author: Simon Hausmann <simon.hausmann@nokia.com>, 2010-07-09 08:01:30 (GMT)
committer: Simon Hausmann <simon.hausmann@nokia.com>, 2010-07-09 08:01:30 (GMT)
commit: 5c50c6a782b127442c3fa748b3dd4d1007db69dc
tree: e0f8c328a21d6197940f864104578de4ce2ceb10
parent: 75c5bc5f7efd5f7055b689a244147e69733280a4
Updated WebKit to ad96ca2f9b57271da4ea7432022ac686ee0981c2
Integrated changes:
|| <https://webkit.org/b/37760> || FrameView's layout root can be detached by style recalc ||
|| <https://webkit.org/b/38922> || innerHTML decompilation issues in textarea ||
|| <https://webkit.org/b/36878> || REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port" ||
|| <https://webkit.org/b/37781> || [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR ||
|| <https://webkit.org/b/36502> || Cross-origin bypass: iFrame.src can be set to a JavaScript URL via nodeValue or textContent ||
|| <https://webkit.org/b/28697> || WebKit crash on WebCore::Node::nodeIndex() ||
|| <https://webkit.org/b/37031> || Cross-origin bypass: Javascript URL can be set as iframe.src via multiple DOM aliases ||
|| <https://webkit.org/b/36522> || [Qt] Rename QWebSettings::XSSAuditorEnabled to XSSAuditingEnabled ||
|| <https://webkit.org/b/38583> || Use of stale pointers whilst normalizing DOM nodes with mutation event handlers that modify element attributes ||
|| <https://webkit.org/b/41412> || [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear ||
|| <https://webkit.org/b/39878> || [Qt]: REGRESSION(r58703): QWebSettings::JavascriptCanAccessClipboard has wrong case in "Javascript" part. ||
|| <https://webkit.org/b/26824> || focus() behavior permits keystrokes to be redirected across domains ||
|| <https://webkit.org/b/39508> || Crash in WebCore::toAlphabetic() while running MangleMe ||
|| <https://webkit.org/b/36571> || WebKit should treat port numbers outside of the valid range as being blacklisted ||
|| <https://webkit.org/b/38497> || Make sure that http URLs always have a host in SecurityOrigin ||
|| <https://webkit.org/b/38626> || ZDI-CAN-765: CSS Charset Text Transformation Vulnerability ||
|| <https://webkit.org/b/36838> || Cross-origin image theft via SVGs as a canvas pattern ||
|| <https://webkit.org/b/27751> || [sg:high] Copying text to the system clipboard can be done in any context ||
|| <https://webkit.org/b/36843> || REGRESSION (r47291): XHR allows arbitrary XSRF across domains ||
|| <https://webkit.org/b/37230> || REGRESSION (4.0.5): Safari asks for credentials all the time when authenticating to Windows IIS Server ||
|| <https://webkit.org/b/37618> || Memory Corruption with Drag-Drop item from a purged document. ||
|| <https://webkit.org/b/38260> || Frame.src allows javascript URLs with starting spaces ||
|| <https://webkit.org/b/38261> || Table layout crash bug ||
-rw-r--r-- src/3rdparty/webkit/.tag | 2
-rw-r--r-- src/3rdparty/webkit/VERSION | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/ChangeLog | 502
-rw-r--r-- src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp | 10
-rw-r--r-- src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp | 12
-rw-r--r-- src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp | 11
-rw-r--r-- src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp | 32
-rw-r--r-- src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp | 70
-rw-r--r-- src/3rdparty/webkit/WebCore/css/CSSHelper.cpp | 6
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Attr.idl | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp | 47
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Document.cpp | 22
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Document.h | 3
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Element.cpp | 14
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp | 5
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Node.idl | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Range.cpp | 25
-rw-r--r-- src/3rdparty/webkit/WebCore/dom/Range.h | 1
-rw-r--r-- src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp | 21
-rw-r--r-- src/3rdparty/webkit/WebCore/editing/markup.cpp | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp | 18
-rw-r--r-- src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/generated/JSNode.cpp | 12
-rw-r--r-- src/3rdparty/webkit/WebCore/generated/JSNode.h | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp | 29
-rw-r--r-- src/3rdparty/webkit/WebCore/page/DragController.cpp | 8
-rw-r--r-- src/3rdparty/webkit/WebCore/page/DragController.h | 8
-rw-r--r-- src/3rdparty/webkit/WebCore/page/EventHandler.cpp | 8
-rw-r--r-- src/3rdparty/webkit/WebCore/page/FrameView.cpp | 7
-rw-r--r-- src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp | 18
-rw-r--r-- src/3rdparty/webkit/WebCore/page/Settings.cpp | 6
-rw-r--r-- src/3rdparty/webkit/WebCore/page/Settings.h | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/platform/KURL.cpp | 18
-rw-r--r-- src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp | 10
-rw-r--r-- src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp | 43
-rw-r--r-- src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h | 1
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp | 3
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderButton.h | 4
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp | 27
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderListItem.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp | 6
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderMedia.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderObject.h | 3
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderProgress.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderSlider.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderText.cpp | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h | 2
-rw-r--r-- src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp | 4
-rw-r--r-- src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp | 5
-rw-r--r-- src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h | 2
-rw-r--r-- src/3rdparty/webkit/WebKit/qt/ChangeLog | 62
59 files changed, 979 insertions, 160 deletions
diff --git a/src/3rdparty/webkit/.tag b/src/3rdparty/webkit/.tag
index 0b824b7..1d1c8ed 100644
--- a/src/3rdparty/webkit/.tag
+++ b/src/3rdparty/webkit/.tag
@@ -1 +1 @@
-d59845f6fec84f15da116f50a1a0e52ce26116e9
+ad96ca2f9b57271da4ea7432022ac686ee0981c2
diff --git a/src/3rdparty/webkit/VERSION b/src/3rdparty/webkit/VERSION
index c970745..2e5ebd0 100644
--- a/src/3rdparty/webkit/VERSION
+++ b/src/3rdparty/webkit/VERSION
@@ -4,4 +4,4 @@ This is a snapshot of the Qt port of WebKit from
and has the sha1 checksum
- d59845f6fec84f15da116f50a1a0e52ce26116e9
+ ad96ca2f9b57271da4ea7432022ac686ee0981c2
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index a4ae758..a993a97 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,505 @@
+2010-05-14 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ Move the m_width(Length) and m_columns(RenderTable::ColumnStruct)
+ vector out-of-bounds check out of the ASSERT into the main code.
+ https://bugs.webkit.org/show_bug.cgi?id=38261
+
+ Test: fast/table/fixed-table-layout-large-colspan-crash.html
+
+ * rendering/FixedTableLayout.cpp:
+ (WebCore::FixedTableLayout::calcWidthArray):
+
+2010-05-21 Beth Dakin <bdakin@apple.com>
+
+ Reviewed by Darin Adler.
+
+ Fix for <rdar://problem/8009118> Crash in WebCore::toAlphabetic()
+ while running MangleMe
+ -and corresponding-
+ https://bugs.webkit.org/show_bug.cgi?id=39508
+
+ The math was slightly off here, and we wound up trying to access an
+ array at index -1 in some cases. We need to decrement numberShadow
+ rather than subtracting one from the result of the modulo
+ operation.
+
+ * rendering/RenderListMarker.cpp:
+ (WebCore::toAlphabeticOrNumeric):
+
+2010-05-20 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Dave Hyatt.
+
+ <rdar://problem/8007953> Textarea using custom font appears blank
+
+ Test: fast/css/font-face-in-shadow-DOM.html
+
+ When a remote font is loaded, CSSFontSelector forces a style recalc, which replaces all
+ RenderSyles that have FontFallbackLists referencing the placeholder font with fresh
+ RenderStyles. However, it does not descend into shadow DOM trees, so those may end up with
+ styles that still reference the placeholder font.
+
+ The fix is to add RenderObject::requiresForcedStyleRecalcPropagation() and have it return
+ true from renderers that maintain shadow DOM trees or otherwise keep their own RenderStyles.
+
+ * dom/Element.cpp:
+ (WebCore::Element::recalcStyle): Check if forced style recalc needs to propagated.
+ * rendering/RenderButton.h:
+ (WebCore::RenderButton::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderDataGrid.h:
+ (WebCore::RenderDataGrid::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderFileUploadControl.h:
+ (WebCore::RenderFileUploadControl::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderListItem.h:
+ (WebCore::RenderListItem::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderMedia.h:
+ (WebCore::RenderMedia::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderMenuList.h:
+ (WebCore::RenderMenuList::RenderMenuList::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderObject.h:
+ (WebCore::RenderObject::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderProgress.h:
+ (WebCore::RenderProgress::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderSlider.h:
+ (WebCore::RenderSlider::requiresForcedStyleRecalcPropagation):
+ * rendering/RenderTextControl.h:
+ (WebCore::RenderTextControl::requiresForcedStyleRecalcPropagation):
+
+2010-04-02 Justin Schuh <jschuh@chromium.org>
+
+ Reviewed by Alexey Proskuryakov.
+
+ XHR allows arbitrary XSRF across domains
+ https://bugs.webkit.org/show_bug.cgi?id=36843
+
+ Added a one-line change to prevent bypassing the XDC check on
+ synchronous preflighted requests. Added layout tests to cover
+ variations of this problem.
+
+ Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
+ http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::preflightFailure):
+
+2010-04-28 Julien Chaffraix <jchaffraix@webkit.org>
+
+ Reviewed by Alexey Proskuryakov.
+
+ [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
+ https://bugs.webkit.org/show_bug.cgi?id=37781
+ <rdar://problem/7905150>
+
+ Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html
+ http/tests/xmlhttprequest/access-control-preflight-credential-sync.html
+
+ Rolling the patch in as I could not reproduce Qt results locally.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the
+ credential from the request here to avoid forgetting to do so in the different code path.
+ (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the
+ "Origin" header.
+ (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have
+ been removed so that we don't leak them. Also tweaked a comment to make it clear that
+ the URL check has issue when credential is involved.
+
+2010-04-21 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Adam Roben.
+
+ Windows build fix.
+
+ * platform/network/cf/ResourceHandleCFNet.cpp: Declare CFURLConnectionCreateWithProperties
+ for now, as it's mistakenly missing from WebKitSupportLibrary headers.
+
+2010-05-19 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ Check that the node is a text node before doing a static cast
+ to a Text class pointer.
+ https://bugs.webkit.org/show_bug.cgi?id=38626
+
+ Test: fast/text/text-transform-nontext-node-crash.xhtml
+
+ * rendering/RenderText.cpp:
+ (WebCore::RenderText::originalText):
+ * rendering/RenderTextFragment.cpp:
+ (WebCore::RenderTextFragment::originalText):
+ (WebCore::RenderTextFragment::previousCharacter):
+
+2010-05-12 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Darin Adler.
+
+ HTML Entity Escape the contents of a textarea node when accessed
+ via the innerHTML and outerHTML node properties.
+ https://bugs.webkit.org/show_bug.cgi?id=38922
+
+ Test: fast/innerHTML/innerHTML-special-elements.html
+
+ * editing/markup.cpp:
+ (WebCore::appendStartMarkup):
+
+2010-05-12 James Robinson <jamesr@chromium.org>
+
+ Patch by Dan Bernstein.
+
+ Reviewed by David Hyatt.
+
+ Fix marking the layout root's parent as needing layout
+ https://bugs.webkit.org/show_bug.cgi?id=37760
+
+ If an element gets marked as needing layout due to the recalcStyle()
+ call in FrameView::layout(), the m_layoutSchedulingEnabled flag will
+ be set to false. It's possible at this point that a parent of the
+ existing FrameView::m_layoutRoot will be marked as needing layout.
+
+ This patch updates FrameView::scheduleRelayoutOfSubtree to account
+ for this case.
+
+ Manual test only due to subtle timing issues.
+
+ * manual-tests/layoutroot_detach.xml: Added.
+ * page/FrameView.cpp:
+ (WebCore::FrameView::scheduleRelayoutOfSubtree):
+
+2010-05-10 Sam Weinig <sam@webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Fix for https://bugs.webkit.org/show_bug.cgi?id=38583
+ <rdar://problem/7948784> Crash in Element::normalizeAttributes.
+
+ Test: fast/dom/Element/normalize-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::normalizeAttributes): Copy attributes to a vector
+ before iterating.
+ * dom/NamedAttrMap.cpp:
+ (WebCore::NamedNodeMap::copyAttributesToVector): Added.
+ * dom/NamedAttrMap.h:
+
+2010-05-10 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler.
+
+ Based on a patch by Eric Seidel.
+
+ https://bugs.webkit.org/show_bug.cgi?id=28697
+ <rdar://problem/7946578> WebKit crash on WebCore::Node::nodeIndex()
+
+ It's not OK to call ContainerNode::willRemoveChild() in a loop, because Range code assumes
+ that it can adjust start and end position to any node except for the one being removed -
+ so these notifications cannot be batched.
+
+ Test: fast/dom/Range/remove-all-children-crash.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::willRemoveChild): Removed unused ExceptionCode.
+ (WebCore::willRemoveChildren): New function, used in removeChildren() case.
+ (WebCore::ContainerNode::removeChild): ExceptionCode return was always 0, don't bother with it.
+ (WebCore::ContainerNode::removeChildren): Call willRemoveChildrenFromNode.
+ (WebCore::dispatchChildRemovalEvents): Moved some logic out into willRemoveChildrenFromNode
+ and willRemoveChild.
+
+ * dom/Document.cpp:
+ (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case.
+
+ * dom/Document.h:
+ (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case.
+
+ * dom/Range.h:
+ * dom/Range.cpp:
+ (WebCore::boundaryNodeChildrenWillBeRemoved): New function, used in removeChildren() case.
+ (WebCore::Range::nodeChildrenWillBeRemoved): Ditto.
+
+2010-05-03 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=38497
+ <rdar://problem/7759438> Make sure that http URLs always have a host in SecurityOrigin
+
+ This is a hardening fix, and behavior really depends on what an underlying networking layer
+ does. So, no test.
+
+ * page/SecurityOrigin.cpp:
+ (WebCore::schemeRequiresAuthority): List schemes that need an authority for successful loading.
+ (WebCore::SecurityOrigin::SecurityOrigin): Never let e.g. http origins with empty authorities
+ have the same security origin.
+
+2010-05-03 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Add support for controlling clipboard access from javascript.
+ Clipboard access from javascript is disabled by default.
+ https://bugs.webkit.org/show_bug.cgi?id=27751
+
+ Test: editing/execCommand/clipboard-access.html
+
+ * WebCore.base.exp:
+ * editing/EditorCommand.cpp:
+ (WebCore::supportedCopyCut):
+ (WebCore::supportedPaste):
+ (WebCore::createCommandMap):
+ * page/Settings.cpp:
+ (WebCore::Settings::Settings):
+ (WebCore::Settings::setJavaScriptCanAccessClipboard):
+ * page/Settings.h:
+ (WebCore::Settings::javaScriptCanAccessClipboard):
+
+2010-04-30 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by David Kilzer.
+
+ Convert m_documentUnderMouse, m_dragInitiator to RefPtr.
+ Eliminated unused m_dragInitiator accessor to prevent dereferencing.
+ https://bugs.webkit.org/show_bug.cgi?id=37618
+
+ Test: editing/pasteboard/drag-drop-iframe-refresh-crash.html
+
+ * page/DragController.cpp:
+ (WebCore::DragController::tryDocumentDrag):
+ (WebCore::DragController::concludeEditDrag):
+ * page/DragController.h:
+ (WebCore::DragController::draggingImageURL):
+ (WebCore::DragController::documentUnderMouse):
+
+2010-04-14 Justin Schuh <jschuh@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Javascript URL can be set as iframe.src via multiple DOM aliases
+ https://bugs.webkit.org/show_bug.cgi?id=37031
+
+ Moved frame/iframe checks from Attr to Node on inherited members.
+ Node child manipulation methods now return NOT_SUPPORTED_ERR if used
+ on a frame/iframe src attribute.
+ NamedNodeMap set methods now perform frame/iframe src checks.
+ Moved allowSettingSrcToJavascriptURL static helper function from
+ JSElementCustom.cpp to exported function in JSDOMBinding.h.
+
+ * bindings/js/JSAttrCustom.cpp:
+ (WebCore::JSAttr::setValue):
+ * bindings/js/JSDOMBinding.cpp:
+ (WebCore::allowSettingSrcToJavascriptURL):
+ * bindings/js/JSDOMBinding.h:
+ * bindings/js/JSElementCustom.cpp:
+ * bindings/js/JSNamedNodeMapCustom.cpp:
+ (WebCore::JSNamedNodeMap::setNamedItem):
+ (WebCore::JSNamedNodeMap::setNamedItemNS):
+ * bindings/js/JSNodeCustom.cpp:
+ (WebCore::isAttrFrameSrc):
+ (WebCore::JSNode::setNodeValue):
+ (WebCore::JSNode::setTextContent):
+ (WebCore::JSNode::insertBefore):
+ (WebCore::JSNode::replaceChild):
+ (WebCore::JSNode::removeChild):
+ (WebCore::JSNode::appendChild):
+ * bindings/v8/custom/V8AttrCustom.cpp:
+ * bindings/v8/custom/V8NamedNodeMapCustom.cpp:
+ (WebCore::V8NamedNodeMap::setNamedItemNSCallback):
+ (WebCore::V8NamedNodeMap::setNamedItemCallback):
+ (WebCore::toV8):
+ * bindings/v8/custom/V8NodeCustom.cpp:
+ (WebCore::isFrameSrc):
+ (WebCore::V8Node::textContentAccessorSetter):
+ (WebCore::V8Node::nodeValueAccessorSetter):
+ (WebCore::V8Node::insertBeforeCallback):
+ (WebCore::V8Node::replaceChildCallback):
+ (WebCore::V8Node::removeChildCallback):
+ (WebCore::V8Node::appendChildCallback):
+ * dom/Attr.idl:
+ * dom/NamedNodeMap.idl:
+ * dom/Node.idl:
+
+2010-03-26 Justin Schuh <jschuh@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
+ https://bugs.webkit.org/show_bug.cgi?id=36502
+
+ Overrode inherited nodeValue and textContent in Attr.idl so they proxy
+ to value, which performs a security check.
+
+ Test: http/tests/security/xss-DENIED-iframe-src-alias.html
+
+ * bindings/js/JSAttrCustom.cpp:
+ (WebCore::JSAttr::nodeValue):
+ (WebCore::JSAttr::setNodeValue):
+ (WebCore::JSAttr::textContent):
+ (WebCore::JSAttr::setTextContent):
+ * bindings/v8/custom/V8AttrCustom.cpp:
+ (WebCore::V8Attr::nodeValueAccessorSetter):
+ (WebCore::V8Attr::nodeValueAccessorGetter):
+ (WebCore::V8Attr::textContentAccessorSetter):
+ (WebCore::V8Attr::textContentAccessorGetter):
+ * dom/Attr.idl:
+
+2010-05-05 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=38260
+ <rdar://problem/7917548> Fix whitespace removing in deprecatedParseURL().
+
+ Broken all the way since r4 (yes, that's a revision number).
+
+ Test: http/tests/security/xss-DENIED-javascript-with-spaces.html
+
+ * css/CSSHelper.cpp: (WebCore::deprecatedParseURL): Fixed loop conditions for remaining length.
+
+2010-04-23 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Simon Fraser.
+
+ <rdar://problem/7898436> :after content is duplicated
+
+ Test: fast/css-generated-content/after-duplicated-after-split.html
+
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::splitInlines): Pass the correct owner of the child list.
+
+2010-03-30 Chris Evans <cevans@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Taint the canvas if an SVG-derived pattern is rendered into it.
+
+ https://bugs.webkit.org/show_bug.cgi?id=36838
+
+ Test: fast/canvas/svg-taint.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::createPattern):
+ Take into account the image's hasSingleSecurityOrigin() property.
+
+2010-04-07 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Darinn Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=37230
+ <rdar://problem/7813115> REGRESSION (4.0.5): Safari asks for credentials all the time when
+ authenticating to Windows IIS Server
+
+ * platform/network/ProtectionSpace.h: (WebCore::ProtectionSpaceAuthenticationScheme): Added
+ a constant for ProtectionSpaceAuthenticationSchemeUnknown.
+
+ * platform/network/cf/AuthenticationCF.cpp: (WebCore::core):
+ * platform/network/cf/SocketStreamHandleCFNet.cpp: (WebCore::authenticationSchemeFromAuthenticationMethod):
+ Return ProtectionSpaceAuthenticationSchemeUnknown for unknown scheme.
+
+ * platform/network/mac/AuthenticationMac.mm:
+ (WebCore::mac): Support NTLM on systems older than 10.6. We actually get this string from
+ NSURLConnection, even though there was no public constant.
+ (WebCore::core): Return ProtectionSpaceAuthenticationSchemeUnknown for unknown scheme.
+
+2010-04-19 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Darin Adler.
+
+ Make the fix for <rdar://problem/7873647> from r57759 more robust.
+
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::updateHoverActiveState): Use RefPtrs for the Nodes.
+
+2010-04-16 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Simon Fraser.
+
+ <rdar://problem/7873647> Crash when updating hover state
+
+ Test: fast/dynamic/hover-style-recalc-crash.html
+
+ Updating the hover state of an element caused the document to need style
+ recalc, and then updating the hover state of a link caused style recalc,
+ which changed the render tree while updateHoverActiveState() was iterating
+ over it, leading to a crash.
+
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::updateHoverActiveState): Collect the nodes to be
+ updated into vectors, then update their active and hover states.
+
+2010-03-31 Mark Rowe <mrowe@apple.com>
+
+ Reviewed by Darin Adler.
+
+ <http://webkit.org/b/36878> REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port"
+
+ * platform/KURL.cpp:
+ (WebCore::KURL::port): Explicitly handle the case of a colon being present in the URL after the host name but with
+ no port number before the path. This is handled in the same manner as the colon and port being omitted completely.
+
+2010-03-24 Mark Rowe <mrowe@apple.com>
+
+ Revert the portion of r56489 that dealt with port zero as it introduced some test failures.
+
+ * platform/KURL.cpp:
+ (WebCore::KURL::port): Use the "ok" argument to charactersToUIntStrict to determine whether
+ it was able to successfully parse the string as an unsigned integer, rather than relying on
+ the fact it returned zero when it failed.
+
+2010-03-24 Mark Rowe <mrowe@apple.com>
+
+ Reviewed by Darin Adler.
+
+ WebKit should treat port numbers outside the valid range as being blacklisted
+ <http://webkit.org/b/36571> / <rdar://problem/7790908>
+
+ * platform/KURL.cpp:
+ (WebCore::KURL::port): Map invalid port numbers to invalidPortNumber.
+ (WebCore::portAllowed): Add invalidPortNumber to the blacklist.
+ * platform/KURLGoogle.cpp: invalid port numbers to invalidPortNumber.
+ (WebCore::KURL::port): Add invalidPortNumber to the blacklist.
+ Also bring this in to sync with KURL. Having this identical code in two places is stupid.
+
+2010-05-05 Alexey Proskuryakov <ap@apple.com>
+
+ Reviewed by Adele Peterson.
+
+ https://bugs.webkit.org/show_bug.cgi?id=26824
+ <rdar://problem/7018610> EventHandler can operate on a wrong frame if focus changes during
+ keyboard event dispatch.
+
+ EventHandler object is tied to a frame, so it's wrong for it to continue processing a keyboard
+ event if focused frame changes between keydown and keypress.
+
+ * manual-tests/focus-change-between-key-events.html: Added.
+
+ * page/EventHandler.cpp: (WebCore::EventHandler::keyEvent): Bail out early if focused frame
+ changes while dispatching keydown. Also made similar changes for Windows to maintain matching
+ behavior, even though EventHandler was re-entered anyway due to WM_KEYDOWN and WM_CHAR being
+ separate events.
+
+2010-07-02 Tor Arne Vestbø <tor.arne.vestbo@nokia.com>
+
+ Reviewed by Simon Hausmann.
+
+ [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear
+
+ The implementation of PathQt's addArcTo() was not float-safe and also had
+ a case where it drew an 'infinite' line, which is not part of the spec.
+
+ http://www.whatwg.org/specs/web-apps/current-work/#dom-context-2d-arcto
+
+ We now use qFuzzyCompare() in both cases. The method isPointOnPathBorder()
+ also had the same problem, and was refactored a bit in the process of fixing
+ the bug.
+
+ Initial patch by Andreas Kling.
+
+ https://bugs.webkit.org/show_bug.cgi?id=41412
+
+ * platform/graphics/qt/PathQt.cpp:
+
2010-03-26 Shu Chang <chang.shu@nokia.com>
Reviewed by Eric Seidel.
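Review bot: The 2010-03-24 entry for platform/KURLGoogle.cpp has its descriptions shifted. The file line reads "invalid port numbers to invalidPortNumber." with the verb missing, and (WebCore::KURL::port) under it is described as "Add invalidPortNumber to the blacklist", which is the text given to portAllowed in the KURL.cpp entry directly above. Worth correcting at the source of the import so the security-relevant port handling is described accurately. Smaller items in the same hunk: "Darinn Adler" in the 2010-04-07 entry, "the the credential" in the 2010-04-28 entry, "RenderSyles" in the 2010-05-20 entry, the doubled "RenderMenuList::RenderMenuList::" qualifier, and the ContainerNode entry, which says removeChildren calls willRemoveChildrenFromNode while the function it lists as new is willRemoveChildren. Several entries also list files (bindings/v8/custom/*, platform/network/cf/*, platform/network/mac/*, manual-tests/*) that are not in this commit's file list, and the entries are not in date order, so the commit message should say that the ChangeLog text is imported as-is from the WebKit branch.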
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp
index 3c01535..4cd40ac 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp
@@ -33,6 +33,7 @@
#include "Document.h"
#include "HTMLFrameElementBase.h"
#include "HTMLNames.h"
+#include "JSDOMBinding.h"
using namespace JSC;
@@ -46,13 +47,8 @@ void JSAttr::setValue(ExecState* exec, JSValue value)
String attrValue = valueToStringWithNullCheck(exec, value);
Element* ownerElement = imp->ownerElement();
- if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) {
- if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) {
- Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument();
- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
- return;
- }
- }
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue))
+ return;
ExceptionCode ec = 0;
imp->setValue(attrValue, ec);
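Review bot: The denial path in JSAttr::setValue is still a bare "return;" before "ExceptionCode ec = 0;", so a blocked write to a frame src is dropped without any DOM exception being set. The ChangeLog entry for bug 37031 says the Node child manipulation methods now return NOT_SUPPORTED_ERR for the same attribute, so the two paths report a refusal differently; either align them or add a comment here stating that the silent return is deliberate. Separately, now that the inline check is gone, the HTMLFrameElementBase.h include visible in the first hunk's context may no longer be needed in this file and could be dropped.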
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp
index f294dad..393c1ee 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp
@@ -24,6 +24,7 @@
#include "debugger/DebuggerCallFrame.h"
#include "ActiveDOMObject.h"
+#include "CSSHelper.h"
#include "DOMCoreException.h"
#include "DOMObjectHashTableMap.h"
#include "Document.h"
@@ -33,6 +34,7 @@
#include "Frame.h"
#include "HTMLAudioElement.h"
#include "HTMLCanvasElement.h"
+#include "HTMLFrameElementBase.h"
#include "HTMLImageElement.h"
#include "HTMLNames.h"
#include "HTMLScriptElement.h"
@@ -630,6 +632,16 @@ bool shouldAllowNavigation(ExecState* exec, Frame* frame)
return lexicalFrame && lexicalFrame->loader()->shouldAllowNavigation(frame);
}
+bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
+{
+ if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
+ Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
+ if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+ return false;
+ }
+ return true;
+}
+
void printErrorMessageForFrame(Frame* frame, const String& message)
{
if (!frame)
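Review bot: allowSettingSrcToJavascriptURL dereferences "element" in its first condition without a null check, and with this move it stops being a file-local static and becomes a shared entry point. Every caller visible in this patch tests the element first, but the function itself should carry ASSERT(element) or return true early on null so a future caller cannot turn a security check into a crash. The function also returns true when contentDocument() is null; a one-line comment explaining why a javascript: src is acceptable in that state would make the policy reviewable. The combined tag, name and protocol test on one line is hard to read and would be clearer split into an early return for the non-frame or non-src case.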
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h
index 219472b..40f7e40 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h
@@ -301,6 +301,8 @@ namespace WebCore {
bool allowsAccessFromFrame(JSC::ExecState*, Frame*);
bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message);
bool shouldAllowNavigation(JSC::ExecState*, Frame*);
+ bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&);
+
void printErrorMessageForFrame(Frame*, const String& message);
JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName);
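Review bot: The new declaration takes two adjacent "const String&" parameters with no names, so nothing at the call site or in the header says which is the attribute name and which is the value, and swapping them would compile cleanly while disabling the check. Name them as in the definition (const String& name, const String& value), the way printErrorMessageForFrame on the next line names its "message" parameter.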
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp
index c725290..94012fd 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp
@@ -36,6 +36,7 @@
#include "HTMLFrameElementBase.h"
#include "HTMLNames.h"
#include "JSAttr.h"
+#include "JSDOMBinding.h"
#include "JSHTMLElementWrapperFactory.h"
#include "JSNodeList.h"
#include "NodeList.h"
@@ -63,16 +64,6 @@ void JSElement::markChildren(MarkStack& markStack)
markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl());
}
-static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
-{
- if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
- Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
- if (contentDocument && !checkNodeSecurity(exec, contentDocument))
- return false;
- }
- return true;
-}
-
JSValue JSElement::setAttribute(ExecState* exec, const ArgList& args)
{
ExceptionCode ec = 0;
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
index 13f3628..965498a 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
@@ -35,6 +35,38 @@ using namespace JSC;
namespace WebCore {
+JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
+{
+ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+ ExceptionCode ec = 0;
+ Node* newNode = toNode(args.at(0));
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return jsNull();
+ }
+
+ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec)));
+ setDOMException(exec, ec);
+ return result;
+}
+
+JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args)
+{
+ NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+ ExceptionCode ec = 0;
+ Node* newNode = toNode(args.at(0));
+
+ if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+ if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+ return jsNull();
+ }
+
+ JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec)));
+ setDOMException(exec, ec);
+ return result;
+}
+
bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName)
{
return impl->getNamedItem(propertyName);
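Review bot: In setNamedItem and setNamedItemNS, the refused path (return jsNull(); when allowSettingSrcToJavascriptURL fails) raises no DOM exception, so the caller sees the same null it would get from a successful set that replaced nothing. Consider calling setDOMException with a suitable code there, or add a comment saying the silent no-op is deliberate. The two bodies also differ only in the final imp->setNamedItem / imp->setNamedItemNS call, so the check could live in one shared static helper.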
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp
index 134c581..bf6c633 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp
@@ -38,6 +38,7 @@
#include "JSAttr.h"
#include "JSCDATASection.h"
#include "JSComment.h"
+#include "JSDOMBinding.h"
#include "JSDocument.h"
#include "JSDocumentFragment.h"
#include "JSDocumentType.h"
@@ -66,12 +67,53 @@ using namespace JSC;
namespace WebCore {
-typedef int ExpectionCode;
+static inline bool isAttrFrameSrc(Element *element, const String& name)
+{
+ return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+{
+ Node* imp = static_cast<Node*>(impl());
+ String nodeValue = valueToStringWithNullCheck(exec, value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setNodeValue(nodeValue, ec);
+ setDOMException(exec, ec);
+}
+
+void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+{
+ Node* imp = static_cast<Node*>(impl());
+ String nodeValue = valueToStringWithNullCheck(exec, value);
+
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+ Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+ if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+ return;
+ }
+
+ ExceptionCode ec = 0;
+ imp->setTextContent(nodeValue, ec);
+ setDOMException(exec, ec);
+}
JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(0);
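Review bot: The guard added to insertBefore rejects any child insertion under an iframe/frame src Attr with NOT_SUPPORTED_ERR, whatever the value, while setNodeValue and setTextContent in the same hunk refuse only JavaScript URLs through allowSettingSrcToJavascriptURL and then return without setting an exception. That gives two policies and two failure modes for the same attribute; a comment above isAttrFrameSrc explaining why child mutation is banned outright, and why the setters fail silently, would save the next reader from guessing. Style nit: isAttrFrameSrc takes Element *element where the rest of the hunk writes Element* ownerElement.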
@@ -80,8 +122,14 @@ JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+ bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(1);
@@ -90,8 +138,14 @@ JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->removeChild(toNode(args.at(0)), ec);
+ bool ok = imp->removeChild(toNode(args.at(0)), ec);
setDOMException(exec, ec);
if (ok)
return args.at(0);
@@ -100,8 +154,14 @@ JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
JSValue JSNode::appendChild(ExecState* exec, const ArgList& args)
{
+ Node* imp = static_cast<Node*>(impl());
+ if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+ setDOMException(exec, NOT_SUPPORTED_ERR);
+ return jsNull();
+ }
+
ExceptionCode ec = 0;
- bool ok = impl()->appendChild(toNode(args.at(0)), ec, true);
+ bool ok = imp->appendChild(toNode(args.at(0)), ec, true);
setDOMException(exec, ec);
if (ok)
return args.at(0);
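Review bot: The guard at the top of appendChild is the fourth verbatim copy of the one in insertBefore, replaceChild and removeChild (nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(...) followed by setDOMException(exec, NOT_SUPPORTED_ERR)). Fold it into one static helper that takes exec and imp and reports whether the call must be refused, so a later change to the check cannot miss one of the four entry points.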
diff --git a/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp b/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp
index 8e6f3a0..c3418b4 100644
--- a/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp
+++ b/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp
@@ -36,7 +36,7 @@ String deprecatedParseURL(const String& url)
int o = 0;
int l = i->length();
- while (o < l && (*i)[o] <= ' ') {
+ while (0 < l && (*i)[o] <= ' ') {
++o;
--l;
}
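Review bot: The new loop condition 0 < l differs from the old o < l by a single look-alike character (digit zero versus the offset variable o), which is easy to misread and easy for a later cleanup to change back. Write it as l > 0 and add a short comment that l is the remaining length: since each pass does ++o and --l, the old comparison stopped about halfway through a run of leading characters <= ' ' and left the rest unskipped.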
@@ -53,7 +53,7 @@ String deprecatedParseURL(const String& url)
l -= 5;
}
- while (o < l && (*i)[o] <= ' ') {
+ while (0 < l && (*i)[o] <= ' ') {
++o;
--l;
}
@@ -65,7 +65,7 @@ String deprecatedParseURL(const String& url)
l -= 2;
}
- while (o < l && (*i)[o] <= ' ') {
+ while (0 < l && (*i)[o] <= ' ') {
++o;
--l;
}
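Review bot: This is the third copy of the same skip loop in deprecatedParseURL, and all three needed the identical one-character fix. Move the loop into a small static helper that takes the string plus o and l by reference, so the three sites cannot drift apart again.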
diff --git a/src/3rdparty/webkit/WebCore/dom/Attr.idl b/src/3rdparty/webkit/WebCore/dom/Attr.idl
index af84478..3c73bc0 100644
--- a/src/3rdparty/webkit/WebCore/dom/Attr.idl
+++ b/src/3rdparty/webkit/WebCore/dom/Attr.idl
@@ -28,7 +28,9 @@ module core {
// DOM Level 1
readonly attribute [ConvertNullStringTo=Null] DOMString name;
+
readonly attribute boolean specified;
+
attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value
setter raises(DOMException);
diff --git a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
index fb2852f..c17489a 100644
--- a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
@@ -292,19 +292,32 @@ void ContainerNode::willRemove()
Node::willRemove();
}
-static ExceptionCode willRemoveChild(Node *child)
+static void willRemoveChild(Node* child)
{
- ExceptionCode ec = 0;
+ // update auxiliary doc info (e.g. iterators) to note that node is being removed
+ child->document()->nodeWillBeRemoved(child);
+ child->document()->incDOMTreeVersion();
// fire removed from document mutation events.
dispatchChildRemovalEvents(child);
- if (ec)
- return ec;
if (child->attached())
child->willRemove();
-
- return 0;
+}
+
+static void willRemoveChildren(ContainerNode* container)
+{
+ container->document()->nodeChildrenWillBeRemoved(container);
+ container->document()->incDOMTreeVersion();
+
+ // FIXME: Adding new children from event handlers can cause an infinite loop here.
+ for (RefPtr<Node> child = container->firstChild(); child; child = child->nextSibling()) {
+ // fire removed from document mutation events.
+ dispatchChildRemovalEvents(child.get());
+
+ if (child->attached())
+ child->willRemove();
+ }
}
bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
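Review bot: In willRemoveChildren, the loop advances with child->nextSibling() after dispatchChildRemovalEvents(child.get()) has already run script, so a handler that removes or moves child makes the loop either stop early or continue along another parent's sibling list, and the container's remaining children never get their removal events or willRemove(). The FIXME only mentions the infinite-loop case. Snapshot the children into a Vector<RefPtr<Node> > before dispatching anything, the same way normalizeAttributes copies its attributes elsewhere in this patch, and iterate the snapshot.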
@@ -328,10 +341,7 @@ bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
}
RefPtr<Node> child = oldChild;
-
- ec = willRemoveChild(child.get());
- if (ec)
- return false;
+ willRemoveChild(child.get());
// Mutation events might have moved this child into a different parent.
if (child->parentNode() != this) {
@@ -399,14 +409,12 @@ bool ContainerNode::removeChildren()
return false;
// The container node can be removed from event handlers.
- RefPtr<Node> protect(this);
-
+ RefPtr<ContainerNode> protect(this);
+
// Do any prep work needed before actually starting to detach
// and remove... e.g. stop loading frames, fire unload events.
- // FIXME: Adding new children from event handlers can cause an infinite loop here.
- for (RefPtr<Node> n = m_firstChild; n; n = n->nextSibling())
- willRemoveChild(n.get());
-
+ willRemoveChildren(protect.get());
+
// exclude this node when looking for removed focusedNode since only children will be removed
document()->removeFocusedNodeOfSubtree(this, true);
@@ -936,6 +944,8 @@ static void dispatchChildInsertionEvents(Node* child)
static void dispatchChildRemovalEvents(Node* child)
{
+ ASSERT(!eventDispatchForbidden());
+
#if ENABLE(INSPECTOR)
if (Page* page = child->document()->page()) {
if (InspectorController* inspectorController = page->inspectorController())
@@ -946,11 +956,6 @@ static void dispatchChildRemovalEvents(Node* child)
RefPtr<Node> c = child;
RefPtr<Document> document = child->document();
- // update auxiliary doc info (e.g. iterators) to note that node is being removed
- document->nodeWillBeRemoved(child);
-
- document->incDOMTreeVersion();
-
// dispatch pre-removal mutation events
if (c->parentNode() && document->hasListenerType(Document::DOMNODEREMOVED_LISTENER))
c->dispatchEvent(MutationEvent::create(eventNames().DOMNodeRemovedEvent, true, c->parentNode()));
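Review bot: With document->nodeWillBeRemoved(child) and document->incDOMTreeVersion() taken out of dispatchChildRemovalEvents, every caller now has to do that bookkeeping itself before dispatching. willRemoveChild and willRemoveChildren do; please confirm there is no other caller in this file, and add a comment above dispatchChildRemovalEvents stating the precondition, since the new ASSERT(!eventDispatchForbidden()) does not cover it.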
diff --git a/src/3rdparty/webkit/WebCore/dom/Document.cpp b/src/3rdparty/webkit/WebCore/dom/Document.cpp
index 545819d..9803cf5 100644
--- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
@@ -2957,6 +2957,28 @@ void Document::nodeChildrenChanged(ContainerNode* container)
}
}
+void Document::nodeChildrenWillBeRemoved(ContainerNode* container)
+{
+ if (!disableRangeMutation(page())) {
+ HashSet<Range*>::const_iterator end = m_ranges.end();
+ for (HashSet<Range*>::const_iterator it = m_ranges.begin(); it != end; ++it)
+ (*it)->nodeChildrenWillBeRemoved(container);
+ }
+
+ HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end();
+ for (HashSet<NodeIterator*>::const_iterator it = m_nodeIterators.begin(); it != nodeIteratorsEnd; ++it) {
+ for (Node* n = container->firstChild(); n; n = n->nextSibling())
+ (*it)->nodeWillBeRemoved(n);
+ }
+
+ if (Frame* frame = this->frame()) {
+ for (Node* n = container->firstChild(); n; n = n->nextSibling()) {
+ frame->selection()->nodeWillBeRemoved(n);
+ frame->dragCaretController()->nodeWillBeRemoved(n);
+ }
+ }
+}
+
void Document::nodeWillBeRemoved(Node* n)
{
HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end();
diff --git a/src/3rdparty/webkit/WebCore/dom/Document.h b/src/3rdparty/webkit/WebCore/dom/Document.h
index 44cdf0d..68927f4 100644
--- a/src/3rdparty/webkit/WebCore/dom/Document.h
+++ b/src/3rdparty/webkit/WebCore/dom/Document.h
@@ -616,6 +616,9 @@ public:
void detachRange(Range*);
void nodeChildrenChanged(ContainerNode*);
+ // nodeChildrenWillBeRemoved is used when removing all node children at once.
+ void nodeChildrenWillBeRemoved(ContainerNode*);
+ // nodeWillBeRemoved is only safe when removing one node at a time.
void nodeWillBeRemoved(Node*);
void textInserted(Node*, unsigned offset, unsigned length);
diff --git a/src/3rdparty/webkit/WebCore/dom/Element.cpp b/src/3rdparty/webkit/WebCore/dom/Element.cpp
index 6bd512d..a02bb4c 100644
--- a/src/3rdparty/webkit/WebCore/dom/Element.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Element.cpp
@@ -937,7 +937,7 @@ void Element::recalcStyle(StyleChange change)
newStyle->setChildrenAffectedByDirectAdjacentRules();
}
- if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) {
+ if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) {
setRenderStyle(newStyle);
} else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) {
// Although no change occurred, we use the new style so that the cousin style sharing code won't get
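Review bot: The condition extended in recalcStyle now mixes || and && without grouping: ch != NoChange || pseudoStyleCacheIsInvalid(...) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation(). Precedence gives the intended result, but compilers warn on this pattern and the reader has to stop and work it out; wrap the change == Force && ... part in parentheses.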
@@ -1429,9 +1429,15 @@ void Element::normalizeAttributes()
NamedNodeMap* attrs = attributes(true);
if (!attrs)
return;
- unsigned numAttrs = attrs->length();
- for (unsigned i = 0; i < numAttrs; i++) {
- if (Attr* attr = attrs->attributeItem(i)->attr())
+
+ if (attrs->isEmpty())
+ return;
+
+ Vector<RefPtr<Attribute> > attributeVector;
+ attrs->copyAttributesToVector(attributeVector);
+ size_t numAttrs = attributeVector.size();
+ for (size_t i = 0; i < numAttrs; ++i) {
+ if (Attr* attr = attributeVector[i]->attr())
attr->normalize();
}
}
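Review bot: normalizeAttributes now iterates a copied Vector<RefPtr<Attribute> > instead of indexing attrs directly, but nothing in the function says why. Add a one-line comment that attr->normalize() can run mutation event handlers that modify the element's attributes (the case named in the commit message), so the copy is not removed later as an apparent inefficiency. The attrs->isEmpty() early return could also be folded into the preceding if (!attrs) check.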
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
index d8a6ba8..ee979cf 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
@@ -172,6 +172,11 @@ PassRefPtr<Node> NamedNodeMap::item(unsigned index) const
return m_attributes[index]->createAttrIfNeeded(m_element);
}
+void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy)
+{
+ copy = m_attributes;
+}
+
Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const
{
unsigned len = length();
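Review bot: copyAttributesToVector only reads m_attributes, yet it is defined non-const, unlike item() and getAttributeItemSlowCase() on either side of it. Declare it const, here and in NamedAttrMap.h, so it can be called through a const NamedNodeMap.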
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h
index d5136b5..e292576 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h
+++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h
@@ -72,6 +72,8 @@ public:
Attribute* attributeItem(unsigned index) const { return m_attributes[index].get(); }
Attribute* getAttributeItem(const QualifiedName&) const;
+ void copyAttributesToVector(Vector<RefPtr<Attribute> >&);
+
void shrinkToLength() { m_attributes.shrinkCapacity(length()); }
void reserveInitialCapacity(unsigned capacity) { m_attributes.reserveInitialCapacity(capacity); }
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl b/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl
index 4d36577..7bfbf23 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl
+++ b/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl
@@ -28,7 +28,7 @@ module core {
Node getNamedItem(in DOMString name);
- Node setNamedItem(in Node node)
+ [Custom] Node setNamedItem(in Node node)
raises(DOMException);
Node removeNamedItem(in DOMString name)
@@ -46,7 +46,7 @@ module core {
// FIXME: the implementation does take an exceptioncode parameter.
/*raises(DOMException)*/;
- Node setNamedItemNS(in Node node)
+ [Custom] Node setNamedItemNS(in Node node)
raises(DOMException);
[OldStyleObjC] Node removeNamedItemNS(in [ConvertNullToNullString] DOMString namespaceURI,
diff --git a/src/3rdparty/webkit/WebCore/dom/Node.idl b/src/3rdparty/webkit/WebCore/dom/Node.idl
index 0489316..22d9a85 100644
--- a/src/3rdparty/webkit/WebCore/dom/Node.idl
+++ b/src/3rdparty/webkit/WebCore/dom/Node.idl
@@ -51,7 +51,7 @@ module core {
readonly attribute [ConvertNullStringTo=Null] DOMString nodeName;
// FIXME: the spec says this can also raise on retrieval.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
+ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString nodeValue
setter raises(DOMException);
readonly attribute unsigned short nodeType;
@@ -96,7 +96,7 @@ module core {
readonly attribute [ConvertNullStringTo=Null] DOMString baseURI;
// FIXME: the spec says this can also raise on retrieval.
- attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
+ attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString textContent
setter raises(DOMException);
boolean isSameNode(in Node other);
diff --git a/src/3rdparty/webkit/WebCore/dom/Range.cpp b/src/3rdparty/webkit/WebCore/dom/Range.cpp
index 52d1785..689b590 100644
--- a/src/3rdparty/webkit/WebCore/dom/Range.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Range.cpp
@@ -1716,6 +1716,31 @@ void Range::nodeChildrenChanged(ContainerNode* container)
boundaryNodeChildrenChanged(m_end, container);
}
+static inline void boundaryNodeChildrenWillBeRemoved(RangeBoundaryPoint& boundary, ContainerNode* container)
+{
+ for (Node* nodeToBeRemoved = container->firstChild(); nodeToBeRemoved; nodeToBeRemoved = nodeToBeRemoved->nextSibling()) {
+ if (boundary.childBefore() == nodeToBeRemoved) {
+ boundary.setToStartOfNode(container);
+ return;
+ }
+
+ for (Node* n = boundary.container(); n; n = n->parentNode()) {
+ if (n == nodeToBeRemoved) {
+ boundary.setToStartOfNode(container);
+ return;
+ }
+ }
+ }
+}
+
+void Range::nodeChildrenWillBeRemoved(ContainerNode* container)
+{
+ ASSERT(container);
+ ASSERT(container->document() == m_ownerDocument);
+ boundaryNodeChildrenWillBeRemoved(m_start, container);
+ boundaryNodeChildrenWillBeRemoved(m_end, container);
+}
+
static inline void boundaryNodeWillBeRemoved(RangeBoundaryPoint& boundary, Node* nodeToBeRemoved)
{
if (boundary.childBefore() == nodeToBeRemoved) {
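Review bot: boundaryNodeChildrenWillBeRemoved walks the boundary's whole ancestor chain once per child of container, so clearing a container with many children costs children times depth for every live Range. The same result comes from a single pass: reset the boundary if boundary.childBefore() is non-null and its parentNode() is container, or if any node n on the chain from boundary.container() upward has n->parentNode() == container. Removing all children at once is the case this function exists for, so the cheaper form is worth having.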
diff --git a/src/3rdparty/webkit/WebCore/dom/Range.h b/src/3rdparty/webkit/WebCore/dom/Range.h
index fd0f66a..bfddd32 100644
--- a/src/3rdparty/webkit/WebCore/dom/Range.h
+++ b/src/3rdparty/webkit/WebCore/dom/Range.h
@@ -111,6 +111,7 @@ public:
void textQuads(Vector<FloatQuad>&, bool useSelectionHeight = false);
void nodeChildrenChanged(ContainerNode*);
+ void nodeChildrenWillBeRemoved(ContainerNode*);
void nodeWillBeRemoved(Node*);
void textInserted(Node*, unsigned offset, unsigned length);
diff --git a/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp b/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp
index 34fa46d..4cb34ac 100644
--- a/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp
+++ b/src/3rdparty/webkit/WebCore/editing/EditorCommand.cpp
@@ -1069,6 +1069,21 @@ static bool supportedFromMenuOrKeyBinding(Frame*, EditorCommandSource source)
return source == CommandFromMenuOrKeyBinding;
}
+static bool supportedCopyCut(Frame* frame, EditorCommandSource source)
+{
+ switch (source) {
+ case CommandFromMenuOrKeyBinding:
+ return true;
+ case CommandFromDOM:
+ case CommandFromDOMWithUserInterface: {
+ Settings* settings = frame ? frame->settings() : 0;
+ return settings && settings->javaScriptCanAccessClipboard();
+ }
+ }
+ ASSERT_NOT_REACHED();
+ return false;
+}
+
static bool supportedPaste(Frame* frame, EditorCommandSource source)
{
switch (source) {
@@ -1077,7 +1092,7 @@ static bool supportedPaste(Frame* frame, EditorCommandSource source)
case CommandFromDOM:
case CommandFromDOMWithUserInterface: {
Settings* settings = frame ? frame->settings() : 0;
- return settings && settings->isDOMPasteAllowed();
+ return settings && (settings->javaScriptCanAccessClipboard() ? settings->isDOMPasteAllowed() : 0);
}
}
ASSERT_NOT_REACHED();
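Review bot: The new return in supportedPaste uses a conditional with a literal 0 as its false arm: settings && (settings->javaScriptCanAccessClipboard() ? settings->isDOMPasteAllowed() : 0). A plain chain reads better and keeps every operand bool: settings && settings->javaScriptCanAccessClipboard() && settings->isDOMPasteAllowed(). That form also matches supportedCopyCut added just above.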
@@ -1304,9 +1319,9 @@ static const CommandMap& createCommandMap()
{ "BackColor", { executeBackColor, supported, enabledInRichlyEditableText, stateNone, valueBackColor, notTextInsertion, doNotAllowExecutionWhenDisabled } },
{ "BackwardDelete", { executeDeleteBackward, supportedFromMenuOrKeyBinding, enabledInEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } }, // FIXME: remove BackwardDelete when Safari for Windows stops using it.
{ "Bold", { executeToggleBold, supported, enabledInRichlyEditableText, stateBold, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } },
- { "Copy", { executeCopy, supported, enabledCopy, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } },
+ { "Copy", { executeCopy, supportedCopyCut, enabledCopy, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } },
{ "CreateLink", { executeCreateLink, supported, enabledInRichlyEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } },
- { "Cut", { executeCut, supported, enabledCut, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } },
+ { "Cut", { executeCut, supportedCopyCut, enabledCut, stateNone, valueNull, notTextInsertion, allowExecutionWhenDisabled } },
{ "Delete", { executeDelete, supported, enabledDelete, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } },
{ "DeleteBackward", { executeDeleteBackward, supportedFromMenuOrKeyBinding, enabledInEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } },
{ "DeleteBackwardByDecomposingPreviousCharacter", { executeDeleteBackwardByDecomposingPreviousCharacter, supportedFromMenuOrKeyBinding, enabledInEditableText, stateNone, valueNull, notTextInsertion, doNotAllowExecutionWhenDisabled } },
diff --git a/src/3rdparty/webkit/WebCore/editing/markup.cpp b/src/3rdparty/webkit/WebCore/editing/markup.cpp
index 787dad9..7e90107 100644
--- a/src/3rdparty/webkit/WebCore/editing/markup.cpp
+++ b/src/3rdparty/webkit/WebCore/editing/markup.cpp
@@ -404,10 +404,12 @@ static void appendStartMarkup(Vector<UChar>& result, const Node* node, const Ran
if (Node* parent = node->parentNode()) {
if (parent->hasTagName(scriptTag)
|| parent->hasTagName(styleTag)
- || parent->hasTagName(textareaTag)
|| parent->hasTagName(xmpTag)) {
appendUCharRange(result, ucharRange(node, range));
break;
+ } else if (parent->hasTagName(textareaTag)) {
+ appendEscapedContent(result, ucharRange(node, range), documentIsHTML);
+ break;
}
}
if (!annotate) {
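Review bot: The new textarea branch is attached as } else if (...) { to a block that ends in break, so the else is redundant; make it a separate if. A one-line comment would also help here, saying why textarea content goes through appendEscapedContent while script, style and xmp are still emitted raw with appendUCharRange.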
diff --git a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp
index 7aed66c..1232cfc 100644
--- a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp
+++ b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.cpp
@@ -264,14 +264,7 @@ JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionSetNamedItem(ExecState* exe
if (!thisValue.inherits(&JSNamedNodeMap::s_info))
return throwError(exec, TypeError);
JSNamedNodeMap* castedThisObj = static_cast<JSNamedNodeMap*>(asObject(thisValue));
- NamedNodeMap* imp = static_cast<NamedNodeMap*>(castedThisObj->impl());
- ExceptionCode ec = 0;
- Node* node = toNode(args.at(0));
-
-
- JSC::JSValue result = toJS(exec, castedThisObj->globalObject(), WTF::getPtr(imp->setNamedItem(node, ec)));
- setDOMException(exec, ec);
- return result;
+ return castedThisObj->setNamedItem(exec, args);
}
JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionRemoveNamedItem(ExecState* exec, JSObject*, JSValue thisValue, const ArgList& args)
@@ -325,14 +318,7 @@ JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionSetNamedItemNS(ExecState* e
if (!thisValue.inherits(&JSNamedNodeMap::s_info))
return throwError(exec, TypeError);
JSNamedNodeMap* castedThisObj = static_cast<JSNamedNodeMap*>(asObject(thisValue));
- NamedNodeMap* imp = static_cast<NamedNodeMap*>(castedThisObj->impl());
- ExceptionCode ec = 0;
- Node* node = toNode(args.at(0));
-
-
- JSC::JSValue result = toJS(exec, castedThisObj->globalObject(), WTF::getPtr(imp->setNamedItemNS(node, ec)));
- setDOMException(exec, ec);
- return result;
+ return castedThisObj->setNamedItemNS(exec, args);
}
JSValue JSC_HOST_CALL jsNamedNodeMapPrototypeFunctionRemoveNamedItemNS(ExecState* exec, JSObject*, JSValue thisValue, const ArgList& args)
diff --git a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h
index 0fa1fdf..b79e97c 100644
--- a/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h
+++ b/src/3rdparty/webkit/WebCore/generated/JSNamedNodeMap.h
@@ -50,6 +50,10 @@ public:
virtual void getOwnPropertyNames(JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode mode = JSC::ExcludeDontEnumProperties);
static JSC::JSValue getConstructor(JSC::ExecState*, JSC::JSGlobalObject*);
+
+ // Custom functions
+ JSC::JSValue setNamedItem(JSC::ExecState*, const JSC::ArgList&);
+ JSC::JSValue setNamedItemNS(JSC::ExecState*, const JSC::ArgList&);
NamedNodeMap* impl() const { return m_impl.get(); }
private:
diff --git a/src/3rdparty/webkit/WebCore/generated/JSNode.cpp b/src/3rdparty/webkit/WebCore/generated/JSNode.cpp
index 47dafd4..1e16be6 100644
--- a/src/3rdparty/webkit/WebCore/generated/JSNode.cpp
+++ b/src/3rdparty/webkit/WebCore/generated/JSNode.cpp
@@ -394,11 +394,7 @@ void JSNode::put(ExecState* exec, const Identifier& propertyName, JSValue value,
void setJSNodeNodeValue(ExecState* exec, JSObject* thisObject, JSValue value)
{
- JSNode* castedThisObj = static_cast<JSNode*>(thisObject);
- Node* imp = static_cast<Node*>(castedThisObj->impl());
- ExceptionCode ec = 0;
- imp->setNodeValue(valueToStringWithNullCheck(exec, value), ec);
- setDOMException(exec, ec);
+ static_cast<JSNode*>(thisObject)->setNodeValue(exec, value);
}
void setJSNodePrefix(ExecState* exec, JSObject* thisObject, JSValue value)
@@ -412,11 +408,7 @@ void setJSNodePrefix(ExecState* exec, JSObject* thisObject, JSValue value)
void setJSNodeTextContent(ExecState* exec, JSObject* thisObject, JSValue value)
{
- JSNode* castedThisObj = static_cast<JSNode*>(thisObject);
- Node* imp = static_cast<Node*>(castedThisObj->impl());
- ExceptionCode ec = 0;
- imp->setTextContent(valueToStringWithNullCheck(exec, value), ec);
- setDOMException(exec, ec);
+ static_cast<JSNode*>(thisObject)->setTextContent(exec, value);
}
JSValue JSNode::getConstructor(ExecState* exec, JSGlobalObject* globalObject)
diff --git a/src/3rdparty/webkit/WebCore/generated/JSNode.h b/src/3rdparty/webkit/WebCore/generated/JSNode.h
index be6dd23..e2c82c4 100644
--- a/src/3rdparty/webkit/WebCore/generated/JSNode.h
+++ b/src/3rdparty/webkit/WebCore/generated/JSNode.h
@@ -54,6 +54,10 @@ public:
static JSC::JSValue getConstructor(JSC::ExecState*, JSC::JSGlobalObject*);
+ // Custom attributes
+ void setNodeValue(JSC::ExecState*, JSC::JSValue);
+ void setTextContent(JSC::ExecState*, JSC::JSValue);
+
// Custom functions
JSC::JSValue insertBefore(JSC::ExecState*, const JSC::ArgList&);
JSC::JSValue replaceChild(JSC::ExecState*, const JSC::ArgList&);
diff --git a/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index 9cec7a9..73a572e 100644
--- a/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/src/3rdparty/webkit/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -1215,7 +1215,7 @@ PassRefPtr<CanvasPattern> CanvasRenderingContext2D::createPattern(HTMLImageEleme
if (!cachedImage || !image->cachedImage()->image())
return CanvasPattern::create(Image::nullImage(), repeatX, repeatY, true);
- bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url()));
+ bool originClean = !canvas()->document()->securityOrigin()->taintsCanvas(KURL(KURL(), cachedImage->url())) && cachedImage->image()->hasSingleSecurityOrigin();
return CanvasPattern::create(cachedImage->image(), repeatX, repeatY, originClean);
}
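Review bot: The extra && cachedImage->image()->hasSingleSecurityOrigin() in createPattern carries no comment, and the line is now long enough that the second condition is easy to overlook. Split the originClean computation over two statements or add a comment that an image which does not have a single security origin must taint the pattern even when its URL passes taintsCanvas. The context line above also mixes cachedImage with image->cachedImage(); use the local consistently.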
diff --git a/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp b/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp
index de0a0b0..55f51ac 100644
--- a/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/src/3rdparty/webkit/WebCore/loader/DocumentThreadableLoader.cpp
@@ -81,16 +81,19 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document* document, Threadabl
ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
- if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()))
- makeSimpleCrossOriginAccessRequest(request);
+ OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request));
+ crossOriginRequest->removeCredentials();
+ crossOriginRequest->setAllowCookies(m_options.allowCredentials);
+
+ if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields()))
+ makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
else {
- m_actualRequest.set(new ResourceRequest(request));
- m_actualRequest->setAllowCookies(m_options.allowCredentials);
+ m_actualRequest.set(crossOriginRequest.release());
- if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields()))
+ if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
preflightSuccess();
else
- makeCrossOriginAccessRequestWithPreflight(request);
+ makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
}
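Review bot: crossOriginRequest is heap-allocated through OwnPtr before the code knows whether the preflight branch will take ownership of it. On the simple branch it is passed by reference to makeSimpleCrossOriginAccessRequest, which copies it again into its own local ResourceRequest, so that path now pays for an allocation and two copies. Keeping a stack ResourceRequest with removeCredentials() and setAllowCookies() applied, and allocating only in the else branch for m_actualRequest, gives the same behaviour without the extra work.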
@@ -106,8 +109,6 @@ void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource
// Make a copy of the passed request so that we can modify some details.
ResourceRequest crossOriginRequest(request);
- crossOriginRequest.removeCredentials();
- crossOriginRequest.setAllowCookies(m_options.allowCredentials);
crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
loadRequest(crossOriginRequest, DoSecurityCheck);
@@ -287,11 +288,17 @@ void DocumentThreadableLoader::preflightSuccess()
void DocumentThreadableLoader::preflightFailure()
{
+ m_actualRequest = 0; // Prevent didFinishLoading() from bypassing access check.
m_client->didFail(ResourceError());
}
void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck)
{
+ // Any credential should have been removed from the cross-site requests.
+ const KURL& requestURL = request.url();
+ ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
+ ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
+
if (m_async) {
// Don't sniff content or send load callbacks for the preflight request.
bool sendLoadCallbacks = m_options.sendLoadCallbacks && !m_actualRequest;
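Review bot: The two checks added at the top of loadRequest are ASSERTs, so they disappear in release builds; if a cross-origin request whose URL still carries user() or pass() reaches this point in production, it is sent as is. Since this is the common point before every load, consider clearing the credentials there, or failing the request through m_client->didFail, when m_sameOriginRequest is false, and keep the ASSERTs for debugging.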
@@ -315,15 +322,15 @@ void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Secur
// No exception for file:/// resources, see <rdar://problem/4962298>.
// Also, if we have an HTTP response, then it wasn't a network error in fact.
- if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) {
+ if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) {
m_client->didFail(error);
return;
}
// FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
// request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
- // requested.
- if (request.url() != response.url() && !isAllowedRedirect(response.url())) {
+ // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
+ if (requestURL != response.url() && !isAllowedRedirect(response.url())) {
m_client->didFailRedirectCheck();
return;
}
diff --git a/src/3rdparty/webkit/WebCore/page/DragController.cpp b/src/3rdparty/webkit/WebCore/page/DragController.cpp
index f238b27..0da6873 100644
--- a/src/3rdparty/webkit/WebCore/page/DragController.cpp
+++ b/src/3rdparty/webkit/WebCore/page/DragController.cpp
@@ -313,7 +313,7 @@ bool DragController::tryDocumentDrag(DragData* dragData, DragDestinationAction a
}
IntPoint point = frameView->windowToContents(dragData->clientPosition());
- Element* element = elementUnderMouse(m_documentUnderMouse, point);
+ Element* element = elementUnderMouse(m_documentUnderMouse.get(), point);
if (!asFileInput(element)) {
VisibleSelection dragCaret = m_documentUnderMouse->frame()->visiblePositionForPoint(point);
m_page->dragCaretController()->setSelection(dragCaret);
@@ -363,7 +363,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
return false;
IntPoint point = m_documentUnderMouse->view()->windowToContents(dragData->clientPosition());
- Element* element = elementUnderMouse(m_documentUnderMouse, point);
+ Element* element = elementUnderMouse(m_documentUnderMouse.get(), point);
Frame* innerFrame = element->ownerDocument()->frame();
ASSERT(innerFrame);
@@ -439,7 +439,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete));
} else {
if (setSelectionToDragCaret(innerFrame, dragCaret, range, point))
- applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, fragment, true, dragData->canSmartReplace(), chosePlainText));
+ applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), fragment, true, dragData->canSmartReplace(), chosePlainText));
}
} else {
String text = dragData->asPlainText();
@@ -450,7 +450,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData);
if (setSelectionToDragCaret(innerFrame, dragCaret, range, point))
- applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, createFragmentFromText(range.get(), text), true, false, true));
+ applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), true, false, true));
}
loader->setAllowStaleResources(false);
diff --git a/src/3rdparty/webkit/WebCore/page/DragController.h b/src/3rdparty/webkit/WebCore/page/DragController.h
index 3b2b083..712f9ab 100644
--- a/src/3rdparty/webkit/WebCore/page/DragController.h
+++ b/src/3rdparty/webkit/WebCore/page/DragController.h
@@ -67,13 +67,11 @@ namespace WebCore {
DragOperation sourceDragOperation() const { return m_sourceDragOperation; }
void setDraggingImageURL(const KURL& url) { m_draggingImageURL = url; }
const KURL& draggingImageURL() const { return m_draggingImageURL; }
- void setDragInitiator(Document* initiator) { m_dragInitiator = initiator; m_didInitiateDrag = true; }
- Document* dragInitiator() const { return m_dragInitiator; }
void setDragOffset(const IntPoint& offset) { m_dragOffset = offset; }
const IntPoint& dragOffset() const { return m_dragOffset; }
DragSourceAction dragSourceAction() const { return m_dragSourceAction; }
- Document* documentUnderMouse() const { return m_documentUnderMouse; }
+ Document* documentUnderMouse() const { return m_documentUnderMouse.get(); }
DragDestinationAction dragDestinationAction() const { return m_dragDestinationAction; }
DragSourceAction delegateDragSourceAction(const IntPoint& pagePoint);
@@ -114,8 +112,8 @@ namespace WebCore {
Page* m_page;
DragClient* m_client;
- Document* m_documentUnderMouse; // The document the mouse was last dragged over.
- Document* m_dragInitiator; // The Document (if any) that initiated the drag.
+ RefPtr<Document> m_documentUnderMouse; // The document the mouse was last dragged over.
+ RefPtr<Document> m_dragInitiator; // The Document (if any) that initiated the drag.
DragDestinationAction m_dragDestinationAction;
DragSourceAction m_dragSourceAction;
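Review bot: m_dragInitiator is converted to RefPtr<Document> here although the previous hunk removes both setDragInitiator() and dragInitiator(); if nothing else in the class assigns it, delete the member instead of converting it. For m_documentUnderMouse, the RefPtr means the controller now keeps the document alive, so check that it is cleared when the drag ends or leaves the view, otherwise the last dragged-over document stays referenced for as long as the controller lives.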
diff --git a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp
index 1654257..f1ee742 100644
--- a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp
+++ b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp
@@ -2163,7 +2163,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent)
if (initialKeyEvent.type() == PlatformKeyboardEvent::RawKeyDown) {
node->dispatchEvent(keydown, ec);
- return keydown->defaultHandled() || keydown->defaultPrevented();
+ // If frame changed as a result of keydown dispatch, then return true to avoid sending a subsequent keypress message to the new frame.
+ bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame();
+ return keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame;
}
// Run input method in advance of DOM event handling. This may result in the IM
@@ -2183,7 +2185,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent)
}
node->dispatchEvent(keydown, ec);
- bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented();
+ // If frame changed as a result of keydown dispatch, then return early to avoid sending a subsequent keypress message to the new frame.
+ bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame();
+ bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame;
if (handledByInputMethod || (keydownResult && !backwardCompatibilityMode))
return keydownResult;
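Review bot: in this second hunk changedFocusedFrame only takes effect through `if (handledByInputMethod || (keydownResult && !backwardCompatibilityMode))`, so with backwardCompatibilityMode set the function does not return here and carries on past the keydown even though focus moved to another frame, which contradicts the added comment. Consider returning directly when changedFocusedFrame is true. The same expression is also computed in both hunks; a small helper would keep the two sites in sync.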
diff --git a/src/3rdparty/webkit/WebCore/page/FrameView.cpp b/src/3rdparty/webkit/WebCore/page/FrameView.cpp
index 639414b..01f0375 100644
--- a/src/3rdparty/webkit/WebCore/page/FrameView.cpp
+++ b/src/3rdparty/webkit/WebCore/page/FrameView.cpp
@@ -1315,14 +1315,13 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot)
{
ASSERT(m_frame->view() == this);
- if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer()
- && m_frame->contentRenderer()->needsLayout())) {
+ if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) {
if (relayoutRoot)
relayoutRoot->markContainingBlocksForLayout(false);
return;
}
- if (layoutPending()) {
+ if (layoutPending() || !m_layoutSchedulingEnabled) {
if (m_layoutRoot != relayoutRoot) {
if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) {
// Keep the current root
@@ -1339,7 +1338,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot)
relayoutRoot->markContainingBlocksForLayout(false);
}
}
- } else {
+ } else if (m_layoutSchedulingEnabled) {
int delay = m_frame->document()->minimumLayoutDelay();
m_layoutRoot = relayoutRoot;
m_delayedLayout = delay != 0;
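Review bot: if this `else if (m_layoutSchedulingEnabled)` pairs with the `if (layoutPending() || !m_layoutSchedulingEnabled)` from the previous hunk, the condition is always true when the branch is reached, because the first test already took every case where scheduling is disabled. Either keep the plain `else` or add a comment saying the repeated test is deliberate. A comment on the first branch explaining that the layout root is still merged while scheduling is disabled, but no timer is started, would make the reordering easier to follow.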
diff --git a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
index c0b3e22..516c533 100644
--- a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
+++ b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
@@ -90,6 +90,20 @@ static URLSchemesMap& schemesWithUniqueOrigins()
return schemesWithUniqueOrigins;
}
+static bool schemeRequiresAuthority(const String& scheme)
+{
+ DEFINE_STATIC_LOCAL(URLSchemesMap, schemes, ());
+
+ if (schemes.isEmpty()) {
+ schemes.add("http");
+ schemes.add("https");
+ schemes.add("ftp");
+ }
+
+ return schemes.contains(scheme);
+}
+
+
SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
: m_sandboxFlags(sandboxFlags)
, m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
@@ -103,6 +117,10 @@ SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
if (m_protocol == "about" || m_protocol == "javascript")
m_protocol = "";
+ // For edge case URLs that were probably misparsed, make sure that the origin is unique.
+ if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty())
+ m_isUnique = true;
+
// document.domain starts as m_host, but can be set by the DOM.
m_domain = m_host;
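Review bot: the comment on the new `schemeRequiresAuthority(m_protocol) && m_host.isEmpty()` check says the URL was "probably misparsed" without giving an input that gets here; add one example URL so the intent can be tested. The helper from the previous hunk hard-codes http, https and ftp, so say in its comment why only those three are listed and what should happen for other schemes that carry a host. The helper is also followed by two blank lines where the file uses one.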
diff --git a/src/3rdparty/webkit/WebCore/page/Settings.cpp b/src/3rdparty/webkit/WebCore/page/Settings.cpp
index 475d373..c0659d2 100644
--- a/src/3rdparty/webkit/WebCore/page/Settings.cpp
+++ b/src/3rdparty/webkit/WebCore/page/Settings.cpp
@@ -79,6 +79,7 @@ Settings::Settings(Page* page)
, m_allowUniversalAccessFromFileURLs(true)
, m_allowFileAccessFromFileURLs(true)
, m_javaScriptCanOpenWindowsAutomatically(false)
+ , m_javaScriptCanAccessClipboard(false)
, m_shouldPrintBackgrounds(false)
, m_textAreasAreResizable(false)
#if ENABLE(DASHBOARD_SUPPORT)
@@ -291,6 +292,11 @@ void Settings::setJavaScriptCanOpenWindowsAutomatically(bool javaScriptCanOpenWi
m_javaScriptCanOpenWindowsAutomatically = javaScriptCanOpenWindowsAutomatically;
}
+void Settings::setJavaScriptCanAccessClipboard(bool javaScriptCanAccessClipboard)
+{
+ m_javaScriptCanAccessClipboard = javaScriptCanAccessClipboard;
+}
+
void Settings::setDefaultTextEncodingName(const String& defaultTextEncodingName)
{
m_defaultTextEncodingName = defaultTextEncodingName;
diff --git a/src/3rdparty/webkit/WebCore/page/Settings.h b/src/3rdparty/webkit/WebCore/page/Settings.h
index b677712..a6653ce 100644
--- a/src/3rdparty/webkit/WebCore/page/Settings.h
+++ b/src/3rdparty/webkit/WebCore/page/Settings.h
@@ -122,6 +122,9 @@ namespace WebCore {
void setJavaScriptCanOpenWindowsAutomatically(bool);
bool javaScriptCanOpenWindowsAutomatically() const { return m_javaScriptCanOpenWindowsAutomatically; }
+ void setJavaScriptCanAccessClipboard(bool);
+ bool javaScriptCanAccessClipboard() const { return m_javaScriptCanAccessClipboard; }
+
void setSpatialNavigationEnabled(bool);
bool isSpatialNavigationEnabled() const { return m_isSpatialNavigationEnabled; }
@@ -330,6 +333,7 @@ namespace WebCore {
bool m_allowUniversalAccessFromFileURLs: 1;
bool m_allowFileAccessFromFileURLs: 1;
bool m_javaScriptCanOpenWindowsAutomatically : 1;
+ bool m_javaScriptCanAccessClipboard : 1;
bool m_shouldPrintBackgrounds : 1;
bool m_textAreasAreResizable : 1;
#if ENABLE(DASHBOARD_SUPPORT)
diff --git a/src/3rdparty/webkit/WebCore/platform/KURL.cpp b/src/3rdparty/webkit/WebCore/platform/KURL.cpp
index 40adfbc..3c8d50f 100644
--- a/src/3rdparty/webkit/WebCore/platform/KURL.cpp
+++ b/src/3rdparty/webkit/WebCore/platform/KURL.cpp
@@ -215,6 +215,9 @@ static const unsigned char characterClassTable[256] = {
/* 252 */ BadChar, /* 253 */ BadChar, /* 254 */ BadChar, /* 255 */ BadChar
};
+static const unsigned maximumValidPortNumber = 0xFFFE;
+static const unsigned invalidPortNumber = 0xFFFF;
+
static int copyPathRemovingDots(char* dst, const char* src, int srcStart, int srcEnd);
static void encodeRelativeString(const String& rel, const TextEncoding&, CharBuffer& ouput);
static String substituteBackslashes(const String&);
@@ -573,12 +576,17 @@ String KURL::host() const
unsigned short KURL::port() const
{
- if (m_hostEnd == m_portEnd)
+ // We return a port of 0 if there is no port specified. This can happen in two situations:
+ // 1) The URL contains no colon after the host name and before the path component of the URL.
+ // 2) The URL contains a colon but there's no port number before the path component of the URL begins.
+ if (m_hostEnd == m_portEnd || m_hostEnd == m_portEnd - 1)
return 0;
- int number = m_string.substring(m_hostEnd + 1, m_portEnd - m_hostEnd - 1).toInt();
- if (number < 0 || number > 0xFFFF)
- return 0;
+ const UChar* stringData = m_string.characters();
+ bool ok = false;
+ unsigned number = charactersToUIntStrict(stringData + m_hostEnd + 1, m_portEnd - m_hostEnd - 1, &ok);
+ if (!ok || number > maximumValidPortNumber)
+ return invalidPortNumber;
return number;
}
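Review bot: with `maximumValidPortNumber = 0xFFFE` and `invalidPortNumber = 0xFFFF`, a URL that spells out port 65535 is reported as invalid, because the sentinel is taken from the value range of the unsigned short return type. Say so in the comment above port(), or report failure out of band. The new comment also documents that an absent port and an empty port both return 0, which leaves callers unable to tell either apart from an explicit `:0`; note whether that is intended.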
@@ -1757,7 +1765,7 @@ bool portAllowed(const KURL& url)
6667, // Standard IRC [Apple addition]
6668, // Alternate IRC [Apple addition]
6669, // Alternate IRC [Apple addition]
-
+ invalidPortNumber, // Used to block all invalid port numbers
};
const unsigned short* const blockedPortListEnd = blockedPortList + sizeof(blockedPortList) / sizeof(blockedPortList[0]);
diff --git a/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp b/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp
index 8be7009..10b9bb8 100644
--- a/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp
+++ b/src/3rdparty/webkit/WebCore/platform/KURLGoogle.cpp
@@ -57,6 +57,8 @@ using std::binary_search;
namespace WebCore {
+static const unsigned invalidPortNumber = 0xFFFF;
+
// Wraps WebCore's text encoding in a character set converter for the
// canonicalizer.
class KURLCharsetConverter : public url_canon::CharsetConverter {
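Review bot: `invalidPortNumber` is defined here a second time with the same value as in KURL.cpp, and it is typed `unsigned` while port() returns unsigned short and blockedPortList holds unsigned short. Declare it once in a shared header with the narrower type so the two back ends cannot drift apart.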
@@ -499,7 +501,7 @@ String KURL::host() const
unsigned short KURL::port() const
{
if (!m_url.m_isValid || m_url.m_parsed.port.len <= 0)
- return 0;
+ return invalidPortNumber;
int port = url_parse::ParsePort(m_url.utf8String().data(), m_url.m_parsed.port);
if (port == url_parse::PORT_UNSPECIFIED)
return 0;
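Review bot: `m_url.m_parsed.port.len <= 0` now returns invalidPortNumber, while the KURL.cpp version of port() in this same patch returns 0 both when there is no colon and when the colon is followed by nothing. If a non-positive port.len is how the parser reports those two cases, every URL without an explicit port gets 0xFFFF here and is rejected by portAllowed(), and the `PORT_UNSPECIFIED` branch below is never reached for them. Suggest returning invalidPortNumber only for `!m_url.m_isValid` and for a port that fails to parse, and keeping `return 0` for the absent or empty port.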
@@ -853,6 +855,12 @@ bool portAllowed(const KURL& url)
3659, // apple-sasl / PasswordServer [Apple addition]
4045, // lockd
6000, // X11
+ 6665, // Alternate IRC [Apple addition]
+ 6666, // Alternate IRC [Apple addition]
+ 6667, // Standard IRC [Apple addition]
+ 6668, // Alternate IRC [Apple addition]
+ 6669, // Alternate IRC [Apple addition]
+ invalidPortNumber, // Used to block all invalid port numbers
};
const unsigned short* const blockedPortListEnd = blockedPortList + sizeof(blockedPortList) / sizeof(blockedPortList[0]);
diff --git a/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp b/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp
index a7351a0..c96fe25 100644
--- a/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp
+++ b/src/3rdparty/webkit/WebCore/platform/graphics/qt/PathQt.cpp
@@ -69,23 +69,31 @@ Path& Path::operator=(const Path& other)
return *this;
}
+static inline bool areCollinear(const QPointF& a, const QPointF& b, const QPointF& c)
+{
+ // Solved from comparing the slopes of a to b and b to c: (ay-by)/(ax-bx) == (cy-by)/(cx-bx)
+ return qFuzzyCompare((c.y() - b.y()) * (a.x() - b.x()), (a.y() - b.y()) * (c.x() - b.x()));
+}
+
+static inline bool withinRange(qreal p, qreal a, qreal b)
+{
+ return (p >= a && p <= b) || (p >= b && p <= a);
+}
+
// Check whether a point is on the border
-bool isPointOnPathBorder(const QPolygonF& border, const QPointF& p)
+static bool isPointOnPathBorder(const QPolygonF& border, const QPointF& p)
{
QPointF p1 = border.at(0);
QPointF p2;
for (int i = 1; i < border.size(); ++i) {
p2 = border.at(i);
- // (x1<=x<=x2||x1=>x>=x2) && (y1<=y<=y2||y1=>y>=y2) && (y2-y1)(x-x1) == (y-y1)(x2-x1)
- // In which, (y2-y1)(x-x1) == (y-y1)(x2-x1) is from (y2-y1)/(x2-x1) == (y-y1)/(x-x1)
- // it want to check the slope between p1 and p2 is same with slope between p and p1,
- // if so then the three points lie on the same line.
- // In which, (x1<=x<=x2||x1=>x>=x2) && (y1<=y<=y2||y1=>y>=y2) want to make sure p is
- // between p1 and p2, not outside.
- if (((p.x() <= p1.x() && p.x() >= p2.x()) || (p.x() >= p1.x() && p.x() <= p2.x()))
- && ((p.y() <= p1.y() && p.y() >= p2.y()) || (p.y() >= p1.y() && p.y() <= p2.y()))
- && (p2.y() - p1.y()) * (p.x() - p1.x()) == (p.y() - p1.y()) * (p2.x() - p1.x())) {
+ if (areCollinear(p, p1, p2)
+ // Once we know that the points are collinear we
+ // only need to check one of the coordinates
+ && (qAbs(p2.x() - p1.x()) > qAbs(p2.y() - p1.y()) ?
+ withinRange(p.x(), p1.x(), p2.x()) :
+ withinRange(p.y(), p1.y(), p2.y()))) {
return true;
}
p1 = p2;
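Review bot: areCollinear() passes two products to qFuzzyCompare(), which Qt documents as not working when either argument is 0.0, and one of the products is exactly zero whenever the border segment is horizontal or vertical. In that case the test degrades to exact equality and the tolerance this change is meant to add disappears. Use the workaround from the Qt documentation (add 1.0 to both sides) or compare the difference of the products against a tolerance.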
@@ -199,19 +207,14 @@ void Path::addArcTo(const FloatPoint& p1, const FloatPoint& p2, float radius)
float p1p2_length = sqrtf(p1p2.x() * p1p2.x() + p1p2.y() * p1p2.y());
double cos_phi = (p1p0.x() * p1p2.x() + p1p0.y() * p1p2.y()) / (p1p0_length * p1p2_length);
- // all points on a line logic
- if (cos_phi == -1) {
+
+ // The points p0, p1, and p2 are on the same straight line (HTML5, 4.8.11.1.8)
+ // We could have used areCollinear() here, but since we're reusing
+ // the variables computed above later on we keep this logic.
+ if (qFuzzyCompare(qAbs(cos_phi), 1.0)) {
m_path.lineTo(p1);
return;
}
- if (cos_phi == 1) {
- // add infinite far away point
- unsigned int max_length = 65535;
- double factor_max = max_length / p1p0_length;
- FloatPoint ep((p0.x() + factor_max * p1p0.x()), (p0.y() + factor_max * p1p0.y()));
- m_path.lineTo(ep);
- return;
- }
float tangent = radius / tan(acos(cos_phi) / 2);
float factor_p1p0 = tangent / p1p0_length;
diff --git a/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h b/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h
index 126b499..42cbc8a 100644
--- a/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h
+++ b/src/3rdparty/webkit/WebCore/platform/network/ProtectionSpace.h
@@ -47,6 +47,7 @@ enum ProtectionSpaceAuthenticationScheme {
ProtectionSpaceAuthenticationSchemeHTMLForm = 4,
ProtectionSpaceAuthenticationSchemeNTLM = 5,
ProtectionSpaceAuthenticationSchemeNegotiate = 6,
+ ProtectionSpaceAuthenticationSchemeUnknown = 100,
};
class ProtectionSpace {
diff --git a/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp b/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp
index 09af518..4d6b88c 100644
--- a/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/FixedTableLayout.cpp
@@ -166,8 +166,7 @@ int FixedTableLayout::calcWidthArray(int)
int usedSpan = 0;
int i = 0;
- while (usedSpan < span) {
- ASSERT(cCol + i < nEffCols);
+ while (usedSpan < span && cCol + i < nEffCols) {
int eSpan = m_table->spanOfEffCol(cCol + i);
// Only set if no col element has already set it.
if (m_width[cCol + i].isAuto() && w.type() != Auto) {
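Review bot: folding `cCol + i < nEffCols` into the loop condition stops the out-of-range access, but it also drops the ASSERT, so a span that runs past the effective columns now ends the loop with usedSpan still below span and no signal at all. Add a short comment on when that can happen, and check that the code after the loop tolerates the shortfall.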
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderButton.h b/src/3rdparty/webkit/WebCore/rendering/RenderButton.h
index 7fd6ab0..1fc5eb6 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderButton.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderButton.h
@@ -57,12 +57,14 @@ public:
virtual bool canHaveChildren() const;
-protected:
+private:
virtual void styleWillChange(StyleDifference, const RenderStyle* newStyle);
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
virtual bool hasLineIfEmpty() const { return true; }
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
void timerFired(Timer<RenderButton>*);
RenderTextFragment* m_buttonText;
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h b/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h
index 467edcc..ce221ea 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderDataGrid.h
@@ -53,6 +53,8 @@ public:
private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
RenderStyle* columnStyle(DataGridColumn*);
RenderStyle* headerStyle(DataGridColumn*);
void recalcStyleForColumns();
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h
index 99dd35c..a5f3367 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h
@@ -56,6 +56,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
// FileChooserClient methods.
void valueChanged();
void repaint() { RenderBlock::repaint(); }
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp
index 1d76742..5b1deff 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderInline.cpp
@@ -274,7 +274,7 @@ void RenderInline::splitInlines(RenderBlock* fromBlock, RenderBlock* toBlock,
// has to move into the inline continuation. Call updateBeforeAfterContent to ensure that the inline's :after
// content gets properly destroyed.
if (document()->usesBeforeAfterRules())
- inlineCurr->children()->updateBeforeAfterContent(this, AFTER);
+ inlineCurr->children()->updateBeforeAfterContent(inlineCurr, AFTER);
// Now we need to take all of the children starting from the first child
// *after* currChild and append them all to the clone.
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
index a012868..2aec361 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderLayer.cpp
@@ -3178,22 +3178,33 @@ void RenderLayer::updateHoverActiveState(const HitTestRequest& request, HitTestR
// Locate the common ancestor render object for the two renderers.
RenderObject* ancestor = commonAncestor(oldHoverObj, newHoverObj);
+ Vector<RefPtr<Node>, 32> nodesToRemoveFromChain;
+ Vector<RefPtr<Node>, 32> nodesToAddToChain;
+
if (oldHoverObj != newHoverObj) {
// The old hover path only needs to be cleared up to (and not including) the common ancestor;
for (RenderObject* curr = oldHoverObj; curr && curr != ancestor; curr = curr->hoverAncestor()) {
- if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) {
- curr->node()->setActive(false);
- curr->node()->setHovered(false);
- }
+ if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain()))
+ nodesToRemoveFromChain.append(curr->node());
}
}
// Now set the hover state for our new object up to the root.
for (RenderObject* curr = newHoverObj; curr; curr = curr->hoverAncestor()) {
- if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain())) {
- curr->node()->setActive(request.active());
- curr->node()->setHovered(true);
- }
+ if (curr->node() && !curr->isText() && (!mustBeInActiveChain || curr->node()->inActiveChain()))
+ nodesToAddToChain.append(curr->node());
+ }
+
+ size_t removeCount = nodesToRemoveFromChain.size();
+ for (size_t i = 0; i < removeCount; ++i) {
+ nodesToRemoveFromChain[i]->setActive(false);
+ nodesToRemoveFromChain[i]->setHovered(false);
+ }
+
+ size_t addCount = nodesToAddToChain.size();
+ for (size_t i = 0; i < addCount; ++i) {
+ nodesToAddToChain[i]->setActive(request.active());
+ nodesToAddToChain[i]->setHovered(true);
}
}
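Review bot: the `Vector<RefPtr<Node>, 32>` staging comes with no comment explaining why setActive() and setHovered() are no longer called inside the hoverAncestor() walks. If the reason is that those calls can change or destroy renderers while the loop is still traversing them, say so above nodesToRemoveFromChain, otherwise a later cleanup is likely to fold the loops back together.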
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h b/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h
index c4c41dc..d140979 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderListItem.h
@@ -63,6 +63,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
void updateMarkerLocation();
inline int calcValue() const;
void updateValueNow() const;
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp
index d0353ee..6c8f769 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderListMarker.cpp
@@ -101,8 +101,10 @@ static inline String toAlphabeticOrNumeric(int number, const UChar* sequence, in
int length = 1;
if (type == AlphabeticSequence) {
- while ((numberShadow /= sequenceSize) > 0)
- letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize - 1];
+ while ((numberShadow /= sequenceSize) > 0) {
+ --numberShadow;
+ letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
+ }
} else {
while ((numberShadow /= sequenceSize) > 0)
letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
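Review bot: the old expression `sequence[numberShadow % sequenceSize - 1]` indexed sequence[-1] whenever the remainder was 0, and the fix depends on `--numberShadow` running before the modulo, yet nothing explains why the alphabetic branch decrements and the numeric branch below does not. Add a one-line comment that alphabetic sequences have no zero digit, so each step works on the value minus one.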
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h b/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h
index 0d24c4c..32d6d65 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderMedia.h
@@ -118,6 +118,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
RefPtr<HTMLElement> m_controlsShadowRoot;
RefPtr<MediaControlElement> m_panel;
RefPtr<MediaControlMuteButtonElement> m_muteButton;
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h b/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h
index aeb6205..5ee8588 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderMenuList.h
@@ -78,6 +78,8 @@ private:
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
// PopupMenuClient methods
virtual String itemText(unsigned listIndex) const;
virtual String itemToolTip(unsigned listIndex) const;
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderObject.h b/src/3rdparty/webkit/WebCore/rendering/RenderObject.h
index d928521..593fa52 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderObject.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderObject.h
@@ -322,6 +322,8 @@ public:
bool cellWidthChanged() const { return m_cellWidthChanged; }
void setCellWidthChanged(bool b = true) { m_cellWidthChanged = b; }
+ virtual bool requiresForcedStyleRecalcPropagation() const { return false; }
+
#if ENABLE(MATHML)
virtual bool isRenderMathMLBlock() const { return false; }
#endif // ENABLE(MATHML)
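Review bot: requiresForcedStyleRecalcPropagation() is added to RenderObject without any comment, and the overrides in the other renderer headers in this patch simply return true. Document at this base declaration what returning true makes style recalc do and which property of a renderer calls for it, so authors of future subclasses know when to override.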
@@ -412,7 +414,6 @@ public:
void drawArcForBoxSide(GraphicsContext*, int x, int y, float thickness, IntSize radius, int angleStart,
int angleSpan, BoxSide, Color, const Color& textcolor, EBorderStyle, bool firstCorner);
-public:
// The pseudo element style can be cached or uncached. Use the cached method if the pseudo element doesn't respect
// any pseudo classes (and therefore has no concept of changing state).
RenderStyle* getCachedPseudoStyle(PseudoId, RenderStyle* parentStyle = 0) const;
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h b/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h
index 0a90fde..7aa1efe 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderProgress.h
@@ -40,6 +40,8 @@ private:
virtual void calcPrefWidths();
virtual void layout();
virtual void updateFromElement();
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
int m_position;
};
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h b/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h
index 92ad73b..fc8ce24 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderSlider.h
@@ -58,6 +58,8 @@ namespace WebCore {
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
PassRefPtr<RenderStyle> createThumbStyle(const RenderStyle* parentStyle);
int trackSize();
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
index 307db64..c08adc2 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
@@ -203,7 +203,7 @@ void RenderText::deleteTextBoxes()
PassRefPtr<StringImpl> RenderText::originalText() const
{
Node* e = node();
- return e ? static_cast<Text*>(e)->dataImpl() : 0;
+ return (e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : 0;
}
void RenderText::absoluteRects(Vector<IntRect>& rects, int tx, int ty)
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h b/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h
index 2fc8edc..984f41d 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderTextControl.h
@@ -107,6 +107,8 @@ private:
virtual bool canBeProgramaticallyScrolled(bool) const { return true; }
+ virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
+
String finishText(Vector<UChar>&) const;
bool m_wasChangedSinceLastChangeEvent;
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp
index f3398a3..1e15d66 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderTextFragment.cpp
@@ -47,7 +47,7 @@ RenderTextFragment::RenderTextFragment(Node* node, StringImpl* str)
PassRefPtr<StringImpl> RenderTextFragment::originalText() const
{
Node* e = node();
- RefPtr<StringImpl> result = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+ RefPtr<StringImpl> result = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
if (result && (start() > 0 || start() < result->length()))
result = result->substring(start(), end());
return result.release();
@@ -80,7 +80,7 @@ UChar RenderTextFragment::previousCharacter()
{
if (start()) {
Node* e = node();
- StringImpl* original = (e ? static_cast<Text*>(e)->dataImpl() : contentString());
+ StringImpl* original = ((e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : contentString());
if (original)
return (*original)[start() - 1];
}
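Review bot: `(e && e->isTextNode()) ? static_cast<Text*>(e)->dataImpl() : ...` now appears twice in this file and once more in RenderText::originalText(). Move the checked cast into one helper so a future call site cannot reintroduce the unchecked `static_cast<Text*>`, and add a comment naming a case in which node() is not a text node.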
diff --git a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp
index 47b4f3b..d907d86 100644
--- a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp
+++ b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.cpp
@@ -187,6 +187,7 @@ void QWebSettingsPrivate::apply()
value = attributes.value(QWebSettings::JavascriptCanAccessClipboard,
global->attributes.value(QWebSettings::JavascriptCanAccessClipboard));
settings->setDOMPasteAllowed(value);
+ settings->setJavaScriptCanAccessClipboard(value);
value = attributes.value(QWebSettings::DeveloperExtrasEnabled,
global->attributes.value(QWebSettings::DeveloperExtrasEnabled));
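Review bot: the single `value` read from QWebSettings::JavascriptCanAccessClipboard now feeds both setDOMPasteAllowed() and setJavaScriptCanAccessClipboard(), so one public attribute controls two WebCore settings without saying so. Mention both effects in the attribute's documentation.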
@@ -235,8 +236,8 @@ void QWebSettingsPrivate::apply()
global->attributes.value(QWebSettings::LocalContentCanAccessFileUrls));
settings->setAllowFileAccessFromFileURLs(value);
- value = attributes.value(QWebSettings::XSSAuditorEnabled,
- global->attributes.value(QWebSettings::XSSAuditorEnabled));
+ value = attributes.value(QWebSettings::XSSAuditingEnabled,
+ global->attributes.value(QWebSettings::XSSAuditingEnabled));
settings->setXSSAuditorEnabled(value);
#if ENABLE(TILED_BACKING_STORE)
diff --git a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h
index 207a9b6..156f633 100644
--- a/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h
+++ b/src/3rdparty/webkit/WebKit/qt/Api/qwebsettings.h
@@ -68,7 +68,7 @@ public:
#endif
LocalContentCanAccessRemoteUrls,
DnsPrefetchEnabled,
- XSSAuditorEnabled,
+ XSSAuditingEnabled,
AcceleratedCompositingEnabled,
SpatialNavigationEnabled,
LocalContentCanAccessFileUrls,
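Review bot: renaming the enumerator XSSAuditorEnabled to XSSAuditingEnabled in a public header breaks compilation for any application code that uses the old name. If the old spelling has already shipped in a release, keep it as an alias with the same value and mark it deprecated in the documentation; if it has not, say so in the ChangeLog entry.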
diff --git a/src/3rdparty/webkit/WebKit/qt/ChangeLog b/src/3rdparty/webkit/WebKit/qt/ChangeLog
index 9dd129e..63d5568 100644
--- a/src/3rdparty/webkit/WebKit/qt/ChangeLog
+++ b/src/3rdparty/webkit/WebKit/qt/ChangeLog
@@ -1,3 +1,65 @@
+2010-07-09 Simon Hausmann <simon.hausmann@nokia.com>
+
+ Unreviewed trivial Symbian build fix.
+
+ [Qt] Fix the Symbian build when compiling without S60
+
+ Use Q_OS_SYMBIAN instead of Q_WS_S60 for the user agent
+ determination.
+
+ * Api/qwebpage.cpp:
+ (QWebPage::userAgentForUrl):
+
+2010-07-09 Kristian Amlie <kristian.amlie@nokia.com>
+
+ Reviewed by Simon Hausmann.
+
+ [Qt] Fixed Qt symbian/linux-armcc mkspec when configured with -qtlibinfix.
+
+ * declarative/declarative.pro: Use QT_LIBINFIX.
+
+2010-06-01 Raine Makelainen <raine.makelainen@nokia.com>
+
+ Reviewed by Simon Hausmann.
+
+ [Qt]: REGRESSION(r58703): QWebSettings::JavascriptCanAccessClipboard has wrong case in "Javascript" part.
+ https://bugs.webkit.org/show_bug.cgi?id=39878
+
+ QWebSettings::JavaScriptCanAccessClipboard reverted back to
+ QWebSettings::JavascriptCanAccessClipboard. QWebSettings::DOMPasteAllowed enum removed.
+
+ Value of QWebSettings::JavascriptCanAccessClipboard to setDOMPasteAllowed and
+ setJavaScriptCanAccessClipboard of WebCore::Settings.
+
+ * Api/qwebsettings.cpp:
+ (QWebSettingsPrivate::apply):
+ * Api/qwebsettings.h:
+
+2010-05-03 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Add support for controlling clipboard access from javascript.
+ Clipboard access from javascript is disabled by default.
+ https://bugs.webkit.org/show_bug.cgi?id=27751
+
+ * Api/qwebsettings.cpp:
+ (QWebSettingsPrivate::apply):
+ * Api/qwebsettings.h:
+
+2010-03-24 Kent Hansen <kent.hansen@nokia.com>
+
+ Reviewed by Simon Hausmann.
+
+ [Qt] Rename QWebSettings::XSSAuditorEnabled to XSSAuditingEnabled
+ https://bugs.webkit.org/show_bug.cgi?id=36522
+
+ For consistency with other QWebSettings attributes.
+
+ * Api/qwebsettings.cpp:
+ (QWebSettingsPrivate::apply):
+ * Api/qwebsettings.h:
+
2010-05-19 Antti Koivisto <koivisto@iki.fi>
Rubber-stamped by Kenneth Rohde Christiansen.