Changeset 248175 in webkit

Timestamp:

Aug 2, 2019 1:22:18 PM (5 years ago)

Author:

commit-queue@webkit.org

Message:

Web Inspector: Crash when interacting with Template Content in Console
​https://bugs.webkit.org/show_bug.cgi?id=196280

Patch by Yury Semikhatsky <​yurys@chromium.org> on 2019-08-02
Reviewed by Joseph Pecoraro.

Source/WebCore:

Test: inspector/dom/inspect-template-node.html

• bindings/js/JSDOMBindingSecurity.cpp:

(WebCore::canAccessDocument): if target element is from a
<template> use its host document to check the access. Elements
from the host document always have access to its template elements content.

• inspector/agents/InspectorDOMAgent.cpp:

(WebCore::InspectorDOMAgent::resolveNode): templates are created in
special template document which doesn't have a frame, in such case get
the frame from the host document.

LayoutTests:

• inspector/dom/inspect-template-node-expected.txt: Added.
• inspector/dom/inspect-template-node.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/inspector/dom/inspect-template-node-expected.txt (added)
• LayoutTests/inspector/dom/inspect-template-node.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp (modified) (1 diff)
• Source/WebCore/inspector/agents/InspectorDOMAgent.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-08-02  Yury Semikhatsky  <yurys@chromium.org>
+
+        Web Inspector: Crash when interacting with Template Content in Console
+        https://bugs.webkit.org/show_bug.cgi?id=196280
+
+        Reviewed by Joseph Pecoraro.
+
+        * inspector/dom/inspect-template-node-expected.txt: Added.
+        * inspector/dom/inspect-template-node.html: Added.
+
 2019-08-02  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-08-02  Yury Semikhatsky  <yurys@chromium.org>
+
+        Web Inspector: Crash when interacting with Template Content in Console
+        https://bugs.webkit.org/show_bug.cgi?id=196280
+
+        Reviewed by Joseph Pecoraro.
+
+        Test: inspector/dom/inspect-template-node.html
+
+        * bindings/js/JSDOMBindingSecurity.cpp:
+        (WebCore::canAccessDocument): if target element is from a
+        <template> use its host document to check the access. Elements
+        from the host document always have access to its template elements content.
+        * inspector/agents/InspectorDOMAgent.cpp:
+        (WebCore::InspectorDOMAgent::resolveNode): templates are created in
+        special template document which doesn't have a frame, in such case get
+        the frame from the host document.
+
 2019-08-02  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp

@@ -50 +50 @@
     if (!targetDocument)
         return false;
+
+    if (auto* templateHost = targetDocument->templateDocumentHost())
+        targetDocument = templateHost;
 
     DOMWindow& active = activeDOMWindow(*state);

trunk/Source/WebCore/inspector/agents/InspectorDOMAgent.cpp

@@ -2595 +2595 @@
 RefPtr<Inspector::Protocol::Runtime::RemoteObject> InspectorDOMAgent::resolveNode(Node* node, const String& objectGroup)
 {
-    auto* frame = node->document().frame();
+    Document* document = &node->document();
+    if (auto* templateHost = document->templateDocumentHost())
+        document = templateHost;
+    auto* frame =  document->frame();
     if (!frame)
         return nullptr;