23 Russell Epstein <[email protected]>
+ Cherry-pick r254700. rdar://problem/58811338
+
+ WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=206335
+
+ Reviewed by Antti Koivisto.
+
+ Delay the widget hierarchy updates until we're done attaching a shadow root.
+ Otherwise, WK1 would retry to update the focus synchronously.
+
+ * dom/Element.cpp:
+ (WebCore::Element::addShadowRoot):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-01-16 Ryosuke Niwa <[email protected]>
+
+ WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=206335
+
+ Reviewed by Antti Koivisto.
+
+ Delay the widget hierarchy updates until we're done attaching a shadow root.
+ Otherwise, WK1 would retry to update the focus synchronously.
+
+ * dom/Element.cpp:
+ (WebCore::Element::addShadowRoot):
+
+2020-01-23 Russell Epstein <[email protected]>
+
Cherry-pick r254659. rdar://problem/58811354
Keep RefPtr instead of raw pointer to message queue on WebCoreResourceHandleAsOperationQueueDelegate
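Review bot: The new ChangeLog entry lists only dom/Element.cpp under its changed files and names no regression test, although the bug title describes arbitrary JS execution during renderer teardown. Please either reference the test that covers the WK1 path or state in the entry why one cannot be added. The description also says what is delayed ("widget hierarchy updates") but not how the synchronous WK1 focus update leads to script running; one sentence making that link explicit would let a later reader judge whether other callers of the same teardown path need the same treatment.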
Modified: branches/safari-609-branch/Source/WebCore/dom/Element.cpp (255017 => 255018)
--- branches/safari-609-branch/Source/WebCore/dom/Element.cpp 2020-01-23 21:43:58 UTC (rev 255017)
+++ branches/safari-609-branch/Source/WebCore/dom/Element.cpp 2020-01-23 21:44:01 UTC (rev 255018)
@@ -2279,6 +2279,7 @@
ShadowRoot& shadowRoot = newShadowRoot;
{
+ WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
ScriptDisallowedScope::InMainThread scriptDisallowedScope;
if (renderer())
RenderTreeUpdater::tearDownRenderers(*this);
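Review bot: The placement of `WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;` directly above `ScriptDisallowedScope::InMainThread scriptDisallowedScope;` is load-bearing and has no comment. Because locals are destroyed in reverse order of declaration, the script-disallowed scope ends first and the suspended widget updates are released only afterwards; swapping the two lines would release them while script is still disallowed. A short comment stating that the suspension scope must be declared first, and that the deferred updates can trigger the focus update named in the log message, would protect this from a later reordering. The closing brace of this block is outside the visible context, so it is also worth confirming that the shadow root is fully attached at the point where the scope ends, as the log message ("until we're done attaching a shadow root") requires.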