Form submission after navigation fails when decidePolicyForNavigationAction is async

https://bugs.webkit.org/show_bug.cgi?id=182412
<rdar://problem/35181099>

Reviewed by Alex Christensen.

Source/WebCore:

When the form is submitted and schedules the load in an iframe that is already loading,
FrameLoader::stopLoading() is called as expected. However, because policy checks can
now be asynchronous, stopLoading() also needs to stop pending policy checks. Otherwise,
continueLoadAfterNavigationPolicy() gets called for a cancelled load and we're in trouble
because the FrameLoader was reused for another load since then.

Test: http/tests/navigation/sync-form-submit-iframe.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopLoading):

LayoutTests:

Import layout test coverage from Alex's earlier patch.

* http/tests/navigation/resources/a.html: Added.
* http/tests/navigation/resources/b.html: Added.
* http/tests/navigation/sync-form-submit-iframe-expected.txt: Added.
* http/tests/navigation/sync-form-submit-iframe.html: Added.


Canonical link: https://commits.webkit.org/198430@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228299 268f45cc-cd09-0410-ab3c-d52691b4dbfc
cdumez committed Feb 8, 2018
1 parent 735e616 commit c1945817d410bc1b58ed5ce059ef539cd3efe2cc
@@ -1,3 +1,18 @@
2018-02-08 Chris Dumez <cdumez@apple.com>

Form submission after navigation fails when decidePolicyForNavigationAction is async
https://bugs.webkit.org/show_bug.cgi?id=182412
<rdar://problem/35181099>

Reviewed by Alex Christensen.

Import layout test coverage from Alex's earlier patch.

* http/tests/navigation/resources/a.html: Added.
* http/tests/navigation/resources/b.html: Added.
* http/tests/navigation/sync-form-submit-iframe-expected.txt: Added.
* http/tests/navigation/sync-form-submit-iframe.html: Added.

2018-02-08 Per Arne Vollan <pvollan@apple.com>

Mark accessibility/aria-hidden-updates-alldescendants.html as a failure on Windows.
@@ -0,0 +1,3 @@
<script>
parent.postMessage('a', '*');
</script>
@@ -0,0 +1,3 @@
<script>
parent.postMessage('b', '*');
</script>
@@ -0,0 +1,3 @@
ALERT: PASS


@@ -0,0 +1,31 @@
<script>
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
if (testRunner.setShouldDecideNavigationPolicyAfterDelay)
testRunner.setShouldDecideNavigationPolicyAfterDelay(true);
}

function receiveMessage(e)
{
alert(e.data == 'b' ? 'PASS' : 'FAIL');
if (window.testRunner)
testRunner.notifyDone();
}
window.addEventListener("message", receiveMessage, false);

function runtest() {
var iframe = document.createElement('iframe');
iframe.src = 'resources/a.html';
iframe.name = 'framename';
document.body.appendChild(iframe);

var form = document.createElement('form');
form.setAttribute('method', 'post');
form.setAttribute('action', 'resources/b.html');
form.setAttribute('target', 'framename');
document.body.appendChild(form);
form.submit();
}
</script>
<body onload='runtest()'/>
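Review bot: the guard "if (testRunner.setShouldDecideNavigationPolicyAfterDelay)" at the top of the script lets the test fall back to synchronous policy decisions when the setter is missing, so it can print PASS without exercising the asynchronous path this change is about. Consider failing or skipping explicitly in that case, or noting in the test expectations which configurations lack the setter. In receiveMessage(), e.data is compared without checking e.source; comparing e.source against the iframe's contentWindow would tie the result to the frame under test. Minor: "<body onload='runtest()'/>" is not a valid self-closing element in HTML, so write it as an ordinary open and close tag pair.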
@@ -1,3 +1,22 @@
2018-02-08 Chris Dumez <cdumez@apple.com>

Form submission after navigation fails when decidePolicyForNavigationAction is async
https://bugs.webkit.org/show_bug.cgi?id=182412
<rdar://problem/35181099>

Reviewed by Alex Christensen.

When the form is submitted and schedules the load in an iframe that is already loading,
FrameLoader::stopLoading() is called as expected. However, because policy checks can
now be asynchronous, stopLoading() also needs to stop pending policy checks. Otherwise,
continueLoadAfterNavigationPolicy() gets called for a cancelled load and we're in trouble
because the FrameLoader was reused for another load since then.

Test: http/tests/navigation/sync-form-submit-iframe.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopLoading):

2018-02-08 Zalan Bujtas <zalan@apple.com>

[RenderTreeBuilder] Do not use RenderTreeBuilder::current() in RenderRubyRun::takeChild
@@ -488,6 +488,8 @@ void FrameLoader::stopLoading(UnloadEventPolicy unloadEventPolicy)
DatabaseManager::singleton().stopDatabases(*document, nullptr);
}

policyChecker().stopCheck();

// FIXME: This will cancel redirection timer, which really needs to be restarted when restoring the frame from b/f cache.
m_frame.navigationScheduler().cancel();
}
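Review bot: the new policyChecker().stopCheck() call in stopLoading() carries no comment, and the FIXME right after it is about the redirection timer, so the reason for the call lives only in the ChangeLog. A one-line comment saying that a pending asynchronous policy check must not reach continueLoadAfterNavigationPolicy() once the load has been cancelled would keep the call from being dropped in a later cleanup. The call is also unconditional, so every caller of stopLoading() now cancels any pending check; it is worth confirming that no caller depends on an in-flight check surviving this call.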
