[Webkit-unassigned] [Bug 42827] New: Use the js-execute-active(entered) Frame to check the user gesture of page instead of checking the top frame
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jul 22 08:19:08 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=42827
Summary: Use the js-execute-active(entered) Frame to check the
user gesture of page instead of checking the top frame
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://watchthesimpsons.com/
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Frames
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jnd at chromium.org
CC: darin at apple.com, abarth at webkit.org, yurys at chromium.org
Created an attachment (id=62300)
--> (https://bugs.webkit.org/attachment.cgi?id=62300)
test case
On chromium with enabling popup blocker, http://watchthesimpsons.com/ bypassed the popup blocker [firefox does block it]
The attachment is the test case to reproduce this issue.
The following is my investigation.
The window.open is called in the iframe without user-initiated.
On Safari, it uses WebCore::Setting::m_javaScriptCanOpenWindowsAutomatically flag to do the popup blocker, when enabling popup blocker, m_javaScriptCanOpenWindowsAutomatically is set to true, so DOMWindow::allowPopUp returns false to deny to open the window. So this issue can not be reproduced on Safari.
On Chromium, the flag WebCore::Setting::m_javaScriptCanOpenWindowsAutomatically is always true, the request of opening window is always passed to browser process to do the popup check. When enabling chromium's popup blocker, only user-initiated open request can be allowed.
In this issue, the window.open was called in the iframe without user-initiated. but when calling WebFrame::isProcessingUserGesture in RenderView::createView, in the function FrameLoader::isProcessingUserGesture, it checked top frame's user gesture status, since there was no script executed in top frame, ScriptController::processingUserGesture assumed it's user-initiated (line 166-167). Then chromium treated the opening window request is legal and granted the opening.
I think the current behavior in the frameloader is wrong, we should check the js-execute-active frame (entered frame in V8) instead of the top frame since the script execution can be initiated in any frame not only the top frame. Please refer to the right implementation of the WebCore::processingUserGesture (both JS and V8 version)
The issue does not reproduce on Chromium v5 stable and popup is blocked, but reproducible on the latest Chrome trunk. After digging in the WebKit trunk, I found before r62380 (http://trac.webkit.org/changeset/62380), the function ScriptController::processingUserGesture did only check the active frame's user gesture status not current frame, so even we call the function to check the top frame's user gesture status, it still can returned the right status. But just because the function tested if there are any Frame on the stack where JS is executing, it caused bug https://bugs.webkit.org/show_bug.cgi?id=41511, that's why Yury changed it in r62380.
My solution is adding a function in ScriptController to get the active/entered frame, so the function FrameLoader::isProcessingUserGesture can correctly test the user gesture status of the page.
Any comments?
@Darin, your are the author of FrameLoader(according to http://trac.webkit.org/changeset/17652/), would you please give your comments?
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list