author | Simon Hausmann <simon.hausmann@nokia.com> | 2010-07-09 08:01:30 (GMT) |
---|---|---|
committer | Simon Hausmann <simon.hausmann@nokia.com> | 2010-07-09 08:01:30 (GMT) |
commit | 5c50c6a782b127442c3fa748b3dd4d1007db69dc (patch) | |
tree | e0f8c328a21d6197940f864104578de4ce2ceb10 /src/3rdparty/webkit/WebCore/page | |
parent | 75c5bc5f7efd5f7055b689a244147e69733280a4 (diff) | |
Updated WebKit to ad96ca2f9b57271da4ea7432022ac686ee0981c2
Integrated changes:
|| <https://webkit.org/b/37760> || FrameView's layout root can be detached by style recalc ||
|| <https://webkit.org/b/38922> || innerHTML decompilation issues in textarea ||
|| <https://webkit.org/b/36878> || REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port" ||
|| <https://webkit.org/b/37781> || [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR ||
|| <https://webkit.org/b/36502> || Cross-origin bypass: iFrame.src can be set to a JavaScript URL via nodeValue or textContent ||
|| <https://webkit.org/b/28697> || WebKit crash on WebCore::Node::nodeIndex() ||
|| <https://webkit.org/b/37031> || Cross-origin bypass: Javascript URL can be set as iframe.src via multiple DOM aliases ||
|| <https://webkit.org/b/36522> || [Qt] Rename QWebSettings::XSSAuditorEnabled to XSSAuditingEnabled ||
|| <https://webkit.org/b/38583> || Use of stale pointers whilst normalizing DOM nodes with mutation event handlers that modify element attributes ||
|| <https://webkit.org/b/41412> || [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear ||
|| <https://webkit.org/b/39878> || [Qt]: REGRESSION(r58703): QWebSettings::JavascriptCanAccessClipboard has wrong case in "Javascript" part. ||
|| <https://webkit.org/b/26824> || focus() behavior permits keystrokes to be redirected across domains ||
|| <https://webkit.org/b/39508> || Crash in WebCore::toAlphabetic() while running MangleMe ||
|| <https://webkit.org/b/36571> || WebKit should treat port numbers outside of the valid range as being blacklisted ||
|| <https://webkit.org/b/38497> || Make sure that http URLs always have a host in SecurityOrigin ||
|| <https://webkit.org/b/38626> || ZDI-CAN-765: CSS Charset Text Transformation Vulnerability ||
|| <https://webkit.org/b/36838> || Cross-origin image theft via SVGs as a canvas pattern ||
|| <https://webkit.org/b/27751> || [sg:high] Copying text to the system clipboard can be done in any context ||
|| <https://webkit.org/b/36843> || REGRESSION (r47291): XHR allows arbitrary XSRF across domains ||
|| <https://webkit.org/b/37230> || REGRESSION (4.0.5): Safari asks for credentials all the time when authenticating to Windows IIS Server ||
|| <https://webkit.org/b/37618> || Memory Corruption with Drag-Drop item from a purged document. ||
|| <https://webkit.org/b/38260> || Frame.src allows javascript URLs with starting spaces ||
|| <https://webkit.org/b/38261> || Table layout crash bug ||
Diffstat (limited to 'src/3rdparty/webkit/WebCore/page')
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/DragController.cpp | 8 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/DragController.h | 8 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/EventHandler.cpp | 8 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/FrameView.cpp | 7 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp | 18 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/Settings.cpp | 6 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/Settings.h | 4 |
7 files changed, 44 insertions, 15 deletions
diff --git a/src/3rdparty/webkit/WebCore/page/DragController.cpp b/src/3rdparty/webkit/WebCore/page/DragController.cpp index f238b27..0da6873 100644 --- a/src/3rdparty/webkit/WebCore/page/DragController.cpp +++ b/src/3rdparty/webkit/WebCore/page/DragController.cpp @@ -313,7 +313,7 @@ bool DragController::tryDocumentDrag(DragData* dragData, DragDestinationAction a } IntPoint point = frameView->windowToContents(dragData->clientPosition()); - Element* element = elementUnderMouse(m_documentUnderMouse, point); + Element* element = elementUnderMouse(m_documentUnderMouse.get(), point); if (!asFileInput(element)) { VisibleSelection dragCaret = m_documentUnderMouse->frame()->visiblePositionForPoint(point); m_page->dragCaretController()->setSelection(dragCaret); @@ -363,7 +363,7 @@ bool DragController::concludeEditDrag(DragData* dragData) return false; IntPoint point = m_documentUnderMouse->view()->windowToContents(dragData->clientPosition()); - Element* element = elementUnderMouse(m_documentUnderMouse, point); + Element* element = elementUnderMouse(m_documentUnderMouse.get(), point); Frame* innerFrame = element->ownerDocument()->frame(); ASSERT(innerFrame); @@ -439,7 +439,7 @@ bool DragController::concludeEditDrag(DragData* dragData) applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete)); } else { if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) - applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, fragment, true, dragData->canSmartReplace(), chosePlainText)); + applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), fragment, true, dragData->canSmartReplace(), chosePlainText)); } } else { String text = dragData->asPlainText(); 
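Review bot: In concludeEditDrag (the @@ -363 hunk), `element` is dereferenced on the very next line (`element->ownerDocument()->frame()`) with no null check, and `innerFrame` is covered only by `ASSERT`, which presumably compiles out of release builds. If elementUnderMouse() can return null for a drop point with no element under it (its body is not in this diff, so this is inferred), a guard such as `if (!element) return false;` before the ownerDocument() call would turn a crash into a rejected drop. The `.get()` change itself is mechanical, and concludeEditDrag's body continues outside the hunk.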
@@ -450,7 +450,7 @@ bool DragController::concludeEditDrag(DragData* dragData) m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData); if (setSelectionToDragCaret(innerFrame, dragCaret, range, point)) - applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, createFragmentFromText(range.get(), text), true, false, true)); + applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), true, false, true)); } loader->setAllowStaleResources(false); diff --git a/src/3rdparty/webkit/WebCore/page/DragController.h b/src/3rdparty/webkit/WebCore/page/DragController.h index 3b2b083..712f9ab 100644 --- a/src/3rdparty/webkit/WebCore/page/DragController.h +++ b/src/3rdparty/webkit/WebCore/page/DragController.h @@ -67,13 +67,11 @@ namespace WebCore { DragOperation sourceDragOperation() const { return m_sourceDragOperation; } void setDraggingImageURL(const KURL& url) { m_draggingImageURL = url; } const KURL& draggingImageURL() const { return m_draggingImageURL; } - void setDragInitiator(Document* initiator) { m_dragInitiator = initiator; m_didInitiateDrag = true; } - Document* dragInitiator() const { return m_dragInitiator; } void setDragOffset(const IntPoint& offset) { m_dragOffset = offset; } const IntPoint& dragOffset() const { return m_dragOffset; } DragSourceAction dragSourceAction() const { return m_dragSourceAction; } - Document* documentUnderMouse() const { return m_documentUnderMouse; } + Document* documentUnderMouse() const { return m_documentUnderMouse.get(); } DragDestinationAction dragDestinationAction() const { return m_dragDestinationAction; } DragSourceAction delegateDragSourceAction(const IntPoint& pagePoint); 
@@ -114,8 +112,8 @@ namespace WebCore { Page* m_page; DragClient* m_client; - Document* m_documentUnderMouse; // The document the mouse was last dragged over. - Document* m_dragInitiator; // The Document (if any) that initiated the drag. + RefPtr<Document> m_documentUnderMouse; // The document the mouse was last dragged over. + RefPtr<Document> m_dragInitiator; // The Document (if any) that initiated the drag. DragDestinationAction m_dragDestinationAction; DragSourceAction m_dragSourceAction; diff --git a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp index 1654257..f1ee742 100644 --- a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp +++ b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp @@ -2163,7 +2163,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent) if (initialKeyEvent.type() == PlatformKeyboardEvent::RawKeyDown) { node->dispatchEvent(keydown, ec); - return keydown->defaultHandled() || keydown->defaultPrevented(); + // If frame changed as a result of keydown dispatch, then return true to avoid sending a subsequent keypress message to the new frame. + bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame(); + return keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame; } // Run input method in advance of DOM event handling. This may result in the IM 
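Review bot: Turning `m_documentUnderMouse` and `m_dragInitiator` into `RefPtr<Document>` means DragController now keeps both documents alive until the members are reset, and no hunk in this diff shows where that reset happens. The existing reset paths in DragController.cpp (not visible here) should be confirmed to clear both members when a drag ends or is cancelled, otherwise a document that has been navigated away from may stay referenced for as long as the controller lives. The member comments could record the ownership change, e.g. `// Strong reference: keeps the document alive while it is the drag target.` The @@ -67 hunk also removes setDragInitiator(), so nothing visible in this diff assigns m_dragInitiator any more.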
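Review bot: `changedFocusedFrame` is false whenever `m_frame->page()` is null, so a keydown handler that detaches this frame from its page gets the same result as before the patch. If the intent is to suppress the following keypress whenever this frame stops being the focused one, the detached case probably belongs on the true side: `bool changedFocusedFrame = !m_frame->page() || m_frame != m_frame->page()->focusController()->focusedOrMainFrame();`. The same expression is repeated in the @@ -2183 hunk, so a small private helper would keep the two copies from drifting apart. Both lines read m_frame after `node->dispatchEvent()`, which can run script, so they rely on the frame being kept alive earlier in keyEvent; that part of the function is outside the hunk.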
@@ -2183,7 +2185,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent) } node->dispatchEvent(keydown, ec); - bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented(); + // If frame changed as a result of keydown dispatch, then return early to avoid sending a subsequent keypress message to the new frame. + bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame(); + bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame; if (handledByInputMethod || (keydownResult && !backwardCompatibilityMode)) return keydownResult; diff --git a/src/3rdparty/webkit/WebCore/page/FrameView.cpp b/src/3rdparty/webkit/WebCore/page/FrameView.cpp index 639414b..01f0375 100644 --- a/src/3rdparty/webkit/WebCore/page/FrameView.cpp +++ b/src/3rdparty/webkit/WebCore/page/FrameView.cpp @@ -1315,14 +1315,13 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot) { ASSERT(m_frame->view() == this); - if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer() - && m_frame->contentRenderer()->needsLayout())) { + if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) { if (relayoutRoot) relayoutRoot->markContainingBlocksForLayout(false); return; } - if (layoutPending()) { + if (layoutPending() || !m_layoutSchedulingEnabled) { if (m_layoutRoot != relayoutRoot) { if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) { // Keep the current root @@ -1339,7 +1338,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot) relayoutRoot->markContainingBlocksForLayout(false); } } - } else { + } else if (m_layoutSchedulingEnabled) { int delay = m_frame->document()->minimumLayoutDelay(); m_layoutRoot = relayoutRoot; m_delayedLayout = delay != 0; diff --git a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp index c0b3e22..516c533 100644 
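Review bot: In FrameView::scheduleRelayoutOfSubtree the final `else if (m_layoutSchedulingEnabled)` in the @@ -1339 hunk can never be false, because the preceding branch is `if (layoutPending() || !m_layoutSchedulingEnabled)` and control only reaches the `else` when scheduling is enabled. A plain `else` says the same thing; if the test is kept as a defensive measure, a comment should say so. The reordering in the @@ -1315 hunk is the actual behavioural change and carries no explanation; going by the commit message, a comment above the branch such as `// Even with scheduling disabled, keep m_layoutRoot consistent so it cannot be left pointing at a detached subtree.` would record why the disabled case now falls through to the root-merging code.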
--- a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp +++ b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp @@ -90,6 +90,20 @@ static URLSchemesMap& schemesWithUniqueOrigins() return schemesWithUniqueOrigins; } +static bool schemeRequiresAuthority(const String& scheme) +{ + DEFINE_STATIC_LOCAL(URLSchemesMap, schemes, ()); + + if (schemes.isEmpty()) { + schemes.add("http"); + schemes.add("https"); + schemes.add("ftp"); + } + + return schemes.contains(scheme); +} + + SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags) : m_sandboxFlags(sandboxFlags) , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) @@ -103,6 +117,10 @@ SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags) if (m_protocol == "about" || m_protocol == "javascript") m_protocol = ""; + // For edge case URLs that were probably misparsed, make sure that the origin is unique. + if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty()) + m_isUnique = true; + // document.domain starts as m_host, but can be set by the DOM. m_domain = m_host; diff --git a/src/3rdparty/webkit/WebCore/page/Settings.cpp b/src/3rdparty/webkit/WebCore/page/Settings.cpp index 475d373..c0659d2 100644 --- a/src/3rdparty/webkit/WebCore/page/Settings.cpp +++ b/src/3rdparty/webkit/WebCore/page/Settings.cpp @@ -79,6 +79,7 @@ Settings::Settings(Page* page) , m_allowUniversalAccessFromFileURLs(true) , m_allowFileAccessFromFileURLs(true) , m_javaScriptCanOpenWindowsAutomatically(false) + , m_javaScriptCanAccessClipboard(false) , m_shouldPrintBackgrounds(false) , m_textAreasAreResizable(false) #if ENABLE(DASHBOARD_SUPPORT) 
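Review bot: schemeRequiresAuthority() in the @@ -90 hunk fills its static set lazily with an unsynchronized `isEmpty()` check followed by three `add()` calls, so two threads constructing a SecurityOrigin at the same time could both mutate the set. Whether SecurityOrigin is ever created off the main thread cannot be determined from this hunk; if it is, the set should be populated once up front or guarded. Separately, the comment added in the @@ -103 hunk ("probably misparsed") does not say what the check protects; `// An http, https or ftp URL with an empty host has no meaningful origin; mark it unique so it is same-origin with nothing.` would be clearer for the next reader of this security decision.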
@@ -291,6 +292,11 @@ void Settings::setJavaScriptCanOpenWindowsAutomatically(bool javaScriptCanOpenWi m_javaScriptCanOpenWindowsAutomatically = javaScriptCanOpenWindowsAutomatically; } +void Settings::setJavaScriptCanAccessClipboard(bool javaScriptCanAccessClipboard) +{ + m_javaScriptCanAccessClipboard = javaScriptCanAccessClipboard; +} + void Settings::setDefaultTextEncodingName(const String& defaultTextEncodingName) { m_defaultTextEncodingName = defaultTextEncodingName; diff --git a/src/3rdparty/webkit/WebCore/page/Settings.h b/src/3rdparty/webkit/WebCore/page/Settings.h index b677712..a6653ce 100644 --- a/src/3rdparty/webkit/WebCore/page/Settings.h +++ b/src/3rdparty/webkit/WebCore/page/Settings.h @@ -122,6 +122,9 @@ namespace WebCore { void setJavaScriptCanOpenWindowsAutomatically(bool); bool javaScriptCanOpenWindowsAutomatically() const { return m_javaScriptCanOpenWindowsAutomatically; } + void setJavaScriptCanAccessClipboard(bool); + bool javaScriptCanAccessClipboard() const { return m_javaScriptCanAccessClipboard; } + void setSpatialNavigationEnabled(bool); bool isSpatialNavigationEnabled() const { return m_isSpatialNavigationEnabled; } @@ -330,6 +333,7 @@ namespace WebCore { bool m_allowUniversalAccessFromFileURLs: 1; bool m_allowFileAccessFromFileURLs: 1; bool m_javaScriptCanOpenWindowsAutomatically : 1; + bool m_javaScriptCanAccessClipboard : 1; bool m_shouldPrintBackgrounds : 1; bool m_textAreasAreResizable : 1; #if ENABLE(DASHBOARD_SUPPORT) |
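Review bot: The new javaScriptCanAccessClipboard setting is declared in Settings.h (the @@ -122 hunk) without any comment on what it gates, and none of the hunks in this directory read the flag, so the code that consults it is not shown here. A line above the declaration such as `// Whether script-initiated clipboard commands are permitted; defaults to false.` would tell embedders that enabling it is a deliberate opt-in. The `false` default set in the Settings.cpp constructor hunk only helps if every clipboard entry point reachable from script checks the flag, which is worth confirming against the parts of the update outside this directory.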