[Webkit-unassigned] [Bug 47550] New: For WebKit plug-ins, beforeload can be called recursively (esp. with AdBlock style extensions)
bugzilla-daemon at webkit.org
Tue Oct 12 11:54:48 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=47550
Summary: For WebKit plug-ins, beforeload can be called recursively (esp. with AdBlock style extensions)
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: Plug-ins
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: ap at webkit.org
CC: mitz at webkit.org, simon.fraser at apple.com
Created an attachment (id=70550)
--> (https://bugs.webkit.org/attachment.cgi?id=70550&action=review)
test case (change MIME type to a plug-in you have installed)
This happens with AdBlock extension and any WebKit-style plug-in:
1. Add a plug-in element to a document.
2. Access any property, e.g. myPlugin.myProperty. This makes the plug-in load, since myProperty can be defined in the plug-in. As the plug-in is loaded, a beforeload event is dispatched.
3. In beforeload handler, access e.g. myPlugin.nodeName. Since the plug-in hasn't loaded yet, we go back into HTMLObjectElement::updateWidget(), and dispatch beforeload again.
Two of the ways updateWidget is triggered are style resolution and layout. The interaction of these results in one recursive call, and the Widget object is also created twice. So, the plug-in is stopped, and malfunctions in the future.
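An added model of the re-entrant dispatch described in steps 2-3 (not the attached test case and not WebKit code): `loadPlugin` stands in for HTMLObjectElement::updateWidget(), property getters stand in for the accesses that force a plug-in load, and the `loading` flag is a hypothetical re-entrancy guard, not a fix taken from the report.

```javascript
// Illustrative model of the bug, not WebKit code. loadPlugin() plays the role
// of updateWidget(): dispatch beforeload, then create the Widget. Any property
// access on a not-yet-loaded plug-in element calls it, as in the report.
function makePluginElement(options) {
  const guardReentry = !!(options && options.guardReentry);
  const el = {
    listeners: [],
    widgetsCreated: 0,   // how many Widget objects updateWidget() produced
    loaded: false,
    loading: false,      // hypothetical guard flag (assumption, not from the report)
    addEventListener(type, fn) { if (type === 'beforeload') el.listeners.push(fn); },
    loadPlugin() {
      if (el.loaded) return;
      if (guardReentry && el.loading) return;  // hardened: ignore nested calls
      el.loading = true;
      for (const fn of el.listeners) fn({ type: 'beforeload', target: el });
      el.widgetsCreated++;                     // second Widget = the reported malfunction
      el.loaded = true;
      el.loading = false;
    },
    get nodeName() { el.loadPlugin(); return 'OBJECT'; },   // step 3 access
    get myProperty() { el.loadPlugin(); return undefined; }, // step 2 access
  };
  return el;
}

// Reproduce steps 2-3 and measure how deeply beforeload nests and how many
// Widgets get created. guardReentry=false is the behaviour in the report.
function runScenario(guardReentry) {
  const el = makePluginElement({ guardReentry });
  let depth = 0, maxDepth = 0, dispatches = 0;
  el.addEventListener('beforeload', () => {
    depth++; dispatches++; maxDepth = Math.max(maxDepth, depth);
    try {
      // Touch the element only from the outermost handler so the model stays
      // bounded; the report says the real engine makes exactly one recursive call.
      if (depth === 1) void el.nodeName;
    } finally { depth--; }
  });
  void el.myProperty;  // step 2: first property access triggers the plug-in load
  return { dispatches, maxDepth, widgetsCreated: el.widgetsCreated };
}

console.log('unguarded:', runScenario(false));  // dispatches 2, maxDepth 2, 2 Widgets
console.log('guarded:  ', runScenario(true));   // dispatches 1, maxDepth 1, 1 Widget
```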
<rdar://problem/8353386>