Changeset 209628 in webkit
- Timestamp: Dec 9, 2016 2:06:29 PM
- Location: trunk
- Files: 12 added, 16 edited
trunk/LayoutTests/ChangeLog
r209620 r209628 1 2016-12-09 Ryosuke Niwa <rniwa@webkit.org> 2 3 document.webkitFullscreenElement leaks elements inside a shadow tree 4 https://bugs.webkit.org/show_bug.cgi?id=158471 5 6 Reviewed by Chris Dumez. 7 8 Added tests for calling webkitFullscreenElement and webkitCurrentFullScreenElement on a fullscreened element 9 to make sure they return the shadow host instead. 10 11 Also added two unrelated test cases for temporal regressions I introduced while working on this patch. 12 13 Skip the fullscreen tests on iOS WK2 since eventSender doesn't work there. 14 15 * fast/shadow-dom/activeElement-for-focused-element-in-another-shadow-expected.txt: Added. 16 * fast/shadow-dom/activeElement-for-focused-element-in-another-shadow.html: Added. 17 * fast/shadow-dom/blur-on-shadow-host-with-focused-shadow-content-expected.txt: Added. 18 * fast/shadow-dom/blur-on-shadow-host-with-focused-shadow-content.html: Added. 19 * fast/shadow-dom/fullscreen-in-shadow-fullscreenElement-expected.txt: Added. 20 * fast/shadow-dom/fullscreen-in-shadow-fullscreenElement.html: Added. 21 * fast/shadow-dom/fullscreen-in-shadow-webkitCurrentFullScreenElement-expected.txt: Added. 22 * fast/shadow-dom/fullscreen-in-shadow-webkitCurrentFullScreenElement.html: Added. 23 * fast/shadow-dom/fullscreen-in-slot-fullscreenElement-expected.txt: Added. 24 * fast/shadow-dom/fullscreen-in-slot-fullscreenElement.html: Added. 25 * fast/shadow-dom/fullscreen-in-slot-webkitCurrentFullScreenElement-expected.txt: Added. 26 * fast/shadow-dom/fullscreen-in-slot-webkitCurrentFullScreenElement.html: Added. 27 * platform/ios-simulator-wk2/TestExpectations: 28 1 29 2016-12-09 Chris Dumez <cdumez@apple.com> 2 30 -
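Review bot: the two activeElement/blur tests (activeElement-for-focused-element-in-another-shadow, blur-on-shadow-host-with-focused-shadow-content) pin down regressions that the entry itself calls unrelated to the fullscreen bug, so they would be easier to bisect as their own changeset; if they stay here, this ChangeLog should say what each one asserts, because the WebCore ChangeLog only lists the functions touched (Document::activeElement, Element::blur) without describing the expected behaviour. The iOS WK2 skip is justified by the eventSender limitation, but the entry should also note that the four fullscreen tests therefore run only on macOS, so that platform is the sole coverage for this fix.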
trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations
r209448 r209628 1779 1779 fast/dom/Window/post-message-user-action.html [ Skip ] 1780 1780 fast/shadow-dom/click-text-inside-linked-slot.html [ Skip ] 1781 fast/shadow-dom/fullscreen-in-shadow-fullscreenElement.html 1782 fast/shadow-dom/fullscreen-in-shadow-webkitCurrentFullScreenElement.html 1783 fast/shadow-dom/fullscreen-in-slot-fullscreenElement.html 1784 fast/shadow-dom/fullscreen-in-slot-webkitCurrentFullScreenElement.html 1781 1785 1782 1786 # No touch events -
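Review bot: the four added lines (1781-1784) carry no expectation token, whereas the neighbouring entries such as `fast/shadow-dom/click-text-inside-linked-slot.html [ Skip ]` do; as shown they would not skip anything on ios-simulator-wk2, which is the stated intent of the LayoutTests ChangeLog. If the `[ Skip ]` suffix was lost when the diff was rendered this is fine, otherwise each line needs `[ Skip ]` appended and ideally a one-line comment above the group explaining that eventSender is unavailable there.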
trunk/Source/WebCore/ChangeLog
r209627 r209628 1 2016-12-09 Ryosuke Niwa <rniwa@webkit.org> 2 3 document.webkitFullscreenElement leaks elements inside a shadow tree 4 https://bugs.webkit.org/show_bug.cgi?id=158471 5 6 Reviewed by Chris Dumez. 7 8 Fixed the bug by calling the newly added ancestorElementInThisScope in webkitCurrentFullScreenElementForBindings 9 and webkitFullscreenElementForBinding. 10 11 The specification (https://fullscreen.spec.whatwg.org/#dom-document-fullscreenelement) uses "the result of 12 retargeting fullscreen element" and returns null if the result is not in the same tree as the context object. 13 14 This is equivalent to the algorithm implemented by ancestorElementInThisScope. Observe that the retargeting 15 algorithm (https://dom.spec.whatwg.org/#retarget) finds the lowest common tree scope of the retargetee and 16 the context object. There are two cases to consider. 17 18 1. The context object's tree scope is the lowest common tree scope: In this case, an ancestor shadow host or 19 the retargetee itself is in this tree scope. It's sufficient traverse every shadow host to find the one that 20 resides in the same tree scope as the context object. This is precisely what ancestorElementInThisScope does. 21 22 2. The context object's tree scope is not the lowest common tree scope: In this case, the context object is 23 inside a shadow tree whose ancestor shadow host is in the lowest common tree scope. In this case, retargeting 24 algorithm finds a node which is not in the same tree as the context object. Thus, the result is null. 25 ancestorElementInThisScope traveres ancestor shadow hosts and returns null if no shadow host's tree scope 26 matches that of the context object's tree scope. Thus, it would return null in this case as desired. 
27 28 Also renamed TreeScope::focusedElement to focusedElementInScope for clarity since Document which inherits 29 from TreeScope also has a distinct member function named focusedElement called by TreeScope::focusedElement, 30 and used ancestorElementInThisScope since it uses the same algorithm. 31 32 Tests: fast/shadow-dom/activeElement-for-focused-element-in-another-shadow.html 33 fast/shadow-dom/blur-on-shadow-host-with-focused-shadow-content.html 34 fast/shadow-dom/fullscreen-in-shadow-fullscreenElement.html 35 fast/shadow-dom/fullscreen-in-shadow-webkitCurrentFullScreenElement.html 36 fast/shadow-dom/fullscreen-in-slot-fullscreenElement.html 37 fast/shadow-dom/fullscreen-in-slot-webkitCurrentFullScreenElement.html 38 39 * dom/Document.cpp: 40 (WebCore::Document::removeFocusedNodeOfSubtree): 41 (WebCore::Document::activeElement): 42 * dom/Document.h: 43 (WebCore::Document::webkitCurrentFullScreenElementForBindings): Added. 44 (WebCore::Document::webkitFullscreenElementForBindings): Added. 45 * dom/Document.idl: 46 * dom/Element.cpp: 47 (WebCore::Element::blur): 48 * dom/ShadowRoot.h: 49 (WebCore::ShadowRoot::activeElement): 50 * dom/TreeScope.cpp: 51 (WebCore::TreeScope::ancestorNodeInThisScope): Renamed from ancestorInThisScope for clarity. 52 (WebCore::TreeScope::ancestorElementInThisScope): 53 (WebCore::TreeScope::focusedElementInScope): Renamed from focusedElement to disambiguate it from Document's 54 focusedElement. 
55 * dom/TreeScope.h: 56 * editing/VisibleSelection.cpp: 57 (WebCore::adjustPositionForEnd): 58 (WebCore::adjustPositionForStart): 59 * editing/htmlediting.cpp: 60 (WebCore::comparePositions): 61 (WebCore::firstEditablePositionAfterPositionInRoot): 62 (WebCore::lastEditablePositionBeforePositionInRoot): 63 * page/DOMSelection.cpp: 64 (WebCore::selectionShadowAncestor): 65 (WebCore::DOMSelection::shadowAdjustedNode): 66 (WebCore::DOMSelection::shadowAdjustedOffset): 67 * rendering/HitTestResult.cpp: 68 (WebCore::HitTestResult::addNodeToRectBasedTestResult): Added a FIXME here since this is clearly wrong for 69 shadow trees created by author scripts. 70 1 71 2016-12-09 Geoffrey Garen <ggaren@apple.com> 2 72 -
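Review bot: case 2 of the equivalence argument (context object inside a shadow tree, result null) cannot actually be reached by this patch, because the only context object wired up is Document: ShadowRoot gets no `fullscreenElement` in the IDL change, and for any connected element the shadow-host chain always ends in the document scope. The argument is still correct, but the entry should say that the null branch of ancestorElementInThisScope is exercised only for a fullscreen element that has been disconnected, and that adding `fullscreenElement` on ShadowRoot (where the spec places it) is left for a follow-up. Minor text fixes before landing: "It's sufficient traverse" is missing "to", "traveres" should be "traverses", and "a author shadow tree" should be "an author shadow tree".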
trunk/Source/WebCore/dom/Document.cpp
r209608 r209628 3541 3541 return; 3542 3542 3543 Element* focusedElement = node.treeScope().focusedElement ();3543 Element* focusedElement = node.treeScope().focusedElementInScope(); 3544 3544 if (!focusedElement) 3545 3545 return; … … 6772 6772 Element* Document::activeElement() 6773 6773 { 6774 if (Element* element = treeScope().focusedElement ())6774 if (Element* element = treeScope().focusedElementInScope()) 6775 6775 return element; 6776 6776 return bodyOrFrameset(); -
trunk/Source/WebCore/dom/Document.h
r209403 r209628 1089 1089 bool webkitFullScreenKeyboardInputAllowed() const { return m_fullScreenElement.get() && m_areKeysEnabledInFullScreen; } 1090 1090 Element* webkitCurrentFullScreenElement() const { return m_fullScreenElement.get(); } 1091 1091 Element* webkitCurrentFullScreenElementForBindings() const { return ancestorElementInThisScope(webkitCurrentFullScreenElement()); } 1092 1092 1093 enum FullScreenCheckType { 1093 1094 EnforceIFrameAllowFullScreenRequirement, … … 1116 1117 WEBCORE_EXPORT bool webkitFullscreenEnabled() const; 1117 1118 Element* webkitFullscreenElement() const { return !m_fullScreenElementStack.isEmpty() ? m_fullScreenElementStack.last().get() : nullptr; } 1119 Element* webkitFullscreenElementForBindings() const { return ancestorElementInThisScope(webkitFullscreenElement()); } 1118 1120 WEBCORE_EXPORT void webkitExitFullscreen(); 1119 1121 #endif -
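Review bot: webkitCurrentFullScreenElement() and webkitFullscreenElement() stay public next to their ForBindings twins with nothing distinguishing them, so the next platform binding written against Document.h can reintroduce the leak by picking the shorter name; a one-line comment on the raw accessors ("internal use; bindings must call the *ForBindings variant, which retargets out of shadow trees") would make that harder to get wrong. Both new accessors rely on ancestorElementInThisScope() accepting a null argument when nothing is fullscreen, which it does (its loop is `for (; element; ...)`), but that contract is worth stating in TreeScope.h as well.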
trunk/Source/WebCore/dom/Document.idl
r209514 r209628 144 144 readonly attribute boolean webkitIsFullScreen; 145 145 readonly attribute boolean webkitFullScreenKeyboardInputAllowed; 146 readonly attribute Element webkitCurrentFullScreenElement;146 [ImplementedAs=webkitCurrentFullScreenElementForBindings] readonly attribute Element webkitCurrentFullScreenElement; 147 147 void webkitCancelFullScreen(); 148 148 149 149 // W3C version 150 150 readonly attribute boolean webkitFullscreenEnabled; 151 readonly attribute Element? webkitFullscreenElement;151 [ImplementedAs=webkitFullscreenElementForBindings] readonly attribute Element? webkitFullscreenElement; 152 152 void webkitExitFullscreen(); 153 153 #endif -
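Review bot: the prefixed attribute is still declared non-nullable (`readonly attribute Element webkitCurrentFullScreenElement`) while its new implementation, ancestorElementInThisScope(webkitCurrentFullScreenElement()), returns null whenever nothing is fullscreen or the element cannot be retargeted into the document scope; the W3C-style attribute on line 151 is already `Element?`. Making line 146 `Element?` as well keeps the IDL honest about the null that the bindings can now hand back.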
trunk/Source/WebCore/dom/Element.cpp
r209446 r209628 2439 2439 { 2440 2440 cancelFocusAppearanceUpdate(); 2441 if (treeScope().focusedElement () == this) {2441 if (treeScope().focusedElementInScope() == this) { 2442 2442 if (Frame* frame = document().frame()) 2443 2443 frame->page()->focusController().setFocusedElement(0, frame); -
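Review bot: this is a behaviour change rather than a pure rename and deserves a sentence in the ChangeLog: with focusedElementInScope() now implemented via ancestorElementInThisScope(), calling blur() on a shadow host whose shadow content holds focus matches (`== this`) and clears focus through the FocusController, which is what the added blur-on-shadow-host-with-focused-shadow-content test expects. The unchanged `frame->page()->focusController()` dereference on the next line still assumes a frame that has a page; not introduced here, but worth a null check while the function is being touched.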
trunk/Source/WebCore/dom/ShadowRoot.h
r208967 r209628 111 111 inline Element* ShadowRoot::activeElement() const 112 112 { 113 return treeScope().focusedElement ();113 return treeScope().focusedElementInScope(); 114 114 } 115 115 -
trunk/Source/WebCore/dom/TreeScope.cpp
r208828 r209628 196 196 } 197 197 198 Node* TreeScope::ancestor InThisScope(Node* node) const198 Node* TreeScope::ancestorNodeInThisScope(Node* node) const 199 199 { 200 200 for (; node; node = node->shadowHost()) { … … 202 202 return node; 203 203 if (!node->isInShadowTree()) 204 return nullptr; 205 } 206 return nullptr; 207 } 208 209 Element* TreeScope::ancestorElementInThisScope(Element* element) const 210 { 211 for (; element; element = element->shadowHost()) { 212 if (&element->treeScope() == this) 213 return element; 214 if (!element->isInShadowTree()) 204 215 return nullptr; 205 216 } … … 365 376 } 366 377 367 Element* TreeScope::focusedElement ()378 Element* TreeScope::focusedElementInScope() 368 379 { 369 380 Document& document = m_rootNode.document(); … … 372 383 if (!element && document.page()) 373 384 element = focusedFrameOwnerElement(document.page()->focusController().focusedFrame(), document.frame()); 374 if (!element) 375 return nullptr; 376 TreeScope* treeScope = &element->treeScope(); 377 RELEASE_ASSERT(&document == &treeScope->documentScope()); 378 while (treeScope != this && treeScope != &document) { 379 auto& rootNode = treeScope->rootNode(); 380 if (is<ShadowRoot>(rootNode)) 381 element = downcast<ShadowRoot>(rootNode).host(); 382 else 383 return nullptr; 384 treeScope = &element->treeScope(); 385 } 386 if (this != treeScope) 387 return nullptr; 388 return element; 385 386 return ancestorElementInThisScope(element); 389 387 } 390 388 -
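Review bot: focusedElementInScope() drops the old `RELEASE_ASSERT(&document == &treeScope->documentScope())`, so a focused element belonging to a different document is no longer caught before retargeting; if that invariant is still meant to hold, an ASSERT on `&element->document() == &document` before the `return ancestorElementInThisScope(element)` call would preserve it at no cost. Separately, ancestorNodeInThisScope() and ancestorElementInThisScope() are the same loop (`for (; x; x = x->shadowHost())` with the treeScope and isInShadowTree checks) copied for two types; a small private template over the pointer type, or having the Element version call the Node version and downcast, avoids the two bodies drifting apart.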
trunk/Source/WebCore/dom/TreeScope.h
r208828 r209628 52 52 void setParentTreeScope(TreeScope&); 53 53 54 Element* focusedElement ();54 Element* focusedElementInScope(); 55 55 WEBCORE_EXPORT Element* getElementById(const AtomicString&) const; 56 56 WEBCORE_EXPORT Element* getElementById(const String&) const; … … 73 73 Node& retargetToScope(Node&) const; 74 74 75 Node* ancestorInThisScope(Node*) const; 75 Node* ancestorNodeInThisScope(Node*) const; 76 WEBCORE_EXPORT Element* ancestorElementInThisScope(Element*) const; 76 77 77 78 void addImageMap(HTMLMapElement&); -
trunk/Source/WebCore/editing/VisibleSelection.cpp
r208479 r209628 474 474 ASSERT(¤tPosition.containerNode()->treeScope() != &treeScope); 475 475 476 if (Node* ancestor = treeScope.ancestor InThisScope(currentPosition.containerNode())) {476 if (Node* ancestor = treeScope.ancestorNodeInThisScope(currentPosition.containerNode())) { 477 477 if (ancestor->contains(startContainerNode)) 478 478 return positionAfterNode(ancestor); … … 492 492 ASSERT(¤tPosition.containerNode()->treeScope() != &treeScope); 493 493 494 if (Node* ancestor = treeScope.ancestor InThisScope(currentPosition.containerNode())) {494 if (Node* ancestor = treeScope.ancestorNodeInThisScope(currentPosition.containerNode())) { 495 495 if (ancestor->contains(endContainerNode)) 496 496 return positionBeforeNode(ancestor); -
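Review bot: the two ASSERT context lines show `¤tPosition.containerNode()`; that is `&currentPosition.containerNode()` with the `&curr` prefix rendered as the HTML entity `&curren;` by the changeset viewer, not a change or a defect in the source. The only edits in this file are the ancestorInThisScope to ancestorNodeInThisScope renames, which are mechanical and match the TreeScope.h declaration.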
trunk/Source/WebCore/editing/htmlediting.cpp
r209436 r209628 84 84 return 0; 85 85 86 Node* nodeA = commonScope->ancestor InThisScope(a.containerNode());86 Node* nodeA = commonScope->ancestorNodeInThisScope(a.containerNode()); 87 87 ASSERT(nodeA); 88 88 bool hasDescendentA = nodeA != a.containerNode(); 89 89 int offsetA = hasDescendentA ? 0 : a.computeOffsetInContainerNode(); 90 90 91 Node* nodeB = commonScope->ancestor InThisScope(b.containerNode());91 Node* nodeB = commonScope->ancestorNodeInThisScope(b.containerNode()); 92 92 ASSERT(nodeB); 93 93 bool hasDescendentB = nodeB != b.containerNode(); … … 293 293 294 294 if (&position.deprecatedNode()->treeScope() != &highestRoot->treeScope()) { 295 auto* shadowAncestor = highestRoot->treeScope().ancestor InThisScope(position.deprecatedNode());295 auto* shadowAncestor = highestRoot->treeScope().ancestorNodeInThisScope(position.deprecatedNode()); 296 296 if (!shadowAncestor) 297 297 return { }; … … 321 321 322 322 if (&position.deprecatedNode()->treeScope() != &highestRoot->treeScope()) { 323 auto* shadowAncestor = highestRoot->treeScope().ancestor InThisScope(position.deprecatedNode());323 auto* shadowAncestor = highestRoot->treeScope().ancestorNodeInThisScope(position.deprecatedNode()); 324 324 if (!shadowAncestor) 325 325 return { }; -
trunk/Source/WebCore/page/DOMSelection.cpp
r208479 r209628 50 50 return nullptr; 51 51 // FIXME: Unclear on why this needs to be the possibly null frame.document() instead of the never null node->document(). 52 return frame.document()->ancestor InThisScope(node);52 return frame.document()->ancestorNodeInThisScope(node); 53 53 } 54 54 … … 437 437 438 438 auto* containerNode = position.containerNode(); 439 auto* adjustedNode = m_frame->document()->ancestor InThisScope(containerNode);439 auto* adjustedNode = m_frame->document()->ancestorNodeInThisScope(containerNode); 440 440 if (!adjustedNode) 441 441 return nullptr; … … 453 453 454 454 auto* containerNode = position.containerNode(); 455 auto* adjustedNode = m_frame->document()->ancestor InThisScope(containerNode);455 auto* adjustedNode = m_frame->document()->ancestorNodeInThisScope(containerNode); 456 456 if (!adjustedNode) 457 457 return 0; -
trunk/Source/WebCore/rendering/HitTestResult.cpp
r208630 r209628 669 669 return true; 670 670 671 // FIXME: This moves out of a author shadow tree. 671 672 if (request.disallowsUserAgentShadowContent()) 672 node = node->document().ancestor InThisScope(node);673 node = node->document().ancestorNodeInThisScope(node); 673 674 674 675 mutableRectBasedTestResult().add(node); … … 689 690 return true; 690 691 692 // FIXME: This moves out of a author shadow tree. 691 693 if (request.disallowsUserAgentShadowContent()) 692 node = node->document().ancestor InThisScope(node);694 node = node->document().ancestorNodeInThisScope(node); 693 695 694 696 mutableRectBasedTestResult().add(node); -
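Review bot: the FIXME added above both `disallowsUserAgentShadowContent()` blocks is right that `node->document().ancestorNodeInThisScope(node)` climbs out of every shadow tree, author trees included, even though the request only asks to hide user-agent shadow content; the narrower fix is to walk `node->shadowHost()` only while the enclosing ShadowRoot is a user-agent root and stop at the first author root. Since the two blocks are identical, that walk belongs in one helper called from both addNodeToRectBasedTestResult overloads rather than a duplicated FIXME. The comment text should also read "an author shadow tree".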
trunk/Source/WebKit/mac/ChangeLog
r209626 r209628 1 2016-12-09 Ryosuke Niwa <rniwa@webkit.org> 2 3 document.webkitFullscreenElement leaks elements inside a shadow tree 4 https://bugs.webkit.org/show_bug.cgi?id=158471 5 6 Reviewed by Chris Dumez. 7 8 Use the API for bindings to avoid exposing nodes inside a shadow tree. 9 10 * DOM/DOMDocument.mm: 11 (-[DOMDocument webkitCurrentFullScreenElement]): 12 (-[DOMDocument webkitFullscreenElement]): 13 1 14 2016-12-09 Beth Dakin <bdakin@apple.com> 2 15 -
trunk/Source/WebKit/mac/DOM/DOMDocument.mm
r208659 r209628 362 362 { 363 363 WebCore::JSMainThreadNullState state; 364 return kit(WTF::getPtr(IMPL->webkitCurrentFullScreenElement ()));364 return kit(WTF::getPtr(IMPL->webkitCurrentFullScreenElementForBindings())); 365 365 } 366 366 … … 374 374 { 375 375 WebCore::JSMainThreadNullState state; 376 return kit(WTF::getPtr(IMPL->webkitFullscreenElement ()));376 return kit(WTF::getPtr(IMPL->webkitFullscreenElementForBindings())); 377 377 } 378 378