Title: [134775] trunk
- Revision: 134775
- Author: commit-qu...@webkit.org
- Date: 2012-11-15 07:42:48 -0800 (Thu, 15 Nov 2012)
Log Message
Prevent creation of detached frames in ShadowRoot
https://bugs.webkit.org/show_bug.cgi?id=102333
Patch by Elliott Sprehn <espr...@chromium.org> on 2012-11-15
Reviewed by Dimitri Glazkov.
Source/WebCore:
Similar to Bug 94717 you can create a loaded iframe in a detached
subtree using ShadowRoot. To fix this we just need to make
SubframeLoadingDisabler traverse through shadow boundaries.
Test: fast/frames/detached-shadow-frame.html
* html/HTMLFrameOwnerElement.h:
(WebCore::SubframeLoadingDisabler::canLoadFrame):
LayoutTests:
Test that you cannot create a detached frame using a ShadowRoot
and iframe unload handlers.
* fast/frames/detached-shadow-frame-expected.txt: Added.
* fast/frames/detached-shadow-frame.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (134774 => 134775)
--- trunk/LayoutTests/ChangeLog 2012-11-15 15:28:52 UTC (rev 134774)
+++ trunk/LayoutTests/ChangeLog 2012-11-15 15:42:48 UTC (rev 134775)
@@ -1,3 +1,16 @@
+2012-11-15 Elliott Sprehn <espr...@chromium.org>
+
+ Prevent creation of detached frames in ShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=102333
+
+ Reviewed by Dimitri Glazkov.
+
+ Test that you cannot create a detached frame using a ShadowRoot
+ and iframe unload handlers.
+
+ * fast/frames/detached-shadow-frame-expected.txt: Added.
+ * fast/frames/detached-shadow-frame.html: Added.
+
2012-11-15 Shinya Kawanaka <shin...@chromium.org>
Changing pseudoClass (:visited) should cause distribution.
Added: trunk/LayoutTests/fast/frames/detached-shadow-frame-expected.txt (0 => 134775)
--- trunk/LayoutTests/fast/frames/detached-shadow-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/frames/detached-shadow-frame-expected.txt 2012-11-15 15:42:48 UTC (rev 134775)
@@ -0,0 +1,10 @@
+Should not be able to create an iframe with a loaded contentDocument that is not in the document tree.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS innerFrame.contentDocument is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/frames/detached-shadow-frame.html (0 => 134775)
--- trunk/LayoutTests/fast/frames/detached-shadow-frame.html (rev 0)
+++ trunk/LayoutTests/fast/frames/detached-shadow-frame.html 2012-11-15 15:42:48 UTC (rev 134775)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+
+<body>
+
+<script src=""
+
+<script>
+description('Should not be able to create an iframe with a loaded contentDocument that is not in the document tree.');
+
+container = document.body.appendChild(document.createElement("div"));
+helperDiv = container.appendChild(document.createElement("div"));
+helperFrame = container.appendChild(document.createElement("iframe"));
+
+helperFrame.contentWindow._onunload_ = function() {
+ shadowRoot = new WebKitShadowRoot(helperDiv);
+ innerFrame = shadowRoot.appendChild(document.createElement("iframe"));
+};
+
+document.body.removeChild(container);
+
+shouldBe('innerFrame.contentDocument', 'null');
+</script>
+
+<script src=""
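Review bot: The only case exercised is an iframe appended directly to a single shadow root (shadowRoot.appendChild(document.createElement("iframe")) inside the unload handler), so the test covers just one step across a shadow boundary. Because the fix relies on the ancestor walk reaching the removed container through every host, consider adding a case where the iframe sits under an element inside the shadow root, and one where the shadow host is itself inside another shadow tree, each asserting that contentDocument is null.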
Modified: trunk/Source/WebCore/ChangeLog (134774 => 134775)
--- trunk/Source/WebCore/ChangeLog 2012-11-15 15:28:52 UTC (rev 134774)
+++ trunk/Source/WebCore/ChangeLog 2012-11-15 15:42:48 UTC (rev 134775)
@@ -1,3 +1,19 @@
+2012-11-15 Elliott Sprehn <espr...@chromium.org>
+
+ Prevent creation of detached frames in ShadowRoot
+ https://bugs.webkit.org/show_bug.cgi?id=102333
+
+ Reviewed by Dimitri Glazkov.
+
+ Similar to Bug 94717 you can create a loaded iframe in a detached
+ subtree using ShadowRoot. To fix this we just need to make
+ SubframeLoadingDisabler traverse through shadow boundaries.
+
+ Test: fast/frames/detached-shadow-frame.html
+
+ * html/HTMLFrameOwnerElement.h:
+ (WebCore::SubframeLoadingDisabler::canLoadFrame):
+
2012-11-15 Shinya Kawanaka <shin...@chromium.org>
Changing pseudoClass (:visited) should cause distribution.
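Review bot: The description cites "Bug 94717" by number only and does not say why a loaded iframe in a detached subtree is a problem, so someone reading this entry alone cannot judge the impact. Consider giving that bug's URL in the same form as the show_bug.cgi line above it, plus one sentence on the consequence being prevented.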
Modified: trunk/Source/WebCore/html/HTMLFrameOwnerElement.h (134774 => 134775)
--- trunk/Source/WebCore/html/HTMLFrameOwnerElement.h 2012-11-15 15:28:52 UTC (rev 134774)
+++ trunk/Source/WebCore/html/HTMLFrameOwnerElement.h 2012-11-15 15:42:48 UTC (rev 134775)
@@ -93,7 +93,7 @@
static bool canLoadFrame(HTMLFrameOwnerElement* owner)
{
- for (Node* node = owner; node; node = node->parentNode()) {
+ for (Node* node = owner; node; node = node->parentOrHostNode()) {
if (disabledSubtreeRoots().contains(node))
return false;
}
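Review bot: The switch to parentOrHostNode() in the for loop carries no comment explaining why the walk has to cross from a shadow root to its host, which makes it easy for a later cleanup to change it back to parentNode() and reopen the detached-frame case. A one-line comment above the loop, noting that an entry in disabledSubtreeRoots() can be an ancestor of the shadow host rather than of the frame owner's own tree, would record the intent next to the code.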