Diffstat (limited to 'Source/WebCore/page')
-rw-r--r-- | Source/WebCore/page/DOMWindow.cpp | 2 | ||||
-rw-r--r-- | Source/WebCore/page/EventHandler.cpp | 29 | ||||
-rw-r--r-- | Source/WebCore/page/Frame.cpp | 4 | ||||
-rw-r--r-- | Source/WebCore/page/FrameView.cpp | 10 | ||||
-rw-r--r-- | Source/WebCore/page/History.cpp | 9 | ||||
-rw-r--r-- | Source/WebCore/page/Location.cpp | 10 | ||||
-rw-r--r-- | Source/WebCore/page/SecurityOrigin.cpp | 5 | ||||
-rw-r--r-- | Source/WebCore/page/Settings.in | 1 | ||||
-rw-r--r-- | Source/WebCore/page/animation/AnimationController.cpp | 2 |
9 files changed, 53 insertions, 19 deletions
diff --git a/Source/WebCore/page/DOMWindow.cpp b/Source/WebCore/page/DOMWindow.cpp
index d91420c58..9bc231ca2 100644
--- a/Source/WebCore/page/DOMWindow.cpp
+++ b/Source/WebCore/page/DOMWindow.cpp
@@ -477,6 +477,8 @@ Page* DOMWindow::page()
 void DOMWindow::frameDestroyed()
 {
+ Ref<DOMWindow> protectedThis(*this);
+
 willDestroyDocumentInFrame();
 FrameDestructionObserver::frameDestroyed();
 resetDOMWindowProperties();
diff --git a/Source/WebCore/page/EventHandler.cpp b/Source/WebCore/page/EventHandler.cpp
index f13749ba0..e8aa9dfb3 100644
--- a/Source/WebCore/page/EventHandler.cpp
+++ b/Source/WebCore/page/EventHandler.cpp
@@ -1128,14 +1128,14 @@ HitTestResult EventHandler::hitTestResultAtPoint(const LayoutPoint& point, HitTe
 }
 }
+ // We should always start hit testing a clean tree.
+ if (m_frame.document())
+ m_frame.document()->updateLayoutIgnorePendingStylesheets();
 HitTestResult result(point, padding.height(), padding.width(), padding.height(), padding.width());
-
 RenderView* renderView = m_frame.contentRenderer();
 if (!renderView)
 return result;
-
- // We should always start hittesting a clean tree.
- renderView->document().updateLayoutIgnorePendingStylesheets();
+
 // hitTestResultAtPoint is specifically used to hitTest into all frames, thus it always allows child frame content.
 HitTestRequest request(hitType | HitTestRequest::AllowChildFrameContent);
 renderView->hitTest(request, result);
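Review bot: The new `Ref<DOMWindow> protectedThis(*this);` at the top of frameDestroyed() carries no comment explaining what it protects against, so its connection to the Frame::~Frame() change in this same diff (draining observers with takeAny()) is invisible to a reader. I would add above it: `// Keep |this| alive for the rest of frameDestroyed(): the calls below may drop the last reference to this window (presumably via observer teardown or script).` The hedge is deliberate, since the call chain that releases the reference is not in this hunk, and the closing brace of frameDestroyed() is outside it too.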
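Review bot: The real fix in hitTestResultAtPoint() is the ordering — `m_frame.contentRenderer()` is now read only after `updateLayoutIgnorePendingStylesheets()`, which presumably can tear down or recreate the render tree — but nothing in the code says so, and a later cleanup could hoist the lookup back above the layout call. Put the reason on the new lines: `// Layout may destroy or recreate the RenderView; fetch contentRenderer() only after it has run.` Minor: `m_frame.document()` is evaluated twice; `if (auto* document = m_frame.document()) document->updateLayoutIgnorePendingStylesheets();` pins the pointer once. hitTestResultAtPoint() begins and ends outside this hunk.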
@@ -1948,6 +1948,24 @@ void EventHandler::invalidateClick()
 m_clickNode = nullptr;
 }
+static Node* targetNodeForClickEvent(Node* mousePressNode, Node* mouseReleaseNode)
+{
+ if (!mousePressNode || !mouseReleaseNode)
+ return nullptr;
+
+ if (mousePressNode == mouseReleaseNode)
+ return mouseReleaseNode;
+
+ Element* mouseReleaseShadowHost = mouseReleaseNode->shadowHost();
+ if (mouseReleaseShadowHost && mouseReleaseShadowHost == mousePressNode->shadowHost()) {
+ // We want to dispatch the click to the shadow tree host element to give listeners the illusion that the
+ // shadom tree is a single element. For example, we want to give the illusion that <input type="range">
+ // is a single element even though it is a composition of multiple shadom tree elements.
+ return mouseReleaseShadowHost;
+ }
+ return nullptr;
+}
+
 bool EventHandler::handleMouseReleaseEvent(const PlatformMouseEvent& platformMouseEvent)
 {
 RefPtr<FrameView> protector(m_frame.view());
@@ -2009,8 +2027,7 @@ bool EventHandler::handleMouseReleaseEvent(const PlatformMouseEvent& platformMou
 bool contextMenuEvent = platformMouseEvent.button() == RightButton;
- Node* targetNode = mouseEvent.targetNode();
- Node* nodeToClick = (m_clickNode && targetNode) ? commonAncestorCrossingShadowBoundary(*m_clickNode, *targetNode) : nullptr;
+ Node* nodeToClick = targetNodeForClickEvent(m_clickNode.get(), mouseEvent.targetNode());
 bool swallowClickEvent = m_clickCount > 0 && !contextMenuEvent && nodeToClick && !dispatchMouseEvent(eventNames().clickEvent, nodeToClick, true, m_clickCount, platformMouseEvent, true);
 if (m_resizeLayer) {
diff --git a/Source/WebCore/page/Frame.cpp b/Source/WebCore/page/Frame.cpp
index c3b46c920..b1b84a462 100644
--- a/Source/WebCore/page/Frame.cpp
+++ b/Source/WebCore/page/Frame.cpp
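Review bot: The comment inside the new targetNodeForClickEvent() helper misspells "shadow" as "shadom" twice (`// shadom tree is a single element.` and `multiple shadom tree elements.`). A one-line header would also help callers, because the helper deliberately returns nullptr — suppressing the click — whenever the press and release targets differ and do not share a shadow host: `// Returns the node that should receive the click for a press on mousePressNode followed by a release on mouseReleaseNode, or nullptr if no click should be dispatched.` That is a visible departure from the commonAncestorCrossingShadowBoundary() behaviour removed in the next hunk, so it is better stated explicitly than left implied by the shadow-host special case.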
@@ -217,8 +217,8 @@ Frame::~Frame()
 disconnectOwnerElement();
- for (auto& observer : m_destructionObservers)
- observer->frameDestroyed();
+ while (auto* destructionObserver = m_destructionObservers.takeAny())
+ destructionObserver->frameDestroyed();
 if (!isMainFrame())
 m_mainFrame.selfOnlyDeref();
diff --git a/Source/WebCore/page/FrameView.cpp b/Source/WebCore/page/FrameView.cpp
index e1dd28906..4bae77613 100644
--- a/Source/WebCore/page/FrameView.cpp
+++ b/Source/WebCore/page/FrameView.cpp
@@ -2649,7 +2649,9 @@ void FrameView::scheduleRelayoutOfSubtree(RenderElement& newRelayoutRoot)
 ASSERT(!renderView.documentBeingDestroyed());
 ASSERT(frame().view() == this);
- if (renderView.needsLayout()) {
+ // When m_layoutRoot is already set, ignore the renderView's needsLayout bit
+ // since we need to resolve the conflict between the m_layoutRoot and newRelayoutRoot layouts.
+ if (renderView.needsLayout() && !m_layoutRoot) {
 m_layoutRoot = &newRelayoutRoot;
 convertSubtreeLayoutToFullLayout();
 return;
@@ -2657,7 +2659,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderElement& newRelayoutRoot)
 if (!layoutPending() && m_layoutSchedulingEnabled) {
 std::chrono::milliseconds delay = renderView.document().minimumLayoutDelay();
- ASSERT(!newRelayoutRoot.container() || !newRelayoutRoot.container()->needsLayout());
+ ASSERT(!newRelayoutRoot.container() || is<RenderView>(newRelayoutRoot.container()) || !newRelayoutRoot.container()->needsLayout());
 m_layoutRoot = &newRelayoutRoot;
 InspectorInstrumentation::didInvalidateLayout(frame());
 m_delayedLayout = delay.count();
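Review bot: The switch from a range-for to `while (auto* destructionObserver = m_destructionObservers.takeAny())` is presumably there because an observer's frameDestroyed() can mutate m_destructionObservers (unregistering itself, or destroying other observers), which would invalidate the iterator of the old loop; that rationale belongs in a comment so nobody reverts it to a range-for for readability. I would add above the loop: `// frameDestroyed() may remove observers from the set; drain it one entry at a time instead of iterating.` Note that removing the entry before invoking the callback means a removeDestructionObserver(this) call made from inside frameDestroyed() must tolerate the observer already being gone — worth confirming against FrameDestructionObserver, which is not in this diff. ~Frame() starts and ends outside this hunk.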
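Review bot: The relaxed ASSERT in the `!layoutPending()` branch now tolerates a container that is the RenderView with needsLayout() set, and the identical three-term expression is repeated twice more in the following hunks of scheduleRelayoutOfSubtree(); a small static helper keeps the three from drifting apart and gives the exception a name. The relaxation is needed because the earlier hunk in this function now lets these paths run while `renderView.needsLayout()` is true (when m_layoutRoot is already set), so a dirty RenderView is expected there rather than a bug, and the helper's comment is the place to say so. scheduleRelayoutOfSubtree() starts and ends outside this hunk.
```cpp
// The container of a subtree layout root must be clean, except for the RenderView itself,
// which may legitimately be dirty while an existing m_layoutRoot is reconciled with newRelayoutRoot.
static bool containerIsCleanForSubtreeLayout(const RenderElement& root)
{
    auto* container = root.container();
    return !container || is<RenderView>(container) || !container->needsLayout();
}

// … unchanged: scheduleRelayoutOfSubtree up to the delay computation …
        ASSERT(containerIsCleanForSubtreeLayout(newRelayoutRoot));
```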
@@ -2678,7 +2680,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderElement& newRelayoutRoot)
 if (isObjectAncestorContainerOf(m_layoutRoot, &newRelayoutRoot)) {
 // Keep the current root.
 newRelayoutRoot.markContainingBlocksForLayout(ScheduleRelayout::No, m_layoutRoot);
- ASSERT(!m_layoutRoot->container() || !m_layoutRoot->container()->needsLayout());
+ ASSERT(!m_layoutRoot->container() || is<RenderView>(m_layoutRoot->container()) || !m_layoutRoot->container()->needsLayout());
 return;
 }
@@ -2686,7 +2688,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderElement& newRelayoutRoot)
 // Re-root at newRelayoutRoot.
 m_layoutRoot->markContainingBlocksForLayout(ScheduleRelayout::No, &newRelayoutRoot);
 m_layoutRoot = &newRelayoutRoot;
- ASSERT(!m_layoutRoot->container() || !m_layoutRoot->container()->needsLayout());
+ ASSERT(!m_layoutRoot->container() || is<RenderView>(m_layoutRoot->container()) || !m_layoutRoot->container()->needsLayout());
 InspectorInstrumentation::didInvalidateLayout(frame());
 return;
 }
diff --git a/Source/WebCore/page/History.cpp b/Source/WebCore/page/History.cpp
index b9571c1d4..d4f184ced 100644
--- a/Source/WebCore/page/History.cpp
+++ b/Source/WebCore/page/History.cpp
@@ -154,6 +154,15 @@ void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const Str
 return;
 }
+ if (fullURL.hasUsername() || fullURL.hasPassword()) {
+ ec.code = SECURITY_ERR;
+ if (stateObjectType == StateObjectType::Replace)
+ ec.message = makeString("Attempt to use history.replaceState() to change session history URL to ", fullURL.string(), " is insecure; Username/passwords aren't allowed in state object URLs");
+ else
+ ec.message = makeString("Attempt to use history.pushState() to add URL ", fullURL.string(), " to session history is insecure; Username/passwords aren't allowed in state object URLs");
+ return;
+ }
+
 Document* mainDocument = m_frame->page()->mainFrame().document();
 History* mainHistory = nullptr;
 if (mainDocument) {
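Review bot: The new SECURITY_ERR messages in stateObjectAdded() interpolate `fullURL.string()` verbatim, so the very username and password the check is rejecting end up in the exception text and, if whoever catches it reports it to the console or a crash log, in those logs too; it is the page's own string, but persisting credentials in logs is still worth avoiding. I would build the message from a credential-stripped copy (setUser/setPass to emptyString, as Location::href() does elsewhere in this same change) or simply omit the URL. Wording nit: "Username/passwords aren't allowed" reads oddly — `"usernames and passwords are not allowed in state object URLs"` is clearer. stateObjectAdded() starts and ends outside this hunk.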
diff --git a/Source/WebCore/page/Location.cpp b/Source/WebCore/page/Location.cpp
index fea54e4af..7eb40017a 100644
--- a/Source/WebCore/page/Location.cpp
+++ b/Source/WebCore/page/Location.cpp
@@ -60,7 +60,15 @@ String Location::href() const
 if (!m_frame)
 return String();
- return url().string();
+ auto& url = this->url();
+
+ if (!url.hasUsername() && !url.hasPassword())
+ return url.string();
+
+ URL urlWithoutCredentials(url);
+ urlWithoutCredentials.setUser(WTF::emptyString());
+ urlWithoutCredentials.setPass(WTF::emptyString());
+ return urlWithoutCredentials.string();
 }
 String Location::protocol() const
diff --git a/Source/WebCore/page/SecurityOrigin.cpp b/Source/WebCore/page/SecurityOrigin.cpp
index 976c33f3f..997a74882 100644
--- a/Source/WebCore/page/SecurityOrigin.cpp
+++ b/Source/WebCore/page/SecurityOrigin.cpp
@@ -375,11 +375,6 @@ bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin, ShouldAll
 if (m_storageBlockingPolicy == BlockAllStorage)
 return false;
- // We allow access to local storage from file URLs also when allowFileAccessFromFileURLs setting is enabled,
- // for backwards compatibility only in WebKitGTK+ 2.12 branch, this should not be backported to any other branch, nor trunk.
- if (isLocal() && !m_universalAccess && m_enforceFilePathSeparation && shouldAllowFromThirdParty != AlwaysAllowFromThirdParty)
- return false;
-
 // FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null.
 if (!topOrigin)
 return true;
diff --git a/Source/WebCore/page/Settings.in b/Source/WebCore/page/Settings.in
index b54f8d31d..24f7e40ec 100644
--- a/Source/WebCore/page/Settings.in
+++ b/Source/WebCore/page/Settings.in
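Review bot: The credential stripping in href() has no why comment, and it is exactly the kind of block a future tidy-up might collapse back to `return url().string();`; add above the `hasUsername()` test: `// Never expose embedded userinfo to script; return the URL with user and password cleared.` The local `url` also shadows the `url()` member, which is why `this->url()` is needed — a name such as `currentURL` removes the shadowing and the `this->`. If other Location accessors return the full URL (the stringifier, for instance — not visible here), they would need the same treatment, which argues for a shared helper rather than repeating setUser/setPass. href() starts outside this hunk; only its signature appears as hunk context.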
@@ -79,6 +79,7 @@ needsSiteSpecificQuirks initial=false
 domTimersThrottlingEnabled initial=true
 webArchiveDebugModeEnabled initial=false, conditional=WEB_ARCHIVE
 localFileContentSniffingEnabled initial=false
+offlineStorageDatabaseEnabled initial=false
 offlineWebApplicationCacheEnabled initial=false
 enforceCSSMIMETypeInNoQuirksMode initial=true
 usesEncodingDetector initial=false
diff --git a/Source/WebCore/page/animation/AnimationController.cpp b/Source/WebCore/page/animation/AnimationController.cpp
index 9bcb2fed1..e1d7f4a50 100644
--- a/Source/WebCore/page/animation/AnimationController.cpp
+++ b/Source/WebCore/page/animation/AnimationController.cpp
@@ -48,7 +48,7 @@ namespace WebCore {
-static const double cAnimationTimerDelay = 0.025;
+static const double cAnimationTimerDelay = 1.0 / 60;
 static const double cBeginAnimationUpdateTimeNotSet = -1;
 class AnimationPrivateUpdateBlock { |
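Review bot: `cAnimationTimerDelay = 1.0 / 60` replaces a plain literal with an expression but says nothing about why 60 was chosen or what unit the constant is in; a comment fixes both: `// Seconds between animation ticks; 1/60 s targets a 60 Hz display refresh.` The unit is inferred from the previous value (0.025) and the name, so confirm it against the timer that consumes the constant before committing to that wording.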