Drawing text in an SVG font causes load events to be fired.
<https://webkit.org/b/136269>
<rdar://problem/15724915>
Source/WebCore:
Don't flush pending load events in Document::implicitClose() for frameless documents.
This is a targeted fix for an issue where parsing SVG fonts during layout would cause
event dispatch to happen in the main document, leading to arbitrary JS execution.
Note that the testcase only works in DRT/WTR, since once the SVG font is cached
by WebCore, we won't reparse it again. Caches are cleared between tests, so it will
correctly fail if this should regress.
Longer-term, we should clean this up and get rid of the global dispatch entirely.
Reviewed by Simon Fraser.
Test: fast/text/svg-font-trigger-load-event.html
* dom/Document.cpp:
(WebCore::Document::implicitClose):
LayoutTests:
Reviewed by Simon Fraser.
* fast/text/svg-font-trigger-load-event-expected.txt: Added.
* fast/text/svg-font-trigger-load-event.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@173028 268f45cc-cd09-0410-ab3c-d52691b4dbfc