[webkit-changes] [WebKit/WebKit] d3e11a: Window named getter behaves incorrectly in some ca...

Chris Dumez noreply at github.com
Thu Jun 15 15:25:48 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d3e11a7a1e593d505b2f582ccd48635f4d7ee56c
      https://github.com/WebKit/WebKit/commit/d3e11a7a1e593d505b2f582ccd48635f4d7ee56c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-15 (Thu, 15 Jun 2023)

  Changed paths:
    A LayoutTests/http/tests/frames/frames-with-same-name-cross-origin-expected.txt
    A LayoutTests/http/tests/frames/frames-with-same-name-cross-origin.html
    A LayoutTests/http/tests/frames/frames-with-same-name-expected.txt
    A LayoutTests/http/tests/frames/frames-with-same-name.html
    A LayoutTests/http/tests/frames/resources/frames-with-same-name-cross-origin-frame.html
    A LayoutTests/http/tests/frames/resources/set-window-name-to-foo.html
    M Source/WebCore/bindings/js/JSDOMWindowProperties.cpp
    M Source/WebCore/bindings/js/JSLocalDOMWindowCustom.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/HistoryController.cpp
    M Source/WebCore/page/FrameTree.cpp
    M Source/WebCore/page/FrameTree.h
    M Source/WebCore/page/LocalDOMWindow.cpp
    M Source/WebCore/rendering/HitTestResult.cpp
    M Source/WebKit/WebProcess/Automation/WebAutomationSessionProxy.cpp
    M Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.cpp
    M Source/WebKit/WebProcess/WebPage/WebFrame.cpp
    M Source/WebKitLegacy/mac/WebView/WebFrame.mm

  Log Message:
  -----------
  Window named getter behaves incorrectly in some cases when there are duplicate frame names
https://bugs.webkit.org/show_bug.cgi?id=258108

Reviewed by Darin Adler and Ryosuke Niwa.

When several frames have the same name, WebKit will generate unique frame names
internally. As a result, if a frame gets created with the name "foo", it will
get "foo" as unique name. If a second frame gets created with the name "foo",
we will generate a unique name for this frame (in the "<!-- frame1 -->" format)
instead of using the already taken "foo" name.

The issue is that this is Web-observable when using the named property getter
on Window. `window.foo` is supposed to return the *first* frame with the name
"foo" in tree order. WebKit was previously looking up the frame "foo" via its
unique name. As a result, it would return the frame that was assigned the name "foo"
first, which is not necessarily the first frame with the name "foo" in tree
order. The same issue affects `window.open('', 'foo')`.

To address the issue, we now look up the frame by name instead of unique name.

This aligns our behavior with both Chrome and Firefox. The newly added tests
are passing in Chrome & Firefox but fail in shipping Safari.

* LayoutTests/http/tests/frames/frames-with-same-name-cross-origin-expected.txt: Added.
* LayoutTests/http/tests/frames/frames-with-same-name-cross-origin.html: Added.
* LayoutTests/http/tests/frames/frames-with-same-name-expected.txt: Added.
* LayoutTests/http/tests/frames/frames-with-same-name.html: Added.
* LayoutTests/http/tests/frames/resources/frames-with-same-name-cross-origin-frame.html: Added.
* LayoutTests/http/tests/frames/resources/set-window-name-to-foo.html: Added.
* Source/WebCore/bindings/js/JSDOMWindowProperties.cpp:
(WebCore::jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter):
* Source/WebCore/bindings/js/JSLocalDOMWindowCustom.cpp:
(WebCore::jsLocalDOMWindowGetOwnPropertySlotRestrictedAccess):
* Source/WebCore/page/FrameTree.cpp:
(WebCore::FrameTree::scopedChild const):
(WebCore::FrameTree::scopedChildByUniqueName const):
(WebCore::FrameTree::scopedChildByName const):
* Source/WebCore/page/FrameTree.h:
* Source/WebKit/WebProcess/Automation/WebAutomationSessionProxy.cpp:
(WebKit::WebAutomationSessionProxy::resolveChildFrameWithName):

Canonical link: https://commits.webkit.org/265211@main
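
The divergence described in the log message, as an added example that is not part of the commit or of WebKit's code: a simplified model in which the first frame to claim a name keeps it as its unique name and later frames get a generated one. The class and method names are hypothetical, and the generated-name string only imitates the "<!-- frame1 -->" format the message mentions.

```javascript
// Simplified model (assumption): not WebKit code, names are hypothetical.
class FrameTreeModel {
  constructor() {
    this.children = [];   // always kept in tree order
    this.generated = 0;   // counter for generated unique names
  }

  // Insert a child frame at a tree-order position (default: append).
  // The first frame to claim `name` keeps it as unique name; a later frame
  // with the same name gets a generated unique name instead.
  insertChild(label, name, index = this.children.length) {
    const taken = this.children.some((f) => f.uniqueName === name);
    const uniqueName = taken ? `<!-- frame${++this.generated} -->` : name;
    const frame = { label, name, uniqueName }; // label is a constructed tag
    this.children.splice(index, 0, frame);
    return frame;
  }

  // Lookup as described for the old behaviour: match on the unique name.
  childByUniqueName(name) {
    return this.children.find((f) => f.uniqueName === name) ?? null;
  }

  // Lookup as described for the new behaviour: first match in tree order.
  childByName(name) {
    return this.children.find((f) => f.name === name) ?? null;
  }

  // Names for which the two lookups resolve to different frames.
  divergentNames() {
    const names = [...new Set(this.children.map((f) => f.name))];
    return names.filter((n) => this.childByUniqueName(n) !== this.childByName(n));
  }
}

function demo() {
  const tree = new FrameTreeModel();
  tree.insertChild("created-first", "foo");      // unique name "foo"
  tree.insertChild("created-second", "foo", 0);  // earlier in tree order
  tree.insertChild("other", "bar");              // no duplicate, no divergence
  return {
    treeOrder: tree.children.map((f) => `${f.label}:${f.uniqueName}`),
    byUniqueName: tree.childByUniqueName("foo").label,
    byName: tree.childByName("foo").label,
    divergent: tree.divergentNames(),
  };
}

console.log(demo());
```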



