Title: [234188] trunk
Revision: 234188
Author: cdu...@apple.com
Date: 2018-07-24 21:47:39 -0700 (Tue, 24 Jul 2018)

Log Message

REGRESSION (r219757): Accessing response getter of XHR instance from IFRAME sets constructor to Object from the IFRAME
https://bugs.webkit.org/show_bug.cgi?id=187411
<rdar://problem/41920593>

Reviewed by Sam Weinig.

Source/WebCore:

Update JSXMLHttpRequest::response() to use the XMLHttpRequest's global object exec when constructing a JSONObject
for the response instead of the caller's exec.

Test: http/tests/xmlhttprequest/xhr-response-constructor-subframe.html

* bindings/js/JSXMLHttpRequestCustom.cpp:
(WebCore::JSXMLHttpRequest::response const):

LayoutTests:

Add layout test coverage. I have verified locally that it passes in Chromium as well.

* http/tests/xmlhttprequest/resources/data.json: Added.
* http/tests/xmlhttprequest/resources/xhr-response-constructor-iframe.html: Added.
* http/tests/xmlhttprequest/xhr-response-constructor-subframe-expected.txt: Added.
* http/tests/xmlhttprequest/xhr-response-constructor-subframe.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (234187 => 234188)


--- trunk/LayoutTests/ChangeLog	2018-07-25 04:09:47 UTC (rev 234187)
+++ trunk/LayoutTests/ChangeLog	2018-07-25 04:47:39 UTC (rev 234188)
@@ -1,3 +1,18 @@
+2018-07-24  Chris Dumez  <cdu...@apple.com>
+
+        REGRESSION (r219757): Accessing response getter of XHR instance from IFRAME sets constructor to Object from the IFRAME
+        https://bugs.webkit.org/show_bug.cgi?id=187411
+        <rdar://problem/41920593>
+
+        Reviewed by Sam Weinig.
+
+        Add layout test coverage. I have verified locally that it passes in Chromium as well.
+
+        * http/tests/xmlhttprequest/resources/data.json: Added.
+        * http/tests/xmlhttprequest/resources/xhr-response-constructor-iframe.html: Added.
+        * http/tests/xmlhttprequest/xhr-response-constructor-subframe-expected.txt: Added.
+        * http/tests/xmlhttprequest/xhr-response-constructor-subframe.html: Added.
+
 2018-07-24  Simon Fraser  <simon.fra...@apple.com>
 
         Animation stops with object-fit:contain on an animated 2d canvas

Added: trunk/LayoutTests/http/tests/xmlhttprequest/resources/data.json (0 => 234188)


--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/data.json	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/data.json	2018-07-25 04:47:39 UTC (rev 234188)
@@ -0,0 +1,3 @@
+{
+    "foo": 123
+}

Added: trunk/LayoutTests/http/tests/xmlhttprequest/resources/xhr-response-constructor-iframe.html (0 => 234188)


--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/xhr-response-constructor-iframe.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/xhr-response-constructor-iframe.html	2018-07-25 04:47:39 UTC (rev 234188)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+function setupListener(xhr) {
+    xhr.addEventListener('readystatechange', function (e) {
+        // Access xhr.response so that it gets cached.
+        if (xhr.response) {
+            top.debug("* In child frame");
+            if (xhr.response.constructor === top.Object)
+                top.testPassed("xhr.response.constructor is top.Object");
+            else
+                top.testFailed("xhr.response.constructor is not top.Object");
+        }
+    });
+}
+</script>
+</body>
+</html>
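
Review bot: The if (xhr.response) guard in the readystatechange listener means a failed or unparsable load produces no child-frame output at all instead of an explicit failure. Gate the check on xhr.readyState === XMLHttpRequest.DONE and call top.testFailed when xhr.response is null, so the child-frame access is either exercised or visibly reported. Since the point of the test is which realm the cached object belongs to, comparing Object.getPrototypeOf(xhr.response) with top.Object.prototype as well would make the assertion independent of the constructor property.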

Added: trunk/LayoutTests/http/tests/xmlhttprequest/xhr-response-constructor-subframe-expected.txt (0 => 234188)


--- trunk/LayoutTests/http/tests/xmlhttprequest/xhr-response-constructor-subframe-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/xhr-response-constructor-subframe-expected.txt	2018-07-25 04:47:39 UTC (rev 234188)
@@ -0,0 +1,13 @@
+Tests the value of xhr.response.constructor
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+* In child frame
+PASS xhr.response.constructor is top.Object
+* In top frame
+PASS xhr.response.constructor is top.Object
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/xmlhttprequest/xhr-response-constructor-subframe.html (0 => 234188)


--- trunk/LayoutTests/http/tests/xmlhttprequest/xhr-response-constructor-subframe.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/xhr-response-constructor-subframe.html	2018-07-25 04:47:39 UTC (rev 234188)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+    description("Tests the value of xhr.response.constructor");
+    jsTestIsAsync = true;
+
+    window.addEventListener('load', function(){
+        const iframe = document.createElement('iframe')
+        iframe.src = ''
+        iframe.addEventListener('load', function(){
+            xhr = new XMLHttpRequest()
+            xhr.responseType = "json";
+            xhr.open('GET', 'resources/data.json');
+            iframe.contentWindow.setupListener(xhr)
+            xhr.addEventListener('load', function() {
+                debug("* In top frame");
+                shouldBe("xhr.response.constructor", "top.Object");
+                finishJSTest();
+            });
+            xhr.send('');
+
+        });
+        document.body.appendChild(iframe)
+    });
+</script>
+</body>
+</html>
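
Review bot: There is no error or abort listener on xhr inside the iframe load handler, so if resources/data.json fails to load, finishJSTest() is never reached and the async test just hangs; add an error listener that calls testFailed and finishJSTest. The test also relies on the child frame's readystatechange listener reading xhr.response before the top-frame load listener does, and on xhr being an implicit global so that the string passed to shouldBe can resolve it; a one-line comment on each would keep a later tidy-up (for example adding const to xhr) from silently defeating the regression check. As shown here the script src in the head and iframe.src are both empty, so confirm they point at the script that provides description/debug/shouldBe and at resources/xhr-response-constructor-iframe.html.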

Modified: trunk/Source/WebCore/ChangeLog (234187 => 234188)


--- trunk/Source/WebCore/ChangeLog	2018-07-25 04:09:47 UTC (rev 234187)
+++ trunk/Source/WebCore/ChangeLog	2018-07-25 04:47:39 UTC (rev 234188)
@@ -1,3 +1,19 @@
+2018-07-24  Chris Dumez  <cdu...@apple.com>
+
+        REGRESSION (r219757): Accessing response getter of XHR instance from IFRAME sets constructor to Object from the IFRAME
+        https://bugs.webkit.org/show_bug.cgi?id=187411
+        <rdar://problem/41920593>
+
+        Reviewed by Sam Weinig.
+
+        Update JSXMLHttpRequest::response() to use the XMLHttpRequest's global object exec when constructing a JSONObject
+        for the response instead of the caller's exec.
+
+        Test: http/tests/xmlhttprequest/xhr-response-constructor-subframe.html
+
+        * bindings/js/JSXMLHttpRequestCustom.cpp:
+        (WebCore::JSXMLHttpRequest::response const):
+
 2018-07-24  Simon Fraser  <simon.fra...@apple.com>
 
         Animation stops with object-fit:contain on an animated 2d canvas

Modified: trunk/Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp (234187 => 234188)


--- trunk/Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp	2018-07-25 04:09:47 UTC (rev 234187)
+++ trunk/Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp	2018-07-25 04:47:39 UTC (rev 234188)
@@ -84,7 +84,7 @@
         return jsUndefined();
 
     case XMLHttpRequest::ResponseType::Json:
-        value = toJS<IDLJSON>(state, wrapped().responseTextIgnoringResponseType());
+        value = toJS<IDLJSON>(*globalObject()->globalExec(), wrapped().responseTextIgnoringResponseType());
         if (!value)
             value = jsNull();
         break;
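
Review bot: The changed toJS<IDLJSON> line has no comment explaining why it passes *globalObject()->globalExec() instead of state, and without one a later cleanup could plausibly switch it back to the caller's exec. Add a short comment at the call site saying that the JSON object must be created in the XMLHttpRequest wrapper's own global object, because the first caller to touch the getter may live in a different frame. Only the Json case is changed in this hunk; if any other case in this switch builds a JS object from state, it would have the same dependence on the caller's realm and is worth checking in the same patch.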