RESOLVED FIXED 187411
REGRESSION (r219757): Accessing response getter of XHR instance from IFRAME sets constructor to Object from the IFRAME 
https://bugs.webkit.org/show_bug.cgi?id=187411
Summary REGRESSION (r219757): Accessing response getter of XHR instance from IFRAME s...
cvazac
Reported 2018-07-06 14:06:29 PDT
Created attachment 344453 [details] test case Scenario: base page with one same-origin IFRAME base page creates an XMLHttpRequest instance Issue: If the IFRAME adds a `readystatechange` listener to the XMLHttpRequest instance, and it reads the response getter before the `top` context does, the `constructor` of the object will be equivalent to `iframe.contentWindow.Object`, not `top.Object`. This "works" in other browsers, including Safari 10.0.1. Works in 604.5.6. Fails in 605.1.15. Code executed in the IFRAME: xhr.addEventListener('readystatechange', function(){ xhr.response }) From this point forward: xhr.response.constructor === iframe.contentWindow.Object xhr.response.constructor !== top.Object See https://cvazac.netlify.com/xhr-response-constructor/ for reproducible case.
Attachments
test case (1.51 KB, application/zip)
2018-07-06 14:06 PDT, cvazac 		no flags
Details
Patch (6.20 KB, patch)
2018-07-20 15:34 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2018-07-06 21:20:18 PDT
<rdar://problem/41920593>
cvazac
Comment 2 2018-07-09 15:03:02 PDT
I attempted to bisect the issue using: ./Tools/Scripts/bisect-builds -c release -p mac-highsierra -s 219162 -e 224949 But every build that attempts to launch gives me: Starting SafariForWebKitDevelopment with DYLD_FRAMEWORK_PATH set to point to built WebKit in /var/folders/33/prqh7l5n7fgd1l6d3kq6bq_r0000gy/T/tmpK9xc8x/Release. dyld: Symbol not found: __ZN3WTF8JSONImpl10ObjectBase6removeERKNS_6StringE Referenced from: /System/Library/PrivateFrameworks/WebInspector.framework/Versions/A/WebInspector Expected in: /var/folders/33/prqh7l5n7fgd1l6d3kq6bq_r0000gy/T/tmpK9xc8x/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore in /System/Library/PrivateFrameworks/WebInspector.framework/Versions/A/WebInspector
Alexey Proskuryakov
Comment 3 2018-07-10 09:31:30 PDT
Yes, these WebKit revisions are so old that they don't work with latest Safari. I bisected to r219757. Sam, Chris, could you take a look?
Chris Dumez
Comment 4 2018-07-10 09:47:06 PDT
Likely caused by us caching the response in the wrapper.
Chris Dumez
Comment 5 2018-07-20 15:34:38 PDT
Created attachment 345483 [details] Patch
Chris Dumez
Comment 6 2018-07-23 09:41:30 PDT
Comment on attachment 345483 [details] Patch ping review?
WebKit Commit Bot
Comment 7 2018-07-24 21:47:45 PDT
Comment on attachment 345483 [details] Patch Clearing flags on attachment: 345483 Committed r234188: <https://trac.webkit.org/changeset/234188>
WebKit Commit Bot
Comment 8 2018-07-24 21:47:46 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.