Changeset 183781 in webkit
- Timestamp:
- May 4, 2015 4:58:32 PM (9 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 6 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r183777 r183781 1 2015-05-04 Chris Dumez <cdumez@apple.com> 2 3 Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185 4 https://bugs.webkit.org/show_bug.cgi?id=144597 5 <rdar://problem/20361579> 6 7 Reviewed by Andreas Kling. 8 9 Add a layout test to cover the case where window.open() is called on a 10 window that is different than the activeDOMWindow and where the 11 activeDOMWindow does not have a frame. 12 13 * fast/dom/Window/resources/test-frame.html: Added. 14 * fast/dom/Window/window-open-activeWindow-null-frame-expected.txt: Added. 15 * fast/dom/Window/window-open-activeWindow-null-frame.html: Added. 16 1 17 2015-05-04 Simon Fraser <simon.fraser@apple.com> 2 18 -
trunk/Source/WebCore/ChangeLog
r183778 r183781 1 2015-05-04 Chris Dumez <cdumez@apple.com> 2 3 Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185 4 https://bugs.webkit.org/show_bug.cgi?id=144597 5 <rdar://problem/20361579> 6 7 Reviewed by Andreas Kling. 8 9 Test: fast/dom/Window/window-open-activeWindow-null-frame.html 10 11 In our implementation of window.open(), we make sure that the window 12 which window.open() is called has a frame. However, we did not have the 13 same check for the activeDOMWindow (i.e. the lexicalGlobalObject) causing 14 us to crash in WebCore::createWindow() when dereferencing it. 15 16 This patch updates WebCore::createWindow() takes a reference to the 17 openerFrame instead of a pointer to make it clear the implementation 18 expects it to be non-null. A null check is then added for the frame 19 at the call site: DOMWindow::createWindow(). 20 21 * inspector/InspectorFrontendClientLocal.cpp: 22 (WebCore::InspectorFrontendClientLocal::openInNewTab): 23 * loader/FrameLoader.cpp: 24 (WebCore::isDocumentSandboxed): 25 (WebCore::FrameLoader::submitForm): 26 (WebCore::createWindow): 27 Take a reference to openerFrame instead of a pointer as the 28 implementation expects it to be non-null. 29 30 * loader/FrameLoader.h: 31 * page/DOMWindow.cpp: 32 (WebCore::DOMWindow::createWindow): 33 Add null check for activeFrame before passing it to 34 WebCore::createWindow(). 35 1 36 2015-05-04 Dean Jackson <dino@apple.com> 2 37 -
trunk/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp
r183498 r183781 215 215 bool created; 216 216 WindowFeatures windowFeatures; 217 RefPtr<Frame> frame = WebCore::createWindow( &mainFrame, &mainFrame, request, windowFeatures, created);217 RefPtr<Frame> frame = WebCore::createWindow(mainFrame, &mainFrame, request, windowFeatures, created); 218 218 if (!frame) 219 219 return; -
trunk/Source/WebCore/loader/FrameLoader.cpp
r183698 r183781 170 170 // API simpler. 171 171 // 172 static bool isDocumentSandboxed(Frame *frame, SandboxFlags mask)173 { 174 return frame ->document() && frame->document()->isSandboxed(mask);172 static bool isDocumentSandboxed(Frame& frame, SandboxFlags mask) 173 { 174 return frame.document() && frame.document()->isSandboxed(mask); 175 175 } 176 176 … … 356 356 return; 357 357 358 if (isDocumentSandboxed( &m_frame, SandboxForms)) {358 if (isDocumentSandboxed(m_frame, SandboxForms)) { 359 359 // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists. 360 360 m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked form submission to '" + submission->action().stringCenterEllipsizedToLength() + "' because the form's frame is sandboxed and the 'allow-forms' permission is not set."); … … 3414 3414 } 3415 3415 3416 PassRefPtr<Frame> createWindow(Frame *openerFrame, Frame* lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)3416 PassRefPtr<Frame> createWindow(Frame& openerFrame, Frame* lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created) 3417 3417 { 3418 3418 ASSERT(!features.dialog || request.frameName().isEmpty()); … … 3421 3421 3422 3422 if (!request.frameName().isEmpty() && request.frameName() != "_blank") { 3423 if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame ->document())) {3423 if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame.document())) { 3424 3424 if (request.frameName() != "_self") { 3425 3425 if (Page* page = frame->page()) … … 3433 3433 if (isDocumentSandboxed(openerFrame, SandboxPopups)) { 3434 3434 // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists. 3435 openerFrame ->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked opening '" + request.resourceRequest().url().stringCenterEllipsizedToLength() + "' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.");3435 openerFrame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked opening '" + request.resourceRequest().url().stringCenterEllipsizedToLength() + "' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set."); 3436 3436 return nullptr; 3437 3437 } … … 3439 3439 // FIXME: Setting the referrer should be the caller's responsibility. 3440 3440 FrameLoadRequest requestWithReferrer = request; 3441 String referrer = SecurityPolicy::generateReferrerHeader(openerFrame ->document()->referrerPolicy(), request.resourceRequest().url(), openerFrame->loader().outgoingReferrer());3441 String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()->referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer()); 3442 3442 if (!referrer.isEmpty()) 3443 3443 requestWithReferrer.resourceRequest().setHTTPReferrer(referrer); 3444 FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame ->loader().outgoingOrigin());3445 3446 Page* oldPage = openerFrame ->page();3444 FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame.loader().outgoingOrigin()); 3445 3446 Page* oldPage = openerFrame.page(); 3447 3447 if (!oldPage) 3448 3448 return nullptr; 3449 3449 3450 Page* page = oldPage->chrome().createWindow( openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest()));3450 Page* page = oldPage->chrome().createWindow(&openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest())); 3451 3451 if (!page) 3452 3452 return nullptr; … … 3454 3454 RefPtr<Frame> frame = &page->mainFrame(); 3455 3455 3456 frame->loader().forceSandboxFlags(openerFrame ->document()->sandboxFlags());3456 frame->loader().forceSandboxFlags(openerFrame.document()->sandboxFlags()); 3457 3457 3458 3458 if (request.frameName() != "_blank") -
trunk/Source/WebCore/loader/FrameLoader.h
r183698 r183781 459 459 // FIXME: Consider making this function part of an appropriate class (not FrameLoader) 460 460 // and moving it to a more appropriate location. 461 PassRefPtr<Frame> createWindow(Frame *openerFrame, Frame* lookupFrame, const FrameLoadRequest&, const WindowFeatures&, bool& created);461 PassRefPtr<Frame> createWindow(Frame& openerFrame, Frame* lookupFrame, const FrameLoadRequest&, const WindowFeatures&, bool& created); 462 462 463 463 } // namespace WebCore -
trunk/Source/WebCore/page/DOMWindow.cpp
r183498 r183781 2076 2076 { 2077 2077 Frame* activeFrame = activeWindow.frame(); 2078 if (!activeFrame) 2079 return nullptr; 2078 2080 2079 2081 URL completedURL = urlString.isEmpty() ? URL(ParsedURLString, emptyString()) : firstFrame->document()->completeURL(urlString); … … 2081 2083 // Don't expose client code to invalid URLs. 2082 2084 activeWindow.printErrorMessage("Unable to open a window with invalid URL '" + completedURL.string() + "'.\n"); 2083 return 0;2085 return nullptr; 2084 2086 } 2085 2087 … … 2094 2096 // the opener frame, and the name references a frame relative to the opener frame. 2095 2097 bool created; 2096 RefPtr<Frame> newFrame = WebCore::createWindow( activeFrame, openerFrame, frameRequest, windowFeatures, created);2098 RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created); 2097 2099 if (!newFrame) 2098 return 0;2100 return nullptr; 2099 2101 2100 2102 newFrame->loader().setOpener(openerFrame); … … 2118 2120 // Navigating the new frame could result in it being detached from its page by a navigation policy delegate. 2119 2121 if (!newFrame->page()) 2120 return 0;2122 return nullptr; 2121 2123 2122 2124 return newFrame.release();
Note: See TracChangeset
for help on using the changeset viewer.