[Webkit-unassigned] [Bug 189373] New: No-op document.open() calls should not have any side effects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 6 14:26:32 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=189373

            Bug ID: 189373
           Summary: No-op document.open() calls should not have any side
                    effects
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: timothygu99 at gmail.com
                CC: cdumez at apple.com

See https://github.com/WebKit/webkit/blob/ba62d1cc832b5c357da6532708c0db83a2d8216e/Source/WebCore/dom/Document.cpp#L2670-L2686:

    if (responsibleDocument) {
        setURL(responsibleDocument->url());
        setCookieURL(responsibleDocument->cookieURL());
        setSecurityOriginPolicy(responsibleDocument->securityOriginPolicy());
    }

    if (m_frame) {
        if (ScriptableDocumentParser* parser = scriptableDocumentParser()) {
            if (parser->isParsing()) {
                // FIXME: HTML5 doesn't tell us to check this, it might not be correct.
                if (parser->isExecutingScript())
                    return;

                if (!parser->wasCreatedByScript() && parser->hasInsertionPoint())
                    return;
            }
        }
        ...
    }

The URL updates should not happen until after the active-parser checks. Per https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps, the URL update happens in step 11, while the early returns for an active parser are step 5.

>  5. If document has an active parser whose script nesting level is greater than 0, then return document.
>
> ...
>
> 11. If document is fully active, then:
>    1. Let newURL be a copy of entryDocument's URL.
>    2. If entryDocument is not document, then set newURL's fragment to null.
>    3. Run the URL and history update steps with document and newURL.

Test: https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-side-effects-synchronous-script.window.js
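To make the ordering problem concrete, here is an added model of the spec's document open steps, written for this report; it is neither WebKit code nor the WPT test. It keeps only the two steps that matter here, step 5 (bail out when the active parser's script nesting level is greater than 0) and step 11 (the URL update), and compares the spec order with the order in the Document.cpp snippet above. The field names (url, activeParser, scriptNestingLevel, fullyActive, body) and the sample URLs are assumptions made for the model.

```javascript
// Added example: a minimal model of the HTML "document open steps" showing why
// step 5 (active-parser bail-out) must run before step 11 (URL update).
// Field names and sample URLs are assumptions of this model, not WebKit APIs.

function makeDoc(url, opts = {}) {
  return {
    url,                                       // document's URL as a string
    fullyActive: opts.fullyActive ?? true,     // "document is fully active"
    activeParser: opts.activeParser ?? null,   // { scriptNestingLevel: n } or null
    body: opts.body ?? 'original body',        // stands in for the DOM that open() would clear
  };
}

// Models "set newURL's fragment to null" from step 11.2.
function withoutFragment(url) {
  const i = url.indexOf('#');
  return i === -1 ? url : url.slice(0, i);
}

// Step 11 of the spec: copy the entry document's URL, dropping the fragment
// when the entry document is a different document.
function updateUrl(doc, entryDoc) {
  if (doc.fullyActive) {
    doc.url = entryDoc === doc ? entryDoc.url : withoutFragment(entryDoc.url);
  }
}

// Spec ordering: the bail-out (step 5) precedes every side effect, so an
// open() call made while the parser is executing a script is a true no-op.
function documentOpenSpec(doc, entryDoc) {
  if (doc.activeParser && doc.activeParser.scriptNestingLevel > 0) {
    return doc; // step 5: return document; nothing has been touched yet
  }
  doc.body = '';            // stands in for steps 6-10 (document is emptied and reset)
  updateUrl(doc, entryDoc); // step 11
  return doc;
}

// Ordering from the Document.cpp snippet in the report: the URL (and, in
// WebKit, the cookie URL and security origin policy) is updated before the
// parser check, so even a bailed-out open() leaves the document's URL changed.
function documentOpenWebKitOrder(doc, entryDoc) {
  updateUrl(doc, entryDoc);
  if (doc.activeParser && doc.activeParser.scriptNestingLevel > 0) {
    return doc; // bails out, but the URL update above already happened
  }
  doc.body = '';
  return doc;
}

// Scenario: document.open() is called on a document whose parser is currently
// executing a synchronous script, from an entry document with a different URL.
// Returns the observable state afterwards so both orderings can be compared.
function runScenario(open) {
  const entry = makeDoc('https://example.test/parent.html#frag');      // constructed sample
  const doc = makeDoc('https://example.test/child.html', {            // constructed sample
    activeParser: { scriptNestingLevel: 1 },
  });
  open(doc, entry);
  return { url: doc.url, body: doc.body };
}

// Scenario without an active parser: open() really runs, and the fragment
// handling of step 11.2 is observable.
function runNonBailoutScenario(sameDocument) {
  const entry = makeDoc('https://example.test/a.html#x');              // constructed sample
  const doc = sameDocument ? entry : makeDoc('https://example.test/b.html');
  documentOpenSpec(doc, entry);
  return doc.url;
}

module.exports = { makeDoc, withoutFragment, documentOpenSpec, documentOpenWebKitOrder, runScenario, runNonBailoutScenario };
```

With the spec ordering, runScenario leaves both the URL and the body untouched; with the snippet's ordering, the body is untouched but the URL has already become the entry document's URL, which is exactly the side effect the WPT test checks for.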
