HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes
author: akling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 21 Mar 2014 07:31:39 +0000 (07:31 +0000)
committer: akling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 21 Mar 2014 07:31:39 +0000 (07:31 +0000)
<rdar://problem/15675780>

Merge Blink r156744 by Adam Klein.

Source/WebCore:

Test: fast/frames/set-iframe-src-in-pagehide-crash.html

* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadSubframe):

LayoutTests:

* fast/frames/set-iframe-src-in-pagehide-crash-expected.txt: Added.
* fast/frames/set-iframe-src-in-pagehide-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166049 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/SubframeLoader.cpp

index c2fe967..7fb61b8 100644 (file)
@@ -1,3 +1,13 @@
+2014-03-21  Andreas Kling  <akling@apple.com>
+
+        HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes
+        <rdar://problem/15675780>
+
+        Merge Blink r156744 by Adam Klein.
+
+        * fast/frames/set-iframe-src-in-pagehide-crash-expected.txt: Added.
+        * fast/frames/set-iframe-src-in-pagehide-crash.html: Added.
+
 2014-03-20  Brian Burg  <bburg@apple.com>
 
         Web Inspector: add frontend controller and models for replay sessions
diff --git a/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt b/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt
new file mode 100644 (file)
index 0000000..c325aec
--- /dev/null
@@ -0,0 +1,11 @@
+Setting an iframe's src in a pagehide handler should not create a frame (nor a crash)
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS subframe.contentWindow is null
+did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html b/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html
new file mode 100644 (file)
index 0000000..26ab7da
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<body>
+<div id=one><iframe></iframe></div>
+<div id=two></div>
+<div id=three></div>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+
+description("Setting an iframe's src in a pagehide handler should not create a frame (nor a crash)");
+
+var div1 = document.getElementById('one');
+var div2 = document.getElementById('two');
+var div3 = document.getElementById('three');
+var subframe = document.querySelector('iframe');
+
+subframe.contentWindow.onpagehide = function() {
+    div2.appendChild(div1);
+    subframe.src = 'javascript:void(0)';
+    shouldBeNull("subframe.contentWindow");
+};
+subframe.remove();
+div3.appendChild(subframe);
+subframe.remove();
+debug("did not crash");
+</script>
+<script src="../../resources/js-test-post.js"></script>
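Review bot: the `onpagehide` handler is attached only to the iframe's original `contentWindow`; once `div3.appendChild(subframe);` re-inserts the element a new frame and window are created, so the final `subframe.remove();` fires pagehide on a window with no handler and does not run the `subframe.src = 'javascript:void(0)';` path a second time. If the second removal is meant only to confirm the element can still be detached cleanly after the aborted load, a one-line comment saying so would keep a future reader from assuming the handler runs twice; if it is meant to repeat the check, reattach the handler after the `appendChild`. The `shouldBeNull("subframe.contentWindow")` call inside the handler is a good choice, since a regression that lets the frame be created shows up as a FAIL line rather than only as a crash.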
index 333ab1a..d0c0231 100644 (file)
@@ -1,3 +1,15 @@
+2014-03-21  Andreas Kling  <akling@apple.com>
+
+        HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes
+        <rdar://problem/15675780>
+
+        Merge Blink r156744 by Adam Klein.
+
+        Test: fast/frames/set-iframe-src-in-pagehide-crash.html
+
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::loadSubframe):
+
 2014-03-21  Darin Adler  <darin@apple.com>
 
         Improve idiom used for string building in a few places
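Review bot: the entry records the touched function but not the defect. A sentence in the spirit of the test description ("Setting an iframe's src in a pagehide handler should not create a frame (nor a crash)") would explain why `SubframeLoader::loadSubframe` now consults the SubframeLoadingDisabler; neither the title nor the bare reference to Blink r156744 conveys that on its own.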
index be08964..7fb6b10 100644 (file)
@@ -354,6 +354,9 @@ Frame* SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const U
         return nullptr;
     }
 
+    if (!SubframeLoadingDisabler::canLoadFrame(ownerElement))
+        return nullptr;
+
     String referrerToUse = SecurityPolicy::generateReferrerHeader(ownerElement.document().referrerPolicy(), url, referrer);
     RefPtr<Frame> frame = m_frame.loader().client().createFrame(url, name, &ownerElement, referrerToUse, allowsScrolling, marginWidth, marginHeight);
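Review bot: the new guard `if (!SubframeLoadingDisabler::canLoadFrame(ownerElement)) return nullptr;` sits after the existing early-return block and before `generateReferrerHeader` and `createFrame`, so it bails out before any frame is allocated and reuses the null-return contract that callers already handle for the `return nullptr;` just above it. One mismatch worth settling in the ChangeLog: the title says HTMLFrameOwnerElement should obey the disabler, but the check lands in `SubframeLoader::loadSubframe`; if every subframe-creating path funnels through this function the fix is complete, otherwise any HTMLFrameOwnerElement-side entry point that creates frames without calling `loadSubframe` still needs the same check.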