Commit
Cherry-pick 274097.9@webkit-2024.2-embargoed (f81d56c47751). https://…
…bugs.webkit.org/show_bug.cgi?id=268769

HTMLPlugInImageElement: verify that element is in same document before requesting a load
https://bugs.webkit.org/show_bug.cgi?id=268769

Reviewed by Ryosuke Niwa.

The testcase shows a scenario where a plugin is set up to start loading the plugin contents from an event loop; however, before the event loop is started the rest of the script will run, which moves the plugin to a different document, thus hitting an ASSERT in WebFrame::createSubframe when the load is performed. Protect against this by returning early when this situation is detected in the event loop.

* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt: Added.
* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Canonical link: https://commits.webkit.org/274097.9@webkit-2024.2-embargoed
Canonical link: https://commits.webkit.org/272448.695@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.227@webkitglib/2.44
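To illustrate the check the commit describes, here is an added C++ model (not WebKit code; `Document`, `PlugInElement`, `EventLoop` and this `requestObject` are hypothetical stand-ins) in which a load deferred to an event-loop task is skipped when the element was moved to a different document after the task was scheduled.

```cpp
#include <algorithm>
#include <functional>
#include <utility>
#include <vector>
struct Document;
struct PlugInElement {
    Document* document = nullptr; // owning document; changes when script adopts the node
    bool loadPerformed = false;
};
struct Document {
    std::vector<PlugInElement*> elements;
    // Move an element into this document (simplified node adoption).
    void adopt(PlugInElement& element) {
        if (element.document) {
            auto& old = element.document->elements;
            old.erase(std::remove(old.begin(), old.end(), &element), old.end());
        }
        element.document = this;
        elements.push_back(&element);
    }
};
// Hypothetical single-threaded event loop: queued tasks run only when explicitly drained.
struct EventLoop {
    std::vector<std::function<void()>> tasks;
    void queueTask(std::function<void()> task) { tasks.push_back(std::move(task)); }
    void runPendingTasks() { auto pending = std::move(tasks); tasks.clear(); for (auto& t : pending) t(); }
};
// Models the patched requestObject(): remember the document at scheduling time
// and return early from the task if the element has since moved elsewhere.
void requestObject(EventLoop& loop, PlugInElement& element) {
    Document* scheduledDocument = element.document;
    loop.queueTask([&element, scheduledDocument] {
        if (element.document != scheduledDocument)
            return; // the fix: do not create a subframe for a moved element
        element.loadPerformed = true; // still in the original document: safe to load
    });
}
// Testcase sequence: schedule the load, optionally move the plugin to another
// document, then drain the loop. Returns whether the load actually ran.
bool loadPerformed(bool moveBeforeTaskRuns) {
    Document original, other;
    EventLoop loop;
    PlugInElement plugin;
    original.adopt(plugin);
    requestObject(loop, plugin);
    if (moveBeforeTaskRuns)
        other.adopt(plugin); // the rest of the script moves the plugin first
    loop.runPendingTasks();
    return plugin.loadPerformed;
}
```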