    Frame element doesn't always unload its child frame. · 4f074eea
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=94717
    
    Patch by Sergey Glazunov <serg.glazunov@gmail.com> on 2012-09-04
    Reviewed by Hajime Morita.
    
    Source/WebCore:
    
    It's possible for a frame element that has been removed from the document
    to retain an active child frame. This inconsistent state may become a source
    of security vulnerabilities.
    
    The patch adds a global HashSet to store the nodes currently processed by
    ChildFrameDisconnector. Insertion into these nodes' subtrees is not allowed until
    the processing is complete.
    
    Also, the ChildFrameDisconnector call in removeChild(ren) is now immediately
    followed by the actual removal.
    
    Test: fast/frames/out-of-document-iframe-has-child-frame.html
    
    * dom/ContainerNode.cpp:
    (WebCore::willRemoveChildren): Move the ChildFrameDisconnector call out of a loop.
    (WebCore::ContainerNode::removeChild): Rearrange some event firing code.
    (WebCore::ContainerNode::removeChildren): Ditto.
    * dom/ContainerNodeAlgorithms.cpp:
    (WebCore::ChildFrameDisconnector::collectDescendant): Pass a new parameter to collectDescendant(Node*).
    * dom/ContainerNodeAlgorithms.h:
    (WebCore::ChildFrameDisconnector::ChildFrameDisconnector):
    (ChildFrameDisconnector): Maintain a list of nodes that have an active ChildFrameDisconnector.
    (WebCore::ChildFrameDisconnector::~ChildFrameDisconnector):
    (WebCore::ChildFrameDisconnector::rootNodes):
    (WebCore::ChildFrameDisconnector::collectDescendant): Add ShouldIncludeRoot parameter.
    (WebCore::ChildFrameDisconnector::nodeHasDisconnector):
    (WebCore):
    * dom/Node.cpp:
    (WebCore::checkAcceptChild): Reject a parent node if it or one of its parents has an active ChildFrameDisconnector.
    * html/HTMLFrameElementBase.cpp:
    (WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions): Check if an element is still in the document.
    
    LayoutTests:
    
    * fast/frames/out-of-document-iframe-has-child-frame-expected.txt: Added.
    * fast/frames/out-of-document-iframe-has-child-frame.html: Added.
    * fast/innerHTML/innerHTML-iframe-expected.txt:
    * platform/chromium/fast/frames/out-of-document-iframe-has-child-frame-expected.txt: Added.
    * platform/chromium/fast/innerHTML: Added.
    * platform/chromium/fast/innerHTML/innerHTML-iframe-expected.txt: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127534 268f45cc-cd09-0410-ab3c-d52691b4dbfc
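    The guard the message describes, in an added C++ sketch: a global set records every root currently being processed by a ChildFrameDisconnector, and the insertion check walks the prospective parent's ancestor chain and refuses the insert while any of them is registered. This is illustration written for this page, not WebCore code: the Node, ChildFrameDisconnector, appendChild and nodeHasDisconnector names below are a simplified model of the real classes, and the "active frame" flag stands in for a frame element owning a child frame.

```cpp
// Added illustration of the guard described in the commit message; not WebCore
// code. Node/ChildFrameDisconnector/appendChild here are a simplified model.
#include <cstdio>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<Node*> children;
    bool hasActiveFrame = false; // models a frame element that owns a child frame
    explicit Node(std::string n) : name(std::move(n)) {}
};

// Global registry of subtree roots currently being disconnected
// (the analogue of the global HashSet the patch adds).
static std::unordered_set<Node*>& activeDisconnectorRoots() {
    static std::unordered_set<Node*> roots;
    return roots;
}

// RAII: the root stays registered for the lifetime of the disconnector,
// so insertion checks can see that processing is still in progress.
class ChildFrameDisconnector {
public:
    explicit ChildFrameDisconnector(Node* root) : m_root(root) {
        activeDisconnectorRoots().insert(root);
    }
    ~ChildFrameDisconnector() { activeDisconnectorRoots().erase(m_root); }

    // Walk the subtree (root included) and detach every active frame.
    // Returns the number of frames disconnected.
    int disconnect() {
        int count = 0;
        std::vector<Node*> stack{m_root};
        while (!stack.empty()) {
            Node* n = stack.back();
            stack.pop_back();
            if (n->hasActiveFrame) { n->hasActiveFrame = false; ++count; }
            for (Node* c : n->children) stack.push_back(c);
        }
        return count;
    }

private:
    Node* m_root;
};

// The check from checkAcceptChild: a parent is rejected if it or any
// ancestor has an active disconnector.
bool nodeHasDisconnector(Node* n) {
    for (Node* p = n; p; p = p->parent)
        if (activeDisconnectorRoots().count(p)) return true;
    return false;
}

// Returns false (insert refused) while the target subtree is being disconnected.
bool appendChild(Node* parent, Node* child) {
    if (nodeHasDisconnector(parent)) return false;
    child->parent = parent;
    parent->children.push_back(child);
    return true;
}

// Scenario: while a subtree is being disconnected, a callback tries to insert
// a new frame-owning node under a node that was already walked. Without the
// guard that node would keep an active frame inside a removed subtree; with
// the guard the insert is refused until processing completes.
bool insertionDuringDisconnectIsRejected() {
    Node doc("document"), wrapper("div"), iframe("iframe"), late("iframe");
    appendChild(&doc, &wrapper);
    appendChild(&wrapper, &iframe);
    iframe.hasActiveFrame = true;
    late.hasActiveFrame = true;
    bool rejected = false;
    {
        ChildFrameDisconnector disconnector(&wrapper);
        disconnector.disconnect();
        rejected = !appendChild(&iframe, &late); // ancestor "wrapper" is registered
    }
    // Once the disconnector is gone, the same insert is accepted again.
    return rejected && !nodeHasDisconnector(&wrapper) && appendChild(&doc, &late);
}

// Sanity check for the walk itself: two active frames under one root.
int disconnectedFrameCount() {
    Node root("div"), f1("iframe"), f2("iframe");
    appendChild(&root, &f1);
    appendChild(&root, &f2);
    f1.hasActiveFrame = f2.hasActiveFrame = true;
    ChildFrameDisconnector d(&root);
    return d.disconnect();
}

int main() {
    std::printf("frames disconnected: %d\n", disconnectedFrameCount());
    std::printf("insert during disconnect rejected: %s\n",
                insertionDuringDisconnectIsRejected() ? "yes" : "no");
    return 0;
}
```

    The point of keeping the registration in an RAII object is that the window in which inserts are refused exactly matches the lifetime of the disconnector, which is what the patch relies on when it places the actual removal immediately after the ChildFrameDisconnector call.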