Changeset 284758 in webkit

Timestamp:

Oct 24, 2021 9:01:14 AM (9 months ago)

Author:

Alexey Shvayka

Message:

document.open() and friends use incorrect document as a source for reseted document's URL
​https://bugs.webkit.org/show_bug.cgi?id=230131

Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

• web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub-expected.txt:
• web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/resources/url-entry-document-incumbent-frame.html: Added.
• web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window-expected.txt: Added.
• web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html: Added.
• web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.js: Added.

Source/WebCore:

With this patch, Document's open() / write() / writeln() methods receive entry global
object's document [1] as an argument, which is used to perform same-origin security check
and to set the URL of reseted document from. Aligns WebKit with Blink and Gecko.

Instead of maintaining consistency with FirstWindow, EntryDocument is named to match
the spec and because it's not always the "first" (topmost) document, but rather a document
of closest <script> or inline event handler.

ResponsibleDocument is removed because it's now unused and, in terms of implementation,
a poor man's IncumbentWindow. Also, the spec describes different concept by that name [2].

[1] ​https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream:entry-global-object
[2] ​https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document

Tests: http/tests/security/aboutBlank/security-context-grandchildren-lexical.html

http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html
http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::responsibleDocument): Deleted.

• bindings/js/JSDOMWindowBase.h:
• bindings/scripts/CodeGeneratorJS.pm:

(GenerateCallWith):

• bindings/scripts/IDLAttributes.json:
• dom/Document+HTML.idl:
• dom/Document.cpp:

(WebCore::Document::open):
(WebCore::Document::write):
(WebCore::Document::writeln):

• dom/Document.h:

LayoutTests:

• http/tests/security/aboutBlank/security-context-grandchildren-lexical.html:
• http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html:
• http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html:

Tweak javascript: URLs to evaluate as undefined so the tests could be run in Firefox.

• http/tests/security/aboutBlank/security-context-grandchildren-lexical-expected.txt:
• http/tests/security/aboutBlank/security-context-grandchildren-write-lexical-expected.txt:
• http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical-expected.txt:

Align expectations with Blink and Gecko.

• http/tests/security/resources/parent-document-open.html: Added.
• http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml:

The test relied on behavior that wasn't spec-compliant, causing timeouts once document.open() is fixed.
This patch preserves the test semantics of calling document.open() with iframe's global object.
Similar Blink bug: crbug.com/579493.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-lexical-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-lexical.html (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/parent-document-open.html (added)
• LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/resources/url-entry-document-incumbent-frame.html (added)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html (added)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.js (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bindings/scripts/IDLAttributes.json (modified) (1 diff)
• Source/WebCore/dom/Document+HTML.idl (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (8 diffs)
• Source/WebCore/dom/Document.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-10-24  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        document.open() and friends use incorrect document as a source for reseted document's URL
+        https://bugs.webkit.org/show_bug.cgi?id=230131
+
+        Reviewed by Chris Dumez.
+
+        * http/tests/security/aboutBlank/security-context-grandchildren-lexical.html:
+        * http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html:
+        * http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html:
+        Tweak javascript: URLs to evaluate as `undefined` so the tests could be run in Firefox.
+
+        * http/tests/security/aboutBlank/security-context-grandchildren-lexical-expected.txt:
+        * http/tests/security/aboutBlank/security-context-grandchildren-write-lexical-expected.txt:
+        * http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical-expected.txt:
+        Align expectations with Blink and Gecko.
+
+        * http/tests/security/resources/parent-document-open.html: Added.
+        * http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml:
+        The test relied on behavior that wasn't spec-compliant, causing timeouts once document.open() is fixed.
+        This patch preserves the test semantics of calling document.open() with iframe's global object.
+        Similar Blink bug: crbug.com/579493.
+
 2021-10-23  Rob Buis  <rbuis@igalia.com>
 

trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-lexical-expected.txt

@@ -12 +12 @@
 --- After document.open() ---
 * "about:blank"
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.cookie = cookie=parent
 * ""
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.cookie = cookie=parent
 --- After document.close() ---
 * "about:blank"
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.cookie = cookie=parent
 * ""
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-lexical.html
+document.cookie = cookie=parent
 --- Test ends ---

trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-lexical.html

@@ -27 +27 @@
       "window.myclose = function(i) { frames[i].document.close(); };" +
       "parent.log('Helpers loaded!\\n');" +
-      "parent.setTimeout('continueTest()', 10);";
+      "parent.setTimeout('continueTest()', 10); undefined;";
 }
 

trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical-expected.txt

@@ -12 +12 @@
 --- After document.open() ---
 * "about:blank"
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.cookie = cookie=parent
 * ""
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.cookie = cookie=parent
 --- After document.close() ---
 * "about:blank"
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.cookie = cookie=parent
 * ""
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-write-lexical.html
+document.cookie = cookie=parent
 --- Test ends ---

trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html

@@ -27 +27 @@
       "window.myclose = function(i) { frames[i].document.close(); };" +
       "parent.log('Helpers loaded!\\n');" +
-      "parent.setTimeout('continueTest()', 10);";
+      "parent.setTimeout('continueTest()', 10); undefined;";
 }
 

trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical-expected.txt

@@ -12 +12 @@
 --- After document.open() ---
 * "about:blank"
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.cookie = cookie=parent
 * ""
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.cookie = cookie=parent
 --- After document.close() ---
 * "about:blank"
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.cookie = cookie=parent
 * ""
-document.URL = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.baseURI = http://127.0.0.1:8000/security/aboutBlank/resources/iframe-with-about-blank-children.html
-document.cookie = cookie=resources; cookie=parent
+document.URL = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.baseURI = http://127.0.0.1:8000/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+document.cookie = cookie=parent
 --- Test ends ---

trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html

@@ -27 +27 @@
       "window.myclose = function(i) { frames[i].document.close(); };" +
       "parent.log('Helpers loaded!\\n');" +
-      "parent.setTimeout('continueTest()', 10);";
+      "parent.setTimeout('continueTest()', 10); undefined;";
 }
 

trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml

@@ -18 +18 @@
         victim.src = "http://localhost:8080/security/resources/innocent-victim.html";
         victim.onload = function() { wnd.eval("location = '" + location + "'"); }
-    } else if (location != "about:blank") {
+    } else if (!location.href.includes("parent-document-open.html")) {
         url = location.href;
-        blank = document.body.appendChild(document.createElement("iframe"));
-        blank.contentWindow.eval("parent.document.open()");
+        var parentDocOpen = document.createElement("iframe");
+        parentDocOpen.src = "resources/parent-document-open.html";
+        document.body.append(parentDocOpen);
+        setTimeout(() => {
         location = "javascript:(\"\x3C?xml-stylesheet type='text/xsl' href='" + url + "'?\x3E\x3Croot/\x3E\")";
+        }, 150);
     } else {
         try {

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-10-24  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        document.open() and friends use incorrect document as a source for reseted document's URL
+        https://bugs.webkit.org/show_bug.cgi?id=230131
+
+        Reviewed by Chris Dumez.
+
+        * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub-expected.txt:
+        * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/resources/url-entry-document-incumbent-frame.html: Added.
+        * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window-expected.txt: Added.
+        * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html: Added.
+        * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.js: Added.
+
 2021-10-23  Cameron McCormack  <heycam@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub-expected.txt

@@ -1 +1 @@
 
-FAIL It should not be possible to open same origin-domain (but not same origin) documents. assert_throws_dom: Opening a same origin-domain (but not same origin) document doesn't throw. function "function open() {
-    [native code]
-}" did not throw
-FAIL It should not be possible to implicitly open same origin-domain (but not same origin) documents. assert_throws_dom: Implicitly opening a same origin-domain (but not same origin) document doesn't throw. function "function write() {
-    [native code]
-}" did not throw
+PASS It should not be possible to open same origin-domain (but not same origin) documents.
+PASS It should not be possible to implicitly open same origin-domain (but not same origin) documents.
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-10-24  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        document.open() and friends use incorrect document as a source for reseted document's URL
+        https://bugs.webkit.org/show_bug.cgi?id=230131
+
+        Reviewed by Chris Dumez.
+
+        With this patch, Document's open() / write() / writeln() methods receive entry global
+        object's document [1] as an argument, which is used to perform same-origin security check
+        and to set the URL of reseted document from. Aligns WebKit with Blink and Gecko.
+
+        Instead of maintaining consistency with FirstWindow, EntryDocument is named to match
+        the spec and because it's not always the "first" (topmost) document, but rather a document
+        of closest <script> or inline event handler.
+
+        ResponsibleDocument is removed because it's now unused and, in terms of implementation,
+        a poor man's IncumbentWindow. Also, the spec describes different concept by that name [2].
+
+        [1] https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream:entry-global-object
+        [2] https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document
+
+        Tests: http/tests/security/aboutBlank/security-context-grandchildren-lexical.html
+               http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html
+               http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html
+               imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::responsibleDocument): Deleted.
+        * bindings/js/JSDOMWindowBase.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateCallWith):
+        * bindings/scripts/IDLAttributes.json:
+        * dom/Document+HTML.idl:
+        * dom/Document.cpp:
+        (WebCore::Document::open):
+        (WebCore::Document::write):
+        (WebCore::Document::writeln):
+        * dom/Document.h:
+
 2021-10-24  Rob Buis  <rbuis@igalia.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -338 +338 @@
 }
 
-Document* responsibleDocument(VM& vm, CallFrame& callFrame)
-{
-    CallerFunctor functor;
-    callFrame.iterate(vm, functor);
-    auto* callerFrame = functor.callerFrame();
-    if (!callerFrame)
-        return nullptr;
-    return asJSDOMWindow(callerFrame->lexicalGlobalObject(vm))->wrapped().document();
-}
-
 void JSDOMWindowBase::fireFrameClearedWatchpointsForWindow(DOMWindow* window)
 {

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h

@@ -132 +132 @@
 DOMWindow& legacyActiveDOMWindowForAccessor(JSC::JSGlobalObject&);
 
-// FIXME: This should probably be removed in favor of one of the other DOMWindow accessors. It is intended
-//        to provide the document specfied as the 'responsible document' in the algorithm for document.open()
-//        (https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps steps 4
-//        and 23 and https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document). It is only
-//        used by JSDocument.
-Document* responsibleDocument(JSC::VM&, JSC::CallFrame&);
-
 } // namespace WebCore

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -5966 +5966 @@
         push(@callWithArgs, "*incumbentDocument");
     }
-    if ($codeGenerator->ExtendedAttributeContains($callWith, "ResponsibleDocument")) {
+    if ($codeGenerator->ExtendedAttributeContains($callWith, "EntryDocument")) {
         AddToImplIncludes("DOMWindow.h");
         AddToImplIncludes("JSDOMWindowBase.h");
-        push(@callWithArgs, "responsibleDocument(${globalObject}->vm(), $callFrameReference)");
+        push(@callWithArgs, "firstDOMWindow(*$globalObject).document()");
     }
     if ($codeGenerator->ExtendedAttributeContains($callWith, "ActiveWindow")) {

trunk/Source/WebCore/bindings/scripts/IDLAttributes.json

@@ -52 +52 @@
         "CallWith": {
             "contextsAllowed": ["attribute", "operation"],
-            "values": ["Document", "ExecState", "ScriptExecutionContext", "GlobalObject", "ActiveWindow", "FirstWindow", "ResponsibleDocument", "World", "PropertyName"],
+            "values": ["Document", "ExecState", "ScriptExecutionContext", "GlobalObject", "ActiveWindow", "FirstWindow", "EntryDocument", "World", "PropertyName"],
             "supportsConjunction": true
         },

trunk/Source/WebCore/dom/Document+HTML.idl

@@ -59 +59 @@
     // that the caller document matches those semantics. It is possible we should replace it with
     // the existing 'incumbent document' concept.
-    [CEReactions, CallWith=ResponsibleDocument, ImplementedAs=openForBindings] Document open(optional DOMString unused1, optional DOMString unused2); // both arguments are ignored.
+    [CEReactions, CallWith=EntryDocument, ImplementedAs=openForBindings] Document open(optional DOMString unused1, optional DOMString unused2); // both arguments are ignored.
     [CallWith=ActiveWindow&FirstWindow, ImplementedAs=openForBindings] WindowProxy open(USVString url, DOMString name, DOMString features);
     [CEReactions, ImplementedAs=closeForBindings] undefined close();
-    [CEReactions, CallWith=ResponsibleDocument] undefined write(DOMString... text);
-    [CEReactions, CallWith=ResponsibleDocument] undefined writeln(DOMString... text);
+    [CEReactions, CallWith=EntryDocument] undefined write(DOMString... text);
+    [CEReactions, CallWith=EntryDocument] undefined writeln(DOMString... text);
 
     // user interaction

trunk/Source/WebCore/dom/Document.cpp

@@ -2918 +2918 @@
 }
 
-ExceptionOr<Document&> Document::openForBindings(Document* responsibleDocument, const String&, const String&)
+ExceptionOr<Document&> Document::openForBindings(Document* entryDocument, const String&, const String&)
 {
     if (!isHTMLDocument() || m_throwOnDynamicMarkupInsertionCount)
         return Exception { InvalidStateError };
 
-    auto result = open(responsibleDocument);
+    auto result = open(entryDocument);
     if (UNLIKELY(result.hasException()))
         return result.releaseException();
@@ -2930 +2930 @@
 }
 
-ExceptionOr<void> Document::open(Document* responsibleDocument)
-{
-    if (responsibleDocument && !responsibleDocument->securityOrigin().isSameOriginAs(securityOrigin()))
+ExceptionOr<void> Document::open(Document* entryDocument)
+{
+    if (entryDocument && !entryDocument->securityOrigin().isSameOriginAs(securityOrigin()))
         return Exception { SecurityError };
 
@@ -2961 +2961 @@
     removeAllEventListeners();
 
-    if (responsibleDocument && isFullyActive()) {
-        auto newURL = responsibleDocument->url();
-        if (responsibleDocument != this)
+    if (entryDocument && isFullyActive()) {
+        auto newURL = entryDocument->url();
+        if (entryDocument != this)
             newURL.removeFragmentIdentifier();
         setURL(newURL);
-        auto newCookieURL = responsibleDocument->cookieURL();
-        if (responsibleDocument != this)
+        auto newCookieURL = entryDocument->cookieURL();
+        if (entryDocument != this)
             newCookieURL.removeFragmentIdentifier();
         setCookieURL(newCookieURL);
-        setSecurityOriginPolicy(responsibleDocument->securityOriginPolicy());
+        setSecurityOriginPolicy(entryDocument->securityOriginPolicy());
     }
 
@@ -3309 +3309 @@
 }
 
-ExceptionOr<void> Document::write(Document* responsibleDocument, SegmentedString&& text)
+ExceptionOr<void> Document::write(Document* entryDocument, SegmentedString&& text)
 {
     if (m_activeParserWasAborted)
@@ -3327 +3327 @@
 
     if (!hasInsertionPoint) {
-        auto result = open(responsibleDocument);
+        auto result = open(entryDocument);
         if (UNLIKELY(result.hasException()))
             return result.releaseException();
@@ -3337 +3337 @@
 }
 
-ExceptionOr<void> Document::write(Document* responsibleDocument, Vector<String>&& strings)
+ExceptionOr<void> Document::write(Document* entryDocument, Vector<String>&& strings)
 {
     if (!isHTMLDocument() || m_throwOnDynamicMarkupInsertionCount)
@@ -3346 +3346 @@
         text.append(WTFMove(string));
 
-    return write(responsibleDocument, WTFMove(text));
-}
-
-ExceptionOr<void> Document::writeln(Document* responsibleDocument, Vector<String>&& strings)
+    return write(entryDocument, WTFMove(text));
+}
+
+ExceptionOr<void> Document::writeln(Document* entryDocument, Vector<String>&& strings)
 {
     if (!isHTMLDocument() || m_throwOnDynamicMarkupInsertionCount)
@@ -3359 +3359 @@
 
     text.append("\n"_s);
-    return write(responsibleDocument, WTFMove(text));
+    return write(entryDocument, WTFMove(text));
 }
 

trunk/Source/WebCore/dom/Document.h

@@ -669 +669 @@
 
     WEBCORE_EXPORT ExceptionOr<RefPtr<WindowProxy>> openForBindings(DOMWindow& activeWindow, DOMWindow& firstDOMWindow, const String& url, const AtomString& name, const String& features);
-    WEBCORE_EXPORT ExceptionOr<Document&> openForBindings(Document* responsibleDocument, const String&, const String&);
+    WEBCORE_EXPORT ExceptionOr<Document&> openForBindings(Document* entryDocument, const String&, const String&);
 
     // FIXME: We should rename this at some point and give back the name 'open' to the HTML specified ones.
-    WEBCORE_EXPORT ExceptionOr<void> open(Document* responsibleDocument = nullptr);
+    WEBCORE_EXPORT ExceptionOr<void> open(Document* entryDocument = nullptr);
     void implicitOpen();
 
@@ -688 +688 @@
     void cancelParsing();
 
-    ExceptionOr<void> write(Document* responsibleDocument, SegmentedString&&);
-    WEBCORE_EXPORT ExceptionOr<void> write(Document* responsibleDocument, Vector<String>&&);
-    WEBCORE_EXPORT ExceptionOr<void> writeln(Document* responsibleDocument, Vector<String>&&);
+    ExceptionOr<void> write(Document* entryDocument, SegmentedString&&);
+    WEBCORE_EXPORT ExceptionOr<void> write(Document* entryDocument, Vector<String>&&);
+    WEBCORE_EXPORT ExceptionOr<void> writeln(Document* entryDocument, Vector<String>&&);
 
     bool wellFormed() const { return m_wellFormed; }