Changeset 215486 in webkit

Timestamp:

Apr 18, 2017 4:27:04 PM (7 years ago)

Author:

Brent Fulgham

Message:

Correct handling of isolatedWorld in event handling
​https://bugs.webkit.org/show_bug.cgi?id=65589
<rdar://problem/24097804>

Reviewed by Geoffrey Garen.

Source/WebCore:

This patch was inspired by Adam's original patch as well as the
following Blink change:
​https://src.chromium.org/viewvc/blink?revision=152377&view=revision

Thread isolatedWorld state through event handling logic.

Tests: fast/dom/event-attrs-isolated-world.html

http/tests/security/isolatedWorld/onclick-attribute.html

• bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::initializeJSFunction):
(WebCore::JSEventListener::world):
(WebCore::eventHandlerAttribute):
(WebCore::setEventHandlerAttribute):
(WebCore::windowEventHandlerAttribute):
(WebCore::setWindowEventHandlerAttribute):
(WebCore::documentEventHandlerAttribute):
(WebCore::setDocumentEventHandlerAttribute):

• bindings/js/JSEventListener.h:
• bindings/scripts/CodeGeneratorJS.pm:

(GenerateImplementation):

• dom/Document.cpp:

(WebCore::Document::setWindowAttributeEventListener):
(WebCore::Document::getWindowAttributeEventListener):

• dom/Document.h:
• dom/Element.cpp:

(WebCore::Element::setAttributeEventListener):

• dom/EventTarget.cpp:

(WebCore::EventTarget::setAttributeEventListener):
(WebCore::EventTarget::attributeEventListener):

• dom/EventTarget.h:
• editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplacementFragment::ReplacementFragment):

• html/HTMLBodyElement.cpp:

(WebCore::HTMLBodyElement::parseAttribute):

• html/HTMLFrameSetElement.cpp:

(WebCore::HTMLFrameSetElement::parseAttribute):

• svg/SVGSVGElement.cpp:

(WebCore::SVGSVGElement::parseAttribute):

LayoutTests:

This following test cases are from the following Blink change:
​https://src.chromium.org/viewvc/blink?revision=152377&view=revision

• fast/dom/event-attrs-isolated-world-expected.txt: Added.
• fast/dom/event-attrs-isolated-world.html: Added.
• http/tests/security/isolatedWorld/onclick-attribute-expected.txt: Added.
• http/tests/security/isolatedWorld/onclick-attribute.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/event-attrs-isolated-world-expected.txt (added)
• LayoutTests/fast/dom/event-attrs-isolated-world.html (added)
• LayoutTests/http/tests/security/isolatedWorld/onclick-attribute-expected.txt (added)
• LayoutTests/http/tests/security/isolatedWorld/onclick-attribute.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSEventListener.cpp (modified) (6 diffs)
• Source/WebCore/bindings/js/JSEventListener.h (modified) (4 diffs)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (2 diffs)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)
• Source/WebCore/dom/Document.h (modified) (2 diffs)
• Source/WebCore/dom/Element.cpp (modified) (2 diffs)
• Source/WebCore/dom/EventTarget.cpp (modified) (4 diffs)
• Source/WebCore/dom/EventTarget.h (modified) (3 diffs)
• Source/WebCore/editing/ReplaceSelectionCommand.cpp (modified) (3 diffs)
• Source/WebCore/html/HTMLBodyElement.cpp (modified) (4 diffs)
• Source/WebCore/html/HTMLFrameSetElement.cpp (modified) (3 diffs)
• Source/WebCore/svg/SVGSVGElement.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-04-18  Brent Fulgham  <bfulgham@apple.com>
+
+        Correct handling of isolatedWorld in event handling
+        https://bugs.webkit.org/show_bug.cgi?id=65589
+        <rdar://problem/24097804>
+
+        Reviewed by Geoffrey Garen.
+
+        This following test cases are from the following Blink change:
+        https://src.chromium.org/viewvc/blink?revision=152377&view=revision
+
+        * fast/dom/event-attrs-isolated-world-expected.txt: Added.
+        * fast/dom/event-attrs-isolated-world.html: Added.
+        * http/tests/security/isolatedWorld/onclick-attribute-expected.txt: Added.
+        * http/tests/security/isolatedWorld/onclick-attribute.html: Added.
+
 2017-04-18  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-04-18  Brent Fulgham  <bfulgham@apple.com>
+
+        Correct handling of isolatedWorld in event handling
+        https://bugs.webkit.org/show_bug.cgi?id=65589
+        <rdar://problem/24097804>
+
+        Reviewed by Geoffrey Garen.
+
+        This patch was inspired by Adam's original patch as well as the
+        following Blink change:
+        https://src.chromium.org/viewvc/blink?revision=152377&view=revision
+
+        Thread isolatedWorld state through event handling logic.
+
+        Tests: fast/dom/event-attrs-isolated-world.html
+               http/tests/security/isolatedWorld/onclick-attribute.html
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::initializeJSFunction):
+        (WebCore::JSEventListener::world):
+        (WebCore::eventHandlerAttribute):
+        (WebCore::setEventHandlerAttribute):
+        (WebCore::windowEventHandlerAttribute):
+        (WebCore::setWindowEventHandlerAttribute):
+        (WebCore::documentEventHandlerAttribute):
+        (WebCore::setDocumentEventHandlerAttribute):
+        * bindings/js/JSEventListener.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateImplementation):
+        * dom/Document.cpp:
+        (WebCore::Document::setWindowAttributeEventListener):
+        (WebCore::Document::getWindowAttributeEventListener):
+        * dom/Document.h:
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeEventListener):
+        * dom/EventTarget.cpp:
+        (WebCore::EventTarget::setAttributeEventListener):
+        (WebCore::EventTarget::attributeEventListener):
+        * dom/EventTarget.h:
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplacementFragment::ReplacementFragment):
+        * html/HTMLBodyElement.cpp:
+        (WebCore::HTMLBodyElement::parseAttribute):
+        * html/HTMLFrameSetElement.cpp:
+        (WebCore::HTMLFrameSetElement::parseAttribute):
+        * svg/SVGSVGElement.cpp:
+        (WebCore::SVGSVGElement::parseAttribute):
+
 2017-04-18  Jeremy Jones  <jeremyj@apple.com>
 

trunk/Source/WebCore/bindings/js/JSEventListener.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved.
+ *  Copyright (C) 2003-2017 Apple Inc. All Rights Reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -63 +63 @@
 JSObject* JSEventListener::initializeJSFunction(ScriptExecutionContext*) const
 {
-    return 0;
+    return nullptr;
 }
 
@@ -217 +217 @@
 }
 
-JSC::JSValue eventHandlerAttribute(EventTarget& target, const AtomicString& eventType)
-{
-    return eventHandlerAttribute(target.attributeEventListener(eventType), *target.scriptExecutionContext());
+JSC::JSValue eventHandlerAttribute(EventTarget& target, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
+{
+    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
 }
 
 void setEventHandlerAttribute(JSC::ExecState& state, JSC::JSObject& wrapper, EventTarget& target, const AtomicString& eventType, JSC::JSValue value)
 {
-    target.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, wrapper));
-}
-
-JSC::JSValue windowEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType)
+    target.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, wrapper), currentWorld(&state));
+}
+
+JSC::JSValue windowEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
 {
     auto& document = element.document();
-    return eventHandlerAttribute(document.getWindowAttributeEventListener(eventType), document);
+    return eventHandlerAttribute(document.getWindowAttributeEventListener(eventType, isolatedWorld), document);
 }
 
@@ -236 +236 @@
 {
     ASSERT(wrapper.globalObject());
-    element.document().setWindowAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *wrapper.globalObject()));
-}
-
-JSC::JSValue windowEventHandlerAttribute(DOMWindow& window, const AtomicString& eventType)
-{
-    return eventHandlerAttribute(window, eventType);
+    element.document().setWindowAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *wrapper.globalObject()), currentWorld(&state));
+}
+
+JSC::JSValue windowEventHandlerAttribute(DOMWindow& window, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
+{
+    return eventHandlerAttribute(window, eventType, isolatedWorld);
 }
 
@@ -249 +249 @@
 }
 
-JSC::JSValue documentEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType)
+JSC::JSValue documentEventHandlerAttribute(HTMLElement& element, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
 {
     auto& document = element.document();
-    return eventHandlerAttribute(document.attributeEventListener(eventType), document);
+    return eventHandlerAttribute(document.attributeEventListener(eventType, isolatedWorld), document);
 }
 
@@ -261 +261 @@
     auto* documentWrapper = JSC::jsCast<JSDocument*>(toJS(&state, JSC::jsCast<JSDOMGlobalObject*>(wrapper.globalObject()), document));
     ASSERT(documentWrapper);
-    document.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *documentWrapper));
-}
-
-JSC::JSValue documentEventHandlerAttribute(Document& document, const AtomicString& eventType)
-{
-    return eventHandlerAttribute(document, eventType);
+    document.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(state, value, *documentWrapper), currentWorld(&state));
+}
+
+JSC::JSValue documentEventHandlerAttribute(Document& document, const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
+{
+    return eventHandlerAttribute(document, eventType, isolatedWorld);
 }
 

trunk/Source/WebCore/bindings/js/JSEventListener.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2008, 2009 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -26 +26 @@
 #include <heap/WeakInlines.h>
 #include <wtf/Ref.h>
+#include <wtf/TypeCasts.h>
 #include <wtf/text/TextPosition.h>
 #include <wtf/text/WTFString.h>
@@ -92 +93 @@
 
 // For "onxxx" attributes that automatically set up JavaScript event listeners.
-JSC::JSValue eventHandlerAttribute(EventTarget&, const AtomicString& eventType);
+JSC::JSValue eventHandlerAttribute(EventTarget&, const AtomicString& eventType, DOMWrapperWorld&);
 void setEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, EventTarget&, const AtomicString& eventType, JSC::JSValue);
 
 // Like the functions above, but for attributes that forward event handlers to the window object rather than setting them on the target.
-JSC::JSValue windowEventHandlerAttribute(HTMLElement&, const AtomicString& eventType);
+JSC::JSValue windowEventHandlerAttribute(HTMLElement&, const AtomicString& eventType, DOMWrapperWorld&);
 void setWindowEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, HTMLElement&, const AtomicString& eventType, JSC::JSValue);
-JSC::JSValue windowEventHandlerAttribute(DOMWindow&, const AtomicString& eventType);
+JSC::JSValue windowEventHandlerAttribute(DOMWindow&, const AtomicString& eventType, DOMWrapperWorld&);
 void setWindowEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, DOMWindow&, const AtomicString& eventType, JSC::JSValue);
 
 // Like the functions above, but for attributes that forward event handlers to the document rather than setting them on the target.
-JSC::JSValue documentEventHandlerAttribute(HTMLElement&, const AtomicString& eventType);
+JSC::JSValue documentEventHandlerAttribute(HTMLElement&, const AtomicString& eventType, DOMWrapperWorld&);
 void setDocumentEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, HTMLElement&, const AtomicString& eventType, JSC::JSValue);
-JSC::JSValue documentEventHandlerAttribute(Document&, const AtomicString& eventType);
+JSC::JSValue documentEventHandlerAttribute(Document&, const AtomicString& eventType, DOMWrapperWorld&);
 void setDocumentEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, Document&, const AtomicString& eventType, JSC::JSValue);
 
@@ -139 +140 @@
 
 } // namespace WebCore
+
+SPECIALIZE_TYPE_TRAITS_BEGIN(WebCore::JSEventListener)
+static bool isType(const WebCore::EventListener& input) { return input.type() == WebCore::JSEventListener::JSEventListenerType; }
+SPECIALIZE_TYPE_TRAITS_END()

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -3687 +3687 @@
                     : "eventHandlerAttribute";
                 my $eventName = EventHandlerAttributeEventName($attribute);
-                push(@implContent, "    return $getter(thisObject.wrapped(), $eventName);\n");
+                push(@implContent, "    return $getter(thisObject.wrapped(), $eventName, worldForDOMObject(&thisObject));\n");
             } elsif ($codeGenerator->IsConstructorType($attribute->type)) {
                 my $constructorType = $attribute->type->name;
@@ -3864 +3864 @@
                 if ((($interfaceName eq "DOMWindow") or ($interfaceName eq "WorkerGlobalScope")) and $name eq "onerror") {
                     $implIncludes{"JSErrorHandler.h"} = 1;
-                    push(@implContent, "    thisObject.wrapped().setAttributeEventListener($eventName, createJSErrorHandler(&state, value, &thisObject));\n");
+                    push(@implContent, "    thisObject.wrapped().setAttributeEventListener($eventName, createJSErrorHandler(&state, value, &thisObject), worldForDOMObject(&thisObject));\n");
                 } else {
                     $implIncludes{"JSEventListener.h"} = 1;

trunk/Source/WebCore/dom/Document.cpp

@@ -3994 +3994 @@
 }
 
-void Document::setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue)
-{
-    setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue));
-}
-
-void Document::setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener)
+void Document::setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue, DOMWrapperWorld& isolatedWorld)
+{
+    setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue), isolatedWorld);
+}
+
+void Document::setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener, DOMWrapperWorld& isolatedWorld)
 {
     if (!m_domWindow)
         return;
-    m_domWindow->setAttributeEventListener(eventType, WTFMove(listener));
-}
-
-void Document::setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue)
+    m_domWindow->setAttributeEventListener(eventType, WTFMove(listener), isolatedWorld);
+}
+
+void Document::setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue, DOMWrapperWorld& isolatedWorld)
 {
     if (!m_domWindow)
         return;
-    setWindowAttributeEventListener(eventType, JSLazyEventListener::create(*m_domWindow, attributeName, attributeValue));
-}
-
-EventListener* Document::getWindowAttributeEventListener(const AtomicString& eventType)
+    setWindowAttributeEventListener(eventType, JSLazyEventListener::create(*m_domWindow, attributeName, attributeValue), isolatedWorld);
+}
+
+EventListener* Document::getWindowAttributeEventListener(const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
 {
     if (!m_domWindow)
         return nullptr;
-    return m_domWindow->attributeEventListener(eventType);
+    return m_domWindow->attributeEventListener(eventType, isolatedWorld);
 }
 

trunk/Source/WebCore/dom/Document.h

@@ -759 +759 @@
 
     // Helper functions for forwarding DOMWindow event related tasks to the DOMWindow if it exists.
-    void setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value);
-    void setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&);
-    EventListener* getWindowAttributeEventListener(const AtomicString& eventType);
+    void setWindowAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value, DOMWrapperWorld&);
+    void setWindowAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&, DOMWrapperWorld&);
+    EventListener* getWindowAttributeEventListener(const AtomicString& eventType, DOMWrapperWorld&);
     WEBCORE_EXPORT void dispatchWindowEvent(Event&, EventTarget* = nullptr);
     void dispatchWindowLoadEvent();
@@ -1289 +1289 @@
 
     using ContainerNode::setAttributeEventListener;
-    void setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value);
+    void setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& value, DOMWrapperWorld& isolatedWorld);
 
     DOMSelection* getSelection();

trunk/Source/WebCore/dom/Element.cpp

@@ -5 +5 @@
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2007 David Smith (catfish.man@gmail.com)
- * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *           (C) 2007 Eric Seidel (eric@webkit.org)
  *
@@ -2056 +2056 @@
 void Element::setAttributeEventListener(const AtomicString& eventType, const QualifiedName& attributeName, const AtomicString& attributeValue)
 {
-    setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue));
+    setAttributeEventListener(eventType, JSLazyEventListener::create(*this, attributeName, attributeValue), mainThreadNormalWorld());
 }
 

trunk/Source/WebCore/dom/EventTarget.cpp

@@ -3 +3 @@
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  *           (C) 2007, 2008 Nikolas Zimmermann <zimmermann@kde.org>
@@ -33 +33 @@
 #include "EventTarget.h"
 
+#include "DOMWrapperWorld.h"
 #include "EventNames.h"
 #include "ExceptionCode.h"
 #include "InspectorInstrumentation.h"
+#include "JSEventListener.h"
 #include "NoEventDispatchAssertion.h"
 #include "ScriptController.h"
@@ -105 +107 @@
 }
 
-bool EventTarget::setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener)
-{
-    auto* existingListener = attributeEventListener(eventType);
+bool EventTarget::setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener, DOMWrapperWorld& isolatedWorld)
+{
+    auto* existingListener = attributeEventListener(eventType, isolatedWorld);
     if (!listener) {
         if (existingListener)
@@ -120 +122 @@
 }
 
-EventListener* EventTarget::attributeEventListener(const AtomicString& eventType)
+EventListener* EventTarget::attributeEventListener(const AtomicString& eventType, DOMWrapperWorld& isolatedWorld)
 {
     for (auto& eventListener : eventListeners(eventType)) {
-        if (eventListener->callback().isAttribute())
-            return &eventListener->callback();
-    }
+        auto& listener = eventListener->callback();
+        if (!listener.isAttribute())
+            continue;
+
+        auto& listenerWorld = downcast<JSEventListener>(listener).isolatedWorld();
+        if (&listenerWorld == &isolatedWorld)
+            return &listener;
+    }
+
     return nullptr;
 }

trunk/Source/WebCore/dom/EventTarget.h

@@ -3 +3 @@
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  *           (C) 2007, 2008 Nikolas Zimmermann <zimmermann@kde.org>
@@ -42 +42 @@
 
 class DOMWindow;
+class DOMWrapperWorld;
 class Node;
 
@@ -105 +106 @@
 
     // Used for legacy "onevent" attributes.
-    bool setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&);
-    EventListener* attributeEventListener(const AtomicString& eventType);
+    bool setAttributeEventListener(const AtomicString& eventType, RefPtr<EventListener>&&, DOMWrapperWorld&);
+    EventListener* attributeEventListener(const AtomicString& eventType, DOMWrapperWorld&);
 
     bool hasEventListeners() const;

trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2005, 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2009, 2010, 2011 Google Inc. All rights reserved.
  *
@@ -33 +33 @@
 #include "BreakBlockquoteCommand.h"
 #include "CSSStyleDeclaration.h"
+#include "DOMWrapperWorld.h"
 #include "DataTransfer.h"
 #include "Document.h"
@@ -168 +169 @@
     Node* shadowAncestorNode = editableRoot->deprecatedShadowAncestorNode();
     
-    if (!editableRoot->attributeEventListener(eventNames().webkitBeforeTextInsertedEvent)
+    if (!editableRoot->attributeEventListener(eventNames().webkitBeforeTextInsertedEvent, mainThreadNormalWorld())
         && !(shadowAncestorNode && shadowAncestorNode->renderer() && shadowAncestorNode->renderer()->isTextControl())
         && editableRoot->hasRichlyEditableStyle()) {

trunk/Source/WebCore/html/HTMLBodyElement.cpp

@@ -4 +4 @@
  *           (C) 2000 Simon Hausmann (hausmann@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2006-2010, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -29 +29 @@
 #include "CSSValueKeywords.h"
 #include "DOMWindow.h"
+#include "DOMWrapperWorld.h"
 #include "EventNames.h"
 #include "Frame.h"
@@ -174 +175 @@
 
     if (name == onselectionchangeAttr) {
-        document().setAttributeEventListener(eventNames().selectionchangeEvent, name, value);
+        document().setAttributeEventListener(eventNames().selectionchangeEvent, name, value, mainThreadNormalWorld());
         return;
     }
@@ -180 +181 @@
     auto& eventName = eventNameForWindowEventHandlerAttribute(name);
     if (!eventName.isNull()) {
-        document().setWindowAttributeEventListener(eventName, name, value);
+        document().setWindowAttributeEventListener(eventName, name, value, mainThreadNormalWorld());
         return;
     }

trunk/Source/WebCore/html/HTMLFrameSetElement.cpp

@@ -4 +4 @@
  *           (C) 2000 Simon Hausmann (hausmann@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2006, 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -26 +26 @@
 
 #include "CSSPropertyNames.h"
+#include "DOMWrapperWorld.h"
 #include "Document.h"
 #include "ElementIterator.h"
@@ -143 +144 @@
     auto& eventName = HTMLBodyElement::eventNameForWindowEventHandlerAttribute(name);
     if (!eventName.isNull()) {
-        document().setWindowAttributeEventListener(eventName, name, value);
+        document().setWindowAttributeEventListener(eventName, name, value, mainThreadNormalWorld());
         return;
     }

trunk/Source/WebCore/svg/SVGSVGElement.cpp

@@ -2 +2 @@
  * Copyright (C) 2004, 2005, 2006 Nikolas Zimmermann <zimmermann@kde.org>
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2010 Rob Buis <buis@kde.org>
- * Copyright (C) 2007, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2014 Adobe Systems Incorporated. All rights reserved.
  *
@@ -25 +25 @@
 
 #include "CSSHelper.h"
+#include "DOMWrapperWorld.h"
 #include "ElementIterator.h"
 #include "EventNames.h"
@@ -216 +217 @@
         // setting certain event handlers directly on the window object.
         if (name == HTMLNames::onunloadAttr) {
-            document().setWindowAttributeEventListener(eventNames().unloadEvent, name, value);
+            document().setWindowAttributeEventListener(eventNames().unloadEvent, name, value, mainThreadNormalWorld());
             return;
         }
         if (name == HTMLNames::onresizeAttr) {
-            document().setWindowAttributeEventListener(eventNames().resizeEvent, name, value);
+            document().setWindowAttributeEventListener(eventNames().resizeEvent, name, value, mainThreadNormalWorld());
             return;
         }
         if (name == HTMLNames::onscrollAttr) {
-            document().setWindowAttributeEventListener(eventNames().scrollEvent, name, value);
+            document().setWindowAttributeEventListener(eventNames().scrollEvent, name, value, mainThreadNormalWorld());
             return;
         }
         if (name == SVGNames::onzoomAttr) {
-            document().setWindowAttributeEventListener(eventNames().zoomEvent, name, value);
+            document().setWindowAttributeEventListener(eventNames().zoomEvent, name, value, mainThreadNormalWorld());
             return;
         }
@@ -237 +238 @@
     // FIXME: Why different from the events above that work only on the outermost <svg> element?
     if (name == HTMLNames::onabortAttr) {
-        document().setWindowAttributeEventListener(eventNames().abortEvent, name, value);
+        document().setWindowAttributeEventListener(eventNames().abortEvent, name, value, mainThreadNormalWorld());
         return;
     }
     if (name == HTMLNames::onerrorAttr) {
-        document().setWindowAttributeEventListener(eventNames().errorEvent, name, value);
+        document().setWindowAttributeEventListener(eventNames().errorEvent, name, value, mainThreadNormalWorld());
         return;
     }