189590 – Regression(PSON): setting window.opener to null allows process swapping in cases that are not web-compatible

Bug 189590 - Regression(PSON): setting window.opener to null allows process swapping in cases that are not web-compatible

Summary: Regression(PSON): setting window.opener to null allows process swapping in ca...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:	189710
Blocks:
	Show dependency tree / graph

Reported:	2018-09-13 10:34 PDT by Chris Dumez
Modified:	2018-09-18 13:47 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
Patch (17.71 KB, patch) 2018-09-13 10:42 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (17.82 KB, patch) 2018-09-13 13:49 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (17.64 KB, patch) 2018-09-13 14:01 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (17.85 KB, patch) 2018-09-13 14:06 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2018-09-13 10:34:56 PDT

Setting window.opener to null allows process swapping in cases that are not web-compatible, because the opener may still have a handle to the WindowProxy after calling window.open().

Comment 1 Radar WebKit Bug Importer 2018-09-13 10:35:24 PDT

<rdar://problem/44422725>

Comment 2 Chris Dumez 2018-09-13 10:42:57 PDT

Created attachment 349680 [details]
Patch

Comment 3 Geoffrey Garen 2018-09-13 11:08:54 PDT

Comment on attachment 349680 [details]
Patch

r=me

Comment 4 Chris Dumez 2018-09-13 13:49:25 PDT

Created attachment 349695 [details]
Patch

Comment 5 Chris Dumez 2018-09-13 14:01:21 PDT

Created attachment 349698 [details]
Patch

Comment 6 Chris Dumez 2018-09-13 14:06:07 PDT

Created attachment 349701 [details]
Patch

Comment 7 Chris Dumez 2018-09-13 15:38:30 PDT

Comment on attachment 349701 [details]
Patch

Clearing flags on attachment: 349701

Committed r235994: <https://trac.webkit.org/changeset/235994>

Comment 8 Chris Dumez 2018-09-13 15:38:33 PDT

All reviewed patches have been landed.  Closing bug.

Comment 9 Truitt Savell 2018-09-18 13:24:50 PDT

The new test added in: https://trac.webkit.org/changeset/235994/webkit

is a flakey timeout: http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin.html

issue is occurring on WK1 Mac

History:
https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Ftests%2Fnavigation%2Fwindow-open-cross-origin-then-navigated-back-same-origin.html

Diff:
https://build.webkit.org/results/Apple%20Sierra%20Debug%20WK1%20(Tests)/r236145%20(9582)/http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin-pretty-diff.html

Comment 10 Chris Dumez 2018-09-18 13:30:58 PDT

(In reply to Truitt Savell from comment #9)
> The new test added in: https://trac.webkit.org/changeset/235994/webkit
> 
> is a flakey timeout:
> http/tests/navigation/window-open-cross-origin-then-navigated-back-same-
> origin.html
> 
> issue is occurring on WK1 Mac
> 
> History:
> https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.
> html#showAllRuns=true&tests=http%2Ftests%2Fnavigation%2Fwindow-open-cross-
> origin-then-navigated-back-same-origin.html
> 
> Diff:
> https://build.webkit.org/results/Apple%20Sierra%20Debug%20WK1%20(Tests)/
> r236145%20(9582)/http/tests/navigation/window-open-cross-origin-then-
> navigated-back-same-origin-pretty-diff.html

Will investigate, thanks.