Changeset 190752 in webkit

Timestamp:

Oct 8, 2015 3:43:17 PM (9 years ago)

Author:

akling@apple.com

Message:

Generated frame tree names should be kept reasonably long.
<​https://webkit.org/b/149874>

Reviewed by Darin Adler.

Source/WebCore:

Some clumsy advertising script is going around assigning JavaScript source code
to the "name" attribute of iframes. This is causing WebKit to generate way too huge
names for anonymous descendants of such iframes.

Previously, the generated name of an anonymous subframe would be its slash-separated
path from the root frame, with the "name" attribute of each ancestor between the
slashes, or "<!--frame${index in parent}-->" for anonymous ancestors.

These ad scripts are often over 100kB in size, with multiple subframes, so we'd end
up with frame names looking like this:

"<!--framePath <MONSTER BLOB OF JAVASCRIPT FROM HELL>/<!--frame0--><!--frame0-->-->"

While this is worth fixing for the memory usage alone, we've been making it way
worse by also using these paths when recording the back/forward history parts of
WebKit session state.

This patch makes generated paths always use index-in-parent as the "directory name"
for ancestors of anonymous subframes. The above example path will now instead be:

"<!--framePath <!--frame0-->/<!--frame0-->/<!--frame0-->-->"

Test: fast/frames/long-names-in-nested-subframes.html

• page/FrameTree.cpp:

(WebCore::FrameTree::indexInParent):
(WebCore::FrameTree::uniqueChildName):

• page/FrameTree.h:

LayoutTests:

Added a test to document our name generation behavior for subframes with long-named ancestors.
Also rebaselined some tests that exposed the old behavior.

• fast/forms/form-and-frame-interaction-retains-values-expected.txt:
• fast/frames/long-names-in-nested-subframes-expected.txt: Added.
• fast/frames/long-names-in-nested-subframes.html: Added.
• http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt:
• http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
• http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
• http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level-expected.txt:
• http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url-expected.txt:
• http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/forms/form-and-frame-interaction-retains-values-expected.txt (modified) (1 diff)
• LayoutTests/fast/frames/long-names-in-nested-subframes-expected.txt (added)
• LayoutTests/fast/frames/long-names-in-nested-subframes.html (added)
• LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-sub-frame-2-level-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/FrameTree.cpp (modified) (3 diffs)
• Source/WebCore/page/FrameTree.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-10-08  Andreas Kling  <akling@apple.com>
+
+        Generated frame tree names should be kept reasonably long.
+        <https://webkit.org/b/149874>
+
+        Reviewed by Darin Adler.
+
+        Added a test to document our name generation behavior for subframes with long-named ancestors.
+        Also rebaselined some tests that exposed the old behavior.
+
+        * fast/forms/form-and-frame-interaction-retains-values-expected.txt:
+        * fast/frames/long-names-in-nested-subframes-expected.txt: Added.
+        * fast/frames/long-names-in-nested-subframes.html: Added.
+        * http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
+        * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level-expected.txt:
+        * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url-expected.txt:
+        * http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url-expected.txt:
+
 2015-10-08  Saam barati  <sbarati@apple.com>
 

trunk/LayoutTests/fast/forms/form-and-frame-interaction-retains-values-expected.txt

@@ -14 +14 @@
 
 --------
-Frame: '<!--framePath //submitted/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 

trunk/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt

@@ -1 @@
-frame "<!--framePath //target/<!--frame0-->-->" - has 1 onunload handler(s)
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - has 1 onunload handler(s)
 This test triggers an unload handler that starts an image load in a different frame (and deletes both frames), but ensures the main frame is not destroyed. We pass if we don't crash.

trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt

@@ -14 +14 @@
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 Inner-inner iframe.

trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt

@@ -15 +15 @@
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 PASS: Cross frame access to a data: URL 2 levels deep was denied.

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level-expected.txt

@@ -11 +11 @@
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 Inner-inner iframe.

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url-expected.txt

@@ -10 +10 @@
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 PASS: Cross frame access from a javascript: URL was allowed!

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url-expected.txt

@@ -12 +12 @@
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 Inner-inner iframe.

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-sub-frame-2-level-expected.txt

@@ -12 +12 @@
 
 --------
-Frame: '<!--framePath //aFrame/<!--frame0-->-->'
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
 --------
 PASS: Cross frame access to a javascript: URL 2 levels deep was allowed!

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-10-08  Andreas Kling  <akling@apple.com>
+
+        Generated frame tree names should be kept reasonably long.
+        <https://webkit.org/b/149874>
+
+        Reviewed by Darin Adler.
+
+        Some clumsy advertising script is going around assigning JavaScript source code
+        to the "name" attribute of iframes. This is causing WebKit to generate way too huge
+        names for anonymous descendants of such iframes.
+
+        Previously, the generated name of an anonymous subframe would be its slash-separated
+        path from the root frame, with the "name" attribute of each ancestor between the
+        slashes, or "<!--frame${index in parent}-->" for anonymous ancestors.
+
+        These ad scripts are often over 100kB in size, with multiple subframes, so we'd end
+        up with frame names looking like this:
+
+        "<!--framePath //<MONSTER BLOB OF JAVASCRIPT FROM HELL>/<!--frame0--><!--frame0-->-->"
+
+        While this is worth fixing for the memory usage alone, we've been making it way
+        worse by also using these paths when recording the back/forward history parts of
+        WebKit session state.
+
+        This patch makes generated paths always use index-in-parent as the "directory name"
+        for ancestors of anonymous subframes. The above example path will now instead be:
+
+        "<!--framePath //<!--frame0-->/<!--frame0-->/<!--frame0-->-->"
+
+        Test: fast/frames/long-names-in-nested-subframes.html
+
+        * page/FrameTree.cpp:
+        (WebCore::FrameTree::indexInParent):
+        (WebCore::FrameTree::uniqueChildName):
+        * page/FrameTree.h:
+
 2015-10-08  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/page/FrameTree.cpp

@@ -83 +83 @@
 }
 
+unsigned FrameTree::indexInParent() const
+{
+    if (!m_parent)
+        return 0;
+    unsigned index = 0;
+    for (Frame* frame = m_parent->tree().firstChild(); frame; frame = frame->tree().nextSibling()) {
+        if (&frame->tree() == this)
+            return index;
+        ++index;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
 void FrameTree::appendChild(PassRefPtr<Frame> child)
 {
@@ -129 +142 @@
 AtomicString FrameTree::uniqueChildName(const AtomicString& requestedName) const
 {
+    // If the requested name (the frame's "name" attribute) is unique, just use that.
     if (!requestedName.isEmpty() && !child(requestedName) && requestedName != "_blank")
         return requestedName;
 
-    // Create a repeatable name for a child about to be added to us. The name must be
-    // unique within the frame tree. The string we generate includes a "path" of names
-    // from the root frame down to us. For this path to be unique, each set of siblings must
-    // contribute a unique name to the path, which can't collide with any HTML-assigned names.
-    // We generate this path component by index in the child list along with an unlikely
-    // frame name that can't be set in HTML because it collides with comment syntax.
+    // The "name" attribute was not unique or absent. Generate a name based on the
+    // new frame's location in the frame tree. The name uses HTML comment syntax to
+    // avoid collisions with author names.
+
+    // An example path for the third child of the second child of the root frame:
+    // <!--framePath //<!--frame1-->/<!--frame2-->-->
 
     const char framePathPrefix[] = "<!--framePath ";
@@ -160 +174 @@
         frame = chain[i];
         name.append('/');
-        name.append(frame->tree().uniqueName());
+        if (frame->tree().parent()) {
+            name.appendLiteral("<!--frame");
+            name.appendNumber(frame->tree().indexInParent());
+            name.appendLiteral("-->");
+        }
     }
 

trunk/Source/WebCore/page/FrameTree.h

@@ -85 +85 @@
         unsigned scopedChildCount() const;
 
+        unsigned indexInParent() const;
+
     private:
         Frame* deepLastChild() const;