<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[245444] releases/WebKitGTK/webkit-2.24</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/245444">245444</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2019-05-17 03:15:15 -0700 (Fri, 17 May 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/244892">r244892</a> - Setting a frame's src to a javascript URL should not run it synchronously
https://bugs.webkit.org/show_bug.cgi?id=197466

Reviewed by Darin Adler.

Source/WebCore:

When an iframe's src attribute is set to a javascript URL, whether when parsing
or later on via JS, we now execute the URL's JavaScript asynchronously. We used
to execute it synchronously, which was a source of bugs and also did not match
other browsers.

I have verified that our new behavior is aligned with both Firefox and Chrome.

Note that for backward-compatibility and interoperability with Blink
(https://bugs.chromium.org/p/chromium/issues/detail?id=923585), the
"javascript:''" URL will still run synchronously. We should consider dropping
this quirk at some point.

Test: fast/dom/frame-src-javascript-url-async.html

* loader/NavigationScheduler.cpp:
(WebCore::ScheduledLocationChange::ScheduledLocationChange):
(WebCore::ScheduledLocationChange::~ScheduledLocationChange):
(WebCore::NavigationScheduler::scheduleLocationChange):
* loader/NavigationScheduler.h:
(WebCore::NavigationScheduler::scheduleLocationChange):
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::requestFrame):

LayoutTests:

* fast/dom/frame-src-javascript-url-async-expected.txt: Added.
* fast/dom/frame-src-javascript-url-async.html: Added.
Add layout test coverage for the fact that the javascript URL is executed asynchronously
whether set during parsing or later via JS. Also makes sure that executing the javascript
URL asynchronously does not replace the frame's window. This test passes in both Chrome
and Firefox.

* imported/blink/fast/frames/navigation-in-pagehide.html:
Re-sync this test from the Blink repository.

* fast/dom/Element/id-in-frameset-expected.txt:
* fast/dom/Element/id-in-frameset.html:
* fast/dom/insertedIntoDocument-iframe-expected.txt:
* fast/dom/javascript-url-exception-isolation-expected.txt:
* fast/dom/javascript-url-exception-isolation.html:
* fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt:
* fast/dom/resources/javascript-url-crash-function-iframe.html:
* fast/frames/adopt-from-created-document.html:
* fast/frames/out-of-document-iframe-has-child-frame.html:
* fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html:
* fast/loader/javascript-url-iframe-remove-on-navigate.html:
* fast/loader/unload-mutation-crash.html:
* fast/parser/resources/set-parent-to-javascript-url.html:
* fast/parser/xml-error-adopted.xml:
* http/tests/navigation/lockedhistory-iframe-expected.txt:
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
* http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html:
* http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html:
* http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html:
* imported/blink/loader/iframe-sync-loads-expected.txt:
* js/dom/call-base-resolution.html:
* platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
Update / Rebaseline existing tests to reflect behavior change. I ran those tests in Firefox and Chrome to confirm that our behavior
is indeed aligned.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomElementidinframesetexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomElementidinframesethtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdominsertedIntoDocumentiframeexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomjavascripturlexceptionisolationexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomjavascripturlexceptionisolationhtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomnoassertformalformedjsurlattributeexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomresourcesjavascripturlcrashfunctioniframehtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastframesadoptfromcreateddocumenthtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastframesoutofdocumentiframehaschildframehtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastloaderjavascripturliframeremoveonnavigateasyncdelegatehtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastloaderjavascripturliframeremoveonnavigatehtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastloaderunloadmutationcrashhtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastparserresourcessetparenttojavascripturlhtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastparserxmlerroradoptedxml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestsnavigationlockedhistoryiframeexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframeexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlallowedexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecurityjavascriptURLxssALLOWEDfromjavascripturlsubframe2levelhtml">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecurityjavascriptURLxssALLOWEDfromjavascripturlsubframehtml">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestshttptestssecurityjavascriptURLxssALLOWEDtojavascripturlfromjavscripturlhtml">releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsimportedblinkfastframesnavigationinpagehidehtml">releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsimportedblinkloaderiframesyncloadsexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsjsdomcallbaseresolutionhtml">releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsplatformwk2httptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframeexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceWebCoreloaderNavigationSchedulercpp">releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceWebCoreloaderNavigationSchedulerh">releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceWebCoreloaderSubframeLoadercpp">releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomframesrcjavascripturlasyncexpectedtxt">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit224LayoutTestsfastdomframesrcjavascripturlasynchtml">releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit224LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog     2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog        2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,3 +1,48 @@
</span><ins>+2019-05-02  Chris Dumez  <cdumez@apple.com>
+
+        Setting a frame's src to a javascript URL should not run it synchronously
+        https://bugs.webkit.org/show_bug.cgi?id=197466
+
+        Reviewed by Darin Adler.
+
+        * fast/dom/frame-src-javascript-url-async-expected.txt: Added.
+        * fast/dom/frame-src-javascript-url-async.html: Added.
+        Add layout test coverage for the fact that the javascript URL is executed asynchronously
+        whether set during parsing or later via JS. Also makes sure that executing the javascript
+        URL asynchronously does not replace the frame's window. This test passes in both Chrome
+        and Firefox.
+
+        * imported/blink/fast/frames/navigation-in-pagehide.html:
+        Re-sync this test from the Blink repository.
+
+        * fast/dom/Element/id-in-frameset-expected.txt:
+        * fast/dom/Element/id-in-frameset.html:
+        * fast/dom/insertedIntoDocument-iframe-expected.txt:
+        * fast/dom/javascript-url-exception-isolation-expected.txt:
+        * fast/dom/javascript-url-exception-isolation.html:
+        * fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt:
+        * fast/dom/resources/javascript-url-crash-function-iframe.html:
+        * fast/frames/adopt-from-created-document.html:
+        * fast/frames/out-of-document-iframe-has-child-frame.html:
+        * fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html:
+        * fast/loader/javascript-url-iframe-remove-on-navigate.html:
+        * fast/loader/unload-mutation-crash.html:
+        * fast/parser/resources/set-parent-to-javascript-url.html:
+        * fast/parser/xml-error-adopted.xml:
+        * http/tests/navigation/lockedhistory-iframe-expected.txt:
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
+        * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html:
+        * http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html:
+        * http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html:
+        * imported/blink/loader/iframe-sync-loads-expected.txt:
+        * js/dom/call-base-resolution.html:
+        * platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt:
+        Update / Rebaseline existing tests to reflect behavior change. I ran those tests in Firefox and Chrome to confirm that our behavior
+        is indeed aligned.
+
</ins><span class="cx"> 2019-02-21  Daniel Bates  <dabates@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Fix the test failure following r241918
</span></span></pre></div>
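Review bot: the entry's claim that frame-src-javascript-url-async.html "passes in both Chrome and Firefox" conflicts with the comment inside that test, "Firefox 66 and Chrome 74 disagree here, we match Chrome", which sits next to the shouldNotBe check on frame3.contentDocument. Please reword the entry to say which assertions are interoperable and which follow Chrome only, so a later reader does not take the frame3 document replacement for cross-browser behaviour.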
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomElementidinframesetexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-ALERT: 1
</del><ins>+ALERT: 2
</ins><span class="cx"> 
</span></span></pre></div>
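Review bot: this rebaseline changes the logged value itself (ALERT: 1 becomes ALERT: 2), not just a line number or message order, and the ChangeLog covers it only with the generic "Update / Rebaseline existing tests" line. Please record why top.frameset.children.length is now 2 after the removeChild call. In id-in-frameset.html frame3 is declared after the javascript: frame, so it presumably already exists when the deferred script runs. The explanation should make clear that the test still checks what it was written to check.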
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomElementidinframesethtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,5 +1,10 @@
</span><span class="cx"> <html>
</span><del>-
</del><ins>+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+</script>
</ins><span class="cx"> <frameset id="frameset">
</span><span class="cx">   <frame name="frame2" src="about:blank">
</span><span class="cx">   <frame name="frame1" src="javascript:
</span><span class="lines">@@ -16,6 +21,8 @@
</span><span class="cx"> 
</span><span class="cx">     top.frameset.removeChild(top.frame2.frameElement);
</span><span class="cx">     log(top.frameset.children.length);
</span><ins>+    if (window.testRunner)
+        testRunner.notifyDone();
</ins><span class="cx">   ">
</span><span class="cx"> 
</span><span class="cx">   <frame name="frame3" src="about:blank">
</span></span></pre></div>
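Review bot: in the second hunk, testRunner.notifyDone() is the last statement of the frame1 javascript: URL, after the removeChild and log calls, so an exception in any earlier statement leaves the test waiting until the harness times out now that the first hunk adds waitUntilDone(). Consider wrapping the URL body in try/finally, or signalling completion from the top-level document, so that a failure is reported as a failure rather than a timeout.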
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomframesrcjavascripturlasyncexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async-expected.txt (0 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async-expected.txt                          (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async-expected.txt     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+Checks that setting an iframe's src attribute to a javascript URL runs the javascript asynchronously
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frame2.contentWindow is initialFrame2Window
+PASS frame2.contentDocument is initialFrame2Document
+PASS messages is "1234"
+PASS frame1.contentWindow is initialFrame1Window
+PASS frame1.contentDocument is initialFrame1Document
+PASS frame2.contentWindow is initialFrame2Window
+PASS frame2.contentDocument is initialFrame2Document
+PASS frame3.contentWindow is initialFrame3Window
+PASS frame3.contentDocument is not initialFrame3Document
+PASS frame3.contentWindow is initialFrame3Window
+PASS frame3.contentDocument is not initialFrame3Document
+PASS frame3.contentDocument.documentElement.textContent is "1"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+  
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomframesrcjavascripturlasynchtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async.html (0 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async.html                          (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-javascript-url-async.html     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -0,0 +1,52 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/js-test.js"></script>
+<script>
+description("Checks that setting an iframe's src attribute to a javascript URL runs the javascript asynchronously");
+jsTestIsAsync = true;
+
+let messages = "";
+const expectedMessageCount = 4;
+function log(msg)
+{
+    messages += msg;
+    if (messages.length == expectedMessageCount) {
+        shouldBeEqualToString("messages", "1234");
+        shouldBe("frame1.contentWindow", "initialFrame1Window");
+        shouldBe("frame1.contentDocument", "initialFrame1Document");
+        shouldBe("frame2.contentWindow", "initialFrame2Window");
+        shouldBe("frame2.contentDocument", "initialFrame2Document");
+        shouldBe("frame3.contentWindow", "initialFrame3Window");
+        // Firefox 66 and Chrome 74 disagree here, we match Chrome.
+        shouldNotBe("frame3.contentDocument", "initialFrame3Document");
+        setTimeout(() => {
+            shouldBe("frame3.contentWindow", "initialFrame3Window");
+            shouldNotBe("frame3.contentDocument", "initialFrame3Document");
+            shouldBeEqualToString("frame3.contentDocument.documentElement.textContent", "1");
+            finishJSTest();
+        }), 0;
+    }
+}
+</script>
+<iframe id="frame1" src="javascript:parent.log('3')"></iframe>
+<iframe id="frame2"></iframe>
+<iframe id="frame3" src="javascript:'1'"></iframe>
+<script>
+frame1 = document.getElementById("frame1");
+frame2 = document.getElementById("frame2");
+frame3 = document.getElementById("frame3");
+initialFrame1Window = frame1.contentWindow;
+initialFrame1Document = frame1.contentDocument;
+initialFrame2Window = frame2.contentWindow;
+initialFrame2Document = frame2.contentDocument;
+initialFrame3Window = frame3.contentWindow;
+initialFrame3Document = frame3.contentDocument;
+log('1');
+frame2.src = "javascript:parent.log('4')";
+shouldBe("frame2.contentWindow", "initialFrame2Window");
+shouldBe("frame2.contentDocument", "initialFrame2Document");
+log('2');
+</script>
+</body>
+</html>
</ins></span></pre></div>
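Review bot: in the setTimeout call inside log(), the closing parenthesis is misplaced. The statement ends with "}), 0;", so 0 is not passed as the delay but is the discarded right-hand operand of a comma expression. The timer still fires because the delay defaults to 0, but the line should end with "}, 0);" to match the intent and the other setTimeout calls added in this change.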
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdominsertedIntoDocumentiframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt     2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt        2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1 +1,3 @@
</span><ins>+CONSOLE MESSAGE: line 1: TypeError: Argument 1 ('child') to Node.removeChild must be an instance of Node
</ins><span class="cx"> PASS
</span><ins>+
</ins></span></pre></div>
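Review bot: the new baseline records a TypeError from Node.removeChild as expected output while the test still prints PASS, and the test file itself is not among the modified paths. Please confirm that the removeChild call in the javascript: URL still reaches the code path this test was written for now that it runs later. If it no longer does, the test should be updated rather than the error accepted in the -expected.txt file.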
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomjavascripturlexceptionisolationexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: 42
</span><del>-CONSOLE MESSAGE: line 25: SyntaxError: Unexpected token '<'
</del><ins>+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '<'
</ins><span class="cx"> Exceptions thrown in javascript URLs should not propagate to the main script.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomjavascripturlexceptionisolationhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation.html      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/javascript-url-exception-isolation.html 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -20,9 +20,12 @@
</span><span class="cx"> }
</span><span class="cx"> shouldBeFalse('caughtException');
</span><span class="cx"> 
</span><ins>+var subframe2 = document.createElement("iframe");
+document.body.appendChild(subframe2);
+
</ins><span class="cx"> // Compile-time exception.
</span><span class="cx"> try {
</span><del>-    subframe.src = 'javascript:<html></html>';
</del><ins>+    subframe2.src = 'javascript:<html></html>';
</ins><span class="cx"> } catch(e) {
</span><span class="cx">     caughtException = true;
</span><span class="cx"> }
</span></span></pre></div>
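Review bot: with javascript: URLs now run asynchronously, the try/catch around the subframe2.src assignment completes before the URL is compiled, so caughtException cannot be set by the SyntaxError and any later check of it passes trivially. Only the CONSOLE MESSAGE line in the baseline still verifies anything for the compile-time case. Consider making the test asynchronous and asserting after the URL has run. The hunk also does not say why a second iframe is needed instead of reusing subframe, and a one-line comment would help.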
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomnoassertformalformedjsurlattributeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt        2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt   2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 14: SyntaxError: Unexpected identifier 'orem'
</del><ins>+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected identifier 'orem'
</ins><span class="cx"> This tests that we do not assert when a malformed JS URL is passed to the 'src' attribute of an iframe. The test passes if it does not ASSERT.
</span><span class="cx"> 
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsfastdomresourcesjavascripturlcrashfunctioniframehtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/javascript-url-crash-function-iframe.html     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -16,7 +16,9 @@
</span><span class="cx"> setTimeout(function ()
</span><span class="cx"> {
</span><span class="cx">     test();
</span><del>-    if (window.testRunner)
-        testRunner.notifyDone();
</del><ins>+    top.setTimeout(() => {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 0);
</ins><span class="cx"> }, 0);
</span><span class="cx"> </script>
</span></span></pre></div>
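Review bot: the callback is scheduled with top.setTimeout, but its body still reads window.testRunner and testRunner, which resolve against this iframe's global object rather than top's. If test() navigates or detaches this frame, that lookup may not behave as it does in a live frame, and notifyDone() would be skipped, turning the result into a timeout. Using top.testRunner inside the callback, together with a short comment on why the timer is placed on top, would make the intent explicit.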
<a id="releasesWebKitGTKwebkit224LayoutTestsfastframesadoptfromcreateddocumenthtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -8,10 +8,10 @@
</span><span class="cx"> alert(2);
</span><span class="cx"> var ifr = doc.createElement('iframe');
</span><span class="cx"> alert(3);
</span><del>-ifr.setAttribute('src', 'javascript:alert(6)');
</del><ins>+ifr.setAttribute('src', 'javascript:alert(7)');
</ins><span class="cx"> alert(4);
</span><span class="cx"> var adopted = document.adoptNode(ifr)
</span><span class="cx"> alert(5);
</span><span class="cx"> document.body.appendChild(adopted);
</span><del>-alert(7);
</del><ins>+alert(6);
</ins><span class="cx"> </script>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsfastframesoutofdocumentiframehaschildframehtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html       2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html  2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>-<script src="../../resources/js-test-pre.js"></script>
</del><ins>+<script src="../../resources/js-test.js"></script>
</ins><span class="cx"> </head>
</span><span class="cx"> <body>
</span><span class="cx"> <div id="main"/>
</span><span class="lines">@@ -7,6 +7,7 @@
</span><span class="cx"> <script>
</span><span class="cx"> description("This tests that several ways of making an iframe that isn't inserted into a document tree"
</span><span class="cx">     + " but has a child frame will fail.");
</span><ins>+jsTestIsAsync = true;
</ins><span class="cx"> 
</span><span class="cx"> main = document.getElementById("main");
</span><span class="cx"> 
</span><span class="lines">@@ -44,9 +45,11 @@
</span><span class="cx">     helperFrame.src = "javascript:top.container.removeChild(top.targetFrame3)";
</span><span class="cx">     document.body.appendChild(container);
</span><span class="cx"> } catch (e) { }
</span><del>-shouldBeTrue("targetFrame3.contentWindow == undefined");
</del><span class="cx"> 
</span><del>-isSuccessfullyParsed();
</del><ins>+setTimeout(() => {
+    shouldBeTrue("targetFrame3.contentWindow == undefined");
+    finishJSTest();
+}, 0);
</ins><span class="cx"> </script>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
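Review bot: in the last hunk the check on targetFrame3.contentWindow now relies on a zero-delay timer being queued behind the navigation started by helperFrame.src, and nothing in the test says so. Put a comment on the setTimeout stating that it waits for the asynchronous javascript: URL to remove targetFrame3. The empty catch (e) { } just above also hides any exception thrown during setup; consider reporting it with testFailed.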
<a id="releasesWebKitGTKwebkit224LayoutTestsfastloaderjavascripturliframeremoveonnavigateasyncdelegatehtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -8,13 +8,14 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> let frame = document.getElementById("target");
</span><del>-frame.contentWindow.onbeforeunload = function() {
-    setTimeout(function() {
-        frame.src = "javascript:alert('FAIL')";
-    }, 0);
-};
</del><span class="cx"> 
</span><span class="cx"> window.addEventListener("load", function() {
</span><ins>+    frame.contentWindow.onbeforeunload = function() {
+        setTimeout(function() {
+            frame.src = "javascript:alert('FAIL')";
+        }, 0);
+    };
+
</ins><span class="cx">     document.write("PASS - Javascript URL blocked without crashing.");
</span><span class="cx">     if (window.testRunner)
</span><span class="cx">         testRunner.notifyDone();
</span></span></pre></div>
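Review bot: testRunner.notifyDone() is still called synchronously inside the load handler, right after the onbeforeunload handler is installed, while the frame.src = "javascript:alert('FAIL')" assignment happens in a zero-delay timer and the URL itself now runs asynchronously. If the block regressed, the FAIL alert could fire after the test has already been reported done. Consider deferring notifyDone() behind a timer so a late alert would still land in the output. The same pattern is in javascript-url-iframe-remove-on-navigate.html.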
<a id="releasesWebKitGTKwebkit224LayoutTestsfastloaderjavascripturliframeremoveonnavigatehtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html     2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/javascript-url-iframe-remove-on-navigate.html        2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -6,13 +6,13 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> let frame = document.getElementById("target");
</span><del>-frame.contentWindow.onbeforeunload = function() {
-    setTimeout(function() {
-        frame.src = "javascript:alert('FAIL')";
-    }, 0);
-};
</del><span class="cx"> 
</span><span class="cx"> window.addEventListener("load", function() {
</span><ins>+    frame.contentWindow.onbeforeunload = function() {
+        setTimeout(function() {
+            frame.src = "javascript:alert('FAIL')";
+        }, 0);
+    };
</ins><span class="cx">     document.write("PASS - Javascript URL blocked without crashing.");
</span><span class="cx">     if (window.testRunner)
</span><span class="cx">         testRunner.notifyDone();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsfastloaderunloadmutationcrashhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html        2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html   2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -2,8 +2,10 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <script>
</span><del>-if (window.testRunner)
-    window.testRunner.dumpAsText();
</del><ins>+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
</ins><span class="cx"> 
</span><span class="cx"> function start() {
</span><span class="cx">     window.firstFrame = document.createElement('iframe');
</span><span class="lines">@@ -20,6 +22,8 @@
</span><span class="cx"> 
</span><span class="cx">     window.firstFrame.src = 'javascript:"";';
</span><span class="cx">     document.write("PASS. WebKit didn't crash.");
</span><ins>+    if (window.testRunner)
+       testRunner.notifyDone();
</ins><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span></span></pre></div>
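Review bot: the added testRunner.notifyDone() line in start() is indented seven spaces under its if, where the rest of the file uses four-space steps. Make it eight.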
<a id="releasesWebKitGTKwebkit224LayoutTestsfastparserresourcessetparenttojavascripturlhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html       2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-javascript-url.html  2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> <script>
</span><span class="cx"> const parent = window.parent;
</span><span class="cx"> alert(1);
</span><del>-parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(2),'PASS<script>alert(3)<\/script>'";
-alert(4);
</del><ins>+parent.document.getElementsByTagName('iframe')[0].src = "javascript:alert(3),'PASS<script>alert(4)<\/script>'";
+alert(2);
</ins><span class="cx"> parent.setTimeout("done()", 0);
</span><span class="cx"> </script>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsfastparserxmlerroradoptedxml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml     2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml        2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -15,7 +15,9 @@
</span><span class="cx">         testRunner.notifyDone();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-setTimeout(test, 0);
</del><ins>+onload = () => {
+    setTimeout(test, 0);
+};
</ins><span class="cx"> </script>
</span><span class="cx"> <elt attr="1" attr="2"/>
</span><del>-</svg>
</del><span class="cx">\ No newline at end of file
</span><ins>+</svg>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestsnavigationlockedhistoryiframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt       2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt  2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> 
</span><span class="cx"> ============== Back Forward List ==============
</span><span class="cx"> curr->  http://127.0.0.1:8000/navigation/lockedhistory-iframe.html  **nav target**
</span><del>-            about:blank (in frame "<!--frame1-->")
</del><ins>+            http://127.0.0.1:8000/navigation/lockedhistory-iframe.html# (in frame "<!--frame1-->")
+                about:blank (in frame "<!--frame2-->")
</ins><span class="cx"> ===============================================
</span></span></pre></div>
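Review bot: this expectation change is more than a reordering: the frame1 entry goes from about:blank to lockedhistory-iframe.html# and a nested frame2 entry appears, so the contents of the back/forward list differ. The WebCore ChangeLog entry in this commit only describes the timing of javascript: URL execution. Add a sentence explaining why the recorded history item changes, so the new baseline is not read as an accidental rebaseline.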
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -6,8 +6,9 @@
</span><span class="cx"> frame "<!--frame2-->" - didFinishDocumentLoadForFrame
</span><span class="cx"> frame "<!--frame2-->" - didHandleOnloadEventsForFrame
</span><span class="cx"> frame "<!--frame2-->" - didFinishLoadForFrame
</span><ins>+frame "<!--frame2-->" - willPerformClientRedirectToURL: javascript:document.write('%3Cimg%20src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22%3E'); 
+frame "<!--frame1-->" - didFinishDocumentLoadForFrame
</ins><span class="cx"> CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
</span><del>-frame "<!--frame1-->" - didFinishDocumentLoadForFrame
</del><span class="cx"> frame "<!--frame1-->" - didFinishLoadForFrame
</span><span class="cx"> main frame - didFinishLoadForFrame
</span><span class="cx"> This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content and a JavaScript URL executes in the same origin as its embedding document.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlallowedexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt    2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><del>-ALERT: PASS
</del><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><ins>+ALERT: PASS
</ins><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt     2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt        2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</del><span class="cx"> CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
</span><span class="cx"> CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
</span><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt    2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><del>-CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</del><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><span class="cx"> CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
</span><ins>+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecurityjavascriptURLxssALLOWEDfromjavascripturlsubframe2levelhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -7,11 +7,13 @@
</span><span class="cx">         if (window.testRunner) {
</span><span class="cx">             testRunner.dumpAsText();
</span><span class="cx">             testRunner.dumpChildFramesAsText();
</span><ins>+            testRunner.waitUntilDone();
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         var innerURL = 'javascript:\\\"<html>'
</span><span class="cx">             + "<scr" + "ipt>"
</span><span class="cx">             +     'top.document.getElementById(\\\\\\\"accessMe\\\\\\\").innerHTML = \\\\\\\"PASS: Cross frame access from a javascript: URL inside another javascript: URL was allowed!\\\\\\\";'
</span><ins>+            +     'top.setTimeout(() => { testRunner.notifyDone(); }, 0);'
</ins><span class="cx">             + "</scri" + "pt>"
</span><span class="cx">             + "<body>"
</span><span class="cx">             +     "<p>Inner-inner iframe.</p>"
</span></span></pre></div>
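Review bot: the notifyDone() call added to innerURL is not guarded, unlike the waitUntilDone() call above it, which sits inside if (window.testRunner). Opened in a plain browser, the timer callback throws a ReferenceError on testRunner. Use if (window.testRunner) testRunner.notifyDone(); inside the callback.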
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecurityjavascriptURLxssALLOWEDfromjavascripturlsubframehtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -7,6 +7,7 @@
</span><span class="cx">         if (window.testRunner) {
</span><span class="cx">             testRunner.dumpAsText();
</span><span class="cx">             testRunner.dumpChildFramesAsText();
</span><ins>+            testRunner.waitUntilDone();
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         var url = "javascript:\"<html>"
</span><span class="lines">@@ -20,6 +21,12 @@
</span><span class="cx"> 
</span><span class="cx">         var iframe = document.getElementById("aFrame");
</span><span class="cx">         iframe.src = url;
</span><ins>+        onload = () => {
+            setTimeout(() => {
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }, 0);
+        }
</ins><span class="cx">     </script>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
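Review bot: the onload assignment added after iframe.src = url ends with a bare closing brace, while the identical block in xss-ALLOWED-to-javascript-url-from-javscript-url.html ends with a semicolon. Add the semicolon here so the two tests stay consistent.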
<a id="releasesWebKitGTKwebkit224LayoutTestshttptestssecurityjavascriptURLxssALLOWEDtojavascripturlfromjavscripturlhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html       2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html  2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -7,6 +7,7 @@
</span><span class="cx">         if (window.testRunner) {
</span><span class="cx">             testRunner.dumpAsText();
</span><span class="cx">             testRunner.dumpChildFramesAsText();
</span><ins>+            testRunner.waitUntilDone();
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         var innerURL = 'javascript:\\\"<html>'
</span><span class="lines">@@ -30,6 +31,13 @@
</span><span class="cx"> 
</span><span class="cx">         var iframe = document.getElementById("aFrame");
</span><span class="cx">         iframe.src = url;
</span><ins>+
+        onload = () => {
+            setTimeout(() => {
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }, 0);
+        };
</ins><span class="cx">     </script>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsimportedblinkfastframesnavigationinpagehidehtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html        2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html   2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -17,7 +17,7 @@
</span><span class="cx">   var div = document.createElement('div');
</span><span class="cx">   firstFrame.appendChild(div);
</span><span class="cx">   secondFrame = document.createElement('iframe');
</span><del>-  secondFrame.src = 'javascript:window.top.maybeStart();';
</del><ins>+  secondFrame.src = 'javascript:window.top.reallyStart();';
</ins><span class="cx">   div.appendChild(secondFrame);
</span><span class="cx">   var firstFrameRoot = firstFrame.contentDocument.documentElement;
</span><span class="cx">   document.documentElement.appendChild(div);
</span><span class="lines">@@ -24,13 +24,6 @@
</span><span class="cx">   firstFrameRoot.appendChild(secondFrame);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-function maybeStart() {
-  if (callbackCount++ > 1) {
-    reallyStart();
-    return;
-  }
-}
-
</del><span class="cx"> function reallyStart(frame) {
</span><span class="cx">   secondFrame.contentWindow.onpagehide = function () {
</span><span class="cx">     firstFrame.src = 'javascript:window.top.navigateThere();';
</span><span class="lines">@@ -39,7 +32,7 @@
</span><span class="cx"> 
</span><span class="cx">   if (window.location.hash == '#done') {
</span><span class="cx">     if (window.testRunner)
</span><del>-      window.testRunner.notifyDone();
</del><ins>+      testRunner.notifyDone();
</ins><span class="cx">     return;
</span><span class="cx">   }
</span><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsimportedblinkloaderiframesyncloadsexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>- sync : src = javascript:"content"
</del><ins>+ASYNC : src = javascript:"content"
</ins><span class="cx"> ASYNC : src = data:text/html,content
</span><span class="cx"> ASYNC : srcdoc = "content"
</span><span class="cx"> done
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsjsdomcallbaseresolutionhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html      2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html 2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -4,7 +4,7 @@
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><span class="cx"> 
</span><del>-<script src="../../resources/js-test-pre.js"></script>
</del><ins>+<script src="../../resources/js-test.js"></script>
</ins><span class="cx">   <script>
</span><span class="cx">     window.name = "o";
</span><span class="cx">     function f() { 
</span><span class="lines">@@ -77,7 +77,5 @@
</span><span class="cx">             parent.testFailed(results + ' should be ' + expected + ', but was not.');
</span><span class="cx">     ">
</span><span class="cx">   </iframe>
</span><del>-<script src="../../resources/js-test-post.js"></script>
-
</del><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224LayoutTestsplatformwk2httptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt    2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -6,8 +6,9 @@
</span><span class="cx"> frame "<!--frame2-->" - didFinishDocumentLoadForFrame
</span><span class="cx"> frame "<!--frame2-->" - didHandleOnloadEventsForFrame
</span><span class="cx"> frame "<!--frame2-->" - didFinishLoadForFrame
</span><ins>+frame "<!--frame2-->" - willPerformClientRedirectToURL: javascript:document.write('<img src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22>'); 
+frame "<!--frame1-->" - didFinishDocumentLoadForFrame
</ins><span class="cx"> CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
</span><del>-frame "<!--frame1-->" - didFinishDocumentLoadForFrame
</del><span class="cx"> frame "<!--frame1-->" - didFinishLoadForFrame
</span><span class="cx"> main frame - didFinishLoadForFrame
</span><span class="cx"> This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content and a JavaScript URL executes in the same origin as its embedding document.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2019-05-02  Chris Dumez  <cdumez@apple.com>
+
+        Setting a frame's src to a javascript URL should not run it synchronously
+        https://bugs.webkit.org/show_bug.cgi?id=197466
+
+        Reviewed by Darin Adler.
+
+        When an iframe's src attribute is set to a javascript URL, whether when parsing
+        or later on via JS, we now execute the URL's JavaScript asynchronously. We used
+        to execute it synchronously, which was a source of bugs and also did not match
+        other browsers.
+
+        I have verified that our new behavior is aligned with both Firefox and Chrome.
+
+        Note that for backward-compatibility and interoperability with Blink
+        (https://bugs.chromium.org/p/chromium/issues/detail?id=923585), the
+        "javascript:''" URL will still run synchronously. We should consider dropping
+        this quirk at some point.
+
+        Test: fast/dom/frame-src-javascript-url-async.html
+
+        * loader/NavigationScheduler.cpp:
+        (WebCore::ScheduledLocationChange::ScheduledLocationChange):
+        (WebCore::ScheduledLocationChange::~ScheduledLocationChange):
+        (WebCore::NavigationScheduler::scheduleLocationChange):
+        * loader/NavigationScheduler.h:
+        (WebCore::NavigationScheduler::scheduleLocationChange):
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::requestFrame):
+
</ins><span class="cx"> 2019-02-21  Daniel Bates  <dabates@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Same Site Lax cookies are not sent with cross-site redirect from client-initiated load
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceWebCoreloaderNavigationSchedulercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp     2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp        2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -193,9 +193,18 @@
</span><span class="cx"> 
</span><span class="cx"> class ScheduledLocationChange : public ScheduledURLNavigation {
</span><span class="cx"> public:
</span><del>-    ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad)
-        : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) { }
</del><ins>+    ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad, CompletionHandler<void()>&& completionHandler)
+        : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true)
+        , m_completionHandler(WTFMove(completionHandler))
+    {
+    }
</ins><span class="cx"> 
</span><ins>+    ~ScheduledLocationChange()
+    {
+        if (m_completionHandler)
+            m_completionHandler();
+    }
+
</ins><span class="cx">     void fire(Frame& frame) override
</span><span class="cx">     {
</span><span class="cx">         UserGestureIndicator gestureIndicator { userGestureToForward() };
</span><span class="lines">@@ -203,8 +212,13 @@
</span><span class="cx">         ResourceRequest resourceRequest { url(), referrer(), ResourceRequestCachePolicy::UseProtocolCachePolicy };
</span><span class="cx">         FrameLoadRequest frameLoadRequest { initiatingDocument(), *securityOrigin(), resourceRequest, "_self", lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, shouldOpenExternalURLs(), initiatedByMainFrame() };
</span><span class="cx"> 
</span><ins>+        auto completionHandler = WTFMove(m_completionHandler);
</ins><span class="cx">         frame.loader().changeLocation(WTFMove(frameLoadRequest));
</span><ins>+        completionHandler();
</ins><span class="cx">     }
</span><ins>+
+private:
+    CompletionHandler<void()> m_completionHandler;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> class ScheduledRefresh : public ScheduledURLNavigation {
</span><span class="lines">@@ -405,10 +419,10 @@
</span><span class="cx">     return LockBackForwardList::No;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
</del><ins>+void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, CompletionHandler<void()>&& completionHandler)
</ins><span class="cx"> {
</span><span class="cx">     if (!shouldScheduleNavigation(url))
</span><del>-        return;
</del><ins>+        return completionHandler();
</ins><span class="cx"> 
</span><span class="cx">     if (lockBackForwardList == LockBackForwardList::No)
</span><span class="cx">         lockBackForwardList = mustLockBackForwardList(m_frame);
</span><span class="lines">@@ -424,7 +438,7 @@
</span><span class="cx">         
</span><span class="cx">         FrameLoadRequest frameLoadRequest { initiatingDocument, securityOrigin, resourceRequest, "_self"_s, lockHistory, lockBackForwardList, MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, initiatingDocument.shouldOpenExternalURLsPolicyToPropagate(), initiatedByMainFrame };
</span><span class="cx">         loader.changeLocation(WTFMove(frameLoadRequest));
</span><del>-        return;
</del><ins>+        return completionHandler();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Handle a location change of a page with no document as a special case.
</span><span class="lines">@@ -431,7 +445,7 @@
</span><span class="cx">     // This may happen when a frame changes the location of another frame.
</span><span class="cx">     bool duringLoad = !loader.stateMachine().committedFirstRealDocumentLoad();
</span><span class="cx"> 
</span><del>-    schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad));
</del><ins>+    schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, WTFMove(completionHandler)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void NavigationScheduler::scheduleFormSubmission(Ref<FormSubmission>&& submission)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceWebCoreloaderNavigationSchedulerh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h       2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h  2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -53,7 +53,7 @@
</span><span class="cx">     bool locationChangePending();
</span><span class="cx"> 
</span><span class="cx">     void scheduleRedirect(Document& initiatingDocument, double delay, const URL&);
</span><del>-    void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes);
</del><ins>+    void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes, CompletionHandler<void()>&& = [] { });
</ins><span class="cx">     void scheduleFormSubmission(Ref<FormSubmission>&&);
</span><span class="cx">     void scheduleRefresh(Document& initiatingDocument);
</span><span class="cx">     void scheduleHistoryNavigation(int steps);
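Review bot: The new trailing CompletionHandler parameter on scheduleLocationChange() is undocumented, and its timing differs by path. In the .cpp changes it is invoked synchronously on the two early-return paths, after changeLocation() in ScheduledLocationChange::fire(), or from the ScheduledLocationChange destructor. If the intended contract is that it is called exactly once and possibly before scheduleLocationChange() returns, say so in a comment on this declaration so callers do not have to read the implementation.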
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceWebCoreloaderSubframeLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp (245443 => 245444)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp  2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp     2019-05-17 10:15:15 UTC (rev 245444)
</span><span class="lines">@@ -56,6 +56,7 @@
</span><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include "SecurityPolicy.h"
</span><span class="cx"> #include "Settings.h"
</span><ins>+#include <wtf/CompletionHandler.h>
</ins><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx">     
</span><span class="lines">@@ -86,17 +87,27 @@
</span><span class="cx">     if (shouldConvertInvalidURLsToBlank() && !url.isValid())
</span><span class="cx">         url = WTF::blankURL();
</span><span class="cx"> 
</span><del>-    bool hasExistingFrame = ownerElement.contentFrame();
</del><ins>+    // If we will schedule a JavaScript URL load, we need to delay the firing of the load event at least until we've run the JavaScript in the URL.
+    CompletionHandlerCallingScope stopDelayingLoadEvent;
+    if (!scriptURL.isEmpty()) {
+        ownerElement.document().incrementLoadEventDelayCount();
+        stopDelayingLoadEvent = CompletionHandlerCallingScope([ownerDocument = makeRef(ownerElement.document())] {
+            ownerDocument->decrementLoadEventDelayCount();
+        });
+    }
+
</ins><span class="cx">     Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList);
</span><span class="cx">     if (!frame)
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><del>-    // If we create a new subframe then an empty document is loaded into it synchronously and may
-    // cause script execution (say, via a DOM load event handler) that can do anything, including
-    // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated.
-    bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == WTF::blankURL());
-    if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL))
-        frame->script().executeIfJavaScriptURL(scriptURL);
</del><ins>+    if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL)) {
+        // FIXME: Some sites rely on the javascript:'' loading synchronously, which is why we have this special case.
+        // Blink has the same workaround (https://bugs.chromium.org/p/chromium/issues/detail?id=923585).
+        if (urlString == "javascript:''" || urlString == "javascript:\"\"")
+            frame->script().executeIfJavaScriptURL(scriptURL);
+        else
+            frame->navigationScheduler().scheduleLocationChange(ownerElement.document(), ownerElement.document().securityOrigin(), scriptURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList, stopDelayingLoadEvent.release());
+    }
</ins><span class="cx"> 
</span><span class="cx">     return true;
</span><span class="cx"> }
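Review bot: The synchronous branch kept for javascript:'' and javascript:"" calls frame->script().executeIfJavaScriptURL(scriptURL) without the removed canExecuteScript guard (hasExistingFrame, or the document loader's originalURL still being the blank URL). The old comment explained that this guard ensured the script URL was only evaluated if the newly created subframe had not been navigated by script run during the synchronous empty-document load. Either keep that guard on the synchronous branch or extend the FIXME to explain why it is not needed for an empty-string script. The special case is also an exact string comparison on urlString, so any other spelling of the same URL takes the scheduled path; state in the comment whether that is intended.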
</span></span></pre>
</div>
</div>

</body>
</html>