Title: [258147] branches/safari-609-branch/Source/WebCore
Revision
258147
Author
[email protected]
Date
2020-03-09 11:58:13 -0700 (Mon, 09 Mar 2020)

Log Message

Cherry-pick r257746. rdar://problem/60183767

    ScriptController::executeIfJavaScriptURL() uses wrong JSGlobalObject.
    https://bugs.webkit.org/show_bug.cgi?id=208290
    <rdar://problem/59839476>

    Reviewed by Chris Dumez.

    The call to executeScriptIgnoringException() may have changed the current global
    object of the window.  We should be using the original global object that produced
    the result string.

    Also added a missing exception check needed after a potential rope resolution.

    * bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::executeIfJavaScriptURL):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@257746 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (258146 => 258147)


--- branches/safari-609-branch/Source/WebCore/ChangeLog	2020-03-09 17:30:36 UTC (rev 258146)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog	2020-03-09 18:58:13 UTC (rev 258147)
@@ -1,3 +1,43 @@
+2020-03-09  Alan Coon  <[email protected]>
+
+        Cherry-pick r257746. rdar://problem/60183767
+
+    ScriptController::executeIfJavaScriptURL() uses wrong JSGlobalObject.
+    https://bugs.webkit.org/show_bug.cgi?id=208290
+    <rdar://problem/59839476>
+    
+    Reviewed by Chris Dumez.
+    
+    The call to executeScriptIgnoringException() may have changed the current global
+    object of the window.  We should be using the original global object that produced
+    the result string.
+    
+    Also added a missing exception check needed after a potential rope resolution.
+    
+    * bindings/js/ScriptController.cpp:
+    (WebCore::ScriptController::executeIfJavaScriptURL):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@257746 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-03-02  Mark Lam  <[email protected]>
+
+            ScriptController::executeIfJavaScriptURL() uses wrong JSGlobalObject.
+            https://bugs.webkit.org/show_bug.cgi?id=208290
+            <rdar://problem/59839476>
+
+            Reviewed by Chris Dumez.
+
+            The call to executeScriptIgnoringException() may have changed the current global
+            object of the window.  We should be using the original global object that produced
+            the result string.
+
+            Also added a missing exception check needed after a potential rope resolution.
+
+            * bindings/js/ScriptController.cpp:
+            (WebCore::ScriptController::executeIfJavaScriptURL):
+
 2020-02-21  Russell Epstein  <[email protected]>
 
         Cherry-pick r256856. rdar://problem/59654783
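Review bot: the three lines between `(WebCore::ScriptController::executeIfJavaScriptURL):` and the `git-svn-id:` line in the cherry-pick entry are whitespace-only (`+    `), as are the separator lines after `<rdar://problem/59839476>` and `Reviewed by Chris Dumez.`; trim the trailing spaces so the ChangeLog does not carry whitespace-only lines, and collapse the run of three to a single blank line to match the spacing used elsewhere in the entry.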

Modified: branches/safari-609-branch/Source/WebCore/bindings/js/ScriptController.cpp (258146 => 258147)


--- branches/safari-609-branch/Source/WebCore/bindings/js/ScriptController.cpp	2020-03-09 17:30:36 UTC (rev 258146)
+++ branches/safari-609-branch/Source/WebCore/bindings/js/ScriptController.cpp	2020-03-09 18:58:13 UTC (rev 258147)
@@ -754,8 +754,13 @@
 
     const int _javascript_SchemeLength = sizeof("_javascript_:") - 1;
 
+    JSDOMGlobalObject* globalObject = jsWindowProxy(mainThreadNormalWorld()).window();
+    VM& vm = globalObject->vm();
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
     String decodedURL = decodeURLEscapeSequences(url.string());
     auto result = executeScriptIgnoringException(decodedURL.substring(_javascript_SchemeLength));
+    RELEASE_ASSERT(&vm == &jsWindowProxy(mainThreadNormalWorld()).window()->vm());
 
     // If executing script caused this frame to be removed from the page, we
     // don't want to try to replace its document!
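Review bot: a raw `JSDOMGlobalObject* globalObject` is captured before `executeScriptIgnoringException()` and used after it, and the log message states that call can replace the window's current global object; add a comment stating why the captured pointer stays valid across that execution (what keeps the original global object reachable), or hold it in a GC-safe handle. The `RELEASE_ASSERT(&vm == &jsWindowProxy(mainThreadNormalWorld()).window()->vm())` would also benefit from a one-line comment noting that it exists because `throwScope` was declared against the pre-execution `vm`, so the assert documents the invariant it is protecting.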
@@ -762,8 +767,14 @@
     if (!m_frame.page())
         return true;
 
+    if (!result)
+        return true;
+
     String scriptResult;
-    if (!result || !result.getString(jsWindowProxy(mainThreadNormalWorld()).window(), scriptResult))
+    bool isString = result.getString(globalObject, scriptResult);
+    RETURN_IF_EXCEPTION(throwScope, true);
+
+    if (!isString)
         return true;
 
     // FIXME: We should always replace the document, but doing so
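Review bot: `RETURN_IF_EXCEPTION(throwScope, true)` after `result.getString(globalObject, scriptResult)` returns with the exception still pending on the VM; state in a comment who reports or clears that exception (the rope-resolution failure the log message mentions) after this function returns `true`, since the surrounding code otherwise treats `true` as "handled, nothing more to do". Splitting the old `!result || !getString(...)` condition into an early `if (!result) return true;` and a separate `if (!isString) return true;` is fine, but the second check and the exception check now run only for a non-empty `result`, which is worth noting next to the early return.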