Changeset 93567 in webkit


Ignore:
Timestamp:
Aug 22, 2011 5:43:32 PM (13 years ago)
Author:
ap@apple.com
Message:

showModalDialog does not correctly return the defined returnValue in case domain relaxing is used
https://bugs.webkit.org/show_bug.cgi?id=53191
<rdar://problem/8629478>

Reviewed by Geoff Garen.

Cannot test domain relaxing, we only have 127.0.0.1 and localhost.

  • bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::getOwnPropertySlot): Added a FIXME about a difference with Firefox.

(WebCore::DialogHandler::DialogHandler):
(WebCore::DialogHandler::dialogCreated):
(WebCore::DialogHandler::returnValue):
Changed to fetch returnValue from the global object that's in the frame when the dialog is
dismissed. A dialog can navigate itself, and it also creates a new JSDOMWindow on first load
if the origin doesn't match opener origin (which the case with domain relaxing).
Re-added a security check for returnValue that got lost in r73829, so that we don't send the
result across origins. This matches Firefox.

  • bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::setWindow): Added an assertion against a very confusing case that should no longer occur.
  • page/Frame.cpp: (WebCore::Frame::pageDestroyed): Don't clear the window shell, it doesn't seem necessary, but prevents DialogHandler from fetching the return value. Added a keepAlive call to avoid changing life support timer behavior in this patch.
Location:
trunk/Source/WebCore
Files:
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r93565 r93567  
     12011-08-22  Alexey Proskuryakov  <ap@apple.com>
     2
     3        showModalDialog does not correctly return the defined returnValue in case domain relaxing is used
     4        https://bugs.webkit.org/show_bug.cgi?id=53191
     5        <rdar://problem/8629478>
     6
     7        Reviewed by Geoff Garen.
     8
     9        Cannot test domain relaxing, we only have 127.0.0.1 and localhost.
     10
     11        * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::getOwnPropertySlot):
     12        Added a FIXME about a difference with Firefox.
     13
     14        (WebCore::DialogHandler::DialogHandler):
     15        (WebCore::DialogHandler::dialogCreated):
     16        (WebCore::DialogHandler::returnValue):
     17        Changed to fetch returnValue from the global object that's in the frame when the dialog is
     18        dismissed. A dialog can navigate itself, and it also creates a new JSDOMWindow on first load
     19        if the origin doesn't match opener origin (which the case with domain relaxing).
     20        Re-added a security check for returnValue that got lost in r73829, so that we don't send the
     21        result across origins. This matches Firefox.
     22
     23        * bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::setWindow): Added an assertion
     24        against a very confusing case that should no longer occur.
     25
     26        * page/Frame.cpp: (WebCore::Frame::pageDestroyed): Don't clear the window shell, it doesn't
     27        seem necessary, but prevents DialogHandler from fetching the return value. Added a keepAlive
     28        call to avoid changing life support timer behavior in this patch.
     29
    1302011-08-22  Alice Boxhall  <aboxhall@chromium.org>
    231

  • trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

    r93558 r93567  
    128128    const HashEntry* entry;
    129129
    130     // We don't want any properties other than "close" and "closed" on a closed window.
     130    // We don't want any properties other than "close" and "closed" on a frameless window (i.e. one whose page got closed,
     131    // or whose iframe got removed).
     132    // FIXME: This doesn't fully match Firefox, which allows at least toString in addition to those.
    131133    if (!impl()->frame()) {
    132134        // The following code is safe for cross-domain and same domain use.
     
    645647    explicit DialogHandler(ExecState* exec)
    646648        : m_exec(exec)
    647         , m_globalObject(0)
    648649    {
    649650    }
     
    654655private:
    655656    ExecState* m_exec;
    656     JSDOMWindow* m_globalObject;
     657    RefPtr<Frame> m_frame;
    657658};
    658659
    659660inline void DialogHandler::dialogCreated(DOMWindow* dialog)
    660661{
     662    m_frame = dialog->frame();
    661663    // FIXME: This looks like a leak between the normal world and an isolated
    662664    //        world if dialogArguments comes from an isolated world.
    663     m_globalObject = toJSDOMWindow(dialog->frame(), normalWorld(m_exec->globalData()));
     665    JSDOMWindow* globalObject = toJSDOMWindow(m_frame.get(), normalWorld(m_exec->globalData()));
    664666    if (JSValue dialogArguments = m_exec->argument(1))
    665         m_globalObject->putDirect(m_exec->globalData(), Identifier(m_exec, "dialogArguments"), dialogArguments);
     667        globalObject->putDirect(m_exec->globalData(), Identifier(m_exec, "dialogArguments"), dialogArguments);
    666668}
    667669
    668670inline JSValue DialogHandler::returnValue() const
    669671{
    670     if (!m_globalObject)
     672    JSDOMWindow* globalObject = toJSDOMWindow(m_frame.get(), normalWorld(m_exec->globalData()));
     673    if (!globalObject)
    671674        return jsUndefined();
    672675    Identifier identifier(m_exec, "returnValue");
    673676    PropertySlot slot;
    674     if (!m_globalObject->JSGlobalObject::getOwnPropertySlot(m_exec, identifier, slot))
     677    if (!globalObject->getOwnPropertySlot(m_exec, identifier, slot))
    675678        return jsUndefined();
    676679    return slot.getValue(m_exec, identifier);

  • trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp

    r92788 r93567  
    5858void JSDOMWindowShell::setWindow(PassRefPtr<DOMWindow> domWindow)
    5959{
     60    // Replacing JSDOMWindow via telling JSDOMWindowShell to use the same DOMWindow it already uses makes no sense,
     61    // so we'd better never try to.
     62    ASSERT(!m_window || domWindow.get() != m_window->impl());
    6063    // Explicitly protect the global object's prototype so it isn't collected
    6164    // when we allocate the global object. (Once the global object is fully

  • trunk/Source/WebCore/page/Frame.cpp

    r93303 r93567  
    732732void Frame::pageDestroyed()
    733733{
     734    // FIXME: Rename this function, since it's called not only from Page destructor, but in several other cases.
     735    // This cleanup is needed whenever we remove a frame from page.
     736
    734737    if (Frame* parent = tree()->parent())
    735738        parent->loader()->checkLoadComplete();
     
    750753        page()->focusController()->setFocusedFrame(0);
    751754
    752     script()->clearWindowShell();
     755    // FIXME: Removing keepalive will make behavior better match Firefox.
     756    // Some code that used to be here indirectly triggered keepalive, and we don't want to change behavior at the moment.
     757    keepAlive();
     758
    753759    script()->clearScriptObjects();
    754760    script()->updatePlatformScriptObjects();
Note: See TracChangeset for help on using the changeset viewer.