Bug 1550881. Prevent document.open() calls from descendant subframes' unload handlers triggered by document.open() from doing anything useful. r=hsivonen

Differential Revision: https://phabricator.services.mozilla.com/D30728

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Boris Zbarsky 2019-05-17 12:45:35 +00:00
Parent a64e4ed3bf
Commit 3c9056d16f
4 changed files: 38 additions and 1 deletion

View file

@ -0,0 +1,13 @@
<!DOCTYPE html>
<iframe srcdoc="<iframe></iframe>"></iframe>
<script>
onload = function() {
parent = frames[0];
child = parent[0];
child.onunload = function() {
parent.document.open();
}
parent.document.open();
parent.document.write("Hello");
}
</script>
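Review bot: This crashtest only verifies that the nested `parent.document.open()` in the child's unload handler does not crash; nothing asserts that the inner open() was actually ignored. A one-line comment stating the intended outcome (the inner call is a no-op while the outer open() is disconnecting the tree) would make the test's purpose clear to someone bisecting a later regression, and a companion mochitest or wpt that checks the resulting document content would cover the behaviour the commit summary describes.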

View file

@ -0,0 +1,14 @@
<!DOCTYPE html>
<iframe srcdoc="<iframe></iframe>"></iframe>
<script>
onload = function() {
parent = frames[0];
child = parent[0];
child.onunload = function() {
parent.document.open();
parent.document.write("Nested");
}
parent.document.open();
parent.document.write("Hello");
}
</script>
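Review bot: This file differs from 1550881-1.html only by the added `parent.document.write("Nested");` in the unload handler, and both tests end without a `document.close()`, so the two could be folded into one test or the second could state in a comment what the extra write is exercising (a write() against the document whose open() was ignored). As written, the expected result, that "Hello" rather than "Nested" ends up in the frame, is nowhere recorded.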

View file

@ -89,3 +89,5 @@ asserts(0-4) load 1401726.html
load 1412173.html
load 1440523.html
load 1547057.html
load 1550881-1.html
load 1550881-2.html
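Review bot: The two new entries carry no `asserts()` annotation, unlike the `asserts(0-4) load 1401726.html` line visible in the hunk header. If the ignored nested open() path trips any NS_ASSERTION in debug builds, these entries will turn the crashtest run red, so it is worth confirming a debug run is clean before landing.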

View file

@ -1098,7 +1098,15 @@ Document* nsHTMLDocument::Open(const Optional<nsAString>& /* unused */,
}
// Step 10 -- remove all our DOM kids without firing any mutation events.
DisconnectNodeTree();
{
// We want to ignore any recursive calls to Open() that happen while
// disconnecting the node tree. The spec doesn't say to do this, but the
// spec also doesn't envision unload events on subframes firing while we do
// this, while all browsers fire them in practice. See
// <https://github.com/whatwg/html/issues/4611>.
IgnoreOpensDuringUnload ignoreOpenGuard(this);
DisconnectNodeTree();
}
// Step 11 -- if we're the current document in our docshell, do the
// equivalent of pushState() with the new URL we should have.