[Webkit-unassigned] [Bug 50254] New: Canceled frame loads can corrupt back forward list

bugzilla-daemon at webkit.org
Tue Nov 30 11:19:43 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=50254

           Summary: Canceled frame loads can corrupt back forward list
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Frames
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: creis at chromium.org
                CC: beidson at apple.com, fishd at chromium.org


Created an attachment (id=75173)
 --> (https://bugs.webkit.org/attachment.cgi?id=75173&action=review)
Forward and cancel frame test

If a page load is canceled, FrameLoader::checkLoadCompleteForThisFrame resets the back forward list to the previously committed history item, using:
  page->backForward()->setCurrentItem(item.get());

However, this logic only runs if the canceled page load is a main frame.  If a frame load is canceled, the back forward list is left pointing to the canceled item.  This leads to incorrect behavior if the user goes back or forward.

The attached test case can demonstrate this if copied to LayoutTests/http/tests/navigation/.  Going back after canceling the frame load copies the 3rd entry into the 2nd slot.

Not sure what the fix is yet, since calling setCurrentItem on subframe loads doesn't help.
