Cherry-pick 274963@main (3935730). https://bugs.webkit.org/show_bug.c…

…gi?id=269643

    HTMLPreloadScanner should only use valid `base` urls

    https://bugs.webkit.org/show_bug.cgi?id=269643

    Reviewed by Ryosuke Niwa.

    Partial Merge: https://chromium.googlesource.com/chromium/blink/+/754b22f62f6fa5f0b938a90c0e92502eb7f5a7c3

    Before this patch, HTMLPreloadScanner accepted invalid `base` urls and
    used it to resolve urls encountered later in the scan.
    This patch ensures that only valid urls specified in `base href` are
    actually used as base urls.

    * Source/WebCore/html/parser/HTMLPreloadScanner.cpp:
    (TokenPreloadScanner::updatePredictedBaseURL):
    * LayoutTests/fast/parser/badurl-base-preloader-crash.html: Add Test Case
    * LayoutTests/fast/parser/badurl-base-preloader-crash-expected.txt: Add Test Case Expectation
    * LayoutTests/http/tests/loading/preload-ignore-invalid-base.html: Add Test Case
    * LayoutTests/http/tests/loading/resources/fail.js: Add Test Case Helper Script
    * LayoutTests/http/tests/loading/preload-ignore-invalid-base-expected.txt: Add Test Expectation

    Canonical link: https://commits.webkit.org/274963@main

LayoutTests/fast/parser/badurl-base-preloader-crash-expected.txt

@@ -0,0 +1 @@
+PASS: if scanning this document with preloader doesn't crash in debug builds

LayoutTests/fast/parser/badurl-base-preloader-crash.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<base href="gopher:��&#279%�:0"></base>
+<script src=":"></script>
+<script>
+if (window.testRunner) testRunner.dumpAsText();
+</script>
+<p>PASS: if scanning this document with preloader doesn't crash in debug builds</p>

LayoutTests/http/tests/loading/preload-ignore-invalid-base-expected.txt

@@ -0,0 +1,11 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+PASS internals.isPreloaded("resources/fail.js") is false
+PASS window.fail is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/loading/preload-ignore-invalid-base.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+window.fail = false;
+</script>
+<base href="gopher:???:"></base>
+<script src="http://127.0.0.1:8000/resources/slow-script.pl?delay=100"></script>
+<script>
+shouldBeFalse('internals.isPreloaded("resources/fail.js")')
+</script>
+<!-- The resource should not be read, as the baseUrl is now set to empty from reading invalid url -->
+<script src="resources/fail.js"></script>
+<script>
+shouldBeFalse('window.fail')
+</script>

LayoutTests/http/tests/loading/resources/fail.js

@@ -0,0 +1 @@
+window.fail=true;

Source/WebCore/html/parser/HTMLPreloadScanner.cpp

@@ -505,7 +505,7 @@ void TokenPreloadScanner::updatePredictedBaseURL(const HTMLToken& token, bool sh
         return;
     URL temp { m_documentURL, StringImpl::create8BitIfPossible(hrefAttribute->value) };
     if (!shouldRestrictBaseURLSchemes || SecurityPolicy::isBaseURLSchemeAllowed(temp))
-        m_predictedBaseElementURL = WTFMove(temp).isolatedCopy();
+        m_predictedBaseElementURL = WTFMove(temp).isValid() ? WTFMove(temp).isolatedCopy() : URL();
 }
 
 HTMLPreloadScanner::HTMLPreloadScanner(const HTMLParserOptions& options, const URL& documentURL, float deviceScaleFactor)