Changeset 210474 in webkit
- Timestamp:
- Jan 6, 2017 11:14:03 PM (7 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 7 edited
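--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,34 @@
+2017-01-06 Daniel Bates <dabates@apple.com>
+
+Ensure navigation only allowed for documents not in the page cache
+https://bugs.webkit.org/show_bug.cgi?id=166773
+<rdar://problem/29762809>
+
+Reviewed by Brent Fulgham.
+
+It is wise to ensure that navigation is only allowed when initiated from a document that
+is not in- or about to be put in- the page cache. Such a navigation would surprise a
+person that had navigated away from the initiating document among other issues.
+
+* dom/Document.cpp:
+(WebCore::Document::canNavigate): Only allow navigation if the document is not in the
+page cache.
+* html/HTMLAnchorElement.cpp:
+(WebCore::HTMLAnchorElement::handleClick): Ditto.
+* html/HTMLLinkElement.cpp:
+(WebCore::HTMLLinkElement::handleClick): Ditto.
+* loader/FrameLoader.cpp:
+(WebCore::FrameLoader::urlSelected): Assert triggering event's document is not in the
+page cache.
+(WebCore::FrameLoader::submitForm): Allow submission if the document is not in the
+page cache.
+(WebCore::FrameLoader::loadFrameRequest): Assert triggering event's document is not in
+the page cache.
+* mathml/MathMLElement.cpp:
+(WebCore::MathMLElement::defaultEventHandler): Only allow navigation if the document is
+not in the page cache.
+* svg/SVGAElement.cpp:
+(WebCore::SVGAElement::defaultEventHandler): Ditto.
+
 2017-01-06 Jer Noble <jer.noble@apple.com>
 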
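--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -2973,4 +2973,7 @@
 return false;
 
+if (pageCacheState() != Document::NotInPageCache)
+return false;
+
 // FIXME: We shouldn't call this function without a target frame, but
 // fast/forms/submit-to-blank-multiple-times.html depends on this function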
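Review bot: The new early return at new lines 2975-2976 carries no comment, although it rejects every state other than NotInPageCache, which by the ChangeLog is meant to include documents that are about to enter the cache. A comment such as `// Refuse navigations from a document that is in, or about to enter, the page cache.` would record that intent at the policy check itself. None of the seven edited files listed for this changeset is a test, so a regression test that attempts a navigation from a cached document would be worth adding if one is not tracked elsewhere. The enclosing function (canNavigate, per the ChangeLog) starts and ends outside the hunk.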
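--- a/trunk/Source/WebCore/html/HTMLAnchorElement.cpp
+++ b/trunk/Source/WebCore/html/HTMLAnchorElement.cpp
@@ -370,4 +370,7 @@
 return;
 
+if (document().pageCacheState() != Document::NotInPageCache)
+return;
+
 StringBuilder url;
 url.append(stripLeadingAndTrailingHTMLSpaces(attributeWithoutSynchronization(hrefAttr)));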
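Review bot: The guard `document().pageCacheState() != Document::NotInPageCache` added at new lines 372-373 is repeated verbatim in the HTMLLinkElement, MathMLElement and SVGAElement sections, and in negated form inside the FrameLoader assertions. One named predicate on Document, used at each of these sites, would keep the checks in step and make it harder for a future navigation entry point to omit the test. Each site depends on this exact comparison staying correct, so a change to the page-cache state enum would have to be audited in every copy. The enclosing function (handleClick, per the ChangeLog) starts and ends outside the hunk.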
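--- a/trunk/Source/WebCore/html/HTMLLinkElement.cpp
+++ b/trunk/Source/WebCore/html/HTMLLinkElement.cpp
@@ -491,4 +491,6 @@
 if (!frame)
 return;
+if (document().pageCacheState() != Document::NotInPageCache)
+return;
 frame->loader().urlSelected(url, target(), &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
 }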
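--- a/trunk/Source/WebCore/loader/FrameLoader.cpp
+++ b/trunk/Source/WebCore/loader/FrameLoader.cpp
@@ -347,4 +347,7 @@
 void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, Event* triggeringEvent)
 {
+ASSERT_WITH_SECURITY_IMPLICATION(!triggeringEvent || !triggeringEvent->target() || !triggeringEvent->target()->toNode()
+|| triggeringEvent->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
 Ref<Frame> protect(m_frame);
 FrameLoadRequest frameRequest(passedRequest);
@@ -370,8 +373,11 @@
 ASSERT(submission->state());
 ASSERT(!submission->state()->sourceDocument()->frame() || submission->state()->sourceDocument()->frame() == &m_frame);
 
 if (!m_frame.page())
 return;
 
+if (submission->state()->sourceDocument()->pageCacheState() != Document::NotInPageCache)
+return;
+
 if (submission->action().isEmpty())
 return;
@@ -1124,5 +1130,8 @@
 
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, Event* event, FormState* formState)
-{
+{
+ASSERT_WITH_SECURITY_IMPLICATION(!event || !event->target() || !event->target()->toNode()
+|| event->target()->toNode()->document().pageCacheState() == Document::NotInPageCache);
+
 // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
 Ref<Frame> protect(m_frame);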
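Review bot: The checks added to urlSelected (new lines 349-350) and loadFrameRequest (new lines 1133-1134) are assertions only, so they give no protection in builds where security assertions are compiled out, and they pass vacuously when the event is null or its target is not a Node. Only submitForm gets a runtime early return in this file. If any caller can reach these two functions without first passing one of the guarded element handlers or Document::canNavigate, the navigation would still start from a cached document; consider a runtime `return` on the same condition, or a comment naming the callers that are responsible for the check. The same four-clause predicate is written out in both assertions and could live in one file-local helper. All three function bodies continue outside the visible hunks.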
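--- a/trunk/Source/WebCore/mathml/MathMLElement.cpp
+++ b/trunk/Source/WebCore/mathml/MathMLElement.cpp
@@ -150,4 +150,6 @@
 const auto& url = stripLeadingAndTrailingHTMLSpaces(href);
 event.setDefaultHandled();
+if (document().pageCacheState() != Document::NotInPageCache)
+return;
 if (auto* frame = document().frame())
 frame->loader().urlSelected(document().completeURL(url), "_self", &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());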
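Review bot: The page-cache guard at new lines 152-153 sits after `event.setDefaultHandled()`, so an event on a cached document is still marked as handled even though the navigation is dropped. Nothing in the hunk says whether consuming the event in that case is intended. If it is, a comment such as `// The event is consumed even when the document is cached; only the navigation is suppressed.` would make the ordering deliberate; if not, the guard should move above the `setDefaultHandled()` call. The enclosing function (defaultEventHandler, per the ChangeLog) starts and ends outside the hunk.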
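--- a/trunk/Source/WebCore/svg/SVGAElement.cpp
+++ b/trunk/Source/WebCore/svg/SVGAElement.cpp
@@ -146,4 +146,6 @@
 if (!frame)
 return;
+if (document().pageCacheState() != Document::NotInPageCache)
+return;
 frame->loader().urlSelected(document().completeURL(url), target, &event, LockHistory::No, LockBackForwardList::No, MaybeSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate());
 return;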