Prevent hidden documents from locking the screen orientation

https://bugs.webkit.org/show_bug.cgi?id=247248 rdar://102019707 Reviewed by Youenn Fablet. * LayoutTests/fast/screen-orientation/hidden-document-check-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/resources/testdriver-vendor.js: (window.test_driver_internal.action_sequence): (async if): (window.test_driver_internal.minimize_window): (window.test_driver_internal.set_window_rect): * LayoutTests/imported/w3c/web-platform-tests/screen-orientation/hidden_document-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/screen-orientation/hidden_document.html: Added. * LayoutTests/platform/ios/TestExpectations: * Source/WebCore/page/ScreenOrientation.cpp: (WebCore::ScreenOrientation::lock): Canonical link: https://commits.webkit.org/257019@main
WebKit · Nov 25, 2022 · a68ef76884df02cb25c760874bfc38df99c09783 · a68ef76
1 parent c8c8117
commit a68ef76884df02cb25c760874bfc38df99c09783
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 1 deletion.
diff --git a/LayoutTests/fast/screen-orientation/hidden-document-check-expected.txt b/LayoutTests/fast/screen-orientation/hidden-document-check-expected.txt
@@ -0,0 +1,12 @@
+This test checks that trying to lock or unlock a hidden document results in a SecurityError.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.hidden is true
+PASS SecurityError rejected promise  with SecurityError: Only visible documents can lock the screen orientation.
+PASS screen.orientation.unlock() threw exception SecurityError: Only visible documents can unlock the screen orientation.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/resources/testdriver-vendor.js b/LayoutTests/imported/w3c/web-platform-tests/resources/testdriver-vendor.js
@@ -250,7 +250,7 @@ window.test_driver_internal.click = function (element, coords)
 
 window.test_driver_internal.action_sequence = function(sources)
 {
-    // https://w3c.github.io/webdriver/#processing-actions    
+    // https://w3c.github.io/webdriver/#processing-actions
 
     let noneSource;
     let pointerSource;
@@ -338,3 +338,57 @@ window.test_driver_internal.consume_user_activation = async function(context)
         throw new Error("unimplemented");
     return context.internals.consumeTransientActivation();
 }
+
+/**
+ *
+ * @param {Window} context
+ * @returns {Promise<DOMRect>}
+ */
+window.test_driver_internal.minimize_window = async function (context=null)
+{
+    if (context === null)
+        context = window;
+
+    if (context.document?.fullscreenElement)
+        await context.document.exitFullscreen();
+
+    const rect = internals.visualViewportRect();
+
+    if (context.document.visibilityState === "hidden")
+        return rect;
+
+    await new Promise(resolve => {
+        context.addEventListener("visibilitychange", resolve, { once: true });
+        testRunner.setPageVisibility("hidden");
+    });
+
+    return rect;
+}
+
+/**
+ *
+ * @param {DOMRect} rect
+ * @param {Window} context
+ * @returns {Promise<void>}
+ */
+window.test_driver_internal.set_window_rect = async function (rect, context=null)
+{
+    if (typeof rect !== "object" || typeof rect.width !== "number" || typeof rect.height !== "number")
+        throw new Error("Invalid rect");
+
+    if (context === null)
+        context = window;
+
+    if (context.document?.fullscreenElement)
+        await context.document.exitFullscreen();
+
+    context.testRunner.setViewSize(rect.width, rect.height);
+
+    if (context.document.visibilityState === "visible")
+        return;
+
+    await new Promise(resolve => {
+        context.addEventListener("visibilitychange", resolve, { once: true });
+        testRunner.setPageVisibility("visible");
+    });
+}
diff --git a/LayoutTests/imported/w3c/web-platform-tests/screen-orientation/hidden_document-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/screen-orientation/hidden_document-expected.txt
@@ -0,0 +1,3 @@
+
+PASS test locking the orientation when document is hidden
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/screen-orientation/hidden_document.html b/LayoutTests/imported/w3c/web-platform-tests/screen-orientation/hidden_document.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long" />
+<title>Prevent hidden documents from locking orientation</title>
+<link rel="help" href="https://github.com/w3c/screen-orientation/pull/232" />
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<script type="module">
+  import { getOppositeOrientation } from "./resources/orientation-utils.js";
+  let rect;
+
+  promise_setup(async (t) => {
+    rect = await test_driver.minimize_window();
+    assert_true(document.hidden, "document must be hidden");
+  });
+
+  promise_test(async (t) => {
+    await promise_rejects_dom(
+      t,
+      "SecurityError",
+      screen.orientation.lock("landscape"),
+      "Locking orientation must reject when the document is hidden"
+    );
+
+    assert_throws_dom(
+      "SecurityError",
+      () => {
+        screen.orientation.unlock();
+      },
+      "Unlocking orientation must throw when the document is hidden"
+    );
+
+    await test_driver.set_window_rect(rect);
+    assert_false(document.hidden, "document must not be hidden");
+    // not longer throws
+    screen.orientation.unlock();
+  }, "test locking the orientation when document is hidden");
+</script>
diff --git a/LayoutTests/platform/ios/TestExpectations b/LayoutTests/platform/ios/TestExpectations
@@ -367,6 +367,7 @@ webkit.org/b/165799 svg/animations/animations-paused-page-non-visible.html [ Ski
 webkit.org/b/165799 svg/animations/animations-paused-in-background-page-iframe.html [ Skip ]
 webkit.org/b/165799 svg/animations/animations-paused-in-background-page.html [ Skip ]
 webkit.org/b/165799 webaudio/silent-audio-interrupted-in-background.html [ Skip ]
+webkit.org/b/165799 imported/w3c/web-platform-tests/screen-orientation/hidden_document.html
 
 # AutoFill button is not supported
 fast/forms/auto-fill-button/mouse-down-input-mouse-release-auto-fill-button.html

diff --git a/Source/WebCore/page/ScreenOrientation.cpp b/Source/WebCore/page/ScreenOrientation.cpp
@@ -110,6 +110,12 @@ void ScreenOrientation::lock(LockType lockType, Ref<DeferredPromise>&& promise)
         promise->reject(Exception { SecurityError, "Only first party documents can lock the screen orientation"_s });
         return;
     }
+
+    if (document->page() && !document->page()->isVisible()) {
+        promise->reject(Exception { SecurityError, "Only visible documents can lock the screen orientation"_s });
+        return;
+    }
+
     if (document->settings().fullscreenRequirementForScreenOrientationLockingEnabled()) {
 #if ENABLE(FULLSCREEN_API)
         if (!document->fullscreenManager().isFullscreen()) {
@@ -157,6 +163,9 @@ ExceptionOr<void> ScreenOrientation::unlock()
     if (!document->isSameOriginAsTopDocument())
         return { };
 
+    if (document->page() && !document->page()->isVisible())
+        return Exception { SecurityError, "Only visible documents can unlock the screen orientation"_s };
+
     if (auto* manager = this->manager())
         manager->unlock();
     return { };