Merge r228299 - Form submission after navigation fails when decidePol…

…icyForNavigationAction is async https://bugs.webkit.org/show_bug.cgi?id=182412 <rdar://problem/35181099> Reviewed by Alex Christensen. Source/WebCore: When the form is submitted and schedules the load in an iframe that is already loading, FrameLoader::stopLoading() is called as expected. However, because policy checks can now be asynchronous, stopLoading() also needs to stop pending policy checks. Otherwise, continueLoadAfterNavigationPolicy() gets called for a cancelled load and we're in trouble because the FrameLoader was reused for another load since then. Test: http/tests/navigation/sync-form-submit-iframe.html * loader/FrameLoader.cpp: (WebCore::FrameLoader::stopLoading): LayoutTests: Import layout test coverage from Alex's earlier patch. * http/tests/navigation/resources/a.html: Added. * http/tests/navigation/resources/b.html: Added. * http/tests/navigation/sync-form-submit-iframe-expected.txt: Added. * http/tests/navigation/sync-form-submit-iframe.html: Added.
WebKit · Feb 19, 2018 · bb6b712 · bb6b712
1 parent d9ee9ab
commit bb6b712
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2018-02-08  Chris Dumez  <cdumez@apple.com>
+
+        Form submission after navigation fails when decidePolicyForNavigationAction is async
+        https://bugs.webkit.org/show_bug.cgi?id=182412
+        <rdar://problem/35181099>
+
+        Reviewed by Alex Christensen.
+
+        Import layout test coverage from Alex's earlier patch.
+
+        * http/tests/navigation/resources/a.html: Added.
+        * http/tests/navigation/resources/b.html: Added.
+        * http/tests/navigation/sync-form-submit-iframe-expected.txt: Added.
+        * http/tests/navigation/sync-form-submit-iframe.html: Added.
+
 2018-02-08  Chris Fleizach  <cfleizach@apple.com>
 
         AX: Defer attribute computation until needed.

diff --git a/LayoutTests/http/tests/navigation/resources/a.html b/LayoutTests/http/tests/navigation/resources/a.html
@@ -0,0 +1,3 @@
+<script>
+parent.postMessage('a', '*');
+</script>
diff --git a/LayoutTests/http/tests/navigation/resources/b.html b/LayoutTests/http/tests/navigation/resources/b.html
@@ -0,0 +1,3 @@
+<script>
+parent.postMessage('b', '*');
+</script>
diff --git a/LayoutTests/http/tests/navigation/sync-form-submit-iframe-expected.txt b/LayoutTests/http/tests/navigation/sync-form-submit-iframe-expected.txt
@@ -0,0 +1,3 @@
+ALERT: PASS
+
+
diff --git a/LayoutTests/http/tests/navigation/sync-form-submit-iframe.html b/LayoutTests/http/tests/navigation/sync-form-submit-iframe.html
@@ -0,0 +1,31 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    if (testRunner.setShouldDecideNavigationPolicyAfterDelay)
+        testRunner.setShouldDecideNavigationPolicyAfterDelay(true);
+}
+
+function receiveMessage(e)
+{
+    alert(e.data == 'b' ? 'PASS' : 'FAIL');
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+window.addEventListener("message", receiveMessage, false);
+
+function runtest() {
+    var iframe = document.createElement('iframe');
+    iframe.src = 'resources/a.html';
+    iframe.name = 'framename';
+    document.body.appendChild(iframe);
+
+    var form = document.createElement('form');
+    form.setAttribute('method', 'post');
+    form.setAttribute('action', 'resources/b.html');
+    form.setAttribute('target', 'framename');
+    document.body.appendChild(form);
+    form.submit();
+}
+</script>
+<body onload='runtest()'/>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2018-02-08  Chris Dumez  <cdumez@apple.com>
+
+        Form submission after navigation fails when decidePolicyForNavigationAction is async
+        https://bugs.webkit.org/show_bug.cgi?id=182412
+        <rdar://problem/35181099>
+
+        Reviewed by Alex Christensen.
+
+        When the form is submitted and schedules the load in an iframe that is already loading,
+        FrameLoader::stopLoading() is called as expected. However, because policy checks can
+        now be asynchronous, stopLoading() also needs to stop pending policy checks. Otherwise,
+        continueLoadAfterNavigationPolicy() gets called for a cancelled load and we're in trouble
+        because the FrameLoader was reused for another load since then.
+
+        Test: http/tests/navigation/sync-form-submit-iframe.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopLoading):
+
 2018-02-08  Zalan Bujtas  <zalan@apple.com>
 
         [RenderTreeBuilder] Do not use RenderTreeBuilder::current() in RenderRubyRun::takeChild

diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
@@ -487,6 +487,8 @@ void FrameLoader::stopLoading(UnloadEventPolicy unloadEventPolicy)
         DatabaseManager::singleton().stopDatabases(*document, nullptr);
     }
 
+    policyChecker().stopCheck();
+
     // FIXME: This will cancel redirection timer, which really needs to be restarted when restoring the frame from b/f cache.
     m_frame.navigationScheduler().cancel();
 }