<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Possible null pointer dereference in WebSocket::connect"

   href="https://bugs.webkit.org/show_bug.cgi?id=149864">149864</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Possible null pointer dereference in WebSocket::connect

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Other

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>mcatanzaro&#64;igalia.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>I noticed this issue due to the fix for <a class="bz_bug_link 

          bz_status_RESOLVED  bz_closed"

   title="RESOLVED FIXED - Null dereference loading Blink layout test http/tests/websocket/construct-in-detached-frame.html"

   href="show_bug.cgi?id=149311">bug #149311</a>.

Later down in WebSocket::connect() there is a call to document.frame()-&gt;loader().mixedContentChecker(). I don't see why that doesn't crash now, since it occurs if (is&lt;Document&gt;(*scriptExecutionContext()), the same condition as the null dereference of frame up above, which was problematic in <a class="bz_bug_link 

          bz_status_RESOLVED  bz_closed"

   title="RESOLVED FIXED - Null dereference loading Blink layout test http/tests/websocket/construct-in-detached-frame.html"

   href="show_bug.cgi?id=149311">bug #149311</a>. That was &quot;safe&quot; when I added it because document.frame() was assumed to be nonnull up above, but clearly that was wrong and is now no longer the case.

I guess if it's not crashing (is it returning early on an error path?), then it might not be a problem, but it looks dangerous in light of this change... do we need to add a check to make sure frame is not null there? If so, do we need to rethink how to gain access to the mixed content checker, or is the content in a detached frame not going to be loaded? We need to be careful not to accidentally allow loading insecure content here.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>