Title: [191199] branches/safari-601.1.46-branch
Revision
191199
Author
matthew_han...@apple.com
Date
2015-10-16 13:05:20 -0700 (Fri, 16 Oct 2015)

Log Message

Merge r190752. rdar://problem/23110932

Modified Paths

Added Paths

Diff

Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2015-10-16 20:05:20 UTC (rev 191199)
@@ -1,3 +1,27 @@
+2015-10-16  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r190752. rdar://problem/23110932
+
+    2015-10-08  Andreas Kling  <akl...@apple.com>
+
+            Generated frame tree names should be kept reasonably long.
+            <https://webkit.org/b/149874>
+
+            Reviewed by Darin Adler.
+
+            Added a test to document our name generation behavior for subframes with long-named ancestors.
+            Also rebaselined some tests that exposed the old behavior.
+
+            * fast/forms/form-and-frame-interaction-retains-values-expected.txt:
+            * fast/frames/long-names-in-nested-subframes-expected.txt: Added.
+            * fast/frames/long-names-in-nested-subframes.html: Added.
+            * http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt:
+            * http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
+            * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
+            * http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level-expected.txt:
+            * http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-to-javscript-url-expected.txt:
+            * http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url-expected.txt:
+
 2015-10-15  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r190604. rdar://problem/22993012
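Review bot: the file list in this ChangeLog entry is incomplete: the diff below also rebaselines http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-sub-frame-2-level-expected.txt (the `aFrame/<!--frame0-->` to `<!--frame0-->/<!--frame0-->` change), but that file is not listed among the nine `* ...` entries. Please add it so the entry matches the set of touched paths.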

Modified: branches/safari-601.1.46-branch/LayoutTests/fast/forms/form-and-frame-interaction-retains-values-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/fast/forms/form-and-frame-interaction-retains-values-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/forms/form-and-frame-interaction-retains-values-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -13,6 +13,6 @@
 
 
 --------
-Frame: '<!--framePath //submitted/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 

Added: branches/safari-601.1.46-branch/LayoutTests/fast/frames/long-names-in-nested-subframes-expected.txt (0 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/fast/frames/long-names-in-nested-subframes-expected.txt	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/frames/long-names-in-nested-subframes-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -0,0 +1,31 @@
+
+
+--------
+Frame: 'since_this_name_is_very_long_it_would_not_be_great_to_repeat_it_in_every_frame_path'
+--------
+
+
+--------
+Frame: 'and_this_name_is_long_too_so_we_would_get_pretty_long_names'
+--------
+   
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->/<!--frame0-->-->'
+--------
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->/<!--frame1-->-->'
+--------
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->/<!--frame2-->-->'
+--------
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->/<!--frame3-->-->'
+--------
+

Added: branches/safari-601.1.46-branch/LayoutTests/fast/frames/long-names-in-nested-subframes.html (0 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/fast/frames/long-names-in-nested-subframes.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/frames/long-names-in-nested-subframes.html	2015-10-16 20:05:20 UTC (rev 191199)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+<iframe
+    name="since_this_name_is_very_long_it_would_not_be_great_to_repeat_it_in_every_frame_path"
+    src=""
+        <iframe name=and_this_name_is_long_too_so_we_would_get_pretty_long_names src=''></iframe>">
+</iframe>
+</body>
+</html>
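Review bot: the test markup as shown cannot produce its expectation file. The outer iframe's `src=""` attribute is already closed on its own line, so the following `<iframe name=and_this_name_is_long_too_so_we_would_get_pretty_long_names src=''></iframe>">` is dangling text whose trailing `">` closes nothing, and no anonymous iframes appear anywhere in the markup even though long-names-in-nested-subframes-expected.txt lists four of them (`<!--frame0-->` through `<!--frame3-->`) beneath the two named frames. The hunk header announces 23 added lines while only 17 are visible, so the nested markup was most likely carried inside attributes that this rendering dropped; please confirm the committed file against the expectation before relying on this test to cover the long-named-ancestor case it was added for.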

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -1,2 +1,2 @@
-frame "<!--framePath //target/<!--frame0-->-->" - has 1 onunload handler(s)
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - has 1 onunload handler(s)
 This test triggers an unload handler that starts an image load in a different frame (and deletes both frames), but ensures the main frame is not destroyed. We pass if we don't crash.

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -13,6 +13,6 @@
 
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 Inner-inner iframe.

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -14,7 +14,7 @@
 
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 PASS: Cross frame access to a data: URL 2 levels deep was denied.
 

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -10,6 +10,6 @@
 Inner iframe.
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 Inner-inner iframe.

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-to-javscript-url-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-to-javscript-url-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-to-javscript-url-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -9,7 +9,7 @@
 Inner iframe.
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 PASS: Cross frame access from a _javascript_: URL was allowed!
 

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -11,6 +11,6 @@
 Inner iframe.
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 Inner-inner iframe.

Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-sub-frame-2-level-expected.txt (191198 => 191199)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-sub-frame-2-level-expected.txt	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-sub-frame-2-level-expected.txt	2015-10-16 20:05:20 UTC (rev 191199)
@@ -11,7 +11,7 @@
 Inner iframe.
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 PASS: Cross frame access to a _javascript_: URL 2 levels deep was allowed!
 

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (191198 => 191199)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-10-16 20:05:20 UTC (rev 191199)
@@ -1,3 +1,43 @@
+2015-10-16  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r190752. rdar://problem/23110932
+
+    2015-10-08  Andreas Kling  <akl...@apple.com>
+
+            Generated frame tree names should be kept reasonably long.
+            <https://webkit.org/b/149874>
+
+            Reviewed by Darin Adler.
+
+            Some clumsy advertising script is going around assigning _javascript_ source code
+            to the "name" attribute of iframes. This is causing WebKit to generate way too huge
+            names for anonymous descendants of such iframes.
+
+            Previously, the generated name of an anonymous subframe would be its slash-separated
+            path from the root frame, with the "name" attribute of each ancestor between the
+            slashes, or "<!--frame${index in parent}-->" for anonymous ancestors.
+
+            These ad scripts are often over 100kB in size, with multiple subframes, so we'd end
+            up with frame names looking like this:
+
+            "<!--framePath //<MONSTER BLOB OF _javascript_ FROM HELL>/<!--frame0--><!--frame0-->-->"
+
+            While this is worth fixing for the memory usage alone, we've been making it way
+            worse by also using these paths when recording the back/forward history parts of
+            WebKit session state.
+
+            This patch makes generated paths always use index-in-parent as the "directory name"
+            for ancestors of anonymous subframes. The above example path will now instead be:
+
+            "<!--framePath //<!--frame0-->/<!--frame0-->/<!--frame0-->-->"
+
+            Test: fast/frames/long-names-in-nested-subframes.html
+
+            * page/FrameTree.cpp:
+            (WebCore::FrameTree::indexInParent):
+            (WebCore::FrameTree::uniqueChildName):
+            * page/FrameTree.h:
+
 2015-10-15  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r190604. rdar://problem/22993012
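Review bot: the "before" example in this ChangeLog entry, `//<MONSTER BLOB OF _javascript_ FROM HELL>/<!--frame0--><!--frame0-->-->`, is missing the `/` between the two `<!--frame0-->` components, while the "after" example two paragraphs later has it (`//<!--frame0-->/<!--frame0-->/<!--frame0-->-->`). Since the only intended difference between the two is the replacement of the blob with `<!--frame0-->`, please add the slash so the examples compare like for like.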

Modified: branches/safari-601.1.46-branch/Source/WebCore/page/FrameTree.cpp (191198 => 191199)


--- branches/safari-601.1.46-branch/Source/WebCore/page/FrameTree.cpp	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/Source/WebCore/page/FrameTree.cpp	2015-10-16 20:05:20 UTC (rev 191199)
@@ -82,6 +82,19 @@
     return true;
 }
 
+unsigned FrameTree::indexInParent() const
+{
+    if (!m_parent)
+        return 0;
+    unsigned index = 0;
+    for (Frame* frame = m_parent->tree().firstChild(); frame; frame = frame->tree().nextSibling()) {
+        if (&frame->tree() == this)
+            return index;
+        ++index;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
 void FrameTree::appendChild(PassRefPtr<Frame> child)
 {
     ASSERT(child->page() == m_thisFrame.page());
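Review bot: `indexInParent()` returns 0 both for the root frame (no `m_parent`) and for a first child, so the return value alone cannot tell the two apart; a one-line comment stating that the root answers 0 and that callers are expected to test `parent()` first, as `uniqueChildName()` below does, would keep a future caller from treating 0 as "is root". The sibling walk is linear, which is fine per call, but `uniqueChildName()` invokes it once per ancestor in `chain`, so the cost of one generated name is depth times sibling count; worth noting in the comment. Ending the function with `RELEASE_ASSERT_NOT_REACHED()` is fine for the compiler, and the release (rather than debug) assert is the right choice here since failing to find a child in its own parent's list is a tree-integrity failure.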
@@ -128,16 +141,17 @@
 
 AtomicString FrameTree::uniqueChildName(const AtomicString& requestedName) const
 {
+    // If the requested name (the frame's "name" attribute) is unique, just use that.
     if (!requestedName.isEmpty() && !child(requestedName) && requestedName != "_blank")
         return requestedName;
 
-    // Create a repeatable name for a child about to be added to us. The name must be
-    // unique within the frame tree. The string we generate includes a "path" of names
-    // from the root frame down to us. For this path to be unique, each set of siblings must
-    // contribute a unique name to the path, which can't collide with any HTML-assigned names.
-    // We generate this path component by index in the child list along with an unlikely
-    // frame name that can't be set in HTML because it collides with comment syntax.
+    // The "name" attribute was not unique or absent. Generate a name based on the
+    // new frame's location in the frame tree. The name uses HTML comment syntax to
+    // avoid collisions with author names.
 
+    // An example path for the third child of the second child of the root frame:
+    // <!--framePath //<!--frame1-->/<!--frame2-->-->
+
     const char framePathPrefix[] = "<!--framePath ";
     const int framePathPrefixLength = 14;
     const int framePathSuffixLength = 3;
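Review bot: the rewritten comment drops the one sentence that justified uniqueness, namely that each set of siblings must contribute a component unique among those siblings that cannot collide with an HTML-assigned name; the new text only says the comment syntax avoids collisions with author names. Since the path components are now index-in-parent rather than `uniqueName()`, please keep that rationale and say explicitly that indices are zero-based, which the worked example (`<!--frame1-->/<!--frame2-->` for the third child of the second child) depends on but does not state.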
@@ -159,7 +173,11 @@
     for (int i = chain.size() - 1; i >= 0; --i) {
         frame = chain[i];
         name.append('/');
-        name.append(frame->tree().uniqueName());
+        if (frame->tree().parent()) {
+            name.appendLiteral("<!--frame");
+            name.appendNumber(frame->tree().indexInParent());
+            name.appendLiteral("-->");
+        }
     }
 
     name.appendLiteral("/<!--frame");
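Review bot: the loop still appends `'/'` before the `parent()` check, so the root contributes an empty component and every path starts with `//`, as the rebaselined expectations show (`<!--framePath //<!--frame0-->/<!--frame0-->-->`). That preserves the old output shape, but it would be clearer to either comment that the root is intentionally skipped or start the loop at `chain.size() - 2`, since the root at the end of `chain` is the only element without a parent. Also, `frame->tree().uniqueName()` is no longer consulted for any ancestor, so a named ancestor such as `aFrame` in the security tests now appears as `<!--frame0-->`; that matches the ChangeLog, but because the index is read at generation time while the generated name is then stored as the child's unique name, a sibling inserted before the ancestor later will leave the stored `<!--frameN-->` out of step with the ancestor's current `indexInParent()`. A sentence in the comment block saying the components are a snapshot, not a live locator, would prevent anyone from trying to resolve a frame from its generated name.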

Modified: branches/safari-601.1.46-branch/Source/WebCore/page/FrameTree.h (191198 => 191199)


--- branches/safari-601.1.46-branch/Source/WebCore/page/FrameTree.h	2015-10-16 20:04:13 UTC (rev 191198)
+++ branches/safari-601.1.46-branch/Source/WebCore/page/FrameTree.h	2015-10-16 20:05:20 UTC (rev 191199)
@@ -84,6 +84,8 @@
         Frame* scopedChild(const AtomicString& name) const;
         unsigned scopedChildCount() const;
 
+        unsigned indexInParent() const;
+
     private:
         Frame* deepLastChild() const;
         void actuallyAppendChild(PassRefPtr<Frame>);