[Webkit-unassigned] [Bug 42365] HTML5 Parser: document.write in a asynchronous script which is specified to load before page finish blows away document
bugzilla-daemon at webkit.org
Thu Jul 22 10:24:56 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=42365
--- Comment #7 from Tony Gentilcore <tonyg at chromium.org> 2010-07-22 10:24:56 PST ---
(In reply to comment #6)
> Adam's r63165: <http://trac.webkit.org/changeset/63165> already fixed the issue on http://www.tianya.cn/publicforum/articleslist/0/funinfo.shtml.
>
> But there is a race condition. If "show_ads.js" is the last resource of the main doc, then the parser will be closed before executing "show_ads.js". Then, when executing "show_ads.js", document.write will blow away the document. (Like the test case I gave in this issue.)
Here's another site that repros:
https://www.delta.com/booking/searchFlights.do?displayTripType=multicity
This appears to be the trigger that adds the async script:
<script type="text/javascript" language="JavaScript">
function embedChat(){
    var chatScript = document.createElement('script');
    chatScript.type = 'text/javascript';
    chatScript.src = "https://kanachat.delta.com/tracker/vtc.php?orgid=1044339&ichannelid=Y91zET1044345";
    get("online_chat").appendChild(chatScript);
}
addEvent(window, 'load', embedChat, false);
</script>
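Added example, not part of the original bug comment or of WebKit: a page-side guard a site could install before injecting a script after load (as embedChat does above), so that a late document.write from that script lands in a container instead of reopening the document. The names installWriteGuard, writeHasInsertionPoint, doc and container are assumptions made for this sketch.

```javascript
// Added example (hypothetical helper names). `doc` is a Document and
// `container` is the element late output should be appended to.

// True only when a parser-blocking classic script is running while the
// parser is still open, i.e. document.write has a defined insertion point.
function writeHasInsertionPoint(doc) {
  const s = doc.currentScript; // null inside timers and event handlers
  // Script-inserted scripts report async === true by default.
  return doc.readyState === 'loading' && !!s && !s.async && !s.defer;
}

function installWriteGuard(doc, container) {
  const nativeWrite = doc.write;
  const nativeWriteln = doc.writeln;
  const redirected = []; // kept so the page can log who wrote late

  function guardedWrite(...chunks) {
    const markup = chunks.join('');
    if (writeHasInsertionPoint(doc)) {
      // Ordinary in-parse write: let the parser handle it.
      return nativeWrite.call(doc, markup);
    }
    // Async or post-parse write: never reaches the native method, so it
    // cannot reopen the document. <script> tags inside the markup are not
    // executed when inserted this way.
    redirected.push(markup);
    container.insertAdjacentHTML('beforeend', markup);
    return undefined;
  }

  doc.write = guardedWrite;
  doc.writeln = (...chunks) => guardedWrite(...chunks, '\n');

  return {
    redirected,
    restore() {
      doc.write = nativeWrite;
      doc.writeln = nativeWriteln;
    },
  };
}
```

In the embedChat case the guard would be installed with the "online_chat" element as the container just before the script element is appended.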