Commit
HTMLPlugInImageElement: verify that element is in same document before requesting a load
https://bugs.webkit.org/show_bug.cgi?id=268769
rdar://121960561

Reviewed by Ryosuke Niwa.

The testcase shows a scenario where a plugin is set up to start loading the plugin contents from an event loop; however, before the event loop is started, the rest of the script will run, which moves the plugin to a different document, thus hitting an ASSERT in WebFrame::createSubframe when the load is performed.

Protect against this by returning early when this situation is detected in the event loop.

* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt: Added.
* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 274097.9@webkit-2024.2-embargoed (f81d56c47751). rdar://128089895
Canonical link: https://commits.webkit.org/278884@main