Changeset 244892 in webkit
- Timestamp:
- May 2, 2019 3:24:27 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 31 edited
trunk/LayoutTests/ChangeLog
r244891 r244892 1 2019-05-02 Chris Dumez <cdumez@apple.com> 2 3 Setting a frame's src to a javascript URL should not run it synchronously 4 https://bugs.webkit.org/show_bug.cgi?id=197466 5 6 Reviewed by Darin Adler. 7 8 * fast/dom/frame-src-javascript-url-async-expected.txt: Added. 9 * fast/dom/frame-src-javascript-url-async.html: Added. 10 Add layout test coverage for the fact that the javascript URL is executed asynchronously 11 whether set during parsing or later via JS. Also makes sure that executing the javascript 12 URL asynchronously does not replace the frame's window. This test passes in both Chrome 13 and Firefox. 14 15 * imported/blink/fast/frames/navigation-in-pagehide.html: 16 Re-sync this test from the Blink repository. 17 18 * fast/dom/Element/id-in-frameset-expected.txt: 19 * fast/dom/Element/id-in-frameset.html: 20 * fast/dom/insertedIntoDocument-iframe-expected.txt: 21 * fast/dom/javascript-url-exception-isolation-expected.txt: 22 * fast/dom/javascript-url-exception-isolation.html: 23 * fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt: 24 * fast/dom/resources/javascript-url-crash-function-iframe.html: 25 * fast/frames/adopt-from-created-document.html: 26 * fast/frames/out-of-document-iframe-has-child-frame.html: 27 * fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html: 28 * fast/loader/javascript-url-iframe-remove-on-navigate.html: 29 * fast/loader/unload-mutation-crash.html: 30 * fast/parser/resources/set-parent-to-javascript-url.html: 31 * fast/parser/xml-error-adopted.xml: 32 * http/tests/navigation/lockedhistory-iframe-expected.txt: 33 * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: 34 * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt: 35 * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: 36 * 
http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: 37 * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html: 38 * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html: 39 * http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html: 40 * imported/blink/loader/iframe-sync-loads-expected.txt: 41 * js/dom/call-base-resolution.html: 42 * platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: 43 Update / Rebaseline existing tests to reflect behavior change. I ran those tests in Firefox and Chrome to confirm that our behavior 44 is indeed aligned. 45 1 46 2019-05-02 Gary Katsevman <git@gkatsev.com> 2 47 -
trunk/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt
r52312 r244892 1 ALERT: 11 ALERT: 2 2 2 -
trunk/LayoutTests/fast/dom/Element/id-in-frameset.html
r120792 r244892 1 1 <html> 2 2 <script> 3 if (window.testRunner) { 4 testRunner.dumpAsText(); 5 testRunner.waitUntilDone(); 6 } 7 </script> 3 8 <frameset id="frameset"> 4 9 <frame name="frame2" src="about:blank"> … … 17 22 top.frameset.removeChild(top.frame2.frameElement); 18 23 log(top.frameset.children.length); 24 if (window.testRunner) 25 testRunner.notifyDone(); 19 26 "> 20 27 -
trunk/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt
r81611 r244892 1 CONSOLE MESSAGE: line 1: TypeError: Argument 1 ('child') to Node.removeChild must be an instance of Node 1 2 PASS 3 -
trunk/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt
r217390 r244892 1 1 CONSOLE MESSAGE: line 1: 42 2 CONSOLE MESSAGE: line 25: SyntaxError: Unexpected token '<'2 CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '<' 3 3 Exceptions thrown in javascript URLs should not propagate to the main script. 4 4 -
trunk/LayoutTests/fast/dom/javascript-url-exception-isolation.html
r217390 r244892 21 21 shouldBeFalse('caughtException'); 22 22 23 var subframe2 = document.createElement("iframe"); 24 document.body.appendChild(subframe2); 25 23 26 // Compile-time exception. 24 27 try { 25 subframe .src = 'javascript:<html></html>';28 subframe2.src = 'javascript:<html></html>'; 26 29 } catch(e) { 27 30 caughtException = true; -
trunk/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt
r216259 r244892 1 CONSOLE MESSAGE: line 1 4: SyntaxError: Unexpected identifier 'orem'1 CONSOLE MESSAGE: line 1: SyntaxError: Unexpected identifier 'orem' 2 2 This tests that we do not assert when a malformed JS URL is passed to the 'src' attribute of an iframe. The test passes if it does not ASSERT. 3 3 -
trunk/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html
r120792 r244892 17 17 { 18 18 test(); 19 if (window.testRunner) 20 testRunner.notifyDone(); 19 top.setTimeout(() => { 20 if (window.testRunner) 21 testRunner.notifyDone(); 22 }, 0); 21 23 }, 0); 22 24 </script> -
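Review bot: The added `top.setTimeout(() => { … }, 0)` wrapper encodes an ordering assumption — that the zero-delay scheduled javascript: URL load fires before a zero-delay page timer queued after it — but nothing in the test says so, and a later change to timer ordering would show up as a flaky expectation rather than a clear failure. A one-line comment such as `// The javascript: URL now runs from a zero-delay scheduled navigation; defer notifyDone by one more task so it has executed.` would make the intent visible. The same pattern is added in out-of-document-iframe-has-child-frame.html, xss-ALLOWED-from-javascript-url-sub-frame.html and xss-ALLOWED-to-javascript-url-from-javscript-url.html and would benefit from the same comment.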
trunk/LayoutTests/fast/frames/adopt-from-created-document.html
r121008 r244892 9 9 var ifr = doc.createElement('iframe'); 10 10 alert(3); 11 ifr.setAttribute('src', 'javascript:alert( 6)');11 ifr.setAttribute('src', 'javascript:alert(7)'); 12 12 alert(4); 13 13 var adopted = document.adoptNode(ifr) 14 14 alert(5); 15 15 document.body.appendChild(adopted); 16 alert( 7);16 alert(6); 17 17 </script> -
trunk/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html
r155268 r244892 1 1 <html> 2 2 <head> 3 <script src="../../resources/js-test -pre.js"></script>3 <script src="../../resources/js-test.js"></script> 4 4 </head> 5 5 <body> … … 8 8 description("This tests that several ways of making an iframe that isn't inserted into a document tree" 9 9 + " but has a child frame will fail."); 10 jsTestIsAsync = true; 10 11 11 12 main = document.getElementById("main"); … … 45 46 document.body.appendChild(container); 46 47 } catch (e) { } 47 shouldBeTrue("targetFrame3.contentWindow == undefined");48 48 49 isSuccessfullyParsed(); 49 setTimeout(() => { 50 shouldBeTrue("targetFrame3.contentWindow == undefined"); 51 finishJSTest(); 52 }, 0); 50 53 </script> 51 54 </body> -
trunk/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
r232144 r244892 9 9 10 10 let frame = document.getElementById("target"); 11 frame.contentWindow.onbeforeunload = function() {12 setTimeout(function() {13 frame.src = "javascript:alert('FAIL')";14 }, 0);15 };16 11 17 12 window.addEventListener("load", function() { 13 frame.contentWindow.onbeforeunload = function() { 14 setTimeout(function() { 15 frame.src = "javascript:alert('FAIL')"; 16 }, 0); 17 }; 18 18 19 document.write("PASS - Javascript URL blocked without crashing."); 19 20 if (window.testRunner) -
trunk/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html
r232144 r244892 7 7 8 8 let frame = document.getElementById("target"); 9 frame.contentWindow.onbeforeunload = function() {10 setTimeout(function() {11 frame.src = "javascript:alert('FAIL')";12 }, 0);13 };14 9 15 10 window.addEventListener("load", function() { 11 frame.contentWindow.onbeforeunload = function() { 12 setTimeout(function() { 13 frame.src = "javascript:alert('FAIL')"; 14 }, 0); 15 }; 16 16 document.write("PASS - Javascript URL blocked without crashing."); 17 17 if (window.testRunner) -
trunk/LayoutTests/fast/loader/unload-mutation-crash.html
r192947 r244892 3 3 <head> 4 4 <script> 5 if (window.testRunner) 6 window.testRunner.dumpAsText(); 5 if (window.testRunner) { 6 testRunner.dumpAsText(); 7 testRunner.waitUntilDone(); 8 } 7 9 8 10 function start() { … … 21 23 window.firstFrame.src = 'javascript:"";'; 22 24 document.write("PASS. WebKit didn't crash."); 25 if (window.testRunner) 26 testRunner.notifyDone(); 23 27 } 24 28 </script> -
trunk/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html
r236862 r244892 2 2 const parent = window.parent; 3 3 alert(1); 4 parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert( 2),'PASS<script>alert(3)<\/script>'";5 alert( 4);4 parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(3),'PASS<script>alert(4)<\/script>'"; 5 alert(2); 6 6 parent.setTimeout("done()", 0); 7 7 </script> -
trunk/LayoutTests/fast/parser/xml-error-adopted.xml
r141198 r244892 16 16 } 17 17 18 setTimeout(test, 0); 18 onload = () => { 19 setTimeout(test, 0); 20 }; 19 21 </script> 20 22 <elt attr="1" attr="2"/> -
trunk/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt
r231450 r244892 5 5 ============== Back Forward List ============== 6 6 curr-> http://127.0.0.1:8000/navigation/lockedhistory-iframe.html **nav target** 7 about:blank (in frame "<!--frame1-->") 7 http://127.0.0.1:8000/navigation/lockedhistory-iframe.html# (in frame "<!--frame1-->") 8 about:blank (in frame "<!--frame2-->") 8 9 =============================================== -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt
r231450 r244892 7 7 frame "<!--frame2-->" - didHandleOnloadEventsForFrame 8 8 frame "<!--frame2-->" - didFinishLoadForFrame 9 frame "<!--frame2-->" - willPerformClientRedirectToURL: javascript:document.write('%3Cimg%20src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22%3E'); 10 frame "<!--frame1-->" - didFinishDocumentLoadForFrame 9 11 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy. 10 frame "<!--frame1-->" - didFinishDocumentLoadForFrame11 12 frame "<!--frame1-->" - didFinishLoadForFrame 12 13 main frame - didFinishLoadForFrame -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt
r133193 r244892 1 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 2 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 1 3 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 2 4 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 3 5 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 4 6 ALERT: PASS 5 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.6 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.7 7 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt
r198591 r244892 1 CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.2 1 CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy. 3 2 CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy. 3 CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. 4 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt
r198591 r244892 1 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 2 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 1 3 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 2 4 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 3 5 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect. 4 6 CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. 5 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.6 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.7 7 -
trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
r191652 r244892 8 8 testRunner.dumpAsText(); 9 9 testRunner.dumpChildFramesAsText(); 10 testRunner.waitUntilDone(); 10 11 } 11 12 … … 13 14 + "<scr" + "ipt>" 14 15 + 'top.document.getElementById(\\\\\\\"accessMe\\\\\\\").innerHTML = \\\\\\\"PASS: Cross frame access from a javascript: URL inside another javascript: URL was allowed!\\\\\\\";' 16 + 'top.setTimeout(() => { testRunner.notifyDone(); }, 0);' 15 17 + "</scri" + "pt>" 16 18 + "<body>" -
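Review bot: The string appended on line 16, `'top.setTimeout(() => { testRunner.notifyDone(); }, 0);'`, calls `testRunner` without the `if (window.testRunner)` guard that the rest of this file and the sibling xss-ALLOWED tests use, so opening the test in a plain browser produces a ReferenceError from the timer callback instead of a clean run. Suggest `'top.setTimeout(() => { if (window.testRunner) testRunner.notifyDone(); }, 0);'` to match the others. The surrounding script string starts before this hunk.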
trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
r191652 r244892 8 8 testRunner.dumpAsText(); 9 9 testRunner.dumpChildFramesAsText(); 10 testRunner.waitUntilDone(); 10 11 } 11 12 … … 21 22 var iframe = document.getElementById("aFrame"); 22 23 iframe.src = url; 24 onload = () => { 25 setTimeout(() => { 26 if (window.testRunner) 27 testRunner.notifyDone(); 28 }, 0); 29 } 23 30 </script> 24 31 </body> -
trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
r191652 r244892 8 8 testRunner.dumpAsText(); 9 9 testRunner.dumpChildFramesAsText(); 10 testRunner.waitUntilDone(); 10 11 } 11 12 … … 31 32 var iframe = document.getElementById("aFrame"); 32 33 iframe.src = url; 34 35 onload = () => { 36 setTimeout(() => { 37 if (window.testRunner) 38 testRunner.notifyDone(); 39 }, 0); 40 }; 33 41 </script> 34 42 </body> -
trunk/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html
r194919 r244892 18 18 firstFrame.appendChild(div); 19 19 secondFrame = document.createElement('iframe'); 20 secondFrame.src = 'javascript:window.top. maybeStart();';20 secondFrame.src = 'javascript:window.top.reallyStart();'; 21 21 div.appendChild(secondFrame); 22 22 var firstFrameRoot = firstFrame.contentDocument.documentElement; 23 23 document.documentElement.appendChild(div); 24 24 firstFrameRoot.appendChild(secondFrame); 25 }26 27 function maybeStart() {28 if (callbackCount++ > 1) {29 reallyStart();30 return;31 }32 25 } 33 26 … … 40 33 if (window.location.hash == '#done') { 41 34 if (window.testRunner) 42 window.testRunner.notifyDone();35 testRunner.notifyDone(); 43 36 return; 44 37 } -
trunk/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt
r190629 r244892 1 sync: src = javascript:"content"1 ASYNC : src = javascript:"content" 2 2 ASYNC : src = data:text/html,content 3 3 ASYNC : srcdoc = "content" -
trunk/LayoutTests/js/dom/call-base-resolution.html
r156066 r244892 5 5 <body> 6 6 7 <script src="../../resources/js-test -pre.js"></script>7 <script src="../../resources/js-test.js"></script> 8 8 <script> 9 9 window.name = "o"; … … 78 78 "> 79 79 </iframe> 80 <script src="../../resources/js-test-post.js"></script>81 82 80 </body> 83 81 </html> -
trunk/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt
r231450 r244892 7 7 frame "<!--frame2-->" - didHandleOnloadEventsForFrame 8 8 frame "<!--frame2-->" - didFinishLoadForFrame 9 frame "<!--frame2-->" - willPerformClientRedirectToURL: javascript:document.write('<img src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22>'); 10 frame "<!--frame1-->" - didFinishDocumentLoadForFrame 9 11 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy. 10 frame "<!--frame1-->" - didFinishDocumentLoadForFrame11 12 frame "<!--frame1-->" - didFinishLoadForFrame 12 13 main frame - didFinishLoadForFrame -
trunk/Source/WebCore/ChangeLog
r244891 r244892 1 2019-05-02 Chris Dumez <cdumez@apple.com> 2 3 Setting a frame's src to a javascript URL should not run it synchronously 4 https://bugs.webkit.org/show_bug.cgi?id=197466 5 6 Reviewed by Darin Adler. 7 8 When an iframe's src attribute is set to a javascript URL, whether when parsing 9 or later on via JS, we now execute the URL's JavaScript asynchronously. We used 10 to execute it synchronously, which was a source of bugs and also did not match 11 other browsers. 12 13 I have verified that our new behavior is aligned with both Firefox and Chrome. 14 15 Note that for backward-compatibility and interoperability with Blink 16 (https://bugs.chromium.org/p/chromium/issues/detail?id=923585), the 17 "javascript:''" URL will still run synchronously. We should consider dropping 18 this quirk at some point. 19 20 Test: fast/dom/frame-src-javascript-url-async.html 21 22 * loader/NavigationScheduler.cpp: 23 (WebCore::ScheduledLocationChange::ScheduledLocationChange): 24 (WebCore::ScheduledLocationChange::~ScheduledLocationChange): 25 (WebCore::NavigationScheduler::scheduleLocationChange): 26 * loader/NavigationScheduler.h: 27 (WebCore::NavigationScheduler::scheduleLocationChange): 28 * loader/SubframeLoader.cpp: 29 (WebCore::SubframeLoader::requestFrame): 30 1 31 2019-05-02 Gary Katsevman <git@gkatsev.com> 2 32 -
trunk/Source/WebCore/loader/NavigationScheduler.cpp
r238771 r244892 194 194 class ScheduledLocationChange : public ScheduledURLNavigation { 195 195 public: 196 ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad) 197 : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) { } 196 ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad, CompletionHandler<void()>&& completionHandler) 197 : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) 198 , m_completionHandler(WTFMove(completionHandler)) 199 { 200 } 201 202 ~ScheduledLocationChange() 203 { 204 if (m_completionHandler) 205 m_completionHandler(); 206 } 198 207 199 208 void fire(Frame& frame) override … … 204 213 FrameLoadRequest frameLoadRequest { initiatingDocument(), *securityOrigin(), resourceRequest, "_self", lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, shouldOpenExternalURLs(), initiatedByMainFrame() }; 205 214 215 auto completionHandler = WTFMove(m_completionHandler); 206 216 frame.loader().changeLocation(WTFMove(frameLoadRequest)); 207 } 217 completionHandler(); 218 } 219 220 private: 221 CompletionHandler<void()> m_completionHandler; 208 222 }; 209 223 … … 406 420 } 407 421 408 void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList )422 void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const 
String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, CompletionHandler<void()>&& completionHandler) 409 423 { 410 424 if (!shouldScheduleNavigation(url)) 411 return ;425 return completionHandler(); 412 426 413 427 if (lockBackForwardList == LockBackForwardList::No) … … 425 439 FrameLoadRequest frameLoadRequest { initiatingDocument, securityOrigin, resourceRequest, "_self"_s, lockHistory, lockBackForwardList, MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, initiatingDocument.shouldOpenExternalURLsPolicyToPropagate(), initiatedByMainFrame }; 426 440 loader.changeLocation(WTFMove(frameLoadRequest)); 427 return ;441 return completionHandler(); 428 442 } 429 443 … … 432 446 bool duringLoad = !loader.stateMachine().committedFirstRealDocumentLoad(); 433 447 434 schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad ));448 schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, WTFMove(completionHandler))); 435 449 } 436 450 -
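Review bot: The destructor's `if (m_completionHandler) m_completionHandler();` is the path taken when a scheduled javascript: URL load is cancelled or superseded before it fires, and nothing says so; a reader may take it for a leftover. Suggest a comment above the destructor such as `// A scheduled change that is cancelled or replaced never fires; run the completion handler here so callers (e.g. SubframeLoader's load-event delay) are always released.` The local move in fire(), `auto completionHandler = WTFMove(m_completionHandler);`, also deserves a one-line why-comment, since changeLocation() may destroy the scheduler and with it this object before the handler is invoked. In scheduleLocationChange, `return completionHandler();` returns the result of a void call; `completionHandler(); return;` reads more plainly, though both are legal.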
trunk/Source/WebCore/loader/NavigationScheduler.h
r238771 r244892 54 54 55 55 void scheduleRedirect(Document& initiatingDocument, double delay, const URL&); 56 void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes );56 void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes, CompletionHandler<void()>&& = [] { }); 57 57 void scheduleFormSubmission(Ref<FormSubmission>&&); 58 58 void scheduleRefresh(Document& initiatingDocument); -
trunk/Source/WebCore/loader/SubframeLoader.cpp
r242534 r244892 57 57 #include "SecurityPolicy.h" 58 58 #include "Settings.h" 59 #include <wtf/CompletionHandler.h> 59 60 60 61 namespace WebCore { … … 87 88 url = WTF::blankURL(); 88 89 89 bool hasExistingFrame = ownerElement.contentFrame(); 90 // If we will schedule a JavaScript URL load, we need to delay the firing of the load event at least until we've run the JavaScript in the URL. 91 CompletionHandlerCallingScope stopDelayingLoadEvent; 92 if (!scriptURL.isEmpty()) { 93 ownerElement.document().incrementLoadEventDelayCount(); 94 stopDelayingLoadEvent = CompletionHandlerCallingScope([ownerDocument = makeRef(ownerElement.document())] { 95 ownerDocument->decrementLoadEventDelayCount(); 96 }); 97 } 98 90 99 Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); 91 100 if (!frame) 92 101 return false; 93 102 94 // If we create a new subframe then an empty document is loaded into it synchronously and may 95 // cause script execution (say, via a DOM load event handler) that can do anything, including 96 // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated. 97 bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == WTF::blankURL()); 98 if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL)) 99 frame->script().executeIfJavaScriptURL(scriptURL); 103 if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL)) { 104 // FIXME: Some sites rely on the javascript:'' loading synchronously, which is why we have this special case. 105 // Blink has the same workaround (https://bugs.chromium.org/p/chromium/issues/detail?id=923585). 
106 if (urlString == "javascript:''" || urlString == "javascript:\"\"") 107 frame->script().executeIfJavaScriptURL(scriptURL); 108 else 109 frame->navigationScheduler().scheduleLocationChange(ownerElement.document(), ownerElement.document().securityOrigin(), scriptURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList, stopDelayingLoadEvent.release()); 110 } 100 111 101 112 return true;
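Review bot: The synchronous `javascript:''` branch on lines 106–107 no longer has the `canExecuteScript` guard that the removed lines derived from `hasExistingFrame` and the document loader's original URL, so if creating the subframe synchronously ran script that navigated it, the quirk now executes the URL against the navigated frame; the ChangeLog does not say this is intended. If it is not, keep `bool hasExistingFrame = ownerElement.contentFrame();` before loadOrRedirectSubframe() and gate only the sync branch on the old `canExecuteScript` expression — the scheduled branch does not need it, since the scheduler fires later against whatever the frame holds then. Separately, `ownerElement.isURLAllowed(scriptURL)` is evaluated once at scheduling time; whether the policy decision is re-checked when the scheduled change fires is not visible here and should be confirmed, since the owner document's state may change in between. requestFrame's body starts before and ends after this hunk.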