[Webkit-unassigned] [Bug 194131] New: Load events may occur in wrong order when JS redirects page before subresource load finishes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 31 17:38:22 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=194131

            Bug ID: 194131
           Summary: Load events may occur in wrong order when JS redirects
                    page before subresource load finishes
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com
                CC: beidson at apple.com, bugs-noreply at webkitgtk.org,
                    cdumez at apple.com

Save the following as test.html and load it in MiniBrowser:

<img src="https://www.example.com:8080/example.png"/>
<script>
function run()
{
    location = "https://www.example.com:8080";
}

setInterval(run(),100000);
</script>

Open that with WEBKIT_DEBUG="loading" and observe the load proceeds as follows: didStartProvisionalLoadForFrame -> didCommitLoadForFrame -> didStartProvisionalLoadForFrame.

But I think the expected behavior would be  didStartProvisionalLoadForFrame -> didCommitLoadForFrame -> didFinishLoadForFrame -> didStartProvisionalLoadForFrame. Right?

Applications (at least applications using the GTK/WPE APIs) expect load events to occur in the well-defined order start -> reload (optional) -> committed -> finished. When start occurs before finished, very strange bugs occur. It would be nice to fix this in WebCore rather than papering over it at the GTK/WPE API layer. (We used to paper over weird load event quirks there, but it resulted in many bugs, and I think this is the first trouble we've found since we stopped doing so.)

Note: this is related to Epiphany CVE-2019-6251.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190201/8383911a/attachment-0001.html>

More information about the webkit-unassigned mailing list