WebKit Bugzilla
Attachment 368699 Details for
Bug 197466
: Setting a frame's src to a javascript URL should not run it synchronously
[patch]
WiP Patch
197466_javascript_url_async_wip.patch (text/plain), 11.67 KB, created by
Chris Dumez
on 2019-05-01 13:35:41 PDT
Description:
WiP Patch
Creator:
Chris Dumez
Created:
2019-05-01 13:35:41 PDT
Size:
11.67 KB
>diff --git a/LayoutTests/fast/dom/Attr/only-attach-attr-once.html b/LayoutTests/fast/dom/Attr/only-attach-attr-once.html
>index 6ad40d1feac..f992f37d0e4 100644
>--- a/LayoutTests/fast/dom/Attr/only-attach-attr-once.html
>+++ b/LayoutTests/fast/dom/Attr/only-attach-attr-once.html
>@@ -6,12 +6,14 @@
> <body>
> <script>
> description("Test that we properly handle attempts to attach an Attribute to the same node multiple times. Test passes if there is no Debug ASSERT.");
>+jsTestIsAsync = true;
>
> window.callback = () => {
> window.callback = null;
>
> shouldThrowErrorName("div.setAttributeNodeNS(src)", "InUseAttributeError");
> frame.setAttributeNodeNS(document.createAttribute('src'));
>+ finishJSTest();
> };
>
> let src = document.createAttribute('src');
>diff --git a/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt b/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt
>index 51b343549ee..61f724ed1d3 100644
>--- a/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt
>+++ b/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt
>@@ -1,5 +1,4 @@
> CONSOLE MESSAGE: line 1: 42
>-CONSOLE MESSAGE: line 25: SyntaxError: Unexpected token '<'
> Exceptions thrown in javascript URLs should not propagate to the main script.
>
> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
>diff --git a/LayoutTests/fast/dom/javascript-url-exception-isolation.html b/LayoutTests/fast/dom/javascript-url-exception-isolation.html
>index 6f39b2cb9a6..c82ba18d6e7 100644
>--- a/LayoutTests/fast/dom/javascript-url-exception-isolation.html
>+++ b/LayoutTests/fast/dom/javascript-url-exception-isolation.html
>@@ -6,6 +6,7 @@
> <body>
> <script>
> description("Exceptions thrown in javascript URLs should not propagate to the main script.")
>+jsTestIsAsync = true;
>
> var subframe = document.createElement("iframe");
> document.body.appendChild(subframe);
>@@ -20,13 +21,16 @@ try {
> }
> shouldBeFalse('caughtException');
>
>-// Compile-time exception.
>-try {
>- subframe.src = 'javascript:<html></html>';
>-} catch(e) {
>- caughtException = true;
>-}
>-shouldBeFalse('caughtException');
>+setTimeout(() => {
>+ // Compile-time exception.
>+ try {
>+ subframe.src = 'javascript:<html></html>';
>+ } catch(e) {
>+ caughtException = true;
>+ }
>+ shouldBeFalse('caughtException');
>+ finishJSTest();
>+}, 0);
> </script>
> <script src="../../resources/js-test-post.js"></script>
> </body>
>diff --git a/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt b/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt
>index e96375ae81d..2cb8efa3c99 100644
>--- a/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt
>+++ b/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt
>@@ -1,4 +1,4 @@
>-CONSOLE MESSAGE: line 14: SyntaxError: Unexpected identifier 'orem'
>+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected identifier 'orem'
> This tests that we do not assert when a malformed JS URL is passed to the 'src' attribute of an iframe. The test passes if it does not ASSERT.
>
> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
>diff --git a/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute.html b/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute.html
>index b6420405b41..3a48f738475 100644
>--- a/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute.html
>+++ b/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute.html
>@@ -5,8 +5,10 @@
> <script>
> description("This tests that we do not assert when a malformed JS URL is passed to the 'src' attribute of an iframe. The test passes if it does not ASSERT.");
>
>-if (window.testRunner)
>+if (window.testRunner) {
> testRunner.dumpAsText();
>+ testRunner.waitUntilDone();
>+}
>
> function runTest()
> {
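Review bot: In the `@@ -20,13 +21,16 @@` hunk of javascript-url-exception-isolation.html, `finishJSTest()` runs in the same timer callback that assigns `subframe.src = 'javascript:<html></html>'`, so once evaluation is asynchronous the test is over before the malformed script is compiled. The try/catch can no longer observe anything and `shouldBeFalse('caughtException')` passes trivially; the `SyntaxError: Unexpected token '<'` line dropped from the -expected.txt is consistent with that. Deferring completion to a later task, e.g. `setTimeout(finishJSTest, 0);` after the assignment, would keep the compile-time case exercised, assuming the URL is evaluated before that timer fires. The script this hunk edits begins above the visible lines.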
>@@ -15,6 +17,11 @@ function runTest()
>
> var testFrame2 = document.getElementById('testFrame2');
> testFrame2.getAttributeNode("src").value += "javascript:missingFunction(this) orem ipsum dosolorem";
>+
>+ setTimeout(() => {
>+ if (window.testRunner)
>+ testRunner.notifyDone();
>+ }, 0);
> }
> </script>
> </head>
>diff --git a/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html b/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html
>index 1d6a49d827f..0a0154c4c25 100644
>--- a/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html
>+++ b/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html
>@@ -16,7 +16,9 @@ function test()
> setTimeout(function ()
> {
> test();
>- if (window.testRunner)
>- testRunner.notifyDone();
>+ top.setTimeout(() => {
>+ if (window.testRunner)
>+ testRunner.notifyDone();
>+ }, 0);
> }, 0);
> </script>
>diff --git a/LayoutTests/fast/loader/nested-document-handling.html b/LayoutTests/fast/loader/nested-document-handling.html
>index 3e81697d537..ec9077708aa 100644
>--- a/LayoutTests/fast/loader/nested-document-handling.html
>+++ b/LayoutTests/fast/loader/nested-document-handling.html
>@@ -24,25 +24,27 @@ function runTest() {
> aFrame.contentWindow.onunload = () => {
> topFrame.src = "javascript:''";
>
>- let bFrame = topFrame.contentDocument.appendChild(document.createElement("iframe"));
>- bFrame.id = 'bFrame';
>+ topFrame.onload = () => {
>+ let bFrame = topFrame.contentDocument.body.appendChild(document.createElement("iframe"));
>+ bFrame.id = 'bFrame';
>
>- bFrame.contentWindow.onunload = () => {
>- topFrame.src = "javascript:''";
>+ bFrame.contentWindow.onunload = () => {
>+ topFrame.src = "javascript:''";
>
>- let doc = topFrame.contentDocument;
>+ let doc = topFrame.contentDocument;
>
>- topFrame.onload = () => {
> topFrame.onload = () => {
>- topFrame.onload = null;
>- let s = doc.createElement("form");
>- s.action = "javascript:alert(location)";
>- s.submit();
>+ topFrame.onload = () => {
>+ topFrame.onload = null;
>+ let s = doc.createElement("form");
>+ s.action = "javascript:alert(location)";
>+ s.submit();
>+ };
>+
>+ topFrame.src = "resources/subframe-success.html";
> };
>-
>- topFrame.src = "resources/subframe-success.html";
> };
>-
>+ topFrame.src = "javascript:''";
> };
> };
>
>@@ -52,4 +54,4 @@ function runTest() {
> </head>
> <body onload="runTest()">
> </body>
>-</html>
>\ No newline at end of file
>+</html>
>diff --git a/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html b/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html
>index 71d78bf68f3..4f1ebdd0301 100644
>--- a/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html
>+++ b/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html
>@@ -1,7 +1,7 @@
> <script>
> const parent = window.parent;
> alert(1);
>-parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(2),'PASS<script>alert(3)<\/script>'";
>-alert(4);
>+parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(3),'PASS<script>alert(4)<\/script>'";
>+alert(2);
> parent.setTimeout("done()", 0);
> </script>
>diff --git a/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html b/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
>index 85ab9be7b72..105a7b3fda5 100644
>--- a/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
>+++ b/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
>@@ -7,6 +7,7 @@
> if (window.testRunner) {
> testRunner.dumpAsText();
> testRunner.dumpChildFramesAsText();
>+ testRunner.waitUntilDone();
> }
>
> var innerURL = 'javascript:\\\"<html>'
>@@ -27,6 +28,13 @@
>
> var iframe = document.getElementById("aFrame");
> iframe.src = url;
>+
>+ onload = () => {
>+ setTimeout(() => {
>+ if (window.testRunner)
>+ testRunner.notifyDone();
>+ }, 0);
>+ }
> </script>
> </body>
> </html>
>diff --git a/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html b/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
>index ce83c723a22..b94cd4e782c 100644
>--- a/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
>+++ b/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
>@@ -7,6 +7,7 @@
> if (window.testRunner) {
> testRunner.dumpAsText();
> testRunner.dumpChildFramesAsText();
>+ testRunner.waitUntilDone();
> }
>
> var url = "javascript:\"<html>"
>@@ -20,6 +21,12 @@
>
> var iframe = document.getElementById("aFrame");
> iframe.src = url;
>+ onload = () => {
>+ setTimeout(() => {
>+ if (window.testRunner)
>+ testRunner.notifyDone();
>+ });
>+ }
> </script>
> </body>
> </html>
>diff --git a/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt b/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt
>index 1159c11eb9e..686d3b3ecf2 100644
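Review bot: Both xss-ALLOWED tests now call `testRunner.notifyDone()` from a zero-delay timer queued in the window `onload` handler, and nothing in the hunks ties completion to `aFrame` actually having run its javascript: URL. Because these are the security expectations for cross-frame javascript: URLs, a scheduling change could turn the dump into a snapshot of the frame before the script ran without the test failing loudly; finishing from the iframe's own load event would presumably be more robust. Separately, the `@@ -20,6 +21,12 @@` hunk in xss-ALLOWED-from-javascript-url-sub-frame.html calls `setTimeout(() => { … });` without the `, 0` that its 2-level sibling passes; the two should match.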
>--- a/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt
>+++ b/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt
>@@ -1,4 +1,4 @@
>- sync : src = javascript:"content"
>+ASYNC : src = javascript:"content"
> ASYNC : src = data:text/html,content
> ASYNC : srcdoc = "content"
> done
>diff --git a/Source/WebCore/loader/SubframeLoader.cpp b/Source/WebCore/loader/SubframeLoader.cpp
>index 1f90a83c779..8a2946a2a3f 100644
>--- a/Source/WebCore/loader/SubframeLoader.cpp
>+++ b/Source/WebCore/loader/SubframeLoader.cpp
>@@ -74,10 +74,12 @@ void SubframeLoader::clear()
>
> bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
> {
>+ bool hasExistingFrame = ownerElement.contentFrame();
>+
> // Support for <frame src="javascript:string">
> URL scriptURL;
> URL url;
>- if (WTF::protocolIsJavaScript(urlString)) {
>+ if (!hasExistingFrame && WTF::protocolIsJavaScript(urlString)) {
> scriptURL = completeURL(urlString); // completeURL() encodes the URL.
> url = WTF::blankURL();
> } else
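Review bot: With `!hasExistingFrame &&` added to the condition in `requestFrame()`, a javascript: `urlString` aimed at an existing frame falls into the `else` branch and is presumably handed to `loadOrRedirectSubframe()` as an ordinary `url`, so it never reaches the `ownerElement.isURLAllowed(scriptURL)` gate that still guards the new-frame path. Whether the navigation path applies an equivalent policy check before the script runs is not visible in this hunk and should be confirmed, or the check should be made before the call. A comment above the condition such as `// For an existing frame, a javascript: URL takes the regular (asynchronous) navigation path below.` would make the split explicit. The `else` body lies outside the hunk.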
>@@ -86,16 +88,11 @@ bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const Str
> if (shouldConvertInvalidURLsToBlank() && !url.isValid())
> url = WTF::blankURL();
>
>- bool hasExistingFrame = ownerElement.contentFrame();
> Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList);
> if (!frame)
> return false;
>
>- // If we create a new subframe then an empty document is loaded into it synchronously and may
>- // cause script execution (say, via a DOM load event handler) that can do anything, including
>- // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated.
>- bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == WTF::blankURL());
>- if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL))
>+ if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL))
> frame->script().executeIfJavaScriptURL(scriptURL);
>
> return true;
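Review bot: The deleted `canExecuteScript` guard is still needed on the one path that keeps calling `executeIfJavaScriptURL()`: after the first SubframeLoader.cpp hunk, `scriptURL` is only set when there was no existing frame, which is exactly the case the removed comment describes, where creating the subframe loads an empty document synchronously and a handler may already have navigated it. Without the check, the script URL is evaluated against whatever document the frame holds by then. I would keep the half that does not depend on `hasExistingFrame`, `bool canExecuteScript = frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == WTF::blankURL();`, restore it in the condition, and keep the explanatory comment. This path also still runs the URL synchronously, which the bug title says should not happen.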