[Webkit-unassigned] [Bug 167421] Crash when navigating back to a page in PacheCache when one of its frames has been removed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 25 09:23:53 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=167421

Chris Dumez <cdumez at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ggaren at apple.com

--- Comment #1 from Chris Dumez <cdumez at apple.com> ---
My short-term proposal would be to lock this down by preventing page-caching if:
1. The window has an opener (because that opener might script us after we go into the cache)
2. The window has ever called window.open() (because those windows might script their opener and that opener's document may enter PageCache on navigation). <- Thanks Alexey for pointing this out.

We may be able to come up with a more precise way of detecting that another window can script a document that is about to enter PageCache (i.e. that other window hold a wrapper to the about-to-be-cached document or one of its Nodes). But short term, this would lock prevent this class of bugs.

If we allow page caching here, we would have to somehow make sure that:
- We never run script in that PageCached document
- DOM mutations to PageCached documents do not cause crashes (May end up being difficult because this is not something we have handled in the past and I suspect there is a lot of code that will not deal properly with mutating the tree while in PageCache).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170125/201c4f74/attachment.html>


More information about the webkit-unassigned mailing list