Bug 197466

Summary:

Setting a frame's src to a javascript URL should not run it synchronously

Product:

WebKit

Reporter:

Chris Dumez <cdumez>

Component:

WebCore Misc.

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, ap, beidson, bfulgham, commit-queue, darin, dbates, ews-watchlist, ggaren, japhet, koivisto, mkwst, rniwa, tsavell, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

197664

Bug Blocks:

Attachments:

Description	Flags
WIP Patch	ews-watchlist: commit-queue-
Archive of layout-test-results from ews106 for mac-highsierra-wk2	none
Archive of layout-test-results from ews115 for mac-highsierra	none
Archive of layout-test-results from ews122 for ios-simulator-wk2	none
Archive of layout-test-results from ews101 for mac-highsierra	none
WiP Patch	none
WiP Patch	none
WiP Patch	none
WiP Patch	ews-watchlist: commit-queue-
Archive of layout-test-results from ews103 for mac-highsierra	none
Archive of layout-test-results from ews104 for mac-highsierra-wk2	none
Archive of layout-test-results from ews114 for mac-highsierra	none
WiP Patch	none
WiP Patch	none
WiP Patch	none
WiP Patch	ews-watchlist: commit-queue-
Archive of layout-test-results from ews104 for mac-highsierra-wk2	none
Archive of layout-test-results from ews101 for mac-highsierra	none
Archive of layout-test-results from ews114 for mac-highsierra	none
Archive of layout-test-results from ews125 for ios-simulator-wk2	none
WIP Patch	none
Patch	none
Patch	none
Patch	none
Archive of layout-test-results from ews103 for mac-highsierra	none
Archive of layout-test-results from ews115 for mac-highsierra	none
Archive of layout-test-results from ews105 for mac-highsierra-wk2	none
Archive of layout-test-results from ews123 for ios-simulator-wk2	none
Archive of layout-test-results from ews210 for win-future	none
Patch	none
Archive of layout-test-results from ews103 for mac-highsierra	none
Archive of layout-test-results from ews107 for mac-highsierra-wk2	none
Archive of layout-test-results from ews126 for ios-simulator-wk2	none
Patch	none
Patch	none
Patch	none
Patch	none

Description Chris Dumez 2019-05-01 10:23:12 PDT

Setting a frame's src to a javascript URL should not run it synchronously. Firefox and Chrome appear to schedule a navigation to that javascript URL instead.

Comment 1 Chris Dumez 2019-05-01 10:24:42 PDT

Created attachment 368683 [details]
WIP Patch

Comment 2 EWS Watchlist 2019-05-01 11:44:36 PDT

Comment on attachment 368683 [details]
WIP Patch

Attachment 368683 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12052645

New failing tests:
fast/parser/iframe-sets-parent-to-javascript-url.html
fast/dom/javascript-url-exception-isolation.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/loader/nested-document-handling.html

Comment 3 EWS Watchlist 2019-05-01 11:44:37 PDT

Created attachment 368689 [details]
Archive of layout-test-results from ews106 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-highsierra-wk2  Platform: Mac OS X 10.13.6

Comment 4 EWS Watchlist 2019-05-01 12:14:30 PDT

Comment on attachment 368683 [details]
WIP Patch

Attachment 368683 [details] did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12052681

New failing tests:
fast/parser/iframe-sets-parent-to-javascript-url.html
fast/dom/javascript-url-exception-isolation.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/loader/nested-document-handling.html

Comment 5 EWS Watchlist 2019-05-01 12:14:32 PDT

Created attachment 368690 [details]
Archive of layout-test-results from ews115 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 6 EWS Watchlist 2019-05-01 12:22:18 PDT

Comment on attachment 368683 [details]
WIP Patch

Attachment 368683 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12052692

New failing tests:
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
fast/loader/javascript-url-in-embed.html
fast/dom/javascript-url-exception-isolation.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
fast/loader/nested-document-handling.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/parser/iframe-sets-parent-to-javascript-url.html

Comment 7 EWS Watchlist 2019-05-01 12:22:20 PDT

Created attachment 368691 [details]
Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-wk2  Platform: Mac OS X 10.14.4

Comment 8 EWS Watchlist 2019-05-01 12:34:54 PDT

Comment on attachment 368683 [details]
WIP Patch

Attachment 368683 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12052921

New failing tests:
fast/dom/javascript-url-exception-isolation.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
fast/loader/nested-document-handling.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/parser/iframe-sets-parent-to-javascript-url.html

Comment 9 EWS Watchlist 2019-05-01 12:34:56 PDT

Created attachment 368693 [details]
Archive of layout-test-results from ews101 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 10 Chris Dumez 2019-05-01 13:35:41 PDT

Created attachment 368699 [details]
WiP Patch

Comment 11 Chris Dumez 2019-05-01 14:10:24 PDT

Created attachment 368706 [details]
WiP Patch

Comment 12 Chris Dumez 2019-05-01 14:18:56 PDT

Created attachment 368709 [details]
WiP Patch

Comment 13 Chris Dumez 2019-05-01 14:20:01 PDT

Created attachment 368710 [details]
WiP Patch

Comment 14 EWS Watchlist 2019-05-01 15:11:21 PDT

Comment on attachment 368710 [details]
WiP Patch

Attachment 368710 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12054620

Number of test failures exceeded the failure limit.

Comment 15 EWS Watchlist 2019-05-01 15:11:23 PDT

Created attachment 368719 [details]
Archive of layout-test-results from ews103 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 16 EWS Watchlist 2019-05-01 15:43:38 PDT

Comment on attachment 368710 [details]
WiP Patch

Attachment 368710 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12054843

Number of test failures exceeded the failure limit.

Comment 17 EWS Watchlist 2019-05-01 15:43:39 PDT

Created attachment 368723 [details]
Archive of layout-test-results from ews104 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-highsierra-wk2  Platform: Mac OS X 10.13.6

Comment 18 EWS Watchlist 2019-05-01 15:59:33 PDT

Comment on attachment 368710 [details]
WiP Patch

Attachment 368710 [details] did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12054816

Number of test failures exceeded the failure limit.

Comment 19 EWS Watchlist 2019-05-01 15:59:35 PDT

Created attachment 368725 [details]
Archive of layout-test-results from ews114 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 20 Chris Dumez 2019-05-01 16:10:52 PDT

Created attachment 368729 [details]
WiP Patch

Comment 21 EWS Watchlist 2019-05-01 16:13:33 PDT

Attachment 368729 [details] did not pass style-queue:


ERROR: Source/WebCore/loader/SubframeLoader.cpp:106:  One line control clauses should not use braces.  [whitespace/braces] [4]
Total errors found: 1 in 22 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 22 Chris Dumez 2019-05-01 16:27:49 PDT

Created attachment 368732 [details]
WiP Patch

Comment 23 EWS Watchlist 2019-05-01 16:29:26 PDT

Attachment 368732 [details] did not pass style-queue:


ERROR: Source/WebCore/loader/SubframeLoader.cpp:106:  One line control clauses should not use braces.  [whitespace/braces] [4]
Total errors found: 1 in 25 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 24 Chris Dumez 2019-05-01 16:44:40 PDT

Created attachment 368734 [details]
WiP Patch

Comment 25 Chris Dumez 2019-05-01 17:00:46 PDT

Created attachment 368736 [details]
WiP Patch

Comment 26 EWS Watchlist 2019-05-01 18:06:31 PDT

Comment on attachment 368736 [details]
WiP Patch

Attachment 368736 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12056530

New failing tests:
webarchive/loading/javascript-url-iframe-crash.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html
js/dom/call-base-resolution.html
fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
fast/loader/javascript-url-iframe-remove-on-navigate.html
fast/parser/xml-error-adopted.xml

Comment 27 EWS Watchlist 2019-05-01 18:06:33 PDT

Created attachment 368741 [details]
Archive of layout-test-results from ews104 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-highsierra-wk2  Platform: Mac OS X 10.13.6

Comment 28 EWS Watchlist 2019-05-01 18:08:16 PDT

Comment on attachment 368736 [details]
WiP Patch

Attachment 368736 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12056564

New failing tests:
fast/parser/xml-error-adopted.xml
webarchive/loading/javascript-url-iframe-crash.html
js/dom/call-base-resolution.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html

Comment 29 EWS Watchlist 2019-05-01 18:08:18 PDT

Created attachment 368742 [details]
Archive of layout-test-results from ews101 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 30 EWS Watchlist 2019-05-01 19:01:48 PDT

Comment on attachment 368736 [details]
WiP Patch

Attachment 368736 [details] did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12056748

New failing tests:
webarchive/loading/javascript-url-iframe-crash.html
js/dom/call-base-resolution.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html

Comment 31 EWS Watchlist 2019-05-01 19:01:50 PDT

Created attachment 368750 [details]
Archive of layout-test-results from ews114 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 32 EWS Watchlist 2019-05-01 19:38:26 PDT

Comment on attachment 368736 [details]
WiP Patch

Attachment 368736 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12057226

New failing tests:
webarchive/loading/javascript-url-iframe-crash.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html
js/dom/call-base-resolution.html
fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
fast/loader/javascript-url-iframe-remove-on-navigate.html
fast/parser/xml-error-adopted.xml

Comment 33 EWS Watchlist 2019-05-01 19:38:28 PDT

Created attachment 368751 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.14.4

Comment 34 Chris Dumez 2019-05-01 20:26:24 PDT

Created attachment 368755 [details]
WIP Patch

Comment 35 Chris Dumez 2019-05-01 20:38:23 PDT

Created attachment 368756 [details]
Patch

Comment 36 EWS Watchlist 2019-05-01 20:41:45 PDT

Attachment 368756 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 37 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 37 Chris Dumez 2019-05-01 21:01:30 PDT

Created attachment 368757 [details]
Patch

Comment 38 EWS Watchlist 2019-05-01 21:03:58 PDT

Attachment 368757 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 34 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 39 Chris Dumez 2019-05-01 21:06:10 PDT

Created attachment 368758 [details]
Patch

Comment 40 EWS Watchlist 2019-05-01 21:07:42 PDT

Attachment 368758 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 34 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 41 EWS Watchlist 2019-05-01 22:00:37 PDT

Comment on attachment 368758 [details]
Patch

Attachment 368758 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12058925

Number of test failures exceeded the failure limit.

Comment 42 EWS Watchlist 2019-05-01 22:00:39 PDT

Created attachment 368762 [details]
Archive of layout-test-results from ews103 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 43 EWS Watchlist 2019-05-01 22:31:48 PDT

Comment on attachment 368758 [details]
Patch

Attachment 368758 [details] did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12058946

Number of test failures exceeded the failure limit.

Comment 44 EWS Watchlist 2019-05-01 22:31:50 PDT

Created attachment 368763 [details]
Archive of layout-test-results from ews115 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 45 EWS Watchlist 2019-05-01 22:45:07 PDT

Comment on attachment 368758 [details]
Patch

Attachment 368758 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12059081

New failing tests:
svg/as-object/svg-embedded-in-html-in-iframe.html
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_javascript_url_01.htm
fast/dom/javascript-url-crash-function.html
fast/parser/iframe-sets-parent-to-javascript-url.html
webarchive/loading/javascript-url-iframe-crash.html
imported/blink/loader/iframe-sync-loads.html
http/tests/security/xssAuditor/non-block-javascript-url-frame.html
fast/loader/javascript-url-encoding.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-query-fragment-components.html
fast/loader/nested-document-handling.html
http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe.html
fast/frames/cached-frame-counter.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-return-value-handling.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url.html
fast/parser/javascript-url-compat-mode.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/misc/javascript-url-stop-loaders.html
fast/events/frame-programmatic-focus.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-sub-frame.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/dom/frame-src-javascript-url-async.html
http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-to-javascript-url-sub-frame.html

Comment 46 EWS Watchlist 2019-05-01 22:45:09 PDT

Created attachment 368764 [details]
Archive of layout-test-results from ews105 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-highsierra-wk2  Platform: Mac OS X 10.13.6

Comment 47 EWS Watchlist 2019-05-01 23:16:42 PDT

Comment on attachment 368758 [details]
Patch

Attachment 368758 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12059057

New failing tests:
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_javascript_url_01.htm
fast/dom/javascript-url-crash-function.html
fast/loader/nested-document-handling.html
webarchive/loading/javascript-url-iframe-crash.html
imported/blink/loader/iframe-sync-loads.html
http/tests/security/xssAuditor/non-block-javascript-url-frame.html
fast/loader/javascript-url-encoding.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-query-fragment-components.html
fast/parser/iframe-sets-parent-to-javascript-url.html
http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe.html
fast/frames/cached-frame-counter.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-return-value-handling.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url.html
fast/parser/javascript-url-compat-mode.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/misc/javascript-url-stop-loaders.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-sub-frame.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/dom/frame-src-javascript-url-async.html
http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-to-javascript-url-sub-frame.html

Comment 48 EWS Watchlist 2019-05-01 23:16:47 PDT

Created attachment 368765 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.14.4

Comment 49 EWS Watchlist 2019-05-02 10:10:59 PDT

Comment on attachment 368758 [details]
Patch

Attachment 368758 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/12062769

Number of test failures exceeded the failure limit.

Comment 50 EWS Watchlist 2019-05-02 10:11:07 PDT

Created attachment 368781 [details]
Archive of layout-test-results from ews210 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews210  Port: win-future  Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Comment 51 Chris Dumez 2019-05-02 10:35:56 PDT

Created attachment 368786 [details]
Patch

Comment 52 EWS Watchlist 2019-05-02 10:37:49 PDT

Attachment 368786 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 36 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 53 EWS Watchlist 2019-05-02 11:20:34 PDT

Comment on attachment 368786 [details]
Patch

Attachment 368786 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12063566

New failing tests:
imported/w3c/web-platform-tests/webmessaging/with-ports/018.html

Comment 54 EWS Watchlist 2019-05-02 11:20:37 PDT

Created attachment 368793 [details]
Archive of layout-test-results from ews103 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-highsierra  Platform: Mac OS X 10.13.6

Comment 55 EWS Watchlist 2019-05-02 11:30:08 PDT

Comment on attachment 368786 [details]
Patch

Attachment 368786 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12063571

New failing tests:
imported/w3c/web-platform-tests/webmessaging/with-ports/018.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html

Comment 56 EWS Watchlist 2019-05-02 11:30:11 PDT

Created attachment 368796 [details]
Archive of layout-test-results from ews107 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-highsierra-wk2  Platform: Mac OS X 10.13.6

Comment 57 EWS Watchlist 2019-05-02 12:32:57 PDT

Comment on attachment 368786 [details]
Patch

Attachment 368786 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12063864

New failing tests:
imported/w3c/web-platform-tests/webmessaging/with-ports/018.html

Comment 58 EWS Watchlist 2019-05-02 12:33:00 PDT

Created attachment 368805 [details]
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126  Port: ios-simulator-wk2  Platform: Mac OS X 10.14.4

Comment 59 Chris Dumez 2019-05-02 12:34:13 PDT

Created attachment 368807 [details]
Patch

Comment 60 EWS Watchlist 2019-05-02 12:37:52 PDT

Attachment 368807 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 61 Chris Dumez 2019-05-02 13:25:20 PDT

Created attachment 368813 [details]
Patch

Comment 62 EWS Watchlist 2019-05-02 13:27:55 PDT

Attachment 368813 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 63 Darin Adler 2019-05-02 14:26:29 PDT

Comment on attachment 368813 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368813&action=review

> Source/WebCore/ChangeLog:10
> +        to execute it asynchronously, which was a source of security bugs and also did

asynchronously -> synchronously

> Source/WebCore/loader/NavigationScheduler.cpp:425
> +        return completionHandler();

Heh, the "return void" debate. I will refrain from commenting further.

> Source/WebCore/loader/SubframeLoader.cpp:90
> +    // If we will schedule a javascript URL load, we need to delay the firing of the load event at least until we've run the javascript URL.

I think it’s strange wording to say "run the javascript URL"; maybe "run the JavaScript in the URL"?

Comment 64 Chris Dumez 2019-05-02 14:29:16 PDT

Created attachment 368821 [details]
Patch

Comment 65 EWS Watchlist 2019-05-02 14:32:15 PDT

Attachment 368821 [details] did not pass style-queue:


ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 66 Darin Adler 2019-05-02 14:41:33 PDT

> ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of
> security-sensitive phrasing could help someone exploit WebKit: security bug 
> [changelog/unwantedsecurityterms] [3]

Slightly surprised you decided to leave the word "security" in the change log.

Comment 67 Chris Dumez 2019-05-02 15:06:54 PDT

(In reply to Darin Adler from comment #66)
> > ERROR: Source/WebCore/ChangeLog:10:  Please consider whether the use of
> > security-sensitive phrasing could help someone exploit WebKit: security bug 
> > [changelog/unwantedsecurityterms] [3]
> 
> Slightly surprised you decided to leave the word "security" in the change
> log.

Ok, I will remove it. In the context, it did not particularly bother me.

Comment 68 Chris Dumez 2019-05-02 15:08:42 PDT

Created attachment 368825 [details]
Patch

Comment 69 WebKit Commit Bot 2019-05-02 15:24:34 PDT

Comment on attachment 368825 [details]
Patch

Clearing flags on attachment: 368825

Committed r244892: <https://trac.webkit.org/changeset/244892>

Comment 70 WebKit Commit Bot 2019-05-02 15:24:37 PDT

All reviewed patches have been landed.  Closing bug.

Comment 71 Radar WebKit Bug Importer 2019-05-02 15:26:41 PDT

<rdar://problem/50424426>

Comment 72 Truitt Savell 2019-05-07 09:05:26 PDT

It looks like the new test fast/dom/frame-src-javascript-url-async.html

added in https://trac.webkit.org/changeset/244892/webkit

is flakey. History:
https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=fast%2Fdom%2Fframe-src-javascript-url-async.html