From 6e6202cc88b2dd6b094ce6ef81551829281cbffc Mon Sep 17 00:00:00 2001
From: "akling@apple.com"
Date: Fri, 21 Mar 2014 07:31:39 +0000
Subject: [PATCH] HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes
Merge Blink r156744 by Adam Klein.
Source/WebCore:
Test: fast/frames/set-iframe-src-in-pagehide-crash.html
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadSubframe):
LayoutTests:
* fast/frames/set-iframe-src-in-pagehide-crash-expected.txt: Added.
* fast/frames/set-iframe-src-in-pagehide-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166049 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog | 10 +++++++++
 .../set-iframe-src-in-pagehide-crash-expected.txt | 11 +++++++++
 .../frames/set-iframe-src-in-pagehide-crash.html | 26 ++++++++++++++++++++++
 Source/WebCore/ChangeLog | 12 ++++++++++
 Source/WebCore/loader/SubframeLoader.cpp | 3 +++
 5 files changed, 62 insertions(+)
 create mode 100644 LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt
 create mode 100644 LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c2fe967..7fb61b8 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2014-03-21 Andreas Kling
+
+ HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes
+
+
+ Merge Blink r156744 by Adam Klein.
+
+ * fast/frames/set-iframe-src-in-pagehide-crash-expected.txt: Added.
+ * fast/frames/set-iframe-src-in-pagehide-crash.html: Added.
+
 2014-03-20 Brian Burg Web Inspector: add frontend controller and models for replay sessions
diff --git a/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt b/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt
new file mode 100644
index 0000000..c325aec
--- /dev/null
+++ b/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash-expected.txt
@@ -0,0 +1,11 @@
+Setting an iframe's src in a pagehide handler should not create a frame (nor a crash)
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS subframe.contentWindow is null
+did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html b/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html
new file mode 100644
index 0000000..26ab7da
--- /dev/null
+++ b/LayoutTests/fast/frames/set-iframe-src-in-pagehide-crash.html
@@ -0,0 +1,26 @@
+ + +
+
+
+ + +
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 333ab1a..d0c0231 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2014-03-21 Andreas Kling
+
+ HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes
+
+
+ Merge Blink r156744 by Adam Klein.
+
+ Test: fast/frames/set-iframe-src-in-pagehide-crash.html
+
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::loadSubframe):
+
 2014-03-21 Darin Adler Improve idiom used for string building in a few places
diff --git a/Source/WebCore/loader/SubframeLoader.cpp b/Source/WebCore/loader/SubframeLoader.cpp
index be08964..7fb6b10 100644
--- a/Source/WebCore/loader/SubframeLoader.cpp
+++ b/Source/WebCore/loader/SubframeLoader.cpp
@@ -354,6 +354,9 @@ Frame* SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const U
 return nullptr;
 }
+ if (!SubframeLoadingDisabler::canLoadFrame(ownerElement))
+ return nullptr;
+
 String referrerToUse = SecurityPolicy::generateReferrerHeader(ownerElement.document().referrerPolicy(), url, referrer);
 RefPtr frame = m_frame.loader().client().createFrame(url, name, &ownerElement, referrerToUse, allowsScrolling, marginWidth, marginHeight);
-- 1.8.3.1
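Review bot: The new `SubframeLoadingDisabler::canLoadFrame(ownerElement)` guard in `loadSubframe` carries no comment saying why a load can be refused at this point, and the reason is not evident from the call site. Going by the accompanying layout test, the case is script that sets an iframe's `src` from a `pagehide` handler, where creating the frame previously led to a crash; I would put `// Script run during teardown (e.g. a pagehide handler) can request a subframe load; refuse it while a SubframeLoadingDisabler is active for this element.` above the check. The guard protects only this function, so it is worth confirming that no other path reaches `client().createFrame()` without passing through `loadSubframe`, which cannot be seen from this hunk. The body of `loadSubframe` starts and ends outside the hunk.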