Setting a frame's src to a javascript URL should not run it synchronously. Firefox and Chrome appear to schedule a navigation to that javascript URL instead.
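A minimal test page for the behaviour described above, written as an added illustration (it is not one of the WebKit layout tests from this bug): it assigns a javascript: URL to a frame's src and checks that the script has not run when the setter returns, then that the scheduled navigation does run it afterwards. The `testRunner` calls are WebKit's layout-test harness hooks and are skipped in an ordinary browser.

```html
<!DOCTYPE html>
<html>
<body>
<pre id="log"></pre>
<script>
// Constructed example: verifies that assigning a javascript: URL to a frame's
// src does not execute the script synchronously inside the setter, and that
// the scheduled navigation still executes it afterwards.
window.ranJavaScriptURL = false;
const log = document.getElementById("log");
const report = (line) => { log.textContent += line + "\n"; };

const frame = document.createElement("iframe");
document.body.appendChild(frame);

// The script in the URL flips a flag on the parent document when it runs.
// The expression evaluates to a boolean, so the frame's document is not replaced.
frame.src = "javascript:parent.ranJavaScriptURL = true";

// Expected with scheduled-navigation behaviour: the flag is still false here,
// because the setter returned without running the script.
report("script ran synchronously during src assignment: " +
       (window.ranJavaScriptURL ? "FAIL" : "PASS"));

// Poll for the deferred run instead of assuming one timer turn is enough;
// the exact scheduling delay is an implementation detail of the engine.
let attempts = 0;
const poll = setInterval(() => {
  if (!window.ranJavaScriptURL && ++attempts < 100)
    return;
  clearInterval(poll);
  report("script ran after the setter returned: " +
         (window.ranJavaScriptURL ? "PASS" : "FAIL"));
  if (window.testRunner)
    testRunner.notifyDone();
}, 10);

// WebKit layout-test harness hooks; absent (and skipped) in a normal browser.
if (window.testRunner) {
  testRunner.dumpAsText();
  testRunner.waitUntilDone();
}
</script>
</body>
</html>
```

Both lines should read PASS in an engine that schedules the javascript: URL navigation; an engine that runs it synchronously in the setter reports FAIL on the first line.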
Created attachment 368683
WIP Patch

Comment on attachment 368683
WIP Patch

Attachment 368683 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12052645

New failing tests:
fast/parser/iframe-sets-parent-to-javascript-url.html
fast/dom/javascript-url-exception-isolation.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/loader/nested-document-handling.html

Created attachment 368689
Archive of layout-test-results from ews106 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106
Port: mac-highsierra-wk2
Platform: Mac OS X 10.13.6

Comment on attachment 368683
WIP Patch

Attachment 368683 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12052681

New failing tests:
fast/parser/iframe-sets-parent-to-javascript-url.html
fast/dom/javascript-url-exception-isolation.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/loader/nested-document-handling.html

Created attachment 368690
Archive of layout-test-results from ews115 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115
Port: mac-highsierra
Platform: Mac OS X 10.13.6

Comment on attachment 368683
WIP Patch

Attachment 368683 did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12052692

New failing tests:
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
fast/loader/javascript-url-in-embed.html
fast/dom/javascript-url-exception-isolation.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
fast/loader/nested-document-handling.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/parser/iframe-sets-parent-to-javascript-url.html

Created attachment 368691
Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122
Port: ios-simulator-wk2
Platform: Mac OS X 10.14.4

Comment on attachment 368683
WIP Patch

Attachment 368683 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12052921

New failing tests:
fast/dom/javascript-url-exception-isolation.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
imported/blink/loader/iframe-sync-loads.html
fast/dom/Attr/only-attach-attr-once.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/loader/javascript-url-in-object.html
fast/dom/javascript-url-crash-function.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
fast/loader/nested-document-handling.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
fast/dom/no-assert-for-malformed-js-url-attribute.html
fast/parser/iframe-sets-parent-to-javascript-url.html

Created attachment 368693
Archive of layout-test-results from ews101 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101
Port: mac-highsierra
Platform: Mac OS X 10.13.6
Created attachment 368699
WiP Patch

Created attachment 368706
WiP Patch

Created attachment 368709
WiP Patch

Created attachment 368710
WiP Patch

Comment on attachment 368710
WiP Patch

Attachment 368710 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12054620

Number of test failures exceeded the failure limit.

Created attachment 368719
Archive of layout-test-results from ews103 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103
Port: mac-highsierra
Platform: Mac OS X 10.13.6

Comment on attachment 368710
WiP Patch

Attachment 368710 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12054843

Number of test failures exceeded the failure limit.

Created attachment 368723
Archive of layout-test-results from ews104 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104
Port: mac-highsierra-wk2
Platform: Mac OS X 10.13.6

Comment on attachment 368710
WiP Patch

Attachment 368710 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12054816

Number of test failures exceeded the failure limit.

Created attachment 368725
Archive of layout-test-results from ews114 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114
Port: mac-highsierra
Platform: Mac OS X 10.13.6
Created attachment 368729
WiP Patch

Attachment 368729 did not pass style-queue:

ERROR: Source/WebCore/loader/SubframeLoader.cpp:106: One line control clauses should not use braces. [whitespace/braces] [4]
Total errors found: 1 in 22 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 368732
WiP Patch

Attachment 368732 did not pass style-queue:

ERROR: Source/WebCore/loader/SubframeLoader.cpp:106: One line control clauses should not use braces. [whitespace/braces] [4]
Total errors found: 1 in 25 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 368734
WiP Patch

Created attachment 368736
WiP Patch
Comment on attachment 368736
WiP Patch

Attachment 368736 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12056530

New failing tests:
webarchive/loading/javascript-url-iframe-crash.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html
js/dom/call-base-resolution.html
fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
fast/loader/javascript-url-iframe-remove-on-navigate.html
fast/parser/xml-error-adopted.xml

Created attachment 368741
Archive of layout-test-results from ews104 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104
Port: mac-highsierra-wk2
Platform: Mac OS X 10.13.6

Comment on attachment 368736
WiP Patch

Attachment 368736 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12056564

New failing tests:
fast/parser/xml-error-adopted.xml
webarchive/loading/javascript-url-iframe-crash.html
js/dom/call-base-resolution.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html

Created attachment 368742
Archive of layout-test-results from ews101 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101
Port: mac-highsierra
Platform: Mac OS X 10.13.6

Comment on attachment 368736
WiP Patch

Attachment 368736 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12056748

New failing tests:
webarchive/loading/javascript-url-iframe-crash.html
js/dom/call-base-resolution.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html

Created attachment 368750
Archive of layout-test-results from ews114 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114
Port: mac-highsierra
Platform: Mac OS X 10.13.6

Comment on attachment 368736
WiP Patch

Attachment 368736 did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12057226

New failing tests:
webarchive/loading/javascript-url-iframe-crash.html
imported/w3c/web-platform-tests/webmessaging/without-ports/018.html
http/tests/navigation/lockedhistory-iframe.html
js/dom/call-base-resolution.html
fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
fast/loader/javascript-url-iframe-remove-on-navigate.html
fast/parser/xml-error-adopted.xml

Created attachment 368751
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125
Port: ios-simulator-wk2
Platform: Mac OS X 10.14.4
Created attachment 368755
WIP Patch

Created attachment 368756
Patch

Attachment 368756 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 37 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 368757
Patch

Attachment 368757 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 34 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 368758
Patch

Attachment 368758 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 34 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 368758
Patch

Attachment 368758 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12058925

Number of test failures exceeded the failure limit.

Created attachment 368762
Archive of layout-test-results from ews103 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103
Port: mac-highsierra
Platform: Mac OS X 10.13.6

Comment on attachment 368758
Patch

Attachment 368758 did not pass mac-debug-ews (mac):
Output: https://webkit-queues.webkit.org/results/12058946

Number of test failures exceeded the failure limit.

Created attachment 368763
Archive of layout-test-results from ews115 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115
Port: mac-highsierra
Platform: Mac OS X 10.13.6
Comment on attachment 368758
Patch

Attachment 368758 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12059081

New failing tests:
svg/as-object/svg-embedded-in-html-in-iframe.html
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_javascript_url_01.htm
fast/dom/javascript-url-crash-function.html
fast/parser/iframe-sets-parent-to-javascript-url.html
webarchive/loading/javascript-url-iframe-crash.html
imported/blink/loader/iframe-sync-loads.html
http/tests/security/xssAuditor/non-block-javascript-url-frame.html
fast/loader/javascript-url-encoding.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-query-fragment-components.html
fast/loader/nested-document-handling.html
http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe.html
fast/frames/cached-frame-counter.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-return-value-handling.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url.html
fast/parser/javascript-url-compat-mode.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/misc/javascript-url-stop-loaders.html
fast/events/frame-programmatic-focus.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-sub-frame.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/dom/frame-src-javascript-url-async.html
http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-to-javascript-url-sub-frame.html

Created attachment 368764
Archive of layout-test-results from ews105 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105
Port: mac-highsierra-wk2
Platform: Mac OS X 10.13.6

Comment on attachment 368758
Patch

Attachment 368758 did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12059057

New failing tests:
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_javascript_url_01.htm
fast/dom/javascript-url-crash-function.html
fast/loader/nested-document-handling.html
webarchive/loading/javascript-url-iframe-crash.html
imported/blink/loader/iframe-sync-loads.html
http/tests/security/xssAuditor/non-block-javascript-url-frame.html
fast/loader/javascript-url-encoding.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-query-fragment-components.html
fast/parser/iframe-sets-parent-to-javascript-url.html
http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe.html
fast/frames/cached-frame-counter.html
imported/w3c/web-platform-tests/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-return-value-handling.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-to-javscript-url.html
fast/parser/javascript-url-compat-mode.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame.html
http/tests/misc/javascript-url-stop-loaders.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-sub-frame.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-2-level.html
fast/dom/frame-src-javascript-url-async.html
http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe.html
http/tests/security/javascriptURL/xss-ALLOWED-from-javascript-url-sub-frame-to-javascript-url-sub-frame.html

Created attachment 368765
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123
Port: ios-simulator-wk2
Platform: Mac OS X 10.14.4

Comment on attachment 368758
Patch

Attachment 368758 did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/12062769

Number of test failures exceeded the failure limit.

Created attachment 368781
Archive of layout-test-results from ews210 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews210
Port: win-future
Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit
Created attachment 368786
Patch

Attachment 368786 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 36 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 368786
Patch

Attachment 368786 did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/12063566

New failing tests:
imported/w3c/web-platform-tests/webmessaging/with-ports/018.html

Created attachment 368793
Archive of layout-test-results from ews103 for mac-highsierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103
Port: mac-highsierra
Platform: Mac OS X 10.13.6

Comment on attachment 368786
Patch

Attachment 368786 did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/12063571

New failing tests:
imported/w3c/web-platform-tests/webmessaging/with-ports/018.html
http/tests/security/javascriptURL/xss-ALLOWED-to-javascript-url-from-javscript-url.html

Created attachment 368796
Archive of layout-test-results from ews107 for mac-highsierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107
Port: mac-highsierra-wk2
Platform: Mac OS X 10.13.6

Comment on attachment 368786
Patch

Attachment 368786 did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/12063864

New failing tests:
imported/w3c/web-platform-tests/webmessaging/with-ports/018.html

Created attachment 368805
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126
Port: ios-simulator-wk2
Platform: Mac OS X 10.14.4

Created attachment 368807
Patch

Attachment 368807 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 33 files

If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 368813
Patch

Attachment 368813 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 33 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 368813
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368813&action=review

> Source/WebCore/ChangeLog:10
> + to execute it asynchronously, which was a source of security bugs and also did

asynchronously -> synchronously

> Source/WebCore/loader/NavigationScheduler.cpp:425
> + return completionHandler();

Heh, the "return void" debate. I will refrain from commenting further.

> Source/WebCore/loader/SubframeLoader.cpp:90
> + // If we will schedule a javascript URL load, we need to delay the firing of the load event at least until we've run the javascript URL.

I think it's strange wording to say "run the javascript URL"; maybe "run the JavaScript in the URL"?
Created attachment 368821
Patch

Attachment 368821 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: security bug [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 33 files

If any of these errors are false positives, please file a bug against check-webkit-style.
> ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of
> security-sensitive phrasing could help someone exploit WebKit: security bug
> [changelog/unwantedsecurityterms] [3]

Slightly surprised you decided to leave the word "security" in the change log.
(In reply to Darin Adler from comment #66)
> > ERROR: Source/WebCore/ChangeLog:10: Please consider whether the use of
> > security-sensitive phrasing could help someone exploit WebKit: security bug
> > [changelog/unwantedsecurityterms] [3]
>
> Slightly surprised you decided to leave the word "security" in the change
> log.

Ok, I will remove it. In the context, it did not particularly bother me.
Created attachment 368825
Patch

Comment on attachment 368825
Patch

Clearing flags on attachment: 368825

Committed r244892: <https://trac.webkit.org/changeset/244892>
All reviewed patches have been landed. Closing bug.
<rdar://problem/50424426>
It looks like the new test fast/dom/frame-src-javascript-url-async.html added in https://trac.webkit.org/changeset/244892/webkit is flakey. History: https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=fast%2Fdom%2Fframe-src-javascript-url-async.html