git://git.webkit.org / WebKit-https.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 495ba62)
rel="noreferrer" should make window.opener null
authorap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 14 Feb 2015 18:16:00 +0000 (18:16 +0000)
committerap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 14 Feb 2015 18:16:00 +0000 (18:16 +0000)
https://bugs.webkit.org/show_bug.cgi?id=141579

Reviewed by Darin Adler.

Source/WebCore:

Tests: http/tests/navigation/target-blank-opener-post.html
       http/tests/navigation/target-blank-opener.html

We used to avoid passing window.opener policy by temporarily storing it in a FrameLoader
member variable. This works for some clients - ones that invoke delegate callbacks
synchronously - but not in the general case.

So, changed to passing the policy explicitly.

* WebCore.exp.in:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::FrameLoader):
(WebCore::FrameLoader::urlSelected):
(WebCore::FrameLoader::loadURLIntoChildFrame):
(WebCore::FrameLoader::loadFrameRequest):
(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::load):
(WebCore::FrameLoader::loadPostRequest):
(WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
* loader/FrameLoader.h:
(WebCore::FrameLoader::suppressOpenerInNewFrame): Deleted.
* loader/FrameLoaderTypes.h:
* loader/NavigationScheduler.cpp:
* page/ContextMenuController.cpp:
(WebCore::openNewWindow):
(WebCore::ContextMenuController::contextMenuItemSelected):

Source/WebKit/ios:

* WebView/WebPDFViewPlaceholder.mm:
(-[WebPDFViewPlaceholder simulateClickOnLinkToURL:]): Updated for a new WebCore
function signature. There is no rel="noreferrer" in PDF, so we can just always allow.

Source/WebKit/mac:

* WebView/WebPDFView.mm:
(-[WebPDFView PDFViewWillClickOnLink:withURL:]): Updated for a new WebCore
function signature. There is no rel="noreferrer" in PDF, so we can just always allow.

LayoutTests:

Unfortunately, these tests are not quite real, because they pass even without the
fix. There reason is that delegates respond synchronously in WKTR and DRT.

But if there is any large refactoring, there is a non-zero chance that the tests
will catch future mistakes.

* http/tests/navigation/resources/target-blank-opener-post-window.php: Added.
* http/tests/navigation/resources/target-blank-opener-window.php: Added.
* http/tests/navigation/target-blank-opener-expected.txt: Added.
* http/tests/navigation/target-blank-opener-post-expected.txt: Added.
* http/tests/navigation/target-blank-opener-post.html: Added.
* http/tests/navigation/target-blank-opener.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@180110 268f45cc-cd09-0410-ab3c-d52691b4dbfc

18 files changed:
LayoutTests/ChangeLog patch | blob | history
LayoutTests/http/tests/navigation/resources/target-blank-opener-post-window.php [new file with mode: 0644] patch | blob
LayoutTests/http/tests/navigation/resources/target-blank-opener-window.php [new file with mode: 0644] patch | blob
LayoutTests/http/tests/navigation/target-blank-opener-expected.txt [new file with mode: 0644] patch | blob
LayoutTests/http/tests/navigation/target-blank-opener-post-expected.txt [new file with mode: 0644] patch | blob
LayoutTests/http/tests/navigation/target-blank-opener-post.html [new file with mode: 0644] patch | blob
LayoutTests/http/tests/navigation/target-blank-opener.html [new file with mode: 0644] patch | blob
Source/WebCore/ChangeLog patch | blob | history
Source/WebCore/WebCore.exp.in patch | blob | history
Source/WebCore/loader/FrameLoader.cpp patch | blob | history
Source/WebCore/loader/FrameLoader.h patch | blob | history
Source/WebCore/loader/FrameLoaderTypes.h patch | blob | history
Source/WebCore/loader/NavigationScheduler.cpp patch | blob | history
Source/WebCore/page/ContextMenuController.cpp patch | blob | history
Source/WebKit/ios/ChangeLog patch | blob | history
Source/WebKit/ios/WebView/WebPDFViewPlaceholder.mm patch | blob | history
Source/WebKit/mac/ChangeLog patch | blob | history
Source/WebKit/mac/WebView/WebPDFView.mm patch | blob | history

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 80479c2326f70b82a2a416ef53da7c04a742bb97..2c6aabc86e7119ff3b63c885d7af07d77ae85b7b 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,23 @@
+2015-02-14  Alexey Proskuryakov  <ap@apple.com>
+
+        rel="noreferrer" should make window.opener null
+        https://bugs.webkit.org/show_bug.cgi?id=141579
+
+        Reviewed by Darin Adler.
+
+        Unfortunately, these tests are not quite real, because they pass even without the
+        fix. There reason is that delegates respond synchronously in WKTR and DRT.
+
+        But if there is any large refactoring, there is a non-zero chance that the tests
+        will catch future mistakes.
+
+        * http/tests/navigation/resources/target-blank-opener-post-window.php: Added.
+        * http/tests/navigation/resources/target-blank-opener-window.php: Added.
+        * http/tests/navigation/target-blank-opener-expected.txt: Added.
+        * http/tests/navigation/target-blank-opener-post-expected.txt: Added.
+        * http/tests/navigation/target-blank-opener-post.html: Added.
+        * http/tests/navigation/target-blank-opener.html: Added.
+
 2015-02-14  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Re-ordering expectations.
diff --git a/LayoutTests/http/tests/navigation/resources/target-blank-opener-post-window.php b/LayoutTests/http/tests/navigation/resources/target-blank-opener-post-window.php
new file mode 100644 (file)
index 0000000..a74de20
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/resources/target-blank-opener-post-window.php
@@ -0,0 +1,10 @@
+<p>Referrer: <?php echo $_SERVER['HTTP_REFERER'] ?></p>
+<script>
+console.log("Referrer: <?php echo $_SERVER['HTTP_REFERER'] ?>");
+
+var result = "window.opener: " + (window.opener ? "PASS" : "FAIL");
+document.write(result);
+console.log(result);
+if (window.testRunner)
+    testRunner.notifyDone();
+</script>
diff --git a/LayoutTests/http/tests/navigation/resources/target-blank-opener-window.php b/LayoutTests/http/tests/navigation/resources/target-blank-opener-window.php
new file mode 100644 (file)
index 0000000..dcaaa86
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/resources/target-blank-opener-window.php
@@ -0,0 +1,10 @@
+<p>Referrer: <?php echo $_SERVER['HTTP_REFERER'] ?></p>
+<script>
+console.log("Referrer: <?php echo $_SERVER['HTTP_REFERER'] ?>");
+
+var result = "window.opener: " + (window.opener ? "FAIL" : "PASS");
+document.write(result);
+console.log(result);
+if (window.testRunner)
+    testRunner.notifyDone();
+</script>
diff --git a/LayoutTests/http/tests/navigation/target-blank-opener-expected.txt b/LayoutTests/http/tests/navigation/target-blank-opener-expected.txt
new file mode 100644 (file)
index 0000000..8bdd2ec
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/target-blank-opener-expected.txt
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 3: Referrer: 
+CONSOLE MESSAGE: line 7: window.opener: PASS
+Test that a new window opened via <a target='_blank'> with rel="noreferrer" has a null opener.
+
+Click me to test.
diff --git a/LayoutTests/http/tests/navigation/target-blank-opener-post-expected.txt b/LayoutTests/http/tests/navigation/target-blank-opener-post-expected.txt
new file mode 100644 (file)
index 0000000..ba7dd67
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/target-blank-opener-post-expected.txt
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 3: Referrer: http://127.0.0.1:8000/navigation/target-blank-opener-post.html
+CONSOLE MESSAGE: line 7: window.opener: PASS
+Test that rel="noreferrer" is unsupported by form elements, and that window.opener is available when form submission opens a new window.
+
+
diff --git a/LayoutTests/http/tests/navigation/target-blank-opener-post.html b/LayoutTests/http/tests/navigation/target-blank-opener-post.html
new file mode 100644 (file)
index 0000000..88695bf
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/target-blank-opener-post.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<script src="../../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<p>Test that rel="noreferrer" is unsupported by form elements, and that window.opener is available when form submission opens a new window.</p>
+<form id="testForm" action="resources/target-blank-opener-post-window.php" target="_blank" rel="noreferrer" method="post">
+<input type="submit" value="Test"></input>
+<form>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.setCanOpenWindows(true);
+}
+
+document.forms[0].submit();
+
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/navigation/target-blank-opener.html b/LayoutTests/http/tests/navigation/target-blank-opener.html
new file mode 100644 (file)
index 0000000..4377287
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/target-blank-opener.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<script src="../../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<p>Test that a new window opened via &lt;a target='_blank'&gt; with rel="noreferrer" has a null opener.</p>
+<a id="testLink" href="resources/target-blank-opener-window.php" target="_blank" rel="noreferrer">Click me to test.</a>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.setCanOpenWindows(true);
+}
+
+document.getElementById("testLink").click();
+
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 188e46452cd57769fb12dfdcb447b729f64df183..b33ffa56bdab1e15feaac8db95457c17864725a8 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,37 @@
+2015-02-14  Alexey Proskuryakov  <ap@apple.com>
+
+        rel="noreferrer" should make window.opener null
+        https://bugs.webkit.org/show_bug.cgi?id=141579
+
+        Reviewed by Darin Adler.
+
+        Tests: http/tests/navigation/target-blank-opener-post.html
+               http/tests/navigation/target-blank-opener.html
+
+        We used to avoid passing window.opener policy by temporarily storing it in a FrameLoader
+        member variable. This works for some clients - ones that invoke delegate callbacks
+        synchronously - but not in the general case.
+
+        So, changed to passing the policy explicitly.
+
+        * WebCore.exp.in:
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::FrameLoader):
+        (WebCore::FrameLoader::urlSelected):
+        (WebCore::FrameLoader::loadURLIntoChildFrame):
+        (WebCore::FrameLoader::loadFrameRequest):
+        (WebCore::FrameLoader::loadURL):
+        (WebCore::FrameLoader::load):
+        (WebCore::FrameLoader::loadPostRequest):
+        (WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
+        * loader/FrameLoader.h:
+        (WebCore::FrameLoader::suppressOpenerInNewFrame): Deleted.
+        * loader/FrameLoaderTypes.h:
+        * loader/NavigationScheduler.cpp:
+        * page/ContextMenuController.cpp:
+        (WebCore::openNewWindow):
+        (WebCore::ContextMenuController::contextMenuItemSelected):
+
 2015-02-14  David Kilzer  <ddkilzer@apple.com>
 
         REGRESSION (r180082): WebCore build on Mountain Lion fails due to weak export for i386
diff --git a/Source/WebCore/WebCore.exp.in b/Source/WebCore/WebCore.exp.in
index d71fc1e61ab1edbd506929ed0e282df3a6e671a3..439c8d6c224da6a366be6c2a5b347f716acba0f3 100644 (file)
--- a/Source/WebCore/WebCore.exp.in
+++ b/Source/WebCore/WebCore.exp.in
@@ -150,7 +150,7 @@ __ZN7WebCore11FrameLoader11urlSelectedERKNS_3URLERKN3WTF6StringENS4_10PassRefPtr
 __ZN7WebCore11FrameLoader14detachChildrenEv
 __ZN7WebCore11FrameLoader14stopAllLoadersENS_26ClearProvisionalItemPolicyE
 __ZN7WebCore11FrameLoader16detachFromParentEv
-__ZN7WebCore11FrameLoader16loadFrameRequestERKNS_16FrameLoadRequestENS_11LockHistoryENS_19LockBackForwardListEN3WTF10PassRefPtrINS_5EventEEENS7_INS_9FormStateEEENS_18ShouldSendReferrerENS_27AllowNavigationToInvalidURLE
+__ZN7WebCore11FrameLoader16loadFrameRequestERKNS_16FrameLoadRequestENS_11LockHistoryENS_19LockBackForwardListEN3WTF10PassRefPtrINS_5EventEEENS7_INS_9FormStateEEENS_18ShouldSendReferrerENS_27AllowNavigationToInvalidURLENS_20NewFrameOpenerPolicyE
 __ZN7WebCore11FrameLoader17stopForUserCancelEb
 __ZN7WebCore11FrameLoader21loadURLIntoChildFrameERKNS_3URLERKN3WTF6StringEPNS_5FrameE
 __ZN7WebCore11FrameLoader22findFrameForNavigationERKN3WTF12AtomicStringEPNS_8DocumentE
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index da76f628a4b47101ffa03195c07ac9960753d073..05c820623e6b268cc947cfa9fbd2b41cedc4a88a 100644 (file)
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -235,7 +235,6 @@ FrameLoader::FrameLoader(Frame& frame, FrameLoaderClient& client)
     , m_shouldCallCheckLoadComplete(false)
     , m_opener(nullptr)
     , m_loadingFromCachedPage(false)
-    , m_suppressOpenerInNewFrame(false)
     , m_currentNavigationHasShownBeforeUnloadConfirmPanel(false)
     , m_loadsSynchronously(false)
     , m_forcedSandboxFlags(SandboxNone)
@@ -330,8 +329,6 @@ void FrameLoader::urlSelected(const URL& url, const String& passedTarget, PassRe
 // corresponding parameter from ScriptController::executeIfJavaScriptURL() is addressed.
 void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, PassRefPtr<Event> triggeringEvent, LockHistory lockHistory, LockBackForwardList lockBackForwardList, ShouldSendReferrer shouldSendReferrer, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL, AllowNavigationToInvalidURL allowNavigationToInvalidURL)
 {
-    ASSERT(!m_suppressOpenerInNewFrame);
-
     Ref<Frame> protect(m_frame);
     FrameLoadRequest frameRequest(passedRequest);
 
@@ -341,13 +338,11 @@ void FrameLoader::urlSelected(const FrameLoadRequest& passedRequest, PassRefPtr<
     if (frameRequest.frameName().isEmpty())
         frameRequest.setFrameName(m_frame.document()->baseTarget());
 
-    if (shouldSendReferrer == NeverSendReferrer)
-        m_suppressOpenerInNewFrame = true;
     addHTTPOriginIfNeeded(frameRequest.resourceRequest(), outgoingOrigin());
 
-    loadFrameRequest(frameRequest, lockHistory, lockBackForwardList, triggeringEvent, 0, shouldSendReferrer, allowNavigationToInvalidURL);
+    NewFrameOpenerPolicy openerPolicy = (shouldSendReferrer == NeverSendReferrer) ? NewFrameOpenerPolicy::Suppress : NewFrameOpenerPolicy::Allow;
 
-    m_suppressOpenerInNewFrame = false;
+    loadFrameRequest(frameRequest, lockHistory, lockBackForwardList, triggeringEvent, 0, shouldSendReferrer, allowNavigationToInvalidURL, openerPolicy);
 }
 
 void FrameLoader::submitForm(PassRefPtr<FormSubmission> submission)
@@ -925,7 +920,7 @@ void FrameLoader::loadURLIntoChildFrame(const URL& url, const String& referer, F
         }
     }
 
-    childFrame->loader().loadURL(url, referer, "_self", LockHistory::No, FrameLoadType::RedirectWithLockedBackForwardList, 0, 0, AllowNavigationToInvalidURL::Yes);
+    childFrame->loader().loadURL(url, referer, "_self", LockHistory::No, FrameLoadType::RedirectWithLockedBackForwardList, 0, 0, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Suppress);
 }
 
 #if ENABLE(WEB_ARCHIVE) || ENABLE(MHTML)
@@ -1150,7 +1145,7 @@ void FrameLoader::setupForReplace()
 }
 
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, LockHistory lockHistory, LockBackForwardList lockBackForwardList,
-    PassRefPtr<Event> event, PassRefPtr<FormState> formState, ShouldSendReferrer shouldSendReferrer, AllowNavigationToInvalidURL allowNavigationToInvalidURL)
+    PassRefPtr<Event> event, PassRefPtr<FormState> formState, ShouldSendReferrer shouldSendReferrer, AllowNavigationToInvalidURL allowNavigationToInvalidURL, NewFrameOpenerPolicy openerPolicy)
 {    
     // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
     Ref<Frame> protect(m_frame);
@@ -1180,9 +1175,9 @@ void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, LockHistory
         loadType = FrameLoadType::Standard;
 
     if (request.resourceRequest().httpMethod() == "POST")
-        loadPostRequest(request.resourceRequest(), referrer, request.frameName(), lockHistory, loadType, event, formState.get(), allowNavigationToInvalidURL);
+        loadPostRequest(request.resourceRequest(), referrer, request.frameName(), lockHistory, loadType, event, formState.get(), allowNavigationToInvalidURL, openerPolicy);
     else
-        loadURL(request.resourceRequest().url(), referrer, request.frameName(), lockHistory, loadType, event, formState.get(), allowNavigationToInvalidURL);
+        loadURL(request.resourceRequest().url(), referrer, request.frameName(), lockHistory, loadType, event, formState.get(), allowNavigationToInvalidURL, openerPolicy);
 
     // FIXME: It's possible this targetFrame will not be the same frame that was targeted by the actual
     // load if frame names have changed.
@@ -1197,7 +1192,7 @@ void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, LockHistory
 }
 
 void FrameLoader::loadURL(const URL& newURL, const String& referrer, const String& frameName, LockHistory lockHistory, FrameLoadType newLoadType,
-    PassRefPtr<Event> event, PassRefPtr<FormState> prpFormState, AllowNavigationToInvalidURL allowNavigationToInvalidURL)
+    PassRefPtr<Event> event, PassRefPtr<FormState> prpFormState, AllowNavigationToInvalidURL allowNavigationToInvalidURL, NewFrameOpenerPolicy openerPolicy)
 {
     if (m_inStopAllLoaders)
         return;
@@ -1226,7 +1221,7 @@ void FrameLoader::loadURL(const URL& newURL, const String& referrer, const Strin
     // The search for a target frame is done earlier in the case of form submission.
     Frame* targetFrame = isFormSubmission ? 0 : findFrameForNavigation(frameName);
     if (targetFrame && targetFrame != &m_frame) {
-        targetFrame->loader().loadURL(newURL, referrer, "_self", lockHistory, newLoadType, event, formState.release(), allowNavigationToInvalidURL);
+        targetFrame->loader().loadURL(newURL, referrer, "_self", lockHistory, newLoadType, event, formState.release(), allowNavigationToInvalidURL, openerPolicy);
         return;
     }
 
@@ -1236,8 +1231,8 @@ void FrameLoader::loadURL(const URL& newURL, const String& referrer, const Strin
     NavigationAction action(request, newLoadType, isFormSubmission, event);
 
     if (!targetFrame && !frameName.isEmpty()) {
-        policyChecker().checkNewWindowPolicy(action, request, formState.release(), frameName, [this, allowNavigationToInvalidURL](const ResourceRequest& request, PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue) {
-            continueLoadAfterNewWindowPolicy(request, formState, frameName, action, shouldContinue, allowNavigationToInvalidURL);
+        policyChecker().checkNewWindowPolicy(action, request, formState.release(), frameName, [this, allowNavigationToInvalidURL, openerPolicy](const ResourceRequest& request, PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue) {
+            continueLoadAfterNewWindowPolicy(request, formState, frameName, action, shouldContinue, allowNavigationToInvalidURL, openerPolicy);
         });
         return;
     }
@@ -1306,7 +1301,7 @@ void FrameLoader::load(const FrameLoadRequest& passedRequest)
 
     if (request.shouldCheckNewWindowPolicy()) {
         policyChecker().checkNewWindowPolicy(NavigationAction(request.resourceRequest(), NavigationTypeOther), request.resourceRequest(), nullptr, request.frameName(), [this](const ResourceRequest& request, PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue) {
-            continueLoadAfterNewWindowPolicy(request, formState, frameName, action, shouldContinue, AllowNavigationToInvalidURL::Yes);
+            continueLoadAfterNewWindowPolicy(request, formState, frameName, action, shouldContinue, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Suppress);
         });
 
         return;
@@ -2612,7 +2607,7 @@ void FrameLoader::addHTTPOriginIfNeeded(ResourceRequest& request, const String&
     request.setHTTPOrigin(origin);
 }
 
-void FrameLoader::loadPostRequest(const ResourceRequest& inRequest, const String& referrer, const String& frameName, LockHistory lockHistory, FrameLoadType loadType, PassRefPtr<Event> event, PassRefPtr<FormState> prpFormState, AllowNavigationToInvalidURL allowNavigationToInvalidURL)
+void FrameLoader::loadPostRequest(const ResourceRequest& inRequest, const String& referrer, const String& frameName, LockHistory lockHistory, FrameLoadType loadType, PassRefPtr<Event> event, PassRefPtr<FormState> prpFormState, AllowNavigationToInvalidURL allowNavigationToInvalidURL, NewFrameOpenerPolicy openerPolicy)
 {
     RefPtr<FormState> formState = prpFormState;
 
@@ -2644,8 +2639,8 @@ void FrameLoader::loadPostRequest(const ResourceRequest& inRequest, const String
             return;
         }
 
-        policyChecker().checkNewWindowPolicy(action, workingResourceRequest, formState.release(), frameName, [this, allowNavigationToInvalidURL](const ResourceRequest& request, PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue) {
-            continueLoadAfterNewWindowPolicy(request, formState, frameName, action, shouldContinue, allowNavigationToInvalidURL);
+        policyChecker().checkNewWindowPolicy(action, workingResourceRequest, formState.release(), frameName, [this, allowNavigationToInvalidURL, openerPolicy](const ResourceRequest& request, PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue) {
+            continueLoadAfterNewWindowPolicy(request, formState, frameName, action, shouldContinue, allowNavigationToInvalidURL, openerPolicy);
         });
         return;
     }
@@ -2962,7 +2957,7 @@ void FrameLoader::continueLoadAfterNavigationPolicy(const ResourceRequest& reque
 }
 
 void FrameLoader::continueLoadAfterNewWindowPolicy(const ResourceRequest& request,
-    PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue, AllowNavigationToInvalidURL allowNavigationToInvalidURL)
+    PassRefPtr<FormState> formState, const String& frameName, const NavigationAction& action, bool shouldContinue, AllowNavigationToInvalidURL allowNavigationToInvalidURL, NewFrameOpenerPolicy openerPolicy)
 {
     if (!shouldContinue)
         return;
@@ -2977,7 +2972,7 @@ void FrameLoader::continueLoadAfterNewWindowPolicy(const ResourceRequest& reques
 
     mainFrame->page()->setOpenedByDOM();
     mainFrame->loader().m_client.dispatchShow();
-    if (!m_suppressOpenerInNewFrame) {
+    if (openerPolicy == NewFrameOpenerPolicy::Allow) {
         mainFrame->loader().setOpener(frame.ptr());
         mainFrame->document()->setReferrerPolicy(frame->document()->referrerPolicy());
     }
diff --git a/Source/WebCore/loader/FrameLoader.h b/Source/WebCore/loader/FrameLoader.h
index 619c7c4a6367e5e2fbfa08463c478d162101d155..633407e045fa3bad196e29c2b236faacfe31eecd 100644 (file)
--- a/Source/WebCore/loader/FrameLoader.h
+++ b/Source/WebCore/loader/FrameLoader.h
@@ -107,7 +107,7 @@ public:
     // FIXME: These are all functions which start loads. We have too many.
     WEBCORE_EXPORT void loadURLIntoChildFrame(const URL&, const String& referer, Frame*);
     WEBCORE_EXPORT void loadFrameRequest(const FrameLoadRequest&, LockHistory, LockBackForwardList, // Called by submitForm, calls loadPostRequest and loadURL.
-        PassRefPtr<Event>, PassRefPtr<FormState>, ShouldSendReferrer, AllowNavigationToInvalidURL);
+        PassRefPtr<Event>, PassRefPtr<FormState>, ShouldSendReferrer, AllowNavigationToInvalidURL, NewFrameOpenerPolicy);
 
     WEBCORE_EXPORT void load(const FrameLoadRequest&);
 
@@ -265,8 +265,6 @@ public:
 
     WEBCORE_EXPORT void setOriginalURLForDownloadRequest(ResourceRequest&);
 
-    bool suppressOpenerInNewFrame() const { return m_suppressOpenerInNewFrame; }
-
     bool quickRedirectComing() const { return m_quickRedirectComing; }
 
     WEBCORE_EXPORT bool shouldClose();
@@ -318,7 +316,7 @@ private:
     bool handleBeforeUnloadEvent(Chrome&, FrameLoader* frameLoaderBeingNavigated);
 
     void continueLoadAfterNavigationPolicy(const ResourceRequest&, PassRefPtr<FormState>, bool shouldContinue, AllowNavigationToInvalidURL);
-    void continueLoadAfterNewWindowPolicy(const ResourceRequest&, PassRefPtr<FormState>, const String& frameName, const NavigationAction&, bool shouldContinue, AllowNavigationToInvalidURL);
+    void continueLoadAfterNewWindowPolicy(const ResourceRequest&, PassRefPtr<FormState>, const String& frameName, const NavigationAction&, bool shouldContinue, AllowNavigationToInvalidURL, NewFrameOpenerPolicy);
     void continueFragmentScrollAfterNavigationPolicy(const ResourceRequest&, bool shouldContinue);
 
     bool shouldPerformFragmentNavigation(bool isFormSubmission, const String& httpMethod, FrameLoadType, const URL&);
@@ -348,9 +346,9 @@ private:
         LockHistory, FrameLoadType, PassRefPtr<FormState>, AllowNavigationToInvalidURL);
 
     void loadPostRequest(const ResourceRequest&, const String& referrer,                // Called by loadFrameRequest, calls loadWithNavigationAction
-        const String& frameName, LockHistory, FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>, AllowNavigationToInvalidURL);
+        const String& frameName, LockHistory, FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>, AllowNavigationToInvalidURL, NewFrameOpenerPolicy);
     void loadURL(const URL&, const String& referrer, const String& frameName,          // Called by loadFrameRequest, calls loadWithNavigationAction or dispatches to navigation policy delegate
-        LockHistory, FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>, AllowNavigationToInvalidURL);
+        LockHistory, FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>, AllowNavigationToInvalidURL, NewFrameOpenerPolicy);
 
     bool shouldReload(const URL& currentURL, const URL& destinationURL);
 
@@ -429,7 +427,6 @@ private:
     HashSet<Frame*> m_openedFrames;
 
     bool m_loadingFromCachedPage;
-    bool m_suppressOpenerInNewFrame;
 
     bool m_currentNavigationHasShownBeforeUnloadConfirmPanel;
 
diff --git a/Source/WebCore/loader/FrameLoaderTypes.h b/Source/WebCore/loader/FrameLoaderTypes.h
index 9956d1a530ebe4f23c1d9437ef7ef93b36c87e00..e020c931d77865abb7b8456cc42e67abe05b953a 100644 (file)
--- a/Source/WebCore/loader/FrameLoaderTypes.h
+++ b/Source/WebCore/loader/FrameLoaderTypes.h
@@ -57,6 +57,11 @@ enum class FrameLoadType {
     ReloadFromOrigin,
 };
 
+enum class NewFrameOpenerPolicy {
+    Suppress,
+    Allow
+};
+
     enum NavigationType {
         NavigationTypeLinkClicked,
         NavigationTypeFormSubmitted,
diff --git a/Source/WebCore/loader/NavigationScheduler.cpp b/Source/WebCore/loader/NavigationScheduler.cpp
index 91cba066d10481174610eb63478c8ae7d89ed92b..3af28db95e5b54333f306e6d5d626ec28f6c843f 100644 (file)
--- a/Source/WebCore/loader/NavigationScheduler.cpp
+++ b/Source/WebCore/loader/NavigationScheduler.cpp
@@ -246,7 +246,7 @@ public:
             return;
         FrameLoadRequest frameRequest(requestingDocument->securityOrigin());
         m_submission->populateFrameLoadRequest(frameRequest);
-        frame.loader().loadFrameRequest(frameRequest, lockHistory(), lockBackForwardList(), m_submission->event(), m_submission->state(), MaybeSendReferrer, AllowNavigationToInvalidURL::Yes);
+        frame.loader().loadFrameRequest(frameRequest, lockHistory(), lockBackForwardList(), m_submission->event(), m_submission->state(), MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Allow);
     }
     
     virtual void didStartTimer(Frame& frame, Timer& timer) override
diff --git a/Source/WebCore/page/ContextMenuController.cpp b/Source/WebCore/page/ContextMenuController.cpp
index 9224eeeeaddc2eb0ad2d23606d0d0057f37c6a37..13c156ab15bc4abe4913dbcb9bd56a6c38764c35 100644 (file)
--- a/Source/WebCore/page/ContextMenuController.cpp
+++ b/Source/WebCore/page/ContextMenuController.cpp
@@ -202,7 +202,7 @@ static void openNewWindow(const URL& urlToLoad, Frame* frame)
     if (!newPage)
         return;
     newPage->chrome().show();
-    newPage->mainFrame().loader().loadFrameRequest(request, LockHistory::No, LockBackForwardList::No, 0, 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes);
+    newPage->mainFrame().loader().loadFrameRequest(request, LockHistory::No, LockBackForwardList::No, 0, 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Suppress);
 }
 
 #if PLATFORM(GTK)
@@ -401,12 +401,12 @@ void ContextMenuController::contextMenuItemSelected(ContextMenuItem* item)
         break;
     case ContextMenuItemTagOpenLink:
         if (Frame* targetFrame = m_context.hitTestResult().targetFrame())
-            targetFrame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(m_context.hitTestResult().absoluteLinkURL(), frame->loader().outgoingReferrer())), LockHistory::No, LockBackForwardList::No, 0, 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes);
+            targetFrame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(m_context.hitTestResult().absoluteLinkURL(), frame->loader().outgoingReferrer())), LockHistory::No, LockBackForwardList::No, 0, 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Suppress);
         else
             openNewWindow(m_context.hitTestResult().absoluteLinkURL(), frame);
         break;
     case ContextMenuItemTagOpenLinkInThisWindow:
-        frame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(m_context.hitTestResult().absoluteLinkURL(), frame->loader().outgoingReferrer())), LockHistory::No, LockBackForwardList::No, 0, 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes);
+        frame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(m_context.hitTestResult().absoluteLinkURL(), frame->loader().outgoingReferrer())), LockHistory::No, LockBackForwardList::No, 0, 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Suppress);
         break;
     case ContextMenuItemTagBold:
         frame->editor().command("ToggleBold").execute();
diff --git a/Source/WebKit/ios/ChangeLog b/Source/WebKit/ios/ChangeLog
index 3ef5f168fb018826adde34158bd1b126775d0c9b..2ed2d6fd04ece7a39ed13f03ff7a99d71ffa0f1b 100644 (file)
--- a/Source/WebKit/ios/ChangeLog
+++ b/Source/WebKit/ios/ChangeLog
@@ -1,3 +1,14 @@
+2015-02-14  Alexey Proskuryakov  <ap@apple.com>
+
+        rel="noreferrer" should make window.opener null
+        https://bugs.webkit.org/show_bug.cgi?id=141579
+
+        Reviewed by Darin Adler.
+
+        * WebView/WebPDFViewPlaceholder.mm:
+        (-[WebPDFViewPlaceholder simulateClickOnLinkToURL:]): Updated for a new WebCore
+        function signature. There is no rel="noreferrer" in PDF, so we can just always allow.
+
 2015-02-03  Enrica Casucci  <enrica@apple.com>
 
         [iOS] Add support for deleteFromInputWithFlags.
diff --git a/Source/WebKit/ios/WebView/WebPDFViewPlaceholder.mm b/Source/WebKit/ios/WebView/WebPDFViewPlaceholder.mm
index 298ef5b95beeeb12c74bf915df7deaca4346a4ad..2f468d0cf1a21c86cc84d493c247169a30ebbca8 100644 (file)
--- a/Source/WebKit/ios/WebView/WebPDFViewPlaceholder.mm
+++ b/Source/WebKit/ios/WebView/WebPDFViewPlaceholder.mm
@@ -475,7 +475,7 @@ static const float PAGE_HEIGHT_INSET = 4.0f * 2.0f;
 
     // Call to the frame loader because this is where our security checks are made.
     Frame* frame = core([_dataSource webFrame]);
-    frame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(URL)), LockHistory::No, LockBackForwardList::No, event.get(), 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes);
+    frame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(URL)), LockHistory::No, LockBackForwardList::No, event.get(), 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Allow);
 }
 
 @end
diff --git a/Source/WebKit/mac/ChangeLog b/Source/WebKit/mac/ChangeLog
index b8a266cd5fbf202fda9a0cf4c182626ed32114d6..045acab4780d4eafa7c52f1be2cac4cd9a8b5854 100644 (file)
--- a/Source/WebKit/mac/ChangeLog
+++ b/Source/WebKit/mac/ChangeLog
@@ -1,3 +1,14 @@
+2015-02-14  Alexey Proskuryakov  <ap@apple.com>
+
+        rel="noreferrer" should make window.opener null
+        https://bugs.webkit.org/show_bug.cgi?id=141579
+
+        Reviewed by Darin Adler.
+
+        * WebView/WebPDFView.mm:
+        (-[WebPDFView PDFViewWillClickOnLink:withURL:]): Updated for a new WebCore
+        function signature. There is no rel="noreferrer" in PDF, so we can just always allow.
+
 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
 
         [Streams API] Implement a barebone ReadableStream interface
diff --git a/Source/WebKit/mac/WebView/WebPDFView.mm b/Source/WebKit/mac/WebView/WebPDFView.mm
index 762959bca47c346d6a96b348ffb7c5f2accbce97..bd385ad3dc9d3c5703070fdac60caeeca50f78da 100644 (file)
--- a/Source/WebKit/mac/WebView/WebPDFView.mm
+++ b/Source/WebKit/mac/WebView/WebPDFView.mm
@@ -1032,7 +1032,7 @@ static BOOL isFrameInRange(WebFrame *frame, DOMRange *range)
 
     // Call to the frame loader because this is where our security checks are made.
     Frame* frame = core([dataSource webFrame]);
-    frame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(URL)), LockHistory::No, LockBackForwardList::No, event.get(), 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes);
+    frame->loader().loadFrameRequest(FrameLoadRequest(frame->document()->securityOrigin(), ResourceRequest(URL)), LockHistory::No, LockBackForwardList::No, event.get(), 0, MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Allow);
 }
 
 - (void)PDFViewOpenPDFInNativeApplication:(PDFView *)sender
Mirror of the WebKit open source project from svn.webkit.org.