Changeset 65381 in webkit

Timestamp:

Aug 15, 2010 8:34:25 AM (14 years ago)

Author:

abarth@webkit.org

Message:

2010-08-15 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

Don't try to replace a non-existent document after executing JavaScript URLs
​https://bugs.webkit.org/show_bug.cgi?id=44024

Test what happens if a JavaScript URL returns a value after deleting
the frame it was supposed to operate on.

• fast/frames/javascript-url-for-deleted-frame-expected.txt: Added.
• fast/frames/javascript-url-for-deleted-frame.html: Added.

2010-08-15 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

Don't try to replace a non-existent document after executing JavaScript URLs
​https://bugs.webkit.org/show_bug.cgi?id=44024

Synchronous JavaScript execution is evil. Previously, the frame was
deleted after executing the JavaScript URL, so we'd get confused when
we tried to replace its document.

Test: fast/frames/javascript-url-for-deleted-frame.html

• bindings/ScriptControllerBase.cpp: (WebCore::ScriptController::executeIfJavaScriptURL):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt (added)
• LayoutTests/fast/frames/javascript-url-for-deleted-frame.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/ScriptControllerBase.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-08-15  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Don't try to replace a non-existent document after executing JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=44024
+
+        Test what happens if a JavaScript URL returns a value after deleting
+        the frame it was supposed to operate on.
+
+        * fast/frames/javascript-url-for-deleted-frame-expected.txt: Added.
+        * fast/frames/javascript-url-for-deleted-frame.html: Added.
+
 2010-08-14  Martin Robinson  <mrobinson@igalia.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-08-15  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Don't try to replace a non-existent document after executing JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=44024
+
+        Synchronous JavaScript execution is evil.  Previously, the frame was
+        deleted after executing the JavaScript URL, so we'd get confused when
+        we tried to replace its document.
+
+        Test: fast/frames/javascript-url-for-deleted-frame.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL):
+
 2010-08-14  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/WebCore/bindings/ScriptControllerBase.cpp

@@ -73 +73 @@
         return false;
 
-    if (m_frame->page() && !m_frame->page()->javaScriptURLsAreAllowed())
+    if (!m_frame->page())
+        return true;
+
+    if (!m_frame->page()->javaScriptURLsAreAllowed())
         return true;
 
     if (m_frame->inViewSourceMode())
         return true;
+
+    // We need to hold onto the Frame here because executing script can
+    // destroy the frame.
+    RefPtr<Frame> protector(m_frame);
 
     const int javascriptSchemeLength = sizeof("javascript:") - 1;
@@ -85 +92 @@
     if (xssAuditor()->canEvaluateJavaScriptURL(decodedURL))
         result = executeScript(decodedURL.substring(javascriptSchemeLength), userGesture, AllowXSS);
+
+    // If executing script caused this frame to be removed from the page, we
+    // don't want to try to replace its document!
+    if (!m_frame->page())
+        return true;
 
     String scriptResult;