Defer iframe JavaScript URL evaluation

Source/core/html/HTMLFrameJavaScriptURLOpener.cpp

Index: Source/core/html/HTMLFrameJavaScriptURLOpener.cpp
diff --git a/Source/core/html/HTMLFrameJavaScriptURLOpener.cpp b/Source/core/html/HTMLFrameJavaScriptURLOpener.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..136a156c7501bdc6dc6ca0e1dbbe9ac667972feb
--- /dev/null
+++ b/Source/core/html/HTMLFrameJavaScriptURLOpener.cpp
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Google, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "core/html/HTMLFrameJavaScriptURLOpener.h"
+
+#include "core/dom/Document.h"
+#include "core/dom/Microtask.h"
+#include "core/frame/LocalFrame.h"
+#include "core/html/HTMLFrameElementBase.h"
+
+namespace WebCore {
+
+HTMLFrameJavaScriptURLOpener::Request::Request(PassRefPtr<HTMLFrameElementBase> element)
+    : m_element(element)
+    , m_document(&m_element->document())
+    , m_lastURL(m_element->url())
+{
+    m_document->didAddPendingResource();
+}
+
+HTMLFrameJavaScriptURLOpener::Request::~Request()
+{
+    m_document->didRemovePendingResource();
+}
+
+void HTMLFrameJavaScriptURLOpener::Request::setNameAndOpenURL()
+{
+    if (!m_element->inDocument())
+        return;
+    if (m_element->url() != m_lastURL)
+        return;
+    m_element->setNameAndOpenURL();

[abarth-chromium, 2014/04/02 01:02:19]

This function eventually calls isURLAllowed(), which does stack inspector to
determine whether the JavaScript URL is allowed.  You're passing the security
tests, which suggests that moving this call to this point in time doesn't cause
a security problem, but I'm unsure why that is.  I guess the microtask
checkpoint happens before we take the current script off the stack?  What if one
script calls another?  Is it possible to dispatch an event synchronously in
another frame that causes a microtask checkpoint to occur while some other
script is on the stack instead of the one that authored the JavaScript URL?

+}
+
+HTMLFrameJavaScriptURLOpener& HTMLFrameJavaScriptURLOpener::instance()
+{
+    DEFINE_STATIC_LOCAL(HTMLFrameJavaScriptURLOpener, s_instance, ());
+    return s_instance;
+}
+
+HTMLFrameJavaScriptURLOpener::HTMLFrameJavaScriptURLOpener()
+    : m_enqueued(false)
+{
+}
+
+HTMLFrameJavaScriptURLOpener::~HTMLFrameJavaScriptURLOpener()
+{
+}
+
+void HTMLFrameJavaScriptURLOpener::microtaskCallback()
+{
+    instance().processPendingRequests();
+}
+
+void HTMLFrameJavaScriptURLOpener::request(PassRefPtr<HTMLFrameElementBase> element)
+{
+    m_requests.append(adoptRef(new Request(element)));
+    if (m_enqueued)
+        return;
+
+    m_enqueued = true;
+    Microtask::enqueueMicrotask(&HTMLFrameJavaScriptURLOpener::microtaskCallback);
+}
+
+void HTMLFrameJavaScriptURLOpener::processPendingRequests()
+{
+    ASSERT(m_enqueued);
+    m_enqueued = false;
+
+    while (!m_requests.isEmpty()) {
+        Vector<RefPtr<Request> > requests;
+        m_requests.swap(requests);
+        for (size_t i = 0; i < requests.size(); ++i)
+            requests[i]->setNameAndOpenURL();
+    }
+}
+
+}