Changeset 210474 in webkit


Timestamp:
Jan 6, 2017 11:14:03 PM (7 years ago)
Author:
dbates@webkit.org
Message:

Ensure navigation only allowed for documents not in the page cache
https://bugs.webkit.org/show_bug.cgi?id=166773
<rdar://problem/29762809>

Reviewed by Brent Fulgham.

It is wise to ensure that navigation is only allowed when initiated from a document that
is not in, or about to be put in, the page cache. Such a navigation would surprise a
person who had navigated away from the initiating document, among other issues.

  • dom/Document.cpp:

(WebCore::Document::canNavigate): Only allow navigation if the document is not in the
page cache.

  • html/HTMLAnchorElement.cpp:

(WebCore::HTMLAnchorElement::handleClick): Ditto.

  • html/HTMLLinkElement.cpp:

(WebCore::HTMLLinkElement::handleClick): Ditto.

  • loader/FrameLoader.cpp:

(WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
page cache.
(WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
page cache.
(WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
the page cache.

  • mathml/MathMLElement.cpp:

(WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
not in the page cache.

  • svg/SVGAElement.cpp:

(WebCore::SVGAElement::defaultEventHandler): Ditto.

Location:
trunk/Source/WebCore
Files:
7 edited

  • trunk/Source/WebCore/ChangeLog

    r210473 r210474  
     12017-01-06  Daniel Bates  <dabates@apple.com>
     2
     3        Ensure navigation only allowed for documents not in the page cache
     4        https://bugs.webkit.org/show_bug.cgi?id=166773
     5        <rdar://problem/29762809>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        It is wise to ensure that navigation is only allowed when initiated from a document that
     10        is not in- or about to be put in- the page cache. Such a navigation would surprise a
     11        person that had navigated away from the initiating document among other issues.
     12
     13        * dom/Document.cpp:
     14        (WebCore::Document::canNavigate): Only allow navigation if the document is not in the
     15        page cache.
     16        * html/HTMLAnchorElement.cpp:
     17        (WebCore::HTMLAnchorElement::handleClick): Ditto.
     18        * html/HTMLLinkElement.cpp:
     19        (WebCore::HTMLLinkElement::handleClick): Ditto.
     20        * loader/FrameLoader.cpp:
     21        (WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
     22        page cache.
     23        (WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
     24        page cache.
     25        (WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
     26        the page cache.
     27        * mathml/MathMLElement.cpp:
     28        (WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
     29        not in the page cache.
     30        * svg/SVGAElement.cpp:
     31        (WebCore::SVGAElement::defaultEventHandler): Ditto.
     32
    1332017-01-06  Jer Noble  <jer.noble@apple.com>
    234
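--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -2973,4 +2973,7 @@
         return false;
 
+    if (pageCacheState() != Document::NotInPageCache)
+        return false;
+
     // FIXME: We shouldn't call this function without a target frame, but
     // fast/forms/submit-to-blank-multiple-times.html depends on this function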
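Review bot: The new early return in canNavigate carries no comment, and its `!= Document::NotInPageCache` comparison rejects a document that is merely about to enter the page cache as well as one already in it, which is the intent stated in the commit message but not visible at the line itself; a later reader could narrow it to the in-cache state without noticing. Suggest `// A document that is in, or about to enter, the page cache must not start a navigation (https://bugs.webkit.org/show_bug.cgi?id=166773).` directly above the check. canNavigate begins and ends outside this hunk, so which earlier returns precede this one cannot be seen here.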
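--- a/trunk/Source/WebCore/html/HTMLAnchorElement.cpp
+++ b/trunk/Source/WebCore/html/HTMLAnchorElement.cpp
@@ -370,4 +370,7 @@
         return;
 
+    if (document().pageCacheState() != Document::NotInPageCache)
+        return;
+
     StringBuilder url;
     url.append(stripLeadingAndTrailingHTMLSpaces(attributeWithoutSynchronization(hrefAttr)));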
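Review bot: The guard `if (document().pageCacheState() != Document::NotInPageCache) return;` is spelled out verbatim here and again in HTMLLinkElement::handleClick, MathMLElement::defaultEventHandler, SVGAElement::defaultEventHandler and FrameLoader::submitForm, with the equivalent comparison in Document::canNavigate. Six copies of one rule are six places to update if the page-cache states ever change; a single named predicate on Document wrapping the comparison (a constructed name such as `isInOrAboutToEnterPageCache()`) would keep the rule in one place and make the "about to enter" case self-describing at each call site. Dropping the click silently here matches what the other element handlers do. handleClick begins outside this hunk.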
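--- a/trunk/Source/WebCore/html/HTMLLinkElement.cpp
+++ b/trunk/Source/WebCore/html/HTMLLinkElement.cpp
@@ -491,4 +491,6 @@
     if (!frame)
         return;
+    if (document().pageCacheState() != Document::NotInPageCache)
+        return;
     frame->loader().urlSelected(url, target(), &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
 }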
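--- a/trunk/Source/WebCore/loader/FrameLoader.cpp
+++ b/trunk/Source/WebCore/loader/FrameLoader.cpp
@@ -347,4 +347,7 @@
 void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, Event* triggeringEvent)
 {
+    ASSERT_WITH_SECURITY_IMPLICATION(!triggeringEvent || !triggeringEvent->target() || !triggeringEvent->target()->toNode()
+        || triggeringEvent->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
     Ref<Frame> protect(m_frame);
     FrameLoadRequest frameRequest(passedRequest);
@@ -370,8 +373,11 @@
     ASSERT(submission->state());
     ASSERT(!submission->state()->sourceDocument()->frame() || submission->state()->sourceDocument()->frame() == &m_frame);
-    
+
     if (!m_frame.page())
         return;
-    
+
+    if (submission->state()->sourceDocument()->pageCacheState() != Document::NotInPageCache)
+        return;
+
     if (submission->action().isEmpty())
         return;
@@ -1124,5 +1130,8 @@
 
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, Event* event, FormState* formState)
-{   
+{
+    ASSERT_WITH_SECURITY_IMPLICATION(!event || !event->target() || !event->target()->toNode()
+        || event->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
     // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
     Ref<Frame> protect(m_frame);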
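Review bot: In urlSelected and loadFrameRequest the page-cache condition is only an ASSERT_WITH_SECURITY_IMPLICATION, so in a release build a caller that reaches either with an event from a cached document still navigates; submitForm in the middle hunk, by contrast, returns early, and the guards added in HTMLAnchorElement, HTMLLinkElement, MathMLElement and SVGAElement live at the call sites, so any future caller that omits them is caught only in debug. Consider keeping the assert and adding a release-build return in urlSelected, `if (triggeringEvent && triggeringEvent->target() && triggeringEvent->target()->toNode() && triggeringEvent->target()->toNode()->document().pageCacheState() != Document::NotInPageCache) return;`, and the same in loadFrameRequest. The `!toNode()` arm also lets an event whose target is not a Node pass unchecked; if such callers exist, the check would presumably have to go through the frame's own document instead. All three functions continue past the ends of their hunks.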
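--- a/trunk/Source/WebCore/mathml/MathMLElement.cpp
+++ b/trunk/Source/WebCore/mathml/MathMLElement.cpp
@@ -150,4 +150,6 @@
             const auto& url = stripLeadingAndTrailingHTMLSpaces(href);
             event.setDefaultHandled();
+            if (document().pageCacheState() != Document::NotInPageCache)
+                return;
             if (auto* frame = document().frame())
                 frame->loader().urlSelected(document().completeURL(url), "_self", &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());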
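--- a/trunk/Source/WebCore/svg/SVGAElement.cpp
+++ b/trunk/Source/WebCore/svg/SVGAElement.cpp
@@ -146,4 +146,6 @@
             if (!frame)
                 return;
+            if (document().pageCacheState() != Document::NotInPageCache)
+                return;
             frame->loader().urlSelected(document().completeURL(url), target, &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
             return;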