RESOLVED FIXED Bug 45369
Need to check the target frame and restore the right gesture state during the asynchronous history navigation 
https://bugs.webkit.org/show_bug.cgi?id=45369
Summary Need to check the target frame and restore the right gesture state during the...
Johnny(Jianning) Ding
Reported 2010-09-07 23:21:41 PDT
The following html can bypass popup blocker in both chromium and safari. (You can also run the attached test case) <base target="some"> <script> history.go() </script> This bugs is to opening a page in a new frame by using history.go(0), there are two problems in this bug. 1. WebKit needs to check the target frame to see whether it is a new frame and is allowed to open. 2. WebKit needs to restore the correct gesture state during the asynchronous history navigation. The cause of this problem is same as bug 44969, so again a Chromium test will also be added to address the popup blocker issue in Chromium side. A patch will be sent soon.
Attachments
fix patch v1 (10.90 KB, patch)
2010-09-08 05:52 PDT, Johnny(Jianning) Ding 		no flags
DetailsFormatted DiffDiff
fix patch v1 (11.20 KB, patch)
2010-09-08 06:15 PDT, Johnny(Jianning) Ding 		no flags
DetailsFormatted DiffDiff
patch v2 (11.10 KB, patch)
2010-09-13 04:19 PDT, Johnny(Jianning) Ding 		no flags
DetailsFormatted DiffDiff
patch v3, only allow the history reload to navigate in the self frame. (10.51 KB, patch)
2010-09-16 05:07 PDT, Johnny(Jianning) Ding 		abarth: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Johnny(Jianning) Ding
Comment 1 2010-09-08 05:52:33 PDT
Created attachment 66886 [details] fix patch v1
WebKit Review Bot
Comment 2 2010-09-08 05:54:11 PDT
Attachment 66886 [details] did not pass style-queue: Failed to run "['WebKitTools/Scripts/check-webkit-style']" exit_code: 1 WebCore/loader/RedirectScheduler.cpp:85: Tab found; better to use spaces [whitespace/tab] [1] Total errors found: 1 in 7 files If any of these errors are false positives, please file a bug against check-webkit-style.
Johnny(Jianning) Ding
Comment 3 2010-09-08 06:15:10 PDT
Created attachment 66889 [details] fix patch v1 fix style warning.
Abhishek Arya
Comment 4 2010-09-08 07:10:50 PDT
Thanks a lot Johnny for neutralizing yet another popup blocker bypass.
Adam Barth
Comment 5 2010-09-09 21:19:07 PDT
Comment on attachment 66889 [details] fix patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=66889&action=prettypatch > WebCore/loader/FrameLoader.cpp:296 > + // Check whether a new window is allowed to create for navigation. > + Frame* targetFrame = m_frame->tree()->find(target); > + if (!targetFrame && !DOMWindow::allowPopUp(m_frame) && !isProcessingUserGesture()) > + return; It's lame that we need to find the targetFrame again. What if we get a different answer the second time? Can we move this check closing to where we actually know the targetFrame?
Johnny(Jianning) Ding
Comment 6 2010-09-13 04:19:42 PDT
Created attachment 67396 [details] patch v2 (In reply to comment #5) > It's lame that we need to find the targetFrame again. What if we get a different answer the second time? Can we move this check closing to where we actually know the targetFrame? Thanks, Adam. I agree with you that we need to put the the check in right place. So the way is to check the name of targetFrame in where we actually know the targetFrame as early as possible, like currently WebKit puts block popup logic in the following situations, a). window.open, WebKit checks the name of targetFrame immediately in DOMWindow:open before starting creating the window and loading the URL. b). form.submit, WebKit checks the name of targetFrame in FrameLoader::submitForm before adding it to RedirectScheduler c). history.go(0) (what this patch wants to do), so I guess I should put the logic in RedirectScheduler::scheduleHistoryNavigation before starting the RedirectScheduler. Please take a look at the new patch.
Adam Barth
Comment 7 2010-09-15 17:57:03 PDT
Comment on attachment 67396 [details] patch v2 View in context: https://bugs.webkit.org/attachment.cgi?id=67396&action=prettypatch > WebCore/loader/RedirectScheduler.cpp:355 > + // History reload uses the base target as target frame. > + Frame* targetFrame = m_frame->tree()->find(m_frame->document()->baseTarget()); > + if (!targetFrame && !DOMWindow::allowPopUp(m_frame) && !isUserGesture) > + return; Is there a race condition where the target frame changes between when the navigation is scheduled and when it fires?
Johnny(Jianning) Ding
Comment 8 2010-09-16 04:54:04 PDT
(In reply to comment #7) > Is there a race condition where the target frame changes between when the navigation is scheduled and when it fires? Adam, you are right, there could be a race condition. So I am interested in how IE and Firefox handle this situation. The investigation result is that they didn't allow history reload to navigate to another frame. The history reload can only be navigate to the self frame. I think we should follow the main-stream browsers' behavior, so I drop the old patch and wrote the patch V3, please take a look. Thanks!
Johnny(Jianning) Ding
Comment 9 2010-09-16 05:07:06 PDT
Created attachment 67782 [details] patch v3, only allow the history reload to navigate in the self frame.
Eric Seidel (no email)
Comment 10 2010-09-16 12:35:51 PDT
Comment on attachment 67396 [details] patch v2 Cleared Adam Barth's review+ from obsolete attachment 67396 [details] so that this bug does not appear in http://webkit.org/pending-commit.
Adam Barth
Comment 11 2010-09-16 23:08:30 PDT
Comment on attachment 67782 [details] patch v3, only allow the history reload to navigate in the self frame. View in context: https://bugs.webkit.org/attachment.cgi?id=67782&action=prettypatch > WebCore/loader/RedirectScheduler.cpp:164 > + // To follow Firefox and IE's behavior, history reload can only be navigated to the self frame. I'd say "can only navigate the self frame"
Johnny(Jianning) Ding
Comment 12 2010-09-16 23:54:19 PDT
(In reply to comment #11) > (From update of attachment 67782 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=67782&action=prettypatch > > > WebCore/loader/RedirectScheduler.cpp:164 > > + // To follow Firefox and IE's behavior, history reload can only be navigated to the self frame. > > I'd say "can only navigate the self frame" Thanks Adam! Abhishek will help on landing it with taking your comment soon.
Abhishek Arya
Comment 13 2010-09-17 09:37:56 PDT
Committed r67716: <http://trac.webkit.org/changeset/67716>
Note You need to log in before you can comment on or make changes to this bug.