Diff
Modified: trunk/LayoutTests/ChangeLog (198574 => 198575)
--- trunk/LayoutTests/ChangeLog 2016-03-23 03:28:09 UTC (rev 198574)
+++ trunk/LayoutTests/ChangeLog 2016-03-23 04:16:44 UTC (rev 198575)
@@ -1,3 +1,18 @@
+2016-03-22 Darin Adler <da...@apple.com>
+
+ showModalDialog code runs with “first window” set to wrong window
+ https://bugs.webkit.org/show_bug.cgi?id=155710
+
+ Test by John Wilander.
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/cross-origin-modal-dialog-base-expected.txt: Added.
+ * http/tests/security/cross-origin-modal-dialog-base.html: Added.
+ * http/tests/security/resources/cross-origin-modal-dialog-base-1.html: Added.
+ * http/tests/security/resources/cross-origin-modal-dialog-base-2.html: Added.
+ * platform/wk2/TestExpectations: Skip test until we get better showModalDialog support.
+
2016-03-22 Said Abou-Hallawa <sabouhall...@apple.com>
userSpaceOnUse patterns are not stroked for empty object bounding box elements
Added: trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt (0 => 198575)
--- trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt 2016-03-23 04:16:44 UTC (rev 198575)
@@ -0,0 +1,14 @@
+CONSOLE MESSAGE: line 9: document.location.origin before setting location to a relative path: http://localhost:8000
+CONSOLE MESSAGE: line 18: document.location.origin after setting location to a relative path: http://localhost:8000
+Tests that a modal dialog doesn't fall back to its openers origin when document.location is set to a relative path.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Showing modal dialog.
+Returned from modal dialog.
+If test passed, console messages above should both show the same document.location.origin, .
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Property changes on: trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html (0 => 198575)
--- trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html 2016-03-23 04:16:44 UTC (rev 198575)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<script src=""
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+ description("Tests that a modal dialog doesn't fall back to its openers origin when document.location is set to a relative path.");
+
+ var triggeredCaptureListener = false;
+ var triggeredBubbleListener = false;
+
+ _onload_ = function () {
+ debug('Showing modal dialog.');
+ showModalDialog('http://localhost:8000/security/resources/cross-origin-modal-dialog-base-1.html');
+ debug('Returned from modal dialog.');
+ debug('If test passed, console messages above should both show the same document.location.origin, <http://localhost:8000>.');
+ finishJSTest();
+ };
+
+ var jsTestIsAsync = true;
+</script>
+<script src=""
+</body>
+</html>
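Review bot: The last `debug()` call wraps the origin in angle brackets, `<http://localhost:8000>`, and the committed -expected.txt shows that line ending in `document.location.origin, .`, so the value appears to be consumed as markup and never reaches the output. Drop the brackets or escape them, e.g. `debug('If test passed, console messages above should both show the same document.location.origin, http://localhost:8000.');`, and regenerate the expected file. `triggeredCaptureListener` and `triggeredBubbleListener` are declared but never used in this file and can be removed. A one-line comment naming the origin the opener page is expected to load from would make the cross-origin premise of the test explicit.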
Property changes on: trunk/LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Added: trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html (0 => 198575)
--- trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html 2016-03-23 04:16:44 UTC (rev 198575)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8">
+ <title>Dialog Content, Step 1</title>
+</head>
+<body>
+<script>
+ console.log("document.location.origin before setting location to a relative path: " + document.location.origin);
+ document.location = "/security/resources/cross-origin-modal-dialog-base-2.html";
+</script>
+This is a modal dialog.
+</body>
+</html>
Property changes on: trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Added: trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html (0 => 198575)
--- trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html 2016-03-23 04:16:44 UTC (rev 198575)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8">
+ <title>Dialog Content, Step 2</title>
+ <script>
+ function closeWindow()
+ {
+ if (window.testRunner) {
+ testRunner.abortModal();
+ }
+ close();
+ }
+ </script>
+</head>
+<body _onload_="closeWindow()">
+<script>
+ console.log("document.location.origin after setting location to a relative path: " + document.location.origin);
+</script>
+This is a modal dialog.
+</body>
+</html>
Property changes on: trunk/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Modified: trunk/LayoutTests/platform/wk2/TestExpectations (198574 => 198575)
--- trunk/LayoutTests/platform/wk2/TestExpectations 2016-03-23 03:28:09 UTC (rev 198574)
+++ trunk/LayoutTests/platform/wk2/TestExpectations 2016-03-23 04:16:44 UTC (rev 198575)
@@ -323,6 +323,7 @@
# WebKit2 needs showModalDialog
fast/events/scroll-event-during-modal-dialog.html
fast/harness/show-modal-dialog.html
+http/tests/security/cross-origin-modal-dialog-base.html [ Skip ]
# WebKit2 needs to support synchronous creation of about:blank/data:url frames
fast/dom/HTMLDocument/hasFocus.html
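Review bot: The added entry skips a security regression test on WebKit2 with no tracking reference, so nothing on the line prompts anyone to re-enable it once showModalDialog support lands there. Consider prefixing it with the bug that tracks that work, e.g. `webkit.org/b/<tracking-bug-id> http/tests/security/cross-origin-modal-dialog-base.html [ Skip ]` (placeholder id). Until then the entry-scope fix has no automated coverage on this port. The neighbouring entries in this section carry no `[ Skip ]` modifier, so it is worth confirming which form the file expects here.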
Modified: trunk/Source/WebCore/ChangeLog (198574 => 198575)
--- trunk/Source/WebCore/ChangeLog 2016-03-23 03:28:09 UTC (rev 198574)
+++ trunk/Source/WebCore/ChangeLog 2016-03-23 04:16:44 UTC (rev 198575)
@@ -1,3 +1,17 @@
+2016-03-22 Darin Adler <da...@apple.com>
+
+ showModalDialog code runs with “first window” set to wrong window
+ https://bugs.webkit.org/show_bug.cgi?id=155710
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/cross-origin-modal-dialog-base.html
+
+ * page/Chrome.cpp:
+ (WebCore::Chrome::runModal): Null out entryScope so that the "first window"
+ checks inside the modal dialog won't run in the context of the original window
+ that presented the dialog.
+
2016-03-22 Said Abou-Hallawa <sabouhall...@apple.com>
userSpaceOnUse patterns are not stroked for empty object bounding box elements
Modified: trunk/Source/WebCore/page/Chrome.cpp (198574 => 198575)
--- trunk/Source/WebCore/page/Chrome.cpp 2016-03-23 03:28:09 UTC (rev 198574)
+++ trunk/Source/WebCore/page/Chrome.cpp 2016-03-23 04:16:44 UTC (rev 198575)
@@ -48,8 +48,10 @@
#include "Settings.h"
#include "StorageNamespace.h"
#include "WindowFeatures.h"
+#include <runtime/VM.h>
#include <wtf/PassRefPtr.h>
#include <wtf/RefPtr.h>
+#include <wtf/TemporaryChange.h>
#include <wtf/Vector.h>
#include <wtf/text/StringBuilder.h>
@@ -219,6 +221,10 @@
// in a way that could interact with this view.
PageGroupLoadDeferrer deferrer(m_page, false);
+ // _javascript_ that runs within the nested event loop must not be run in the context of the
+ // script that called showModalDialog. Null out entryScope to break the connection.
+ TemporaryChange<JSC::VMEntryScope*> entryScopeNullifier { m_page.mainFrame().document()->vm().entryScope, nullptr };
+
TimerBase::fireTimersInNestedEventLoop();
m_client.runModal();
}
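Review bot: The new `TemporaryChange` line dereferences `m_page.mainFrame().document()` without a null check, so if the main frame can lack a document when runModal is entered (not visible from this hunk), this is a null dereference on a path driven by page script. Adding `ASSERT(m_page.mainFrame().document());` before it, or an explicit guard, would state the assumption. The comment could also say that the saved entryScope is restored when `entryScopeNullifier` is destroyed at the end of runModal. It should further note that the fix relies on the dialog's documents running in the same VM as the main frame's document, since otherwise clearing this VM's entryScope would not affect them. runModal's body starts outside the hunk.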