[Webkit-unassigned] [Bug 16855] Multiple correctness issues with javascript URLs
bugzilla-daemon at webkit.org
Thu Jun 4 17:15:56 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=16855
michaeln at google.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michaeln at google.com
------- Comment #5 from michaeln at google.com 2009-06-04 17:15 PDT -------
Also see http://code.google.com/p/chromium/issues/detail?id=12161
Chrome has a P1 crashing bug around this. In cases where the script url
constructs a document that initiates subresource loads as follows...
<head>
<script language="JavaScript">
function FrameContents()
{
  var doc = theFrame.document;
  doc.open();
  doc.write('<img src=image.png>');
  doc.close();
  return "";
}
</script>
</head>
<frameset>
  <frame name="theFrame" target=menu src="javascript:parent.FrameContents()">
</frameset>
I have a patch that addresses both the crash and the correctness issue... the
constructed document should take precedence over the script's return value in
this case (IE and FF do that).
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.