[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
ap at apple.com
Wed Dec 22 14:32:04 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 8e7ef1fe9ce00f45dbdd5cd515899390b16e878e
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Oct 12 20:28:30 2010 +0000
Reviewed by Simon Fraser.
https://bugs.webkit.org/show_bug.cgi?id=47550
<rdar://problem/8353386> For WebKit plug-ins, beforeload can be called recursively
(esp. with AdBlock style extensions)
No test - we don't have a WebKit-style plugin in DRT, and don't care enough to add one.
The fix is to block plug-in scripting while in beforeload event - the plug-in is obviously
not available yet, so scripting could only attempt to load it recursively.
This didn't affect NPAPI plug-ins, because of a completely different code path taken in
updateWidget(), see <https://bugs.webkit.org/show_bug.cgi?id=44575#c8>.
* html/HTMLEmbedElement.cpp: (WebCore::HTMLEmbedElement::updateWidget):
* html/HTMLObjectElement.cpp: (WebCore::HTMLObjectElement::updateWidget):
* html/HTMLPlugInElement.cpp:
(WebCore::HTMLPlugInElement::HTMLPlugInElement):
(WebCore::HTMLPlugInElement::pluginWidget):
* html/HTMLPlugInElement.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69596 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c214b99..dce2062 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2010-10-12 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Simon Fraser.
+
+ https://bugs.webkit.org/show_bug.cgi?id=47550
+ <rdar://problem/8353386> For WebKit plug-ins, beforeload can be called recursively
+ (esp. with AdBlock style extensions)
+
+ No test - we don't have a WebKit-style plugin in DRT, and don't care enough to add one.
+
+ The fix is to block plug-in scripting while in beforeload event - the plug-in is obviously
+ not available yet, so scripting could only attempt to load it recursively.
+
+ This didn't affect NPAPI plug-ins, because of a completely different code path taken in
+ updateWidget(), see <https://bugs.webkit.org/show_bug.cgi?id=44575#c8>.
+
+ * html/HTMLEmbedElement.cpp: (WebCore::HTMLEmbedElement::updateWidget):
+ * html/HTMLObjectElement.cpp: (WebCore::HTMLObjectElement::updateWidget):
+ * html/HTMLPlugInElement.cpp:
+ (WebCore::HTMLPlugInElement::HTMLPlugInElement):
+ (WebCore::HTMLPlugInElement::pluginWidget):
+ * html/HTMLPlugInElement.h:
+
2010-10-12 Nikolas Zimmermann <nzimmermann at rim.com>
Reviewed by Gavin Barraclough.
diff --git a/WebCore/html/HTMLEmbedElement.cpp b/WebCore/html/HTMLEmbedElement.cpp
index 70c60df..4f5729a 100644
--- a/WebCore/html/HTMLEmbedElement.cpp
+++ b/WebCore/html/HTMLEmbedElement.cpp
@@ -161,7 +161,12 @@ void HTMLEmbedElement::updateWidget(bool onlyCreateNonNetscapePlugins)
Vector<String> paramValues;
parametersForPlugin(paramNames, paramValues);
- if (!dispatchBeforeLoadEvent(m_url)) {
+ ASSERT(!m_inBeforeLoadEventHandler);
+ m_inBeforeLoadEventHandler = true;
+ bool beforeLoadAllowedLoad = dispatchBeforeLoadEvent(m_url);
+ m_inBeforeLoadEventHandler = false;
+
+ if (!beforeLoadAllowedLoad) {
if (document()->isPluginDocument()) {
// Plugins inside plugin documents load differently than other plugins. By the time
// we are here in a plugin document, the load of the plugin (which is the plugin document's
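Review bot: the flag is toggled by hand around `dispatchBeforeLoadEvent(m_url)`, so any path out of the dispatch that bypasses the `+ m_inBeforeLoadEventHandler = false;` line leaves the element permanently refusing to hand out its widget; a scoped guard whose destructor restores the flag would make the reset unconditional and would also save the one-liner from being repeated in HTMLObjectElement. Since the sibling hunk notes that beforeload handlers can modify the DOM, also confirm the caller keeps this element alive across the event, because the reset writes to `this` after the handler has run.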
diff --git a/WebCore/html/HTMLObjectElement.cpp b/WebCore/html/HTMLObjectElement.cpp
index e303b52..2b51286 100644
--- a/WebCore/html/HTMLObjectElement.cpp
+++ b/WebCore/html/HTMLObjectElement.cpp
@@ -279,7 +279,10 @@ void HTMLObjectElement::updateWidget(bool onlyCreateNonNetscapePlugins)
if (onlyCreateNonNetscapePlugins && wouldLoadAsNetscapePlugin(url, serviceType))
return;
+ ASSERT(!m_inBeforeLoadEventHandler);
+ m_inBeforeLoadEventHandler = true;
bool beforeLoadAllowedLoad = dispatchBeforeLoadEvent(url);
+ m_inBeforeLoadEventHandler = false;
// beforeload events can modify the DOM, potentially causing
// RenderWidget::destroy() to be called. Ensure we haven't been
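Review bot: the `ASSERT(!m_inBeforeLoadEventHandler)` only checks in debug builds; in release builds a re-entrant call simply sets the flag again, and the inner call's `+ m_inBeforeLoadEventHandler = false;` clears the guard while the outer handler is still running, which is exactly the case the flag exists to cover. Either save and restore the previous value instead of writing `false`, or early-return when the flag is already set, so the guard degrades safely when the assertion is compiled out.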
diff --git a/WebCore/html/HTMLPlugInElement.cpp b/WebCore/html/HTMLPlugInElement.cpp
index f074923..e584ddb 100644
--- a/WebCore/html/HTMLPlugInElement.cpp
+++ b/WebCore/html/HTMLPlugInElement.cpp
@@ -49,10 +49,11 @@ using namespace HTMLNames;
HTMLPlugInElement::HTMLPlugInElement(const QualifiedName& tagName, Document* doc)
: HTMLFrameOwnerElement(tagName, doc)
+ , m_inBeforeLoadEventHandler(false)
#if ENABLE(NETSCAPE_PLUGIN_API)
, m_NPObject(0)
- , m_isCapturingMouseEvents(false)
#endif
+ , m_isCapturingMouseEvents(false)
{
}
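Review bot: moving `, m_isCapturingMouseEvents(false)` out of the `#if ENABLE(NETSCAPE_PLUGIN_API)` block means non-NPAPI builds now initialize a member the hunk does not show being declared unconditionally; the header hunk below only adds `m_inBeforeLoadEventHandler`, so confirm the declaration of `m_isCapturingMouseEvents` is likewise outside any `#if`, and that the initializer order here (`m_inBeforeLoadEventHandler`, `m_NPObject`, `m_isCapturingMouseEvents`) matches the declaration order to avoid a reorder warning.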
@@ -100,6 +101,12 @@ PassScriptInstance HTMLPlugInElement::getInstance() const
Widget* HTMLPlugInElement::pluginWidget() const
{
+ if (m_inBeforeLoadEventHandler) {
+ // The plug-in hasn't loaded yet, and it makes no sense to try to load if beforeload handler happened to touch the plug-in element.
+ // That would recursively call beforeload for the same element.
+ return 0;
+ }
+
RenderWidget* renderWidget = renderWidgetForJSBindings();
if (!renderWidget)
return 0;
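Review bot: the early return only guards `pluginWidget()`; the hunk header shows `getInstance()` directly above, and if that path reaches the widget through `renderWidgetForJSBindings()` rather than `pluginWidget()`, script running inside the beforeload handler can still trigger the recursive load this change is meant to stop. Confirm `getInstance()` routes through `pluginWidget()`, or apply the same check there. Minor: the new comment line is far longer than the surrounding code; wrap it to match.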
diff --git a/WebCore/html/HTMLPlugInElement.h b/WebCore/html/HTMLPlugInElement.h
index 847d83b..5a4221c 100644
--- a/WebCore/html/HTMLPlugInElement.h
+++ b/WebCore/html/HTMLPlugInElement.h
@@ -59,6 +59,8 @@ protected:
virtual bool mapToEntry(const QualifiedName& attrName, MappedAttributeEntry& result) const;
virtual void parseMappedAttribute(Attribute*);
+ bool m_inBeforeLoadEventHandler;
+
private:
virtual void defaultEventHandler(Event*);
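Review bot: the new `bool m_inBeforeLoadEventHandler;` member is added to the protected section with no comment, yet it is written directly by two subclasses and read by `pluginWidget()`; a one-line comment stating that it suppresses widget access while a beforeload event is being dispatched, and that subclasses must set and clear it around `dispatchBeforeLoadEvent()`, would document the contract the subclass hunks rely on.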