[Webkit-unassigned] [Bug 76686] New: HistoryItem not updated properly when a form submission begins before a previous form submission has finished

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 19 22:52:28 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=76686

           Summary: HistoryItem not updated properly when a form
                    submission begins before a previous form submission
                    has finished
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: History
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fishd at chromium.org
                CC: creis at chromium.org, mihaip at chromium.org


HistoryItem not updated properly when a form submission begins before a previous form submission has finished

Given content such as the following:

a.php:
  <form method="post" action="b.php">...</form>

b.php:
  <form method="post" action="c.php">...</form>
  <script>document.forms[0].submit()</script>

c.php:
  <b>hello world</b>

The submission to c.php that occurs while b.php is still loading (following the form submission from a.php to b.php) results in WebKit failing to properly update the HistoryItem.  While the browser will think it is on c.php, navigating away from c.php and then back again will actually cause a form submission to b.php to be repeated!

I believe this occurs because FrameLoader::loadPostRequest() fails to call DocumentLoader::setIsClientRedirect() in the same manner that FrameLoader::loadURL() does.  It should do so after calling loadWithNavigationAction() based on the prior value of m_quickRedirectComing.  As a result, HistoryController::updateForRedirectWithLockedBackForwardList() does not see the isClientRedirect() flag set to true, and it thus fails to call updateCurrentItem().

Incidentally, this bug does not exist if the testcase is placed in a subframe.  That appears to be due to the code in updateForRedirectWithLockedBackForwardList(), which will re-create the HistoryItems for subframes only.  I'm not sure what to make of that.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list