Prevent creation of detached frames in ShadowRoot
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Nov 2012 15:42:48 +0000 (15:42 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 Nov 2012 15:42:48 +0000 (15:42 +0000)
commit abc0c70c1dd2de89c8f8755732a8e734d4250d7d
tree 0a9fcad67ae275a6942848bf089f3e2dda6da949
parent 27a05ef4c09bb2ece62804667d9ef75c690d0223
Prevent creation of detached frames in ShadowRoot
https://bugs.webkit.org/show_bug.cgi?id=102333

Patch by Elliott Sprehn <esprehn@chromium.org> on 2012-11-15
Reviewed by Dimitri Glazkov.

Source/WebCore:

Similar to Bug 94717, you can create a loaded iframe in a detached
subtree using ShadowRoot. To fix this we just need to make
SubframeLoadingDisabler traverse through shadow boundaries.

Test: fast/frames/detached-shadow-frame.html

* html/HTMLFrameOwnerElement.h:
(WebCore::SubframeLoadingDisabler::canLoadFrame):

LayoutTests:

Test that you cannot create a detached frame using a ShadowRoot
and iframe unload handlers.

* fast/frames/detached-shadow-frame-expected.txt: Added.
* fast/frames/detached-shadow-frame.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@134775 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/frames/detached-shadow-frame-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/detached-shadow-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLFrameOwnerElement.h
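
The boundary problem the commit message describes, as an added example that is not WebKit code and not part of this commit: a simplified node model in which a subtree has frame loading disabled, checked once with a walk that follows tree parents only and once with a walk that steps from a shadow root to its host. It assumes the check is an ancestor walk from the frame owner; `Node`, `append`, `attachShadow`, `DisabledSet`, `Scenario` and both `canLoadFrame...` functions are hypothetical names.

```cpp
#include <set>

// Simplified stand-in for a DOM node (hypothetical, not WebKit's Node class).
struct Node {
    Node* parent = nullptr;  // tree parent; stays null for a shadow root
    Node* host = nullptr;    // set only on a shadow root: the element hosting it
};

// Attach child under parent in the ordinary tree.
void append(Node& parent, Node& child) { child.parent = &parent; }

// Make root the shadow root of hostElement. The root gets no tree parent.
void attachShadow(Node& hostElement, Node& root) { root.host = &hostElement; }

// Subtree roots in which frame loading is currently forbidden
// (for example, a subtree that is being removed from the document).
using DisabledSet = std::set<const Node*>;

// Walk that follows tree parents only: it ends at the shadow root.
bool canLoadFrameParentOnly(const DisabledSet& disabled, const Node* owner)
{
    for (const Node* n = owner; n; n = n->parent)
        if (disabled.count(n))
            return false;
    return true;
}

// Walk that steps from a shadow root to its host, so it crosses the boundary.
bool canLoadFrameThroughShadow(const DisabledSet& disabled, const Node* owner)
{
    for (const Node* n = owner; n; n = n->parent ? n->parent : n->host)
        if (disabled.count(n))
            return false;
    return true;
}

// Constructed scenario: container > host => shadowRoot > iframe, with loading
// disabled for the container's subtree.
struct Scenario {
    Node container, host, shadowRoot, iframe;
    DisabledSet disabled;
    Scenario()
    {
        append(container, host);
        attachShadow(host, shadowRoot);
        append(shadowRoot, iframe);
        disabled.insert(&container);
    }
};
```

In this model the parent-only walk reports that the iframe inside the shadow tree may load even though its host sits in the disabled subtree, while the walk that crosses the shadow boundary refuses it.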