Disallow navigations when page cache updates the current document of the frame
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Aug 2018 16:50:20 +0000 (16:50 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Aug 2018 16:50:20 +0000 (16:50 +0000)
commit 1648b3ec520d0a0504b4ecc98f254c68a40b72c3
tree a87da15197f4e505b0b921c45ea24edfb2a8c138
parent 814e66dd621f5b452b2ba5f08b164fd80f88da9a
Disallow navigations when page cache updates the current document of the frame
https://bugs.webkit.org/show_bug.cgi?id=188422

Reviewed by Ryosuke Niwa.

Source/WebCore:

Make use of NavigationDisabler to disallow navigations when associating the cached
document back with its frame (i.e. calling Frame::setDocument()).

When we associate a cached document with its frame we will construct its render tree
and run post style resolution callbacks that can do anything, including performing
a frame load. Until page restoration is complete the frame tree is in a transient
state that makes reasoning about it difficult and error prone. We should not allow
navigations in this state.

Test: fast/history/go-back-to-object-subframe.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::open):

LayoutTests:

Add a test case that ensures that we do not hit the assertion ASSERT(ownerFrame || m_frame.isMainFrame())
in FrameLoader::addExtraFieldsToRequest() when navigating back to a page that loads a nested
page, whose URL contains a fragment, via an HTML object element. This assertion fails if
navigations are allowed when restoring a page from the page cache.

This change does not prevent navigations initiated from a pageshow event handler.

* fast/history/go-back-to-object-subframe-expected.txt: Added.
* fast/history/go-back-to-object-subframe.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235121 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/history/go-back-to-object-subframe-expected.txt [new file with mode: 0644]
LayoutTests/fast/history/go-back-to-object-subframe.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
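The hazard this commit closes, as an added C++ illustration that is not WebKit's code: a scoped guard (a stand-in for NavigationDisabler, here named ScopedNavigationDisabler) refuses any load attempted by callbacks that run while a cached document is re-attached to its frame, and navigation is allowed again once the guard goes out of scope. Frame, load(), restoreCachedDocument() and restorationRefusesNestedLoad() are hypothetical names for the example only.

```cpp
#include <functional>
#include <string>
#include <vector>

// Minimal model of the hazard the commit describes (added illustration, not
// WebKit code): while a frame is being re-attached to a cached document,
// callbacks may run that try to start a navigation. A scoped disabler
// rejects such loads until restoration has finished.
struct Frame {
    unsigned navigationDisableCount = 0;    // >0 while a disabler is alive
    std::string currentURL;
    std::vector<std::string> rejectedLoads; // loads refused during restoration
    bool isNavigationAllowed() const { return navigationDisableCount == 0; }
    // Attempt a navigation; refused while navigation is disabled.
    bool load(const std::string& url) {
        if (!isNavigationAllowed()) {
            rejectedLoads.push_back(url);
            return false;
        }
        currentURL = url;
        return true;
    }
};

// RAII guard modelled on the role NavigationDisabler plays in the change.
class ScopedNavigationDisabler {
public:
    explicit ScopedNavigationDisabler(Frame& frame) : m_frame(frame) { ++m_frame.navigationDisableCount; }
    ~ScopedNavigationDisabler() { --m_frame.navigationDisableCount; }
private:
    Frame& m_frame;
};

// Stand-in for Frame::setDocument(): attaching the cached document runs
// post-style-resolution callbacks, which can do anything, including a load.
void restoreCachedDocument(Frame& frame, const std::vector<std::function<void(Frame&)>>& callbacks) {
    ScopedNavigationDisabler disabler(frame); // the guard FrameLoader::open now holds
    for (const auto& callback : callbacks)
        callback(frame);
}

// Simulates going back to a cached page whose subframe callback tries to
// load a fragment URL mid-restoration (constructed scenario). Returns true
// if the load was refused and navigation works again afterwards.
bool restorationRefusesNestedLoad() {
    Frame frame;
    restoreCachedDocument(frame, { [](Frame& f) { f.load("about:blank#fragment"); } });
    bool refused = frame.rejectedLoads.size() == 1 && frame.currentURL.empty();
    return refused && frame.load("about:blank") && frame.currentURL == "about:blank";
}
```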