Changeset 236862 in webkit
- Timestamp:
- Oct 4, 2018 5:19:46 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 29 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r236856 r236862 1 2018-10-04 Chris Dumez <cdumez@apple.com> 2 3 A Document / Window should lose its browsing context as soon as its iframe is removed from the document 4 https://bugs.webkit.org/show_bug.cgi?id=190282 5 6 Reviewed by Ryosuke Niwa. 7 8 Update existing layout test to reflect behavior change. 9 10 * fast/dom/Window/BarInfo-after-frame-removed.html: 11 * fast/dom/Window/dom-access-from-closure-iframe-expected.txt: 12 * fast/dom/Window/dom-access-from-closure-window-expected.txt: 13 * fast/dom/Window/dom-access-from-closure-window-with-gc-expected.txt: 14 * fast/dom/Window/resources/dom-access-from-closure-iframe-child.html: 15 * fast/dom/Window/resources/dom-access-from-closure-window-child.html: 16 * fast/events/resources/before-unload-return-string-conversion-frame.html: 17 * fast/parser/resources/set-parent-to-javascript-url.html: 18 * http/tests/media/media-stream/disconnected-frame.html: 19 * http/tests/security/contentSecurityPolicy/resources/checkDidSameOriginChildWindowLoad.js: 20 (checkDidLoad): 21 * http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt: 22 * http/tests/security/named-window-property-from-same-origin-inactive-document.html: 23 * http/tests/security/xss-DENIED-contentWindow-eval-expected.txt: 24 * http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt: 25 * http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html: 26 1 27 2018-10-04 Ross Kirsling <ross.kirsling@sony.com> 2 28 -
trunk/LayoutTests/fast/dom/Window/BarInfo-after-frame-removed.html
r120792 r236862 16 16 var childWindow = frame.contentWindow; 17 17 frame.parentNode.removeChild(frame); 18 childWindow.toolbar.visible; 18 try { 19 childWindow.toolbar.visible; 20 } catch (e) { } 19 21 20 22 document.getElementById("console").firstChild.data = "TEST RAN"; -
trunk/LayoutTests/fast/dom/Window/dom-access-from-closure-iframe-expected.txt
r42223 r236862 1 1 document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-iframe-child.html 2 2 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-parent-done.html 3 name: child3 name: 4 4 window.name: child 5 5 -
trunk/LayoutTests/fast/dom/Window/dom-access-from-closure-window-expected.txt
r42223 r236862 1 1 document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-window-child.html 2 2 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-opener-done.html 3 name: child3 name: 4 4 window.name: child 5 5 -
trunk/LayoutTests/fast/dom/Window/dom-access-from-closure-window-with-gc-expected.txt
r125656 r236862 1 1 document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-window-child.html 2 2 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-opener-done.html 3 name: child3 name: 4 4 window.name: child 5 5 -
trunk/LayoutTests/fast/dom/Window/resources/dom-access-from-closure-iframe-child.html
r32853 r236862 1 1 <script> 2 const parent = window.parent; // Save parent as the window will be detached when accessFrame() is called. 3 2 4 parent.accessFrame = function() 3 5 { -
trunk/LayoutTests/fast/dom/Window/resources/dom-access-from-closure-window-child.html
r32853 r236862 1 1 <script> 2 const opener = window.opener; // Save opener as the window will be detached when accessFrame() is called. 3 2 4 opener.accessFrame = function() 3 5 { -
trunk/LayoutTests/fast/events/resources/before-unload-return-string-conversion-frame.html
r212625 r236862 15 15 parent.shouldBeEqualToString("event.returnValue", "PASS"); 16 16 parent.shouldBeTrue("toStringCalled"); 17 parent.setTimeout(function() { 18 parent.finishJSTest(); 19 }, 0); 17 parent.finishJSTest(); 20 18 } 21 19 -
trunk/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html
r65692 r236862 1 1 <script> 2 const parent = window.parent; 2 3 alert(1); 3 4 parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(2),'PASS<script>alert(3)<\/script>'"; -
trunk/LayoutTests/http/tests/media/media-stream/disconnected-frame.html
r226160 r236862 13 13 14 14 function onIframeLoaded() { 15 iframe Navigator = iframe.contentWindow.navigator;15 iframeMediaDevices = iframe.contentWindow.navigator.mediaDevices; 16 16 iframe.remove(); 17 17 onIframeUnloaded(); … … 19 19 20 20 function onIframeUnloaded() { 21 handle = setTimeout(function() { 22 testFailed('Timeout: promise resolve and reject functions not called.'); 23 finishJSTest(); 24 }, 100); 25 21 26 var options = {audio: true, video: true}; 22 iframe Navigator.mediaDevices.getUserMedia(options)27 iframeMediaDevices.getUserMedia(options) 23 28 .then(stream => { 24 29 testFailed('Promise resolved unexpectedly.'); 30 clearTimeout(handle); 25 31 finishJSTest(); 26 32 }) 27 33 .catch(err => { 28 34 testPassed('Promise rejected as expected.'); 35 clearTimeout(handle); 29 36 finishJSTest(); 30 37 }); 31 32 setTimeout(function() {33 testFailed('Timeout: promise resolve and reject functions not called.');34 finishJSTest();35 }, 100);36 38 } 37 39 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/checkDidSameOriginChildWindowLoad.js
r234149 r236862 9 9 function checkDidSameOriginChildWindowLoad(childWindow, callback) 10 10 { 11 function checkDidLoad() { 12 if (childWindow.document.location.origin !== document.location.origin) 13 return; 14 // Child window did load 15 window.clearInterval(intervalID); 16 callback() 17 } 18 intervalID = window.setInterval(checkDidLoad, 10); 11 childWindow.onload = callback; 19 12 } -
trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt
r217061 r236862 6 6 Lookup named element whose name corresponds to an element in the initial about:blank document: 7 7 PASS frame.contentDocument.getElementById('A') is not elementAInInactiveDocument 8 PASS elementAIn ActiveDocumentFunction() is frame.contentDocument.getElementById('A')8 PASS elementAInDetachedWindowFunction() threw exception ReferenceError: Can't find variable: A. 9 9 10 10 Lookup named element whose name does not correspond to an element in the initial about:blank document: 11 PASS elementBIn ActiveDocumentFunction() is frame.contentDocument.getElementById('B')11 PASS elementBInDetachedWindowFunction() threw exception ReferenceError: Can't find variable: B. 12 12 PASS successfullyParsed is true 13 13 -
trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html
r217061 r236862 18 18 frameDocument.body.appendChild(elementAInInactiveDocument); 19 19 20 var elementAIn ActiveDocumentFunction = frame.contentWindow.Function("return A;");21 var elementBIn ActiveDocumentFunction = frame.contentWindow.Function("return B;");20 var elementAInDetachedWindowFunction = frame.contentWindow.Function("return A;"); 21 var elementBInDetachedWindowFunction = frame.contentWindow.Function("return B;"); 22 22 23 23 frame.onload = function () … … 25 25 debug("Lookup named element whose name corresponds to an element in the initial about:blank document:"); 26 26 shouldNotBe("frame.contentDocument.getElementById('A')", "elementAInInactiveDocument"); 27 should Be("elementAInActiveDocumentFunction()", "frame.contentDocument.getElementById('A')");27 shouldThrowErrorName("elementAInDetachedWindowFunction()", "ReferenceError"); 28 28 29 29 debug("<br>Lookup named element whose name does not correspond to an element in the initial about:blank document:"); 30 should Be("elementBInActiveDocumentFunction()", "frame.contentDocument.getElementById('B')");30 shouldThrowErrorName("elementBInDetachedWindowFunction()", "ReferenceError"); 31 31 32 32 finishJSTest(); -
trunk/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt
r217895 r236862 1 CONSOLE MESSAGE: line 1: TypeError: Type error2 1 This test passes if alert() is not called. -
trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt
r230864 r236862 5 5 6 6 Lookup named element whose name corresponds to an element in the initial about:blank document: 7 PASS elementAIn ActiveDocumentFunction() threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..7 PASS elementAInDetachedWindowFunction() threw exception ReferenceError: Can't find variable: A. 8 8 9 9 Lookup named element whose name does not correspond to an element in the initial about:blank document: 10 PASS elementBIn ActiveDocumentFunction() threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..10 PASS elementBInDetachedWindowFunction() threw exception ReferenceError: Can't find variable: B. 11 11 PASS successfullyParsed is true 12 12 -
trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html
r219663 r236862 18 18 frameDocument.body.appendChild(elementAInInactiveDocument); 19 19 20 var elementAIn ActiveDocumentFunction = frame.contentWindow.Function("return A;");21 var elementBIn ActiveDocumentFunction = frame.contentWindow.Function("return B;");20 var elementAInDetachedWindowFunction = frame.contentWindow.Function("return A;"); 21 var elementBInDetachedWindowFunction = frame.contentWindow.Function("return B;"); 22 22 23 23 frame.onload = function () 24 24 { 25 25 debug("Lookup named element whose name corresponds to an element in the initial about:blank document:") 26 shouldThrowErrorName("elementAIn ActiveDocumentFunction()", 'SecurityError');26 shouldThrowErrorName("elementAInDetachedWindowFunction()", 'ReferenceError'); 27 27 28 28 debug("<br>Lookup named element whose name does not correspond to an element in the initial about:blank document:"); 29 shouldThrowErrorName("elementBIn ActiveDocumentFunction()", 'SecurityError');29 shouldThrowErrorName("elementBInDetachedWindowFunction()", 'ReferenceError'); 30 30 31 31 finishJSTest(); -
trunk/LayoutTests/imported/w3c/ChangeLog
r236840 r236862 1 2018-10-04 Chris Dumez <cdumez@apple.com> 2 3 A Document / Window should lose its browsing context as soon as its iframe is removed from the document 4 https://bugs.webkit.org/show_bug.cgi?id=190282 5 6 Reviewed by Ryosuke Niwa. 7 8 Rebaseline several WPT tests that are now passing. I have verified that those tests are also passing in 9 Firefox and Chrome. 10 11 * web-platform-tests/html/browsers/windows/nested-browsing-contexts/window-parent-null-expected.txt: 12 * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-synchronously-discard-expected.txt: 13 1 14 2018-10-04 YUHAN WU <yuhan_wu@apple.com> 2 15 -
trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/windows/nested-browsing-contexts/window-parent-null-expected.txt
r213882 r236862 1 1 2 FAIL `window.parent` is null when browsing context container element removed assert_equals: expected null but got object "[object Window]" 3 FAIL `window.parent` null when parent browsing context container removed assert_equals: expected null but got object "[object Window]" 4 2 PASS `window.parent` is null when browsing context container element removed 3 PASS `window.parent` null when parent browsing context container removed 4 -
trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-synchronously-discard-expected.txt
r212202 r236862 1 1 2 FAIL IFrame discards are processed synchronously assert_equals: child window should be discarded expected null but got object "[object Window]" 2 PASS IFrame discards are processed synchronously 3 3 -
trunk/Source/WebCore/ChangeLog
r236860 r236862 1 2018-10-04 Chris Dumez <cdumez@apple.com> 2 3 A Document / Window should lose its browsing context as soon as its iframe is removed from the document 4 https://bugs.webkit.org/show_bug.cgi?id=190282 5 6 Reviewed by Ryosuke Niwa. 7 8 A Document / Window should lose its browsing context (aka Frame) as soon as its iframe is removed from 9 the document. In WebKit, a Document / Window's Frame was only getting nulled out when the frame gets 10 destroyed, which happens later usually after a GC happens. 11 12 Specification: 13 - https://html.spec.whatwg.org/#the-iframe-element 14 """ 15 When an iframe element is removed from a document, the user agent must discard the element's nested browsing 16 context, if it is not null, and then set the element's nested browsing context to null. 17 """ 18 19 This was not consistent with the specification or other browsers (tested Chrome and Firefox) so this 20 patch is aligning our behavior. 21 22 In a follow-up, I am planning to look into making the Window not be a FrameDestructionObserver, and instead 23 get its frame from the Document. This should make the code simpler. 24 25 No new tests, rebaselined existing tests. 26 27 * Modules/mediastream/MediaDevices.cpp: 28 (WebCore::MediaDevices::getUserMedia const): 29 * Modules/mediastream/MediaDevices.h: 30 Update getUserMedia() to reject a the Promise with an InvalidStateError when calling after the 31 document has been detached, instead of throwing an InvalidStateError. This behavior is as per 32 specification: 33 - https://w3c.github.io/mediacapture-main/#dom-mediadevices-getusermedia (Step 4) 34 I needed to make this change to keep one of our layout tests passing. 35 36 * dom/Document.cpp: 37 (WebCore::Document::attachToCachedFrame): 38 (WebCore::Document::detachFromFrame): 39 * dom/Document.h: 40 * page/DOMWindow.cpp: 41 (WebCore::DOMWindow::didSecureTransitionTo): 42 (WebCore::DOMWindow::willDetachDocumentFromFrame): 43 (WebCore::DOMWindow::setStatus): 44 (WebCore::DOMWindow::detachFromFrame): 45 (WebCore::DOMWindow::attachToFrame): 46 * page/DOMWindow.h: 47 * page/DOMWindowProperty.cpp: 48 (WebCore::DOMWindowProperty::disconnectFrameForDocumentSuspension): 49 (WebCore::DOMWindowProperty::willDestroyGlobalObjectInCachedFrame): 50 (WebCore::DOMWindowProperty::willDestroyGlobalObjectInFrame): 51 * page/Frame.cpp: 52 (WebCore::Frame::disconnectOwnerElement): 53 54 * platform/mock/MockRealtimeVideoSource.cpp: 55 (WebCore::MockRealtimeVideoSource::drawText): 56 Calling drawText() with a null String hits an assertion in debug. This was triggered by one of 57 our layout tests so I made sure we only call drawText when the String is not null. 58 1 59 2018-10-04 Jeremy Jones <jeremyj@apple.com> 2 60 -
trunk/Source/WebCore/Modules/mediastream/MediaDevices.cpp
r236465 r236862 97 97 } 98 98 99 ExceptionOr<void>MediaDevices::getUserMedia(const StreamConstraints& constraints, Promise&& promise) const99 void MediaDevices::getUserMedia(const StreamConstraints& constraints, Promise&& promise) const 100 100 { 101 101 auto* document = this->document(); 102 if (!document) 103 return Exception { InvalidStateError }; 102 if (!document) { 103 promise.reject(Exception { InvalidStateError }); 104 return; 105 } 104 106 105 107 auto audioConstraints = createMediaConstraints(constraints.audio); … … 112 114 request->start(); 113 115 114 return { };116 return; 115 117 } 116 118 -
trunk/Source/WebCore/Modules/mediastream/MediaDevices.h
r235900 r236862 75 75 Variant<bool, MediaTrackConstraints> audio; 76 76 }; 77 ExceptionOr<void>getUserMedia(const StreamConstraints&, Promise&&) const;77 void getUserMedia(const StreamConstraints&, Promise&&) const; 78 78 ExceptionOr<void> getDisplayMedia(const StreamConstraints&, Promise&&) const; 79 79 void enumerateDevices(EnumerateDevicesPromise&&) const; -
trunk/Source/WebCore/dom/Document.cpp
r236855 r236862 2342 2342 ASSERT(m_pageCacheState == Document::InPageCache); 2343 2343 observeFrame(&cachedFrame.view()->frame()); 2344 if (auto* window = domWindow()) 2345 window->attachToFrame(cachedFrame.view()->frame()); 2344 2346 } 2345 2347 … … 8246 8248 } 8247 8249 8250 void Document::detachFromFrame() 8251 { 8252 if (auto* window = domWindow()) 8253 window->willDetachDocumentFromFrame(); 8254 8255 observeFrame(nullptr); 8256 } 8257 8248 8258 } // namespace WebCore -
trunk/Source/WebCore/dom/Document.h
r236855 r236862 1506 1506 bool isRunningUserScripts() const { return m_isRunningUserScripts; } 1507 1507 1508 void detachFromFrame(); 1509 1508 1510 protected: 1509 1511 enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 }; … … 1522 1524 1523 1525 bool shouldInheritContentSecurityPolicyFromOwner() const; 1524 1525 void detachFromFrame() { observeFrame(nullptr); }1526 1526 1527 1527 void updateTitleElement(Element& changingTitleElement); -
trunk/Source/WebCore/page/DOMWindow.cpp
r236762 r236862 415 415 { 416 416 observeContext(&document); 417 observeFrame(document.frame()); 417 418 } 418 419 … … 512 513 if (m_performance) 513 514 m_performance->clearResourceTimings(); 515 516 detachFromFrame(); 514 517 } 515 518 … … 1403 1406 ASSERT(m_frame->document()); // Client calls shouldn't be made when the frame is in inconsistent state. 1404 1407 page->chrome().setStatusbarText(*m_frame, m_status); 1405 } 1408 } 1409 1410 void DOMWindow::detachFromFrame() 1411 { 1412 observeFrame(nullptr); 1413 } 1414 1415 void DOMWindow::attachToFrame(Frame& frame) 1416 { 1417 observeFrame(&frame); 1418 } 1406 1419 1407 1420 void DOMWindow::setDefaultStatus(const String& string) -
trunk/Source/WebCore/page/DOMWindow.h
r235050 r236862 334 334 void willDestroyCachedFrame(); 335 335 336 void attachToFrame(Frame&); 337 void detachFromFrame(); 338 336 339 void enableSuddenTermination(); 337 340 void disableSuddenTermination(); -
trunk/Source/WebCore/page/DOMWindowProperty.cpp
r211033 r236862 58 58 void DOMWindowProperty::disconnectFrameForDocumentSuspension() 59 59 { 60 // If this property is being disconnected from its Frame to enter the PageCache, it must have61 // been created with a Frame in the first place.62 ASSERT(m_frame);63 60 ASSERT(m_associatedDOMWindow); 64 61 … … 94 91 void DOMWindowProperty::willDestroyGlobalObjectInFrame() 95 92 { 96 // If the property is getting this callback it must have been created with a Frame/DOMWindow and it should still have them.97 ASSERT(m_frame);98 93 ASSERT(m_associatedDOMWindow); 99 94 … … 108 103 void DOMWindowProperty::willDetachGlobalObjectFromFrame() 109 104 { 110 // If the property is getting this callback it must have been created with a Frame/DOMWindow and it should still have them. 111 ASSERT(m_frame); 112 ASSERT(m_associatedDOMWindow); 105 m_frame = nullptr; 113 106 } 114 107 -
trunk/Source/WebCore/page/Frame.cpp
r235758 r236862 832 832 } 833 833 m_ownerElement = nullptr; 834 835 if (auto* document = this->document()) 836 document->detachFromFrame(); 834 837 } 835 838 -
trunk/Source/WebCore/platform/mock/MockRealtimeVideoSource.cpp
r236855 r236862 373 373 statsLocation.move(0, m_statsFontSize); 374 374 context.drawText(statsFont, TextRun((StringView(string))), statsLocation); 375 } else {375 } else if (!name().isNull()) { 376 376 statsLocation.move(0, m_statsFontSize); 377 377 context.drawText(statsFont, TextRun { name() }, statsLocation);
Note: See TracChangeset
for help on using the changeset viewer.