WebKit Bugzilla
Attachment 339994 Details for Bug 185475: REGRESSION (r231479): com.apple.WebCore crash in WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied()
Patch: bug-185475-20180509113332.patch (text/plain), 3.01 KB, created by Daniel Bates on 2018-05-09 11:33:32 PDT
Description: Patch
Filename: bug-185475-20180509113332.patch
MIME Type: text/plain
Creator: Daniel Bates
Created: 2018-05-09 11:33:32 PDT
Size: 3.01 KB
Marked as: patch, obsolete
>Subversion Revision: 231403 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 07f59a26ac217fdf6f3b7c1f4f2927fc4c189852..79adbb4771321ecbb21a96d75c25299641dc026c 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,28 @@ >+2018-05-09 Daniel Bates <dabates@apple.com> >+ >+ REGRESSION (r231479): com.apple.WebCore crash in WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied >+ https://bugs.webkit.org/show_bug.cgi?id=185475 >+ <rdar://problem/40093853> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() must extends its lifetime >+ until completion as dispatching a DOM load event at the associated frame can cause JavaScript execution >+ that can do anything, including destroying the loader that dispatched the event. >+ >+ Following r231479 DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() is now >+ invoked by both DocumentLoader::responseReceived() and WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(). >+ The latter only can happen when using WebKit2 and the experimental feature Restricted HTTP Response Access >+ is enabled (RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()). Unlike DocumentLoader::responseReceived() >+ WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() does not take out a ref >+ on the DocumentLoader before invoking DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(). >+ Therefore, DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() can cause its >+ own destruction as a result of dispatching a DOM load event at the frame. We should take out a ref on >+ the DocumentLoader when executing DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(). >+ >+ * loader/DocumentLoader.cpp: >+ (WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied): >+ > 2018-05-07 Daniel Bates <dabates@apple.com> > > Check X-Frame-Options and CSP frame-ancestors in network process 
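Review bot: the rationale paragraph in the ChangeLog entry has two grammar slips that should be fixed before landing: "must extends its lifetime" should read "must extend its lifetime", and "The latter only can happen" reads better as "The latter can only happen". The "Reviewed by NOBODY (OOPS!)" line is the placeholder and still needs the reviewer's name.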
>diff --git a/Source/WebCore/loader/DocumentLoader.cpp b/Source/WebCore/loader/DocumentLoader.cpp >index 04b34e5503901cba3a05440259509f1a51ad52c4..bd8e4b4d1c279823dab4063b07eb95c038b9b312 100644 >--- a/Source/WebCore/loader/DocumentLoader.cpp >+++ b/Source/WebCore/loader/DocumentLoader.cpp >@@ -727,6 +727,7 @@ void DocumentLoader::restartLoadingDueToServiceWorkerRegistrationChange(Resource > > void DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long identifier, const ResourceResponse& response) > { >+ Ref<DocumentLoader> protectedThis { *this }; > InspectorInstrumentation::continueAfterXFrameOptionsDenied(*m_frame, identifier, *this, response); > m_frame->document()->enforceSandboxFlags(SandboxOrigin); > if (HTMLFrameOwnerElement* ownerElement = m_frame->ownerElement())
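Review bot: the added `Ref<DocumentLoader> protectedThis { *this };` at the top of stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() keeps the DocumentLoader itself alive for the whole function, which matches the ChangeLog rationale, but it does not keep `m_frame` or its document alive, and the following context lines dereference `m_frame` unchecked (`*m_frame`, `m_frame->document()`, `m_frame->ownerElement()`). If the load event this function dispatches can detach the frame as well as destroy the loader, the `m_frame` uses after that dispatch need a null check or a `Ref<Frame>` protector too; either add that, or state in the ChangeLog why the frame is guaranteed to survive.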
Flags: aestes: review+