| Index: third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp b/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
|
| index 1da4958124e614bdfc6f561cf263910b0d1ae17d..85321095933e4424773c8f8479572f85154e0093 100644
|
| --- a/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
|
| @@ -523,7 +523,7 @@ void LocalDOMWindow::unregisterProperty(DOMWindowProperty* property)
|
|
|
| void LocalDOMWindow::reset()
|
| {
|
| - frameDestroyed();
|
| + m_frameObserver->contextDestroyed();
|
|
|
| m_screen = nullptr;
|
| m_history = nullptr;
|
| @@ -541,8 +541,6 @@ void LocalDOMWindow::reset()
|
| m_hasBeenReset = true;
|
| #endif
|
|
|
| - resetLocation();
|
| -
|
| LocalDOMWindow::notifyContextDestroyed();
|
| }
|
|
|
| @@ -662,17 +660,8 @@ ApplicationCache* LocalDOMWindow::applicationCache() const
|
|
|
| Navigator* LocalDOMWindow::navigator() const
|
| {
|
| - if (!isCurrentlyDisplayedInFrame() && (!m_navigator || m_navigator->frame())) {
|
| - // We return a navigator with null frame instead of returning null
|
| - // pointer as other functions do, in order to allow users to access
|
| - // functions such as navigator.product.
|
| - m_navigator = Navigator::create(nullptr);
|
| - }
|
| if (!m_navigator)
|
| m_navigator = Navigator::create(frame());
|
| - // As described above, when not dispayed in the frame, the returning
|
| - // navigator should not be associated with the frame.
|
| - ASSERT(isCurrentlyDisplayedInFrame() || !m_navigator->frame());
|
| return m_navigator.get();
|
| }
|
|
|
| @@ -1387,8 +1376,9 @@ void LocalDOMWindow::dispatchLoadEvent()
|
| timing.markLoadEventStart();
|
| dispatchEvent(loadEvent, document());
|
| timing.markLoadEventEnd();
|
| - } else
|
| + } else {
|
| dispatchEvent(loadEvent, document());
|
| + }
|
|
|
| // For load events, send a separate load event to the enclosing frame only.
|
| // This is a DOM extension and is independent of bubbling/capturing rules of
|
| @@ -1474,9 +1464,9 @@ PassRefPtrWillBeRawPtr<DOMWindow> LocalDOMWindow::open(const String& urlString,
|
| // Get the target frame for the special cases of _top and _parent.
|
| // In those cases, we schedule a location change right now and return early.
|
| Frame* targetFrame = nullptr;
|
| - if (frameName == "_top")
|
| + if (frameName == "_top") {
|
| targetFrame = frame()->tree().top();
|
| - else if (frameName == "_parent") {
|
| + } else if (frameName == "_parent") {
|
| if (Frame* parent = frame()->tree().parent())
|
| targetFrame = parent;
|
| else
|
| @@ -1530,6 +1520,11 @@ DEFINE_TRACE(LocalDOMWindow)
|
|
|
| LocalFrame* LocalDOMWindow::frame() const
|
| {
|
| + // If the LocalDOMWindow still has a frame reference, that frame must point
|
| + // back to this LocalDOMWindow: otherwise, it's easy to get into a situation
|
| + // where script execution leaks between different LocalDOMWindows.
|
| + if (m_frameObserver->frame())
|
| + ASSERT_WITH_SECURITY_IMPLICATION(m_frameObserver->frame()->domWindow() == this);
|
| return m_frameObserver->frame();
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 1374533002:
Null out LocalDOMWindow::m_frame on navigation. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master