See https://github.com/WebKit/webkit/blob/ba62d1cc832b5c357da6532708c0db83a2d8216e/Source/WebCore/dom/Document.cpp#L2670-L2686:

    if (responsibleDocument) {
        setURL(responsibleDocument->url());
        setCookieURL(responsibleDocument->cookieURL());
        setSecurityOriginPolicy(responsibleDocument->securityOriginPolicy());
    }

    if (m_frame) {
        if (ScriptableDocumentParser* parser = scriptableDocumentParser()) {
            if (parser->isParsing()) {
                // FIXME: HTML5 doesn't tell us to check this, it might not be correct.
                if (parser->isExecutingScript())
                    return;

                if (!parser->wasCreatedByScript() && parser->hasInsertionPoint())
                    return;
            }
        }
        ...
    }

The URL updates should not happen until the active parser checks. Per https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps, URL updating happens in step 11, while the parser returns are step 5.

> 5. If document has an active parser whose script nesting level is greater than 0, then return document.
>
> ...
>
> 11. If document is fully active, then:
>     1. Let newURL be a copy of entryDocument's URL.
>     2. If entryDocument is not document, then set newURL's fragment to null.
>     3. Run the URL and history update steps with document and newURL.

Test: https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-side-effects-synchronous-script.window.js
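An added example, not part of the original report and not WebKit or WPT code: a simplified JavaScript model of the ordering problem described above, comparing the quoted order (side effects, then parser bailout) with the order the report asks for. The object shape and all function names are hypothetical, the URLs are constructed, and the `m_frame` check is left out.

```javascript
// Simplified stand-in for a Document; fields mirror what the quoted excerpt updates.
function makeDocument(url, parser) {
  return { url, cookieURL: url, securityOrigin: new URL(url).origin, parser };
}

// The two early returns from the quoted excerpt, as a single predicate.
function parserBlocksOpen(parser) {
  if (!parser || !parser.isParsing) return false;
  if (parser.isExecutingScript) return true;
  return !parser.wasCreatedByScript && parser.hasInsertionPoint;
}

// Side effects of open(): adopt URL, cookie URL and origin policy from the caller.
function adoptFromResponsible(doc, responsible) {
  doc.url = responsible.url;
  doc.cookieURL = responsible.cookieURL;
  doc.securityOrigin = responsible.securityOrigin;
}

// Order in the quoted excerpt: side effects first, bailout second.
function openSideEffectsFirst(doc, responsible) {
  if (responsible) adoptFromResponsible(doc, responsible);
  return !parserBlocksOpen(doc.parser);
}

// Order the report asks for: bailout first, side effects only if open() proceeds.
function openBailoutFirst(doc, responsible) {
  if (parserBlocksOpen(doc.parser)) return false;
  if (responsible) adoptFromResponsible(doc, responsible);
  return true;
}

// Runs one open() implementation against a fresh target and reports its state.
function stateAfterOpen(openImpl, parser) {
  const target = makeDocument("https://a.example/target", parser);
  const caller = makeDocument("https://a.example/caller", null);
  const opened = openImpl(target, caller);
  return { opened, url: target.url, cookieURL: target.cookieURL };
}

// Constructed parser states: one mid-script (open() must bail out), one idle.
const BUSY = { isParsing: true, isExecutingScript: true,
               wasCreatedByScript: false, hasInsertionPoint: true };
const IDLE = { isParsing: false, isExecutingScript: false,
               wasCreatedByScript: false, hasInsertionPoint: false };

console.log("side effects first:", stateAfterOpen(openSideEffectsFirst, BUSY));
console.log("bailout first:     ", stateAfterOpen(openBailoutFirst, BUSY));
```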
<rdar://problem/44282702>
Created attachment 350450 WIP Patch
Created attachment 350665 Patch
Comment on attachment 350665 Patch r=me
Thanks for the bug report and the investigation, Timothy. This was extremely helpful.
Comment on attachment 350665 Patch Clearing flags on attachment: 350665 Committed r236433: <https://trac.webkit.org/changeset/236433>
All reviewed patches have been landed. Closing bug.