Issue 1910403003: Don't allow scripts to run when a node is being adopted.

Issue 1910403003: Don't allow scripts to run when a node is being adopted. (Closed)

Created:
4 years, 8 months ago by Mariusz Mlynski

Modified:
4 years, 8 months ago

Reviewers:
esprehn, dominicc (has gone to gerrit)

CC:
blink-reviews, blink-reviews-dom_chromium.org, chromium-reviews, dglazkov+blink, eae+blinkwatch, rwlbuis, sof

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Don't allow scripts to run when a node is being adopted. Running a script in the middle of rescoping nodes can break a lot of invariants and leave DOM in an inconsistent state. This patch adds a ScriptForbiddenScope in TreeScope::adoptIfNeeded to ensure it never happens. BUG=605766 Committed: https://crrev.com/146ff1bb11c88778d466bd7a49b544f2b5806ee0 Cr-Commit-Position: refs/heads/master@{#389425}

Patch Set 1 #

Total comments: 1

Created: 4 years, 8 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+3 lines, -1 line)			Patch
	M	third_party/WebKit/Source/core/dom/TreeScope.cpp	View		1 chunk	+3 lines, -1 line	1 comment	Download

Messages

Total messages: 11 (4 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1910403003/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1910403003/1

4 years, 8 months ago (2016-04-25 06:35:31 UTC) #4

commit-bot: I haz the power

Patchset 1 (id:??) landed as https://crrev.com/146ff1bb11c88778d466bd7a49b544f2b5806ee0 Cr-Commit-Position: refs/heads/master@{#389425}

4 years, 8 months ago (2016-04-25 07:48:23 UTC) #7

esprehn

https://codereview.chromium.org/1910403003/diff/1/third_party/WebKit/Source/core/dom/TreeScope.cpp File third_party/WebKit/Source/core/dom/TreeScope.cpp (right): https://codereview.chromium.org/1910403003/diff/1/third_party/WebKit/Source/core/dom/TreeScope.cpp#newcode377 third_party/WebKit/Source/core/dom/TreeScope.cpp:377: ScriptForbiddenScope forbidScript; This should be at the top of ...

4 years, 8 months ago (2016-04-25 20:55:22 UTC) #9

esprehn

On 2016/04/25 at 20:55:22, esprehn wrote: > https://codereview.chromium.org/1910403003/diff/1/third_party/WebKit/Source/core/dom/TreeScope.cpp > File third_party/WebKit/Source/core/dom/TreeScope.cpp (right): > > https://codereview.chromium.org/1910403003/diff/1/third_party/WebKit/Source/core/dom/TreeScope.cpp#newcode377 ...

4 years, 8 months ago (2016-04-25 20:55:40 UTC) #10

Mariusz Mlynski

4 years, 8 months ago (2016-04-26 04:22:01 UTC) #11

Message was sent while issue was closed.

On 2016/04/25 20:55:40, esprehn wrote:
> On 2016/04/25 at 20:55:22, esprehn wrote:
> >
>
https://codereview.chromium.org/1910403003/diff/1/third_party/WebKit/Source/c...
> > File third_party/WebKit/Source/core/dom/TreeScope.cpp (right):
> > 
> >
>
https://codereview.chromium.org/1910403003/diff/1/third_party/WebKit/Source/c...
> > third_party/WebKit/Source/core/dom/TreeScope.cpp:377: ScriptForbiddenScope
> forbidScript;
> > This should be at the top of the function. ScriptForbiddenScope is like an
> assert, needsScopeChange() should be able to run script either.
> 
> *shouldn't*

Thanks for the feedback. This is true, |needsScopeChange()| shouldn't be allowed
to run script, neither should the TreeScopeAdopter constructor. I decided to put
the scope within the if block because |adoptIfNeeded| is called unconditionally
during various DOM operations and I didn't want to add another operation in the
hot path unless absolutely needed. |needsScopeChange()| does a comparison
operation only, so it's verified to be safe, and I figured the chances of it
becoming more complicated in the future are very low, hence the little
optimization.

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages