Changeset 244892 in webkit

Timestamp:

May 2, 2019 3:24:27 PM (5 years ago)

Author:

Chris Dumez

Message:

Setting a frame's src to a javascript URL should not run it synchronously
​https://bugs.webkit.org/show_bug.cgi?id=197466

Reviewed by Darin Adler.

Source/WebCore:

When an iframe's src attribute is set to a javascript URL, whether when parsing
or later on via JS, we now execute the URL's JavaScript asynchronously. We used
to execute it synchronously, which was a source of bugs and also did not match
other browsers.

I have verified that our new behavior is aligned with both Firefox and Chrome.

Note that for backward-compatibility and interoperability with Blink
(​https://bugs.chromium.org/p/chromium/issues/detail?id=923585), the
"javascript:" URL will still run synchronously. We should consider dropping
this quirk at some point.

Test: fast/dom/frame-src-javascript-url-async.html

• loader/NavigationScheduler.cpp:

(WebCore::ScheduledLocationChange::ScheduledLocationChange):
(WebCore::ScheduledLocationChange::~ScheduledLocationChange):
(WebCore::NavigationScheduler::scheduleLocationChange):

• loader/NavigationScheduler.h:

(WebCore::NavigationScheduler::scheduleLocationChange):

• loader/SubframeLoader.cpp:

(WebCore::SubframeLoader::requestFrame):

LayoutTests:

• fast/dom/frame-src-javascript-url-async-expected.txt: Added.
• fast/dom/frame-src-javascript-url-async.html: Added.

Add layout test coverage for the fact that the javascript URL is executed asynchronously
whether set during parsing or later via JS. Also makes sure that executing the javascript
URL asynchronously does not replace the frame's window. This test passes in both Chrome
and Firefox.

• imported/blink/fast/frames/navigation-in-pagehide.html:

Re-sync this test from the Blink repository.

• fast/dom/Element/id-in-frameset-expected.txt:
• fast/dom/Element/id-in-frameset.html:
• fast/dom/insertedIntoDocument-iframe-expected.txt:
• fast/dom/javascript-url-exception-isolation-expected.txt:
• fast/dom/javascript-url-exception-isolation.html:
• fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt:
• fast/dom/resources/javascript-url-crash-function-iframe.html:
• fast/frames/adopt-from-created-document.html:
• fast/frames/out-of-document-iframe-has-child-frame.html:
• fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html:
• fast/loader/javascript-url-iframe-remove-on-navigate.html:
• fast/loader/unload-mutation-crash.html:
• fast/parser/resources/set-parent-to-javascript-url.html:
• fast/parser/xml-error-adopted.xml:
• http/tests/navigation/lockedhistory-iframe-expected.txt:
• http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
• http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt:
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
• http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html:
• http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html:
• http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html:
• imported/blink/loader/iframe-sync-loads-expected.txt:
• js/dom/call-base-resolution.html:
• platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:

Update / Rebaseline existing tests to reflect behavior change. I ran those tests in Firefox and Chrome to confirm that our behavior
is indeed aligned.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Element/id-in-frameset-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Element/id-in-frameset.html (modified) (2 diffs)
• LayoutTests/fast/dom/frame-src-javascript-url-async-expected.txt (added)
• LayoutTests/fast/dom/frame-src-javascript-url-async.html (added)
• LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/javascript-url-exception-isolation.html (modified) (1 diff)
• LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html (modified) (1 diff)
• LayoutTests/fast/frames/adopt-from-created-document.html (modified) (1 diff)
• LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html (modified) (3 diffs)
• LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html (modified) (1 diff)
• LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html (modified) (1 diff)
• LayoutTests/fast/loader/unload-mutation-crash.html (modified) (2 diffs)
• LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html (modified) (1 diff)
• LayoutTests/fast/parser/xml-error-adopted.xml (modified) (1 diff)
• LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html (modified) (2 diffs)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html (modified) (2 diffs)
• LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html (modified) (2 diffs)
• LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html (modified) (2 diffs)
• LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt (modified) (1 diff)
• LayoutTests/js/dom/call-base-resolution.html (modified) (2 diffs)
• LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/NavigationScheduler.cpp (modified) (5 diffs)
• Source/WebCore/loader/NavigationScheduler.h (modified) (1 diff)
• Source/WebCore/loader/SubframeLoader.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-05-02  Chris Dumez  <cdumez@apple.com>
+
+        Setting a frame's src to a javascript URL should not run it synchronously
+        https://bugs.webkit.org/show_bug.cgi?id=197466
+
+        Reviewed by Darin Adler.
+
+        * fast/dom/frame-src-javascript-url-async-expected.txt: Added.
+        * fast/dom/frame-src-javascript-url-async.html: Added.
+        Add layout test coverage for the fact that the javascript URL is executed asynchronously
+        whether set during parsing or later via JS. Also makes sure that executing the javascript
+        URL asynchronously does not replace the frame's window. This test passes in both Chrome
+        and Firefox.
+
+        * imported/blink/fast/frames/navigation-in-pagehide.html:
+        Re-sync this test from the Blink repository.
+
+        * fast/dom/Element/id-in-frameset-expected.txt:
+        * fast/dom/Element/id-in-frameset.html:
+        * fast/dom/insertedIntoDocument-iframe-expected.txt:
+        * fast/dom/javascript-url-exception-isolation-expected.txt:
+        * fast/dom/javascript-url-exception-isolation.html:
+        * fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt:
+        * fast/dom/resources/javascript-url-crash-function-iframe.html:
+        * fast/frames/adopt-from-created-document.html:
+        * fast/frames/out-of-document-iframe-has-child-frame.html:
+        * fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html:
+        * fast/loader/javascript-url-iframe-remove-on-navigate.html:
+        * fast/loader/unload-mutation-crash.html:
+        * fast/parser/resources/set-parent-to-javascript-url.html:
+        * fast/parser/xml-error-adopted.xml:
+        * http/tests/navigation/lockedhistory-iframe-expected.txt:
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
+        * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html:
+        * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html:
+        * http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html:
+        * imported/blink/loader/iframe-sync-loads-expected.txt:
+        * js/dom/call-base-resolution.html:
+        * platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
+        Update / Rebaseline existing tests to reflect behavior change. I ran those tests in Firefox and Chrome to confirm that our behavior
+        is indeed aligned.
+
 2019-05-02  Gary Katsevman  <git@gkatsev.com>
 

trunk/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt

@@ -1 @@
-ALERT: 1
+ALERT: 2
 

trunk/LayoutTests/fast/dom/Element/id-in-frameset.html

@@ -1 +1 @@
 <html>
-
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+</script>
 <frameset id="frameset">
   <frame name="frame2" src="about:blank">
@@ -17 +22 @@
     top.frameset.removeChild(top.frame2.frameElement);
     log(top.frameset.children.length);
+    if (window.testRunner)
+        testRunner.notifyDone();
   ">
 

trunk/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: line 1: TypeError: Argument 1 ('child') to Node.removeChild must be an instance of Node
 PASS
+

trunk/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 1: 42
-CONSOLE MESSAGE: line 25: SyntaxError: Unexpected token '<'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '<'
 Exceptions thrown in javascript URLs should not propagate to the main script.
 

trunk/LayoutTests/fast/dom/javascript-url-exception-isolation.html

@@ -21 +21 @@
 shouldBeFalse('caughtException');
 
+var subframe2 = document.createElement("iframe");
+document.body.appendChild(subframe2);
+
 // Compile-time exception.
 try {
-    subframe.src = 'javascript:<html></html>';
+    subframe2.src = 'javascript:<html></html>';
 } catch(e) {
     caughtException = true;

trunk/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 14: SyntaxError: Unexpected identifier 'orem'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected identifier 'orem'
 This tests that we do not assert when a malformed JS URL is passed to the 'src' attribute of an iframe. The test passes if it does not ASSERT.
 

trunk/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html

@@ -17 +17 @@
 {
     test();
-    if (window.testRunner)
-        testRunner.notifyDone();
+    top.setTimeout(() => {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 0);
 }, 0);
 </script>

trunk/LayoutTests/fast/frames/adopt-from-created-document.html

@@ -9 +9 @@
 var ifr = doc.createElement('iframe');
 alert(3);
-ifr.setAttribute('src', 'javascript:alert(6)');
+ifr.setAttribute('src', 'javascript:alert(7)');
 alert(4);
 var adopted = document.adoptNode(ifr)
 alert(5);
 document.body.appendChild(adopted);
-alert(7);
+alert(6);
 </script>

trunk/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html

@@ -1 +1 @@
 <html>
 <head>
-<script src="../../resources/js-test-pre.js"></script>
+<script src="../../resources/js-test.js"></script>
 </head>
 <body>
@@ -8 +8 @@
 description("This tests that several ways of making an iframe that isn't inserted into a document tree"
     + " but has a child frame will fail.");
+jsTestIsAsync = true;
 
 main = document.getElementById("main");
@@ -45 +46 @@
     document.body.appendChild(container);
 } catch (e) { }
-shouldBeTrue("targetFrame3.contentWindow == undefined");
 
-isSuccessfullyParsed();
+setTimeout(() => {
+    shouldBeTrue("targetFrame3.contentWindow == undefined");
+    finishJSTest();
+}, 0);
 </script>
 </body>

trunk/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html

@@ -9 +9 @@
 
 let frame = document.getElementById("target");
-frame.contentWindow.onbeforeunload = function() {
-    setTimeout(function() {
-        frame.src = "javascript:alert('FAIL')";
-    }, 0);
-};
 
 window.addEventListener("load", function() {
+    frame.contentWindow.onbeforeunload = function() {
+        setTimeout(function() {
+            frame.src = "javascript:alert('FAIL')";
+        }, 0);
+    };
+
     document.write("PASS - Javascript URL blocked without crashing.");
     if (window.testRunner)

trunk/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html

@@ -7 +7 @@
 
 let frame = document.getElementById("target");
-frame.contentWindow.onbeforeunload = function() {
-    setTimeout(function() {
-        frame.src = "javascript:alert('FAIL')";
-    }, 0);
-};
 
 window.addEventListener("load", function() {
+    frame.contentWindow.onbeforeunload = function() {
+        setTimeout(function() {
+            frame.src = "javascript:alert('FAIL')";
+        }, 0);
+    };
     document.write("PASS - Javascript URL blocked without crashing.");
     if (window.testRunner)

trunk/LayoutTests/fast/loader/unload-mutation-crash.html

@@ -3 +3 @@
 <head>
 <script>
-if (window.testRunner)
-    window.testRunner.dumpAsText();
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
 
 function start() {
@@ -21 +23 @@
     window.firstFrame.src = 'javascript:"";';
     document.write("PASS. WebKit didn't crash.");
+    if (window.testRunner)
+       testRunner.notifyDone();
 }
 </script>

trunk/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html

@@ -2 +2 @@
 const parent = window.parent;
 alert(1);
-parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(2),'PASS<script>alert(3)<\/script>'";
-alert(4);
+parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(3),'PASS<script>alert(4)<\/script>'";
+alert(2);
 parent.setTimeout("done()", 0);
 </script>

trunk/LayoutTests/fast/parser/xml-error-adopted.xml

@@ -16 +16 @@
 }
 
-setTimeout(test, 0);
+onload = () => {
+    setTimeout(test, 0);
+};
 </script>
 <elt attr="1" attr="2"/>

trunk/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt

@@ -5 +5 @@
 ============== Back Forward List ==============
 curr->  http://127.0.0.1:8000/navigation/lockedhistory-iframe.html  **nav target**
-            about:blank (in frame "<!--frame1-->")
+            http://127.0.0.1:8000/navigation/lockedhistory-iframe.html# (in frame "<!--frame1-->")
+                about:blank (in frame "<!--frame2-->")
 ===============================================

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt

@@ -7 +7 @@
 frame "<!--frame2-->" - didHandleOnloadEventsForFrame
 frame "<!--frame2-->" - didFinishLoadForFrame
+frame "<!--frame2-->" - willPerformClientRedirectToURL: javascript:document.write('%3Cimg%20src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22%3E'); 
+frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
-frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didFinishLoadForFrame
 main frame - didFinishLoadForFrame

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 ALERT: PASS
-CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html

@@ -8 +8 @@
             testRunner.dumpAsText();
             testRunner.dumpChildFramesAsText();
+            testRunner.waitUntilDone();
         }
 
@@ -13 +14 @@
             + "<scr" + "ipt>"
             +     'top.document.getElementById(\\\\\\\"accessMe\\\\\\\").innerHTML = \\\\\\\"PASS: Cross frame access from a javascript: URL inside another javascript: URL was allowed!\\\\\\\";'
+            +     'top.setTimeout(() => { testRunner.notifyDone(); }, 0);'
             + "</scri" + "pt>"
             + "<body>"

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html

@@ -8 +8 @@
             testRunner.dumpAsText();
             testRunner.dumpChildFramesAsText();
+            testRunner.waitUntilDone();
         }
 
@@ -21 +22 @@
         var iframe = document.getElementById("aFrame");
         iframe.src = url;
+        onload = () => {
+            setTimeout(() => {
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }, 0);
+        }
     </script>
 </body>

trunk/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html

@@ -8 +8 @@
             testRunner.dumpAsText();
             testRunner.dumpChildFramesAsText();
+            testRunner.waitUntilDone();
         }
 
@@ -31 +32 @@
         var iframe = document.getElementById("aFrame");
         iframe.src = url;
+
+        onload = () => {
+            setTimeout(() => {
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }, 0);
+        };
     </script>
 </body>

trunk/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html

@@ -18 +18 @@
   firstFrame.appendChild(div);
   secondFrame = document.createElement('iframe');
-  secondFrame.src = 'javascript:window.top.maybeStart();';
+  secondFrame.src = 'javascript:window.top.reallyStart();';
   div.appendChild(secondFrame);
   var firstFrameRoot = firstFrame.contentDocument.documentElement;
   document.documentElement.appendChild(div);
   firstFrameRoot.appendChild(secondFrame);
-}
-
-function maybeStart() {
-  if (callbackCount++ > 1) {
-    reallyStart();
-    return;
-  }
 }
 
@@ -40 +33 @@
   if (window.location.hash == '#done') {
     if (window.testRunner)
-      window.testRunner.notifyDone();
+      testRunner.notifyDone();
     return;
   }

trunk/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt

@@ -1 @@
- sync : src = javascript:"content"
+ASYNC : src = javascript:"content"
 ASYNC : src = data:text/html,content
 ASYNC : srcdoc = "content"

trunk/LayoutTests/js/dom/call-base-resolution.html

@@ -5 +5 @@
 <body>
 
-<script src="../../resources/js-test-pre.js"></script>
+<script src="../../resources/js-test.js"></script>
   <script>
     window.name = "o";
@@ -78 +78 @@
     ">
   </iframe>
-<script src="../../resources/js-test-post.js"></script>
-
 </body>
 </html>

trunk/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt

@@ -7 +7 @@
 frame "<!--frame2-->" - didHandleOnloadEventsForFrame
 frame "<!--frame2-->" - didFinishLoadForFrame
+frame "<!--frame2-->" - willPerformClientRedirectToURL: javascript:document.write('<img src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22>'); 
+frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
-frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 frame "<!--frame1-->" - didFinishLoadForFrame
 main frame - didFinishLoadForFrame

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-05-02  Chris Dumez  <cdumez@apple.com>
+
+        Setting a frame's src to a javascript URL should not run it synchronously
+        https://bugs.webkit.org/show_bug.cgi?id=197466
+
+        Reviewed by Darin Adler.
+
+        When an iframe's src attribute is set to a javascript URL, whether when parsing
+        or later on via JS, we now execute the URL's JavaScript asynchronously. We used
+        to execute it synchronously, which was a source of bugs and also did not match
+        other browsers.
+
+        I have verified that our new behavior is aligned with both Firefox and Chrome.
+
+        Note that for backward-compatibility and interoperability with Blink
+        (https://bugs.chromium.org/p/chromium/issues/detail?id=923585), the
+        "javascript:''" URL will still run synchronously. We should consider dropping
+        this quirk at some point.
+
+        Test: fast/dom/frame-src-javascript-url-async.html
+
+        * loader/NavigationScheduler.cpp:
+        (WebCore::ScheduledLocationChange::ScheduledLocationChange):
+        (WebCore::ScheduledLocationChange::~ScheduledLocationChange):
+        (WebCore::NavigationScheduler::scheduleLocationChange):
+        * loader/NavigationScheduler.h:
+        (WebCore::NavigationScheduler::scheduleLocationChange):
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::requestFrame):
+
 2019-05-02  Gary Katsevman  <git@gkatsev.com>
 

trunk/Source/WebCore/loader/NavigationScheduler.cpp

@@ -194 +194 @@
 class ScheduledLocationChange : public ScheduledURLNavigation {
 public:
-    ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad)
-        : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) { }
+    ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad, CompletionHandler<void()>&& completionHandler)
+        : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true)
+        , m_completionHandler(WTFMove(completionHandler))
+    {
+    }
+
+    ~ScheduledLocationChange()
+    {
+        if (m_completionHandler)
+            m_completionHandler();
+    }
 
     void fire(Frame& frame) override
@@ -204 +213 @@
         FrameLoadRequest frameLoadRequest { initiatingDocument(), *securityOrigin(), resourceRequest, "_self", lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, shouldOpenExternalURLs(), initiatedByMainFrame() };
 
+        auto completionHandler = WTFMove(m_completionHandler);
         frame.loader().changeLocation(WTFMove(frameLoadRequest));
-    }
+        completionHandler();
+    }
+
+private:
+    CompletionHandler<void()> m_completionHandler;
 };
 
@@ -406 +420 @@
 }
 
-void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, CompletionHandler<void()>&& completionHandler)
 {
     if (!shouldScheduleNavigation(url))
-        return;
+        return completionHandler();
 
     if (lockBackForwardList == LockBackForwardList::No)
@@ -425 +439 @@
         FrameLoadRequest frameLoadRequest { initiatingDocument, securityOrigin, resourceRequest, "_self"_s, lockHistory, lockBackForwardList, MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, initiatingDocument.shouldOpenExternalURLsPolicyToPropagate(), initiatedByMainFrame };
         loader.changeLocation(WTFMove(frameLoadRequest));
-        return;
+        return completionHandler();
     }
 
@@ -432 +446 @@
     bool duringLoad = !loader.stateMachine().committedFirstRealDocumentLoad();
 
-    schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad));
+    schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, WTFMove(completionHandler)));
 }
 

trunk/Source/WebCore/loader/NavigationScheduler.h

@@ -54 +54 @@
 
     void scheduleRedirect(Document& initiatingDocument, double delay, const URL&);
-    void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes);
+    void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes, CompletionHandler<void()>&& = [] { });
     void scheduleFormSubmission(Ref<FormSubmission>&&);
     void scheduleRefresh(Document& initiatingDocument);

trunk/Source/WebCore/loader/SubframeLoader.cpp

@@ -57 +57 @@
 #include "SecurityPolicy.h"
 #include "Settings.h"
+#include <wtf/CompletionHandler.h>
 
 namespace WebCore {
@@ -87 +88 @@
         url = WTF::blankURL();
 
-    bool hasExistingFrame = ownerElement.contentFrame();
+    // If we will schedule a JavaScript URL load, we need to delay the firing of the load event at least until we've run the JavaScript in the URL.
+    CompletionHandlerCallingScope stopDelayingLoadEvent;
+    if (!scriptURL.isEmpty()) {
+        ownerElement.document().incrementLoadEventDelayCount();
+        stopDelayingLoadEvent = CompletionHandlerCallingScope([ownerDocument = makeRef(ownerElement.document())] {
+            ownerDocument->decrementLoadEventDelayCount();
+        });
+    }
+
     Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList);
     if (!frame)
         return false;
 
-    // If we create a new subframe then an empty document is loaded into it synchronously and may
-    // cause script execution (say, via a DOM load event handler) that can do anything, including
-    // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated.
-    bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == WTF::blankURL());
-    if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL))
-        frame->script().executeIfJavaScriptURL(scriptURL);
+    if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL)) {
+        // FIXME: Some sites rely on the javascript:'' loading synchronously, which is why we have this special case.
+        // Blink has the same workaround (https://bugs.chromium.org/p/chromium/issues/detail?id=923585).
+        if (urlString == "javascript:''" || urlString == "javascript:\"\"")
+            frame->script().executeIfJavaScriptURL(scriptURL);
+        else
+            frame->navigationScheduler().scheduleLocationChange(ownerElement.document(), ownerElement.document().securityOrigin(), scriptURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList, stopDelayingLoadEvent.release());
+    }
 
     return true;