Bug 146228

Summary: [WK1] WebAllowDenyPolicyListener.denyOnlyThisRequest() should not start a new permission request
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebCore Misc.Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, benjamin, dbates
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Chris Dumez 2015-06-22 19:46:59 PDT 
On WebKit1, WebAllowDenyPolicyListener.denyOnlyThisRequest() currently denies the pending request (as is expected) but then starts a new permission requests right away (not expected).
This means that if the client application keeps calling WebAllowDenyPolicyListener.denyOnlyThisRequest(), we'll end up in an infinite loop, even though the application did not make any new geolocation requests.
Comment 1 Chris Dumez 2015-06-22 19:47:07 PDT 
rdar://problem/15179262
Comment 2 Chris Dumez 2015-06-22 19:58:54 PDT 
Created attachment 255391 [details]
Patch
Comment 3 Daniel Bates 2015-06-22 20:54:02 PDT 
Comment on attachment 255391 [details]
Patch

OK.
Comment 4 Chris Dumez 2015-06-22 20:55:15 PDT 
Comment on attachment 255391 [details]
Patch

Clearing flags on attachment: 255391

Committed r185860: <http://trac.webkit.org/changeset/185860>
Comment 5 Chris Dumez 2015-06-22 20:55:18 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 6 Benjamin Poulain 2015-06-22 21:25:51 PDT 
This looks fishy as hell. I have a hard time believing this is correct.

You don't even need to remove the object from the GeolocationController? Can you just leave the watcher pending like that? No need to call their callback?
Comment 7 Chris Dumez 2015-06-22 22:18:48 PDT 
(In reply to comment #6)
> This looks fishy as hell. I have a hard time believing this is correct.

Ok, we can discuss this tomorrow. The app I was testing uses getCurrentPosition(), not watchPosition(). Your comments seem to be related to watchers so it is possible I missed something there. 

> You don't even need to remove the object from the GeolocationController?
> Can you just leave the watcher pending like that? No need to call their callback?

Maybe I misunderstand the question but the watcher's error callback *does* get called with a PermissionDenied error when Geolocation::setAllowed(false) is called.

The GeoNotifier will then call Geolocation::fatalErrorOccurred(), which will unregister the watcher or the "oneShot" from Geolocation. If there are no more listeners, Geolocation will then remove itself from the GeolocationController.
Comment 8 Benjamin Poulain 2015-06-22 22:24:25 PDT 
(In reply to comment #7)
> (In reply to comment #6)
> > This looks fishy as hell. I have a hard time believing this is correct.
> 
> Ok, we can discuss this tomorrow. The app I was testing uses
> getCurrentPosition(), not watchPosition(). Your comments seem to be related
> to watchers so it is possible I missed something there. 
> 
> > You don't even need to remove the object from the GeolocationController?
> > Can you just leave the watcher pending like that? No need to call their callback?
> 
> Maybe I misunderstand the question but the watcher's error callback *does*
> get called with a PermissionDenied error when Geolocation::setAllowed(false)
> is called.
> 
> The GeoNotifier will then call Geolocation::fatalErrorOccurred(), which will
> unregister the watcher or the "oneShot" from Geolocation. If there are no
> more listeners, Geolocation will then remove itself from the
> GeolocationController.

My bad, I misunderstood what this was for. I did not see this was only called after a proper deny().