Modified: trunk/LayoutTests/ChangeLog (104256 => 104257)
--- trunk/LayoutTests/ChangeLog 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/LayoutTests/ChangeLog 2012-01-06 01:32:45 UTC (rev 104257)
@@ -1,3 +1,14 @@
+2012-01-05 Jochen Eisinger <[email protected]>
+
+ Unskip fast/storage/storage-detached-iframe.html on chromium
+ https://bugs.webkit.org/show_bug.cgi?id=61326
+
+ Reviewed by Adam Barth.
+
+ * fast/storage/storage-detached-iframe-expected.txt:
+ * fast/storage/storage-detached-iframe.html:
+ * platform/chromium/test_expectations.txt:
+
2012-01-05 David Grogan <[email protected]>
IndexedDB: fix cursor prefetch crash
Modified: trunk/LayoutTests/fast/storage/storage-detached-iframe-expected.txt (104256 => 104257)
--- trunk/LayoutTests/fast/storage/storage-detached-iframe-expected.txt 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/LayoutTests/fast/storage/storage-detached-iframe-expected.txt 2012-01-06 01:32:45 UTC (rev 104257)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: line 25: Expected exception caught.
Bug: https://bugs.webkit.org/show_bug.cgi?id=57140
Description: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
Modified: trunk/LayoutTests/fast/storage/storage-detached-iframe.html (104256 => 104257)
--- trunk/LayoutTests/fast/storage/storage-detached-iframe.html 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/LayoutTests/fast/storage/storage-detached-iframe.html 2012-01-06 01:32:45 UTC (rev 104257)
@@ -19,7 +19,11 @@
first_attr = t1.attributes.item(undefined, undefined, undefined, undefined);
first_attr_value_replaced = first_attr.firstChild.replaceWholeText(undefined, undefined, undefined, undefined);
first_attr_value_replaced.DOCUMENT_FRAGMENT_NODE = a;
- first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage.fuzz3_visited="test";
+ try {
+ first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage.fuzz3_visited="test";
+ } catch (e) {
+ console.log("Expected exception caught.");
+ }
}
function runTestOuterText() {
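Review bot: The new `catch (e)` block accepts any exception, so the test also produces its expected output if the chain `first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage` fails with a TypeError before the storage access is ever attempted, which would mask a regression of the behaviour this patch is meant to pin. Logging the exception type alongside the message, `console.log("Expected exception caught: " + e.name);`, would record in the expected output which error the detached-frame storage access actually raises (the expected.txt hunk in this commit would then need the same update). The enclosing function's signature is above the hunk.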
Modified: trunk/LayoutTests/platform/chromium/test_expectations.txt (104256 => 104257)
--- trunk/LayoutTests/platform/chromium/test_expectations.txt 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/LayoutTests/platform/chromium/test_expectations.txt 2012-01-06 01:32:45 UTC (rev 104257)
@@ -3311,8 +3311,6 @@
BUGCR88588 : fast/lists/inlineBoxWrapperNullCheck.html = PASS TEXT
-BUGWK61326 : fast/storage/storage-detached-iframe.html = CRASH TIMEOUT
-
BUGCR88894 SLOW WIN : http/tests/cache/subresource-expiration-1.html = PASS
BUGCR88894 SLOW WIN : http/tests/cache/subresource-expiration-2.html = PASS
Modified: trunk/Source/WebCore/ChangeLog (104256 => 104257)
--- trunk/Source/WebCore/ChangeLog 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/Source/WebCore/ChangeLog 2012-01-06 01:32:45 UTC (rev 104257)
@@ -1,3 +1,13 @@
+2012-01-05 Jochen Eisinger <[email protected]>
+
+ Disallow access to DOM storage from detached frames.
+ https://bugs.webkit.org/show_bug.cgi?id=61326
+
+ Reviewed by Adam Barth.
+
+ * storage/StorageAreaImpl.cpp:
+ (WebCore::StorageAreaImpl::disabledByPrivateBrowsingInFrame):
+
2012-01-05 No'am Rosenthal <[email protected]>
[Qt][Texmap] Convert shaders in TextureMapperGL to use a macro
Modified: trunk/Source/WebCore/storage/StorageAreaImpl.cpp (104256 => 104257)
--- trunk/Source/WebCore/storage/StorageAreaImpl.cpp 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/Source/WebCore/storage/StorageAreaImpl.cpp 2012-01-06 01:32:45 UTC (rev 104257)
@@ -109,7 +109,9 @@
ASSERT(!frame);
return false;
#else
- if (!frame->page() || !frame->page()->settings()->privateBrowsingEnabled())
+ if (!frame->page())
+ return true;
+ if (!frame->page()->settings()->privateBrowsingEnabled())
return false;
if (m_storageType != LocalStorage)
return true;
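Review bot: The added early return makes disabledByPrivateBrowsingInFrame report "disabled" for a frame that has no Page, which is a detached-frame condition rather than a private-browsing one, and nothing in the code says so; a short comment at the new check, `// A frame without a Page is detached; report storage as disabled so the Page is never dereferenced.`, would keep the next reader from "fixing" it back to the old combined condition. The same `frame->page()` call is now evaluated twice; hoisting it, `Page* page = frame->page();` / `if (!page)` / `return true;` / `if (!page->settings()->privateBrowsingEnabled())`, reads more directly. Note that the `#if` branch just above asserts `!frame` while this branch dereferences it unconditionally, so the non-null frame contract of the `#else` path is presumably guaranteed by callers; the function's signature and remainder are outside the hunk. The chromium-side hunk in StorageAreaProxy.cpp adds the analogous guard.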
Modified: trunk/Source/WebKit/chromium/ChangeLog (104256 => 104257)
--- trunk/Source/WebKit/chromium/ChangeLog 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/Source/WebKit/chromium/ChangeLog 2012-01-06 01:32:45 UTC (rev 104257)
@@ -1,3 +1,13 @@
+2012-01-05 Jochen Eisinger <[email protected]>
+
+ Check whether a WebView exists before accessing it in StorageAreaProxy. This is not necessarily the case, e.g. for detached iframes.
+ https://bugs.webkit.org/show_bug.cgi?id=61326
+
+ Reviewed by Adam Barth.
+
+ * src/StorageAreaProxy.cpp:
+ (WebCore::StorageAreaProxy::canAccessStorage):
+
2012-01-04 James Robinson <[email protected]>
[chromium] Route all animate calls through CCLayerTreeHost in composited mode to simplify rate limiting logic
Modified: trunk/Source/WebKit/chromium/src/StorageAreaProxy.cpp (104256 => 104257)
--- trunk/Source/WebKit/chromium/src/StorageAreaProxy.cpp 2012-01-06 01:32:00 UTC (rev 104256)
+++ trunk/Source/WebKit/chromium/src/StorageAreaProxy.cpp 2012-01-06 01:32:45 UTC (rev 104257)
@@ -167,6 +167,8 @@
bool StorageAreaProxy::canAccessStorage(Frame* frame) const
{
+ if (!frame->page())
+ return false;
WebKit::WebFrameImpl* webFrame = WebKit::WebFrameImpl::fromFrame(frame);
WebKit::WebViewImpl* webView = webFrame->viewImpl();
return !webView->permissionClient() || webView->permissionClient()->allowStorage(webFrame, m_storageType == LocalStorage);
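Review bot: The new guard tests `frame->page()`, but the pointer the ChangeLog says may be absent, `webView`, is still dereferenced unconditionally on the last line, so the fix relies on an unstated invariant that a frame with a Page always yields a non-null WebViewImpl from `viewImpl()`. Checking the value directly, `if (!webView)` / `return false;` after the `viewImpl()` line (and likewise for `webFrame` if `fromFrame` can return null), would express the intent and keep the fail-closed default even if that invariant is ever broken. Returning false for a detached frame is the right direction for an access check, since an unexpected state then denies rather than grants storage access. `frame` itself is also dereferenced without a check, which is fine only if every caller guarantees it is non-null; the function's closing brace lies outside the hunk.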