
Side by Side Diff: Source/WebCore/bindings/ScriptControllerBase.cpp

Issue 8223012: Merge 97087 - ScriptController::executeIfJavaScriptURL gets confused by synchronous frame loads (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/874/
Patch Set: Created 9 years, 2 months ago
1 /* 1 /*
2 * Copyright (C) 1999-2001 Harri Porten (porten@kde.org) 2 * Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
3 * Copyright (C) 2001 Peter Kelly (pmk@post.com) 3 * Copyright (C) 2001 Peter Kelly (pmk@post.com)
4 * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved. 4 * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
5 * 5 *
6 * This library is free software; you can redistribute it and/or 6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public 7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either 8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version. 9 * version 2 of the License, or (at your option) any later version.
10 * 10 *
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
86 86
87 if (!m_frame->page() 87 if (!m_frame->page()
88 || !m_frame->page()->javaScriptURLsAreAllowed() 88 || !m_frame->page()->javaScriptURLsAreAllowed()
89 || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs() 89 || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs()
90 || m_frame->inViewSourceMode()) 90 || m_frame->inViewSourceMode())
91 return true; 91 return true;
92 92
93 // We need to hold onto the Frame here because executing script can 93 // We need to hold onto the Frame here because executing script can
94 // destroy the frame. 94 // destroy the frame.
95 RefPtr<Frame> protector(m_frame); 95 RefPtr<Frame> protector(m_frame);
96 RefPtr<Document> ownerDocument(m_frame->document());
96 97
97 const int javascriptSchemeLength = sizeof("javascript:") - 1; 98 const int javascriptSchemeLength = sizeof("javascript:") - 1;
98 99
99 String decodedURL = decodeURLEscapeSequences(url.string()); 100 String decodedURL = decodeURLEscapeSequences(url.string());
100 ScriptValue result = executeScript(decodedURL.substring(javascriptSchemeLeng th)); 101 ScriptValue result = executeScript(decodedURL.substring(javascriptSchemeLeng th));
101 102
102 // If executing script caused this frame to be removed from the page, we 103 // If executing script caused this frame to be removed from the page, we
103 // don't want to try to replace its document! 104 // don't want to try to replace its document!
104 if (!m_frame->page()) 105 if (!m_frame->page())
105 return true; 106 return true;
(...skipping 12 matching lines...) Expand all
118 // FIXME: We should always replace the document, but doing so 119 // FIXME: We should always replace the document, but doing so
119 // synchronously can cause crashes: 120 // synchronously can cause crashes:
120 // http://bugs.webkit.org/show_bug.cgi?id=16782 121 // http://bugs.webkit.org/show_bug.cgi?id=16782
121 if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) { 122 if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
122 // We're still in a frame, so there should be a DocumentLoader. 123 // We're still in a frame, so there should be a DocumentLoader.
123 ASSERT(m_frame->document()->loader()); 124 ASSERT(m_frame->document()->loader());
124 125
125 // DocumentWriter::replaceDocument can cause the DocumentLoader to get d eref'ed and possible destroyed, 126 // DocumentWriter::replaceDocument can cause the DocumentLoader to get d eref'ed and possible destroyed,
126 // so protect it with a RefPtr. 127 // so protect it with a RefPtr.
127 if (RefPtr<DocumentLoader> loader = m_frame->document()->loader()) 128 if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
128 loader->writer()->replaceDocument(scriptResult); 129 loader->writer()->replaceDocument(scriptResult, ownerDocument.get()) ;
129 } 130 }
130 return true; 131 return true;
131 } 132 }
132 133
133 } // namespace WebCore 134 } // namespace WebCore
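Review bot: The added `RefPtr<Document> ownerDocument(m_frame->document());` at new line 96 has no comment saying why the document is pinned before `executeScript`; the existing comment above it only explains the Frame protector. Going by the commit title, a synchronous frame load during script execution can presumably change what `m_frame->document()` returns, so I would add `// Capture the initiating document before running script: a synchronous load can swap m_frame->document(), and replaceDocument must use the initiator.` New lines 124 and 128 still take the loader from `m_frame->document()` after the script has run, which may no longer be `ownerDocument`; if that mix is intended it deserves a one-line comment, and if not, a guard such as `if (m_frame->document() != ownerDocument) return true;` is worth considering, though whether that is correct depends on `replaceDocument`, which is not shown. The function begins in the skipped lines, so its signature and earlier checks are not visible here.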