Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0b66d56fa5dc4649dbe651b6215b6874e9e57aa3
    https://github.com/WebKit/WebKit/commit/0b66d56fa5dc4649dbe651b6215b6874e9e57aa3
Author: Rupin Mittal <ru...@apple.com>
Date: 2025-08-09 (Sat, 09 Aug 2025)
Changed paths:
    A LayoutTests/http/tests/navigation-api/form-submission-post-request-iframe-expected.txt
    A LayoutTests/http/tests/navigation-api/form-submission-post-request-iframe.html
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/page/Navigation.cpp

Log Message:
-----------
Navigation API causing webpage crashes on Brightspace quiz
https://bugs.webkit.org/show_bug.cgi?id=287808
rdar://145088211

Reviewed by Charlie Wolfe.

The Brightspace site has buttons that submit a form. The form is submitted via a POST request, and this happens inside an iframe.

When we press the first button, since the form is submitted via a POST request, it's loaded using FrameLoader::loadPostRequest(). This function erroneously does not set the Navigation API navigation type (it should be a Push navigation). As a result, when we get to Navigation::initializeForNewWindow(), the code path we go down is:

1. Frame is not a MainFrame
2. Should process previous navigation entries since there was a previous window
3. Navigation type is not Push or Traverse

In this code path, we end up not finding the current history entry in the list of entries, and thus we don't set m_currentEntryIndex.

Now we press the second button and we go down the same exact code path. In Step 3, we dereference the previous window's m_currentEntryIndex, which is of course not set, and so we crash.

The issue is that the navigation should have had a navigation type. So we set this in FrameLoader::loadPostRequest() the same way we do in FrameLoader::loadURL(). Now the first button press goes down the path:

1. Frame is not a MainFrame
2. Should process previous navigation entries since there was a previous window
3. Navigation type is a Push

And then m_currentEntryIndex gets set. Then, when the second button is pressed, m_currentEntryIndex can be safely dereferenced.
The crash from the site can be minimized to this:

"""
<iframe srcdoc="<form method='post'><input type='submit' value='Submit'></form>"></iframe>
"""

Load this HTML in Safari, press the submit button twice, and it'll crash. This patch converts this manual test case into a new layout test that passes if it doesn't crash.

* LayoutTests/http/tests/navigation-api/form-submission-post-request-iframe-expected.txt: Added.
* LayoutTests/http/tests/navigation-api/form-submission-post-request-iframe.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadPostRequest):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::initializeForNewWindow): The spec does not say that a POST request or form submission should not have a navigation type.

Canonical link: https://commits.webkit.org/298480@main