Changeset 70282 in webkit

Timestamp:

Oct 21, 2010 6:27:27 PM (14 years ago)

Author:

tonyg@chromium.org

Message:

2010-10-21 Tony Gentilcore <​tonyg@chromium.org>

Reviewed by Adam Barth.

Ignore document.write() when it comes from a network task
​https://bugs.webkit.org/show_bug.cgi?id=47560

write()s from deferred scripts are now ignored. This matches the latest
Firefox 4 beta behavior. The defer-write expectations are updated, and
the other tests are now all moot since deferred scrits can't write().

• fast/dom/HTMLScriptElement/defer-double-defer-write-expected.txt: Removed.
• fast/dom/HTMLScriptElement/defer-double-defer-write.html: Removed.
• fast/dom/HTMLScriptElement/defer-double-write-expected.txt: Removed.
• fast/dom/HTMLScriptElement/defer-double-write.html: Removed.
• fast/dom/HTMLScriptElement/defer-write.html: Updated to match FF4.
• fast/dom/HTMLScriptElement/remove-source-expected.txt: Added.
• fast/dom/HTMLScriptElement/remove-source.html: Added. Verifies that writes are still ignored when the src is removed after the script is requested but before it is executed.
• fast/dom/HTMLScriptElement/two-defer-writes-expected.txt: Removed.
• fast/dom/HTMLScriptElement/two-defer-writes.html: Removed.
• fast/dom/HTMLScriptElement/write-after-ignored-write-expected.txt: Added. Verifies that after a write from a network task is ignored, a write which is not from a network task still blows away the document.
• fast/dom/HTMLScriptElement/write-after-ignored-write.html: Added.

2010-10-21 Tony Gentilcore <​tonyg@chromium.org>

Reviewed by Adam Barth.

Ignore document.write() when it comes from a network task
​https://bugs.webkit.org/show_bug.cgi?id=47560

This implements the update to the spec made by:
​http://www.w3.org/Bugs/Public/show_bug.cgi?id=9767

It also matches the latest Firefox 4 beta. The notable change is that
document.write from a deferred script no longer works. This avoids
blowing the patch away.

• dom/Document.cpp: (WebCore::Document::Document): (WebCore::Document::write):
• dom/Document.h: (WebCore::DestructiveWriteCountIncrementer::DestructiveWriteCountIncrementer): (WebCore::Document::ignoreDestructiveWriteCountIncrementer):
• dom/ScriptElement.cpp: (WebCore::ScriptElement::insertedIntoDocument): (WebCore::ScriptElementData::ScriptElementData): (WebCore::ScriptElementData::evaluateScript):
• dom/ScriptElement.h:
• html/parser/HTMLScriptRunner.cpp: (WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/HTMLScriptElement/defer-double-defer-write.html (deleted)
• LayoutTests/fast/dom/HTMLScriptElement/defer-double-write-expected.txt (deleted)
• LayoutTests/fast/dom/HTMLScriptElement/defer-double-write.html (deleted)
• LayoutTests/fast/dom/HTMLScriptElement/defer-write.html (modified) (1 diff)
• LayoutTests/fast/dom/HTMLScriptElement/remove-source-expected.txt (moved) (moved from trunk/LayoutTests/fast/dom/HTMLScriptElement/defer-double-defer-write-expected.txt) (1 prop)
• LayoutTests/fast/dom/HTMLScriptElement/remove-source.html (added)
• LayoutTests/fast/dom/HTMLScriptElement/write-after-ignored-write-expected.txt (moved) (moved from trunk/LayoutTests/fast/dom/HTMLScriptElement/two-defer-writes-expected.txt)
• LayoutTests/fast/dom/HTMLScriptElement/write-after-ignored-write.html (moved) (moved from trunk/LayoutTests/fast/dom/HTMLScriptElement/two-defer-writes.html) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/GNUmakefile.am (modified) (1 diff)
• WebCore/WebCore.gypi (modified) (1 diff)
• WebCore/WebCore.vcproj/WebCore.vcproj (modified) (1 diff)
• WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• WebCore/dom/Document.cpp (modified) (2 diffs)
• WebCore/dom/Document.h (modified) (3 diffs)
• WebCore/dom/IgnoreDestructiveWriteCountIncrementer.h (added)
• WebCore/dom/ScriptElement.cpp (modified) (5 diffs)
• WebCore/dom/ScriptElement.h (modified) (2 diffs)
• WebCore/html/parser/HTMLScriptRunner.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-10-21  Tony Gentilcore  <tonyg@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Ignore document.write() when it comes from a network task
+        https://bugs.webkit.org/show_bug.cgi?id=47560
+
+        write()s from deferred scripts are now ignored. This matches the latest
+        Firefox 4 beta behavior. The defer-write expectations are updated, and
+        the other tests are now all moot since deferred scrits can't write().
+
+        * fast/dom/HTMLScriptElement/defer-double-defer-write-expected.txt: Removed.
+        * fast/dom/HTMLScriptElement/defer-double-defer-write.html: Removed.
+        * fast/dom/HTMLScriptElement/defer-double-write-expected.txt: Removed.
+        * fast/dom/HTMLScriptElement/defer-double-write.html: Removed.
+        * fast/dom/HTMLScriptElement/defer-write.html: Updated to match FF4.
+        * fast/dom/HTMLScriptElement/remove-source-expected.txt: Added.
+        * fast/dom/HTMLScriptElement/remove-source.html: Added. Verifies that writes are still ignored when the src is removed after the script is requested but before it is executed.
+        * fast/dom/HTMLScriptElement/two-defer-writes-expected.txt: Removed.
+        * fast/dom/HTMLScriptElement/two-defer-writes.html: Removed.
+        * fast/dom/HTMLScriptElement/write-after-ignored-write-expected.txt: Added. Verifies that after a write from a network task is ignored, a write which is not from a network task still blows away the document.
+        * fast/dom/HTMLScriptElement/write-after-ignored-write.html: Added.
+
 2010-10-21  James Robinson  <jamesr@chromium.org>
 

trunk/LayoutTests/fast/dom/HTMLScriptElement/defer-write.html

@@ -3 +3 @@
     layoutTestController.dumpAsText();
 </script>
-FAIL
-<script defer src="data:text/javascript,document.write('PASS');"></script>
+PASS
+<script defer src="data:text/javascript,document.write('FAIL');"></script>

trunk/LayoutTests/fast/dom/HTMLScriptElement/write-after-ignored-write.html

@@ -3 +3 @@
     layoutTestController.dumpAsText();
 </script>
+<body onload="document.write('PASS')">
 FAIL
-<script defer src="data:text/javascript,document.write('PASS');"></script>
 <script defer src="data:text/javascript,document.write('FAIL');"></script>
+

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-10-21  Tony Gentilcore  <tonyg@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Ignore document.write() when it comes from a network task
+        https://bugs.webkit.org/show_bug.cgi?id=47560
+
+        This implements the update to the spec made by:
+        http://www.w3.org/Bugs/Public/show_bug.cgi?id=9767
+
+        It also matches the latest Firefox 4 beta. The notable change is that
+        document.write from a deferred script no longer works. This avoids
+        blowing the patch away.
+
+        * dom/Document.cpp:
+        (WebCore::Document::Document):
+        (WebCore::Document::write):
+        * dom/Document.h:
+        (WebCore::DestructiveWriteCountIncrementer::DestructiveWriteCountIncrementer):
+        (WebCore::Document::ignoreDestructiveWriteCountIncrementer):
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::insertedIntoDocument):
+        (WebCore::ScriptElementData::ScriptElementData):
+        (WebCore::ScriptElementData::evaluateScript):
+        * dom/ScriptElement.h:
+        * html/parser/HTMLScriptRunner.cpp:
+        (WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent):
+
 2010-10-21  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/WebCore/GNUmakefile.am

@@ -1142 +1142 @@
         WebCore/dom/ExceptionCode.h \
         WebCore/dom/FragmentScriptingPermission.h \
+        WebCore/dom/IgnoreDestructiveWriteCountIncrementer.h \
         WebCore/dom/InputElement.cpp \
         WebCore/dom/InputElement.h \

trunk/WebCore/WebCore.gypi

@@ -1213 +1213 @@
             'dom/ExceptionCode.h',
             'dom/FragmentScriptingPermission.h',
+            'dom/IgnoreDestructiveWriteCountIncrementer.h',
             'dom/InputElement.cpp',
             'dom/InputElement.h',

trunk/WebCore/WebCore.vcproj/WebCore.vcproj

@@ -42204 +42204 @@
                         </File>
                         <File
+                                RelativePath="..\dom\IgnoreDestructiveWriteCountIncrementer.h"
+                                >
+                        </File>
+                        <File
                                 RelativePath="..\dom\InputElement.h"
                                 >

trunk/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -2598 +2598 @@
                 8A9A588711E84F37008ACFD1 /* JSTiming.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 8A9A587611E84C98008ACFD1 /* JSTiming.cpp */; };
                 8A9A588811E84F37008ACFD1 /* JSTiming.h in Headers */ = {isa = PBXBuildFile; fileRef = 8A9A587711E84C98008ACFD1 /* JSTiming.h */; };
+                8AB4BC77126FDB7100DEB727 /* IgnoreDestructiveWriteCountIncrementer.h in Headers */ = {isa = PBXBuildFile; fileRef = 8AB4BC76126FDB7100DEB727 /* IgnoreDestructiveWriteCountIncrementer.h */; };
                 8AF4E55511DC5A36000ED3DE /* Navigation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 8AF4E55211DC5A36000ED3DE /* Navigation.cpp */; };
                 8AF4E55611DC5A36000ED3DE /* Navigation.h in Headers */ = {isa = PBXBuildFile; fileRef = 8AF4E55311DC5A36000ED3DE /* Navigation.h */; };
@@ -8661 +8662 @@
                 8A9A587611E84C98008ACFD1 /* JSTiming.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSTiming.cpp; sourceTree = "<group>"; };
                 8A9A587711E84C98008ACFD1 /* JSTiming.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSTiming.h; sourceTree = "<group>"; };
+                8AB4BC76126FDB7100DEB727 /* IgnoreDestructiveWriteCountIncrementer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IgnoreDestructiveWriteCountIncrementer.h; sourceTree = "<group>"; };
                 8AF4E55211DC5A36000ED3DE /* Navigation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Navigation.cpp; sourceTree = "<group>"; };
                 8AF4E55311DC5A36000ED3DE /* Navigation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Navigation.h; sourceTree = "<group>"; };
@@ -18099 +18101 @@
                                 2442BBF81194C9D300D49469 /* HashChangeEvent.h */,
                                 8482B7441198C32E00BFB005 /* HashChangeEvent.idl */,
+                                8AB4BC76126FDB7100DEB727 /* IgnoreDestructiveWriteCountIncrementer.h */,
                                 08700BE60F086C5300919419 /* InputElement.cpp */,
                                 08591AA40F085C4E009BACB1 /* InputElement.h */,
@@ -21142 +21145 @@
                                 089021A9126EF5DE0092D5EA /* SVGAnimatedLength.h in Headers */,
                                 089021AD126EF5E90092D5EA /* SVGAnimatedLengthList.h in Headers */,
+                                8AB4BC77126FDB7100DEB727 /* IgnoreDestructiveWriteCountIncrementer.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/WebCore/dom/Document.cpp

@@ -365 +365 @@
     , m_containsValidityStyleRules(false)
     , m_updateFocusAppearanceRestoresSelection(false)
-    , m_writeDisabled(false)
+    , m_ignoreDestructiveWriteCount(0)
     , m_title("")
     , m_rawTitle("")
@@ -2130 +2130 @@
 #endif
 
-    // If the insertion point is undefined and the Document has the
-    // "write-neutralised" flag set, then abort these steps.
     bool hasInsertionPoint = m_parser && m_parser->hasInsertionPoint();
-    if (!hasInsertionPoint && writeDisabled())
+    if (!hasInsertionPoint && m_ignoreDestructiveWriteCount)
         return;
 

trunk/WebCore/dom/Document.h

@@ -1031 +1031 @@
 #endif
 
-    bool writeDisabled() const { return m_writeDisabled; }
-    void setWriteDisabled(bool flag) { m_writeDisabled = flag; }
-
     // Used to allow element that loads data without going through a FrameLoader to delay the 'load' event.
     void incrementLoadEventDelayCount() { ++m_loadEventDelayCount; }
@@ -1050 +1047 @@
 
 private:
+    friend class IgnoreDestructiveWriteCountIncrementer;
+
     void detachParser();
 
@@ -1204 +1203 @@
     bool m_updateFocusAppearanceRestoresSelection;
 
-    // http://www.whatwg.org/specs/web-apps/current-work/#write-neutralised
-    bool m_writeDisabled;
+    // http://www.whatwg.org/specs/web-apps/current-work/#ignore-destructive-writes-counter
+    unsigned m_ignoreDestructiveWriteCount;
 
     String m_title;

trunk/WebCore/dom/ScriptElement.cpp

@@ -34 +34 @@
 #include "HTMLNames.h"
 #include "HTMLScriptElement.h"
+#include "IgnoreDestructiveWriteCountIncrementer.h"
 #include "MIMETypeRegistry.h"
 #include "Page.h"
@@ -57 +58 @@
 
     // http://www.whatwg.org/specs/web-apps/current-work/#script
-
-    // If the element's Document has an active parser, and the parser's script
-    // nesting level is non-zero, but this script element does not have the
-    // "parser-inserted" flag set, the user agent must set the element's
-    // "write-neutralised" flag.
-    DocumentParser* parser = data.element()->document()->parser();
-    if (parser && parser->hasInsertionPoint())
-        data.setWriteDisabled(true);
 
     if (!sourceUrl.isEmpty()) {
@@ -143 +136 @@
     , m_cachedScript(0)
     , m_createdByParser(false)
-    , m_writeDisabled(false)
     , m_requested(false)
     , m_evaluated(false)
@@ -192 +184 @@
         return;
 
-    if (Frame* frame = m_element->document()->frame()) {
+    RefPtr<Document> document = m_element->document();
+    ASSERT(document);
+    if (Frame* frame = document->frame()) {
         if (!frame->script()->canExecuteScripts(AboutToExecuteScript))
             return;
@@ -200 +194 @@
         // http://www.whatwg.org/specs/web-apps/current-work/#script
 
-        // If the script element's "write-neutralised" flag is set, then flag
-        // the Document the script element was in when the "write-neutralised"
-        // flag was set as being itself "write-neutralised". Let neutralised doc
-        // be that Document.
-        if (m_writeDisabled) {
-            ASSERT(!m_element->document()->writeDisabled());
-            m_element->document()->setWriteDisabled(true);
-        }
-
-        // Create a script from the script element node, using the script
-        // block's source and the script block's type.
-        // Note: This is where the script is compiled and actually executed.
-        frame->script()->evaluate(sourceCode);
-
-        // Remove the "write-neutralised" flag from neutralised doc, if it was
-        // set in the earlier step.
-        if (m_writeDisabled) {
-            ASSERT(m_element->document()->writeDisabled());
-            m_element->document()->setWriteDisabled(false);
+        {
+            IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountIncrementer(m_requested ? document.get() : 0);
+            // Create a script from the script element node, using the script
+            // block's source and the script block's type.
+            // Note: This is where the script is compiled and actually executed.
+            frame->script()->evaluate(sourceCode);
         }
 

trunk/WebCore/dom/ScriptElement.h

@@ -83 +83 @@
     bool createdByParser() const { return m_createdByParser; }
     void setCreatedByParser(bool value) { m_createdByParser = value; }
-    bool writeDisabled() const { return m_writeDisabled; }
-    void setWriteDisabled(bool value) { m_writeDisabled = value; }
     bool haveFiredLoadEvent() const { return m_firedLoad; }
     void setHaveFiredLoadEvent(bool firedLoad) { m_firedLoad = firedLoad; }
@@ -102 +100 @@
     CachedResourceHandle<CachedScript> m_cachedScript;
     bool m_createdByParser; // HTML5: "parser-inserted"
-    bool m_writeDisabled; // http://www.whatwg.org/specs/web-apps/current-work/#write-neutralised
     bool m_requested;
     bool m_evaluated; // HTML5: "already started"

trunk/WebCore/html/parser/HTMLScriptRunner.cpp

@@ -36 +36 @@
 #include "HTMLInputStream.h"
 #include "HTMLNames.h"
+#include "IgnoreDestructiveWriteCountIncrementer.h"
 #include "NestingLevelIncrementer.h"
 #include "NotImplemented.h"
@@ -136 +137 @@
     {
         NestingLevelIncrementer nestingLevelIncrementer(m_scriptNestingLevel);
+        IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrementer(m_document);
         if (errorOccurred)
             scriptElement->dispatchEvent(createScriptErrorEvent());