Changeset 275474 in webkit


Timestamp:
Apr 5, 2021 7:12:48 PM (3 years ago)
Author:
Chris Dumez
Message:

Protect frame in WebPage::runJavaScriptInFrameInScriptWorld()
https://bugs.webkit.org/show_bug.cgi?id=224210

Reviewed by Alex Christensen.

Between the time we were getting the raw pointer to the frame, and the time we were passing it to
WebPage::runJavaScript(), we were potentially calling WebFrameLoaderClient::dispatchGlobalObjectAvailable().
It is possible in theory for those synchronous injected bundle calls to mess with the frame tree and cause
our frame to go bad. As a result, it is best to protect the frame as soon as we get it.

  • WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::runJavaScriptInFrameInScriptWorld):

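The hazard the commit message describes, shown as an added toy C++ illustration that is not WebKit code: a raw pointer to a ref-counted frame is held across a synchronous callback (the stand-in for the injected-bundle call) that is free to change the frame tree, versus taking a RefPtr as soon as the frame is looked up. `Frame`, `FrameTree`, `BundleHook` and the minimal intrusive `RefPtr` below are hypothetical stand-ins for WebKit's WebFrame, frame tree, injected-bundle client and WTF::RefPtr; liveness is tracked through a registry so the example can observe the freed object without dereferencing a dangling pointer.

```cpp
#include <functional>
#include <set>
#include <utility>
#include <vector>

// Minimal intrusive ref-counting in the spirit of WTF::RefPtr (toy stand-in, not WebKit's).
template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) { }
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; } // old ptr derefs via 'other'
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

// A frame that records which instances are alive, so destruction can be observed safely.
class Frame {
public:
    static std::set<const Frame*>& live() { static std::set<const Frame*> s; return s; }
    static bool isLive(const Frame* f) { return live().count(f) > 0; }

    explicit Frame(unsigned id) : m_id(id) { live().insert(this); }
    ~Frame() { live().erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    unsigned id() const { return m_id; }
private:
    unsigned m_id;
    unsigned m_refCount { 0 };
};

// The frame tree owns its frames; detaching a frame drops the tree's (possibly last) reference.
class FrameTree {
public:
    void add(unsigned id) { m_frames.push_back(RefPtr<Frame>(new Frame(id))); }
    Frame* frame(unsigned id) const {
        for (auto& f : m_frames) if (f->id() == id) return f.get();
        return nullptr;
    }
    void detach(unsigned id) {
        for (size_t i = 0; i < m_frames.size(); ++i)
            if (m_frames[i]->id() == id) { m_frames.erase(m_frames.begin() + i); return; }
    }
private:
    std::vector<RefPtr<Frame>> m_frames;
};

// Stand-in for the synchronous client callback (cf. dispatchGlobalObjectAvailable) that may
// run arbitrary code while the frame pointer is still in hand.
using BundleHook = std::function<void(FrameTree&)>;

// Before the fix: a raw pointer is held across the re-entrant call.
// Returns whether the object it points at still exists afterwards.
bool runWithRawPointer(FrameTree& tree, unsigned frameID, const BundleHook& addContentWorld) {
    Frame* webFrame = tree.frame(frameID);   // no ownership taken
    addContentWorld(tree);                   // client code may detach -> last ref dropped -> freed
    return Frame::isLive(webFrame);          // false: the pointer now dangles
}

struct Outcome { bool objectAlive; bool stillInTree; };

// After the fix: protect the frame as soon as we get it (makeRefPtr(...) in the patch).
Outcome runWithRefPtr(FrameTree& tree, unsigned frameID, const BundleHook& addContentWorld) {
    RefPtr<Frame> webFrame = tree.frame(frameID);
    addContentWorld(tree);
    // The object cannot be freed while we hold a ref, but it may no longer be attached to the
    // tree; code that needs an attached frame must still check for that (and for null).
    return { Frame::isLive(webFrame.get()), webFrame.get() && tree.frame(frameID) == webFrame.get() };
}

struct DemoResult { bool rawStillValid; bool protectedAlive; bool protectedAttached; bool freedAfterwards; };

// Runs both versions against a tree whose hook detaches the very frame being scripted.
DemoResult demo() {
    BundleHook detachFrame7 = [](FrameTree& t) { t.detach(7); };
    DemoResult r {};
    {
        FrameTree tree; tree.add(1); tree.add(7);
        r.rawStillValid = runWithRawPointer(tree, 7, detachFrame7);
    }
    {
        FrameTree tree; tree.add(1); tree.add(7);
        Outcome o = runWithRefPtr(tree, 7, detachFrame7);
        r.protectedAlive = o.objectAlive;
        r.protectedAttached = o.stillInTree;
        r.freedAfterwards = Frame::live().size() == 1; // frame 7 released once the RefPtr went out of scope
    }
    return r;
}
```

The point the second version makes is the one a practitioner should keep in mind when reading the patch: the RefPtr rules out use-after-free for the duration of the call, but a frame that the client callback detached is still a detached frame, so whatever consumes the pointer afterwards has to cope with that state rather than assume the frame is where it was looked up.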
Location:
trunk/Source/WebKit
Files:
2 edited

  • trunk/Source/WebKit/ChangeLog

    r275473 r275474  
     12021-04-05  Chris Dumez  <cdumez@apple.com>
     2
     3        Protect frame in WebPage::runJavaScriptInFrameInScriptWorld()
     4        https://bugs.webkit.org/show_bug.cgi?id=224210
     5
     6        Reviewed by Alex Christensen.
     7
     8        Between the time we were getting the raw pointer to the frame, and the time were were passing it to
     9        WebPage::runJavaScript(), we were potentially calling WebFrameLoaderClient::dispatchGlobalObjectAvailable().
     10        It is possible in theory for those synchronous injected bundle calls to mess with the frame tree and cause
     11        our frame to go bad. As a result, it is best to protect the frame as soon as we get it.
     12
     13        * WebProcess/WebPage/WebPage.cpp:
     14        (WebKit::WebPage::runJavaScriptInFrameInScriptWorld):
     15
    1162021-04-05  Wenson Hsieh  <wenson_hsieh@apple.com>
    217
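Review bot: typo at line 8 of the new ChangeLog entry, "and the time were were passing it to", should read "and the time we were passing it to"; the same sentence appears in the commit message, so fix it in both places before landing.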
  • trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp

    r275447 r275474  
    36533653void WebPage::runJavaScriptInFrameInScriptWorld(RunJavaScriptParameters&& parameters, Optional<WebCore::FrameIdentifier> frameID, const std::pair<ContentWorldIdentifier, String>& worldData, CompletionHandler<void(const IPC::DataReference&, const Optional<WebCore::ExceptionDetails>&)>&& completionHandler)
    36543654{
    3655     auto* webFrame = frameID ? WebProcess::singleton().webFrame(*frameID) : &mainWebFrame();
     3655    auto webFrame = makeRefPtr(frameID ? WebProcess::singleton().webFrame(*frameID) : &mainWebFrame());
    36563656
    36573657    if (auto* newWorld = m_userContentController->addContentWorld(worldData)) {
     
    36613661    }
    36623662
    3663     runJavaScript(webFrame, WTFMove(parameters), worldData.first, WTFMove(completionHandler));
     3663    runJavaScript(webFrame.get(), WTFMove(parameters), worldData.first, WTFMove(completionHandler));
    36643664}
    36653665
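Review bot: the ref taken at 3655 keeps the WebFrame object alive across the addContentWorld() call at 3657, but it neither keeps the frame attached to the frame tree nor changes the case where WebProcess::singleton().webFrame(*frameID) returns null for an identifier the UI process sent that no longer matches a frame; in both cases runJavaScript() at 3663 now receives webFrame.get() as a null or detached frame, so confirm that it null-checks the frame and handles a frame the injected bundle detached (completing completionHandler with an error rather than dereferencing), since the hunk hides lines 3658-3660 and does not show runJavaScript() itself. Consider also adding a comment at 3655 stating why the ref is taken, e.g. "// Protect the frame: the injected bundle callbacks below may modify the frame tree.", so the makeRefPtr() is not simplified back to a raw pointer later.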