OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 /* | 5 /* |
6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. | 6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. |
7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) | 7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) |
8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. | 8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. |
9 * (http://www.torchmobile.com/) | 9 * (http://www.torchmobile.com/) |
10 * | 10 * |
(...skipping 170 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
181 } | 181 } |
182 | 182 |
183 void HistoryController::UpdateForCommit(RenderFrameImpl* frame, | 183 void HistoryController::UpdateForCommit(RenderFrameImpl* frame, |
184 const WebHistoryItem& item, | 184 const WebHistoryItem& item, |
185 WebHistoryCommitType commit_type, | 185 WebHistoryCommitType commit_type, |
186 bool navigation_within_page) { | 186 bool navigation_within_page) { |
187 switch (commit_type) { | 187 switch (commit_type) { |
188 case blink::WebBackForwardCommit: | 188 case blink::WebBackForwardCommit: |
189 if (!provisional_entry_) | 189 if (!provisional_entry_) |
190 return; | 190 return; |
191 current_entry_.reset(provisional_entry_.release()); | 191 |
| 192 // If the current entry is null, this must be a main frame commit. |
| 193 DCHECK(current_entry_ || frame->IsMainFrame()); |
| 194 |
| 195 // Commit the provisional entry, but only if it is a plausible transition. |
| 196 // Do not commit it if the navigation is in a subframe and the provisional |
| 197 // entry's main frame item does not match the current entry's main frame, |
| 198 // which can happen if multiple forward navigations occur. In that case, |
| 199 // committing the provisional entry would corrupt it, leading to a URL |
| 200 // spoof. See https://crbug.com/597322. (Note that the race in this bug |
| 201 // does not affect main frame navigations, only navigations in subframes.) |
| 202 // |
| 203 // Note that we cannot compare the provisional entry against |item|, since |
| 204 // |item| may have redirected to a different URL and ISN. We also cannot |
| 205 // compare against the main frame's URL, since that may have changed due |
| 206 // to a replaceState. (Even origin can change on replaceState in certain |
| 207 // modes.) |
| 208 // |
| 209 // It would be safe to additionally check the ISNs of all parent frames |
| 210 // (and not just the root), but that is less critical because it won't |
| 211 // lead to a URL spoof. |
| 212 if (frame->IsMainFrame() || |
| 213 current_entry_->root().itemSequenceNumber() == |
| 214 provisional_entry_->root().itemSequenceNumber()) { |
| 215 current_entry_.reset(provisional_entry_.release()); |
| 216 } |
| 217 |
| 218 // We're guaranteed to have a current entry now. |
| 219 DCHECK(current_entry_); |
| 220 |
192 if (HistoryEntry::HistoryNode* node = | 221 if (HistoryEntry::HistoryNode* node = |
193 current_entry_->GetHistoryNodeForFrame(frame)) { | 222 current_entry_->GetHistoryNodeForFrame(frame)) { |
194 node->set_item(item); | 223 node->set_item(item); |
195 } | 224 } |
196 break; | 225 break; |
197 case blink::WebStandardCommit: | 226 case blink::WebStandardCommit: |
198 CreateNewBackForwardItem(frame, item, navigation_within_page); | 227 CreateNewBackForwardItem(frame, item, navigation_within_page); |
199 break; | 228 break; |
200 case blink::WebInitialCommitInChildFrame: | 229 case blink::WebInitialCommitInChildFrame: |
201 UpdateForInitialLoadInChildFrame(frame, item); | 230 UpdateForInitialLoadInChildFrame(frame, item); |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
249 bool clone_children_of_target) { | 278 bool clone_children_of_target) { |
250 if (!current_entry_) { | 279 if (!current_entry_) { |
251 current_entry_.reset(new HistoryEntry(new_item)); | 280 current_entry_.reset(new HistoryEntry(new_item)); |
252 } else { | 281 } else { |
253 current_entry_.reset(current_entry_->CloneAndReplace( | 282 current_entry_.reset(current_entry_->CloneAndReplace( |
254 new_item, clone_children_of_target, target_frame, render_view_)); | 283 new_item, clone_children_of_target, target_frame, render_view_)); |
255 } | 284 } |
256 } | 285 } |
257 | 286 |
258 } // namespace content | 287 } // namespace content |
OLD | NEW |