Iframes and dissimilar origin windows weird stuff - Layout thread panic related #27010

Closed
gterzian opened this issue Jun 21, 2020 · 3 comments

gterzian commented Jun 21, 2020

I think this might point towards a solution for #22507

I'm doing some debugging of the iframe navigation stuff, and I noted some potential weird stuff.

When adding a cross-site iframe to a WPT test document (for example <iframe src="https://github.com"></iframe>), the following sequence seems to happen:

  1. An "about:blank" iframe is created in the same script-thread of the parent. Note that this creates a layout thread, and a document/window/windowproxy.
  2. This "about:blank" iframe is navigated across site, for example to "https://github.com".
  3. This creates a new pipeline, in a new event-loop/script-thread, because the site is different.
  4. Inside the new script-thread, a document/window/windowproxy/layout-thread is created, with a WindowProxy::new_dissimilar_origin used for the "parent" of the document.
  5. When the pipeline created at 4 is activated, the pipeline created at 1 is destroyed (I think as part of the history change).
  6. At some point, the parent window loses access to the child window, and instead is handed a dissimilar origin proxy.

I have this really ugly test below, and intermittently it hits three situations:

  1. All those bounding rect calls succeeded, printing:

```
4 Can still access iframe: [object Document]
 0:03.51 pid:9234 Boundingrect 2: [object DOMRect]
 0:04.51 pid:9234 Boundingrect 3: [object DOMRect]
```

  2. Those last calls fail, printing:

```
 0:03.24 pid:9061 Boundingrect 1: [object DOMRect]
(...)
 0:04.25 pid:9061 [2020-06-21T08:42:50Z ERROR script::dom::bindings::error] Error at :0:0 SecurityError: The operation is insecure.
```

  3. Crash on layout, usually in the third call:

```
 0:03.32 pid:9254 Boundingrect 2: [object DOMRect]
(...)
 0:04.31 pid:9254 Layout thread disconnected.: "SendError(..)" (thread ScriptThread PipelineId { namespace_id: PipelineNamespaceId(1), index: PipelineIndex(1) }, at components/script/dom/window.rs:1699)
```
```html
<!doctype html>
<html class="reftest-wait">
    <head>
        <meta charset=utf-8>
        <title>(Repurposed to crash layout thread)Dynamically growing an iframe element</title>
        <link rel=match href=/_mozilla/mozilla/iframe/resize_after_load_ref.html>
    </head>

    <body>
        <iframe style="border: 0px; display: block; height: 100px; width: 50px" src="https://github.com"></iframe>
        <script>
            var iframe = document.getElementsByTagName('iframe')[0];
            // At this point the iframe still holds the initial about:blank document,
            // which is same-origin with the parent, so contentDocument is accessible.
            var d = iframe.contentDocument;
            // Keep a reference to an element of that initial document; it stays
            // tied to the initial pipeline's layout thread after the navigation.
            var e = d.createElement('div');
            console.log("Boundingrect 1: " + e.getBoundingClientRect());
            iframe.onload = function() {
            }
            setTimeout(function() {
                // By now the cross-site navigation may have replaced the pipeline.
                console.log("Can still access iframe: " + iframe.contentWindow.document)
                console.log("Boundingrect 2: " + e.getBoundingClientRect());
                setTimeout(function() {
                    // Layout query through the stale reference; usually the call that crashes.
                    console.log("Boundingrect 3: " + e.getBoundingClientRect());
                }, 1000);
            }, 100);
        </script>
    </body>
</html>
```
gterzian commented Jun 21, 2020

So to recap, I think there are a few problems:

  1. The parent can still access the "full" local window of the child, until at some point it becomes a remote "dissimilar origin" window. Actually I haven't figured out when or how the switch happens, but it appears intermittent and my guess is the local window is available for a bit too long.
  2. There seems to be a point where the local layout thread of the child has been shut down, yet the parent can still call APIs of a "full" local window (whereas I would assume at that point it should have been a remote dissimilar one, with a layout thread in the other script).

So essentially, when navigating a local "about:blank" iframe to another site, it gets messy with regard to when the iframe element in the parent only has access to a dissimilar origin proxy, and when the local layout thread of the "about:blank" initial pipeline is shut down.

Crashes on layout seem to happen when the parent has access to a local window, whereas the layout thread has already been shut down.

gterzian commented Jun 21, 2020

Correction: it seems the local window does switch to being a dissimilar origin proxy, however any references to dom elements of the origin pipeline can still attempt to communicate with a non-existent layout thread.

So this is actually the same as #23053, except that the iframe is not disconnected; it is rather navigated to a different origin, so the local pipeline and layout threads are closed (and replaced with remote ones running in another script-thread).

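The failure mode described in the comments above, modelled as an added example (this is not Servo's code, and not the fix from #23053): a script-side element keeps a channel handle to the layout thread of the pipeline it was created in; once that pipeline's layout thread has exited, a query sent through the stale handle fails with `SendError`, and an unchecked `expect` on it panics the script thread. The names `LayoutMsg`, `LayoutThread`, `Element`, `spawn_layout` and the geometry returned are hypothetical simplifications of the script/layout messaging pattern, and `bounding_rect` shows one defensive alternative (treat a disconnected layout thread as "no layout available" rather than panicking).

```rust
// Added example, not Servo code: a toy script/layout channel pair showing what a
// stale DOM handle does once its pipeline's layout thread is gone.
use std::sync::mpsc::{self, Receiver, Sender};
use std::thread::{self, JoinHandle};

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Rect {
    pub x: f32,
    pub y: f32,
    pub width: f32,
    pub height: f32,
}

// Hypothetical message type: a layout query carries a one-shot reply sender.
#[derive(Debug)]
pub enum LayoutMsg {
    BoundingRect { node_id: u32, reply: Sender<Rect> },
    Exit,
}

// Handle to a (toy) layout thread owned by a pipeline.
pub struct LayoutThread {
    pub chan: Sender<LayoutMsg>,
    handle: JoinHandle<()>,
}

/// Spawn a layout thread that answers bounding-rect queries until told to exit.
pub fn spawn_layout() -> LayoutThread {
    let (tx, rx): (Sender<LayoutMsg>, Receiver<LayoutMsg>) = mpsc::channel();
    let handle = thread::spawn(move || {
        for msg in rx {
            match msg {
                LayoutMsg::BoundingRect { node_id, reply } => {
                    // Fake geometry derived from the node id (constructed sample data).
                    let rect = Rect { x: 0.0, y: 0.0, width: 50.0, height: 10.0 * node_id as f32 };
                    let _ = reply.send(rect);
                }
                LayoutMsg::Exit => break,
            }
        }
        // `rx` is dropped here; every Sender still held elsewhere now fails to send.
    });
    LayoutThread { chan: tx, handle }
}

impl LayoutThread {
    /// Shut the layout thread down, as happens when its pipeline is destroyed.
    pub fn shutdown(self) {
        let _ = self.chan.send(LayoutMsg::Exit);
        drop(self.chan);
        let _ = self.handle.join();
    }
}

/// A DOM element that keeps a handle to the layout thread of the pipeline it was created in.
pub struct Element {
    pub node_id: u32,
    layout: Sender<LayoutMsg>,
}

impl Element {
    pub fn new(node_id: u32, layout: &LayoutThread) -> Element {
        Element { node_id, layout: layout.chan.clone() }
    }

    /// Unchecked query: panics with "Layout thread disconnected." if the layout
    /// thread is gone, which is the crash seen in the issue's third situation.
    pub fn bounding_rect_unchecked(&self) -> Rect {
        let (reply_tx, reply_rx) = mpsc::channel();
        self.layout
            .send(LayoutMsg::BoundingRect { node_id: self.node_id, reply: reply_tx })
            .expect("Layout thread disconnected.");
        reply_rx.recv().expect("layout thread dropped the reply channel")
    }

    /// Defensive query: a disconnected layout thread yields None instead of a panic.
    pub fn bounding_rect(&self) -> Option<Rect> {
        let (reply_tx, reply_rx) = mpsc::channel();
        let msg = LayoutMsg::BoundingRect { node_id: self.node_id, reply: reply_tx };
        if self.layout.send(msg).is_err() {
            return None;
        }
        reply_rx.recv().ok()
    }
}

fn main() {
    let layout = spawn_layout();
    let e = Element::new(3, &layout);
    println!("before shutdown: {:?}", e.bounding_rect());
    layout.shutdown();
    println!("after shutdown: {:?}", e.bounding_rect());
    // e.bounding_rect_unchecked() would now panic with "Layout thread disconnected."
}
```

The element keeps working through its handle only while the receiving end lives; the moment the layout thread's receiver is dropped, every stale sender fails, so any code path that reaches layout through a reference created in the old pipeline has to check the send result (or be cut off from the old pipeline entirely) rather than assume the thread is there.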
gterzian commented Jun 21, 2020

Ok this is actually fixed by the fix proposed in #23053
