Merge branch '4.7' of scm.dev.nokia.troll.no:qt/qt-webkit into 4.7-integration

* '4.7' of scm.dev.nokia.troll.no:qt/qt-webkit:
  Updated WebKit to ad96ca2f9b57271da4ea7432022ac686ee0981c2

59 files changed, 979 insertions, 160 deletions

diff --git a/src/3rdparty/webkit/.tag b/src/3rdparty/webkit/.tag
index 0b824b7..1d1c8ed 100644
--- a/src/3rdparty/webkit/.tag
+++ b/src/3rdparty/webkit/.tag
@@ -1 +1 @@
-d59845f6fec84f15da116f50a1a0e52ce26116e9
+ad96ca2f9b57271da4ea7432022ac686ee0981c2
diff --git a/src/3rdparty/webkit/VERSION b/src/3rdparty/webkit/VERSION
index c970745..2e5ebd0 100644
--- a/src/3rdparty/webkit/VERSION
+++ b/src/3rdparty/webkit/VERSION
@@ -4,4 +4,4 @@ This is a snapshot of the Qt port of WebKit from
 
 and has the sha1 checksum
 
-        d59845f6fec84f15da116f50a1a0e52ce26116e9
+        ad96ca2f9b57271da4ea7432022ac686ee0981c2
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index a4ae758..a993a97 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,505 @@
+2010-05-14  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Move the m_width(Length) and m_columns(RenderTable::ColumnStruct)
+        vector out-of-bounds check out of the ASSERT into the main code.
+        https://bugs.webkit.org/show_bug.cgi?id=38261
+
+        Test: fast/table/fixed-table-layout-large-colspan-crash.html
+
+        * rendering/FixedTableLayout.cpp:
+        (WebCore::FixedTableLayout::calcWidthArray):
+
+2010-05-21  Beth Dakin  <bdakin@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Fix for <rdar://problem/8009118> Crash in WebCore::toAlphabetic() 
+        while running MangleMe
+        -and corresponding-
+        https://bugs.webkit.org/show_bug.cgi?id=39508
+
+        The math was slightly off here, and we wound up trying to access an 
+        array at index -1 in some cases. We need to decrement numberShadow 
+        rather than subtracting one from the result of the modulo 
+        operation.
+
+        * rendering/RenderListMarker.cpp:
+        (WebCore::toAlphabeticOrNumeric):
+
+2010-05-20  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        <rdar://problem/8007953> Textarea using custom font appears blank
+
+        Test: fast/css/font-face-in-shadow-DOM.html
+
+        When a remote font is loaded, CSSFontSelector forces a style recalc, which replaces all
+        RenderSyles that have FontFallbackLists referencing the placeholder font with fresh
+        RenderStyles. However, it does not descend into shadow DOM trees, so those may end up with
+        styles that still reference the placeholder font.
+
+        The fix is to add RenderObject::requiresForcedStyleRecalcPropagation() and have it return
+        true from renderers that maintain shadow DOM trees or otherwise keep their own RenderStyles.
+
+        * dom/Element.cpp:
+        (WebCore::Element::recalcStyle): Check if forced style recalc needs to propagated.
+        * rendering/RenderButton.h:
+        (WebCore::RenderButton::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderDataGrid.h:
+        (WebCore::RenderDataGrid::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderFileUploadControl.h:
+        (WebCore::RenderFileUploadControl::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderListItem.h:
+        (WebCore::RenderListItem::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderMedia.h:
+        (WebCore::RenderMedia::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderMenuList.h:
+        (WebCore::RenderMenuList::RenderMenuList::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderObject.h:
+        (WebCore::RenderObject::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderProgress.h:
+        (WebCore::RenderProgress::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderSlider.h:
+        (WebCore::RenderSlider::requiresForcedStyleRecalcPropagation):
+        * rendering/RenderTextControl.h:
+        (WebCore::RenderTextControl::requiresForcedStyleRecalcPropagation):
+
+2010-04-02  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        XHR allows arbitrary XSRF across domains 
+        https://bugs.webkit.org/show_bug.cgi?id=36843
+
+        Added a one-line change to prevent bypassing the XDC check on
+        synchronous preflighted requests. Added layout tests to cover
+        variations of this problem.
+
+        Tests: http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html
+               http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html
+               http/tests/xmlhttprequest/access-control-preflight-sync-header-denied.html
+               http/tests/xmlhttprequest/access-control-preflight-sync-method-denied.html
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::preflightFailure):
+
+2010-04-28  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
+        https://bugs.webkit.org/show_bug.cgi?id=37781
+        <rdar://problem/7905150>
+
+        Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html
+               http/tests/xmlhttprequest/access-control-preflight-credential-sync.html
+
+        Rolling the patch in as I could not reproduce Qt results locally.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the
+        credential from the request here to avoid forgetting to do so in the different code path.
+        (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the
+        "Origin" header.
+        (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have
+        been removed so that we don't leak them. Also tweaked a comment to make it clear that
+        the URL check has issue when credential is involved.
+
+2010-04-21  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Adam Roben.
+
+        Windows build fix.
+
+        * platform/network/cf/ResourceHandleCFNet.cpp: Declare CFURLConnectionCreateWithProperties
+        for now, as it's mistakenly missing from WebKitSupportLibrary headers.
+
+2010-05-19  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by David Hyatt.
+
+        Check that the node is a text node before doing a static cast
+        to a Text class pointer.
+        https://bugs.webkit.org/show_bug.cgi?id=38626    
+
+        Test: fast/text/text-transform-nontext-node-crash.xhtml
+
+        * rendering/RenderText.cpp:
+        (WebCore::RenderText::originalText):
+        * rendering/RenderTextFragment.cpp:
+        (WebCore::RenderTextFragment::originalText):
+        (WebCore::RenderTextFragment::previousCharacter):
+
+2010-05-12  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        HTML Entity Escape the contents of a textarea node when accessed
+        via the innerHTML and outerHTML node properties.
+        https://bugs.webkit.org/show_bug.cgi?id=38922
+
+        Test: fast/innerHTML/innerHTML-special-elements.html
+
+        * editing/markup.cpp:
+        (WebCore::appendStartMarkup):
+
+2010-05-12  James Robinson  <jamesr@chromium.org>
+
+        Patch by Dan Bernstein.
+
+        Reviewed by David Hyatt.
+
+        Fix marking the layout root's parent as needing layout
+        https://bugs.webkit.org/show_bug.cgi?id=37760
+
+        If an element gets marked as needing layout due to the recalcStyle()
+        call in FrameView::layout(), the m_layoutSchedulingEnabled flag will
+        be set to false.  It's possible at this point that a parent of the
+        existing FrameView::m_layoutRoot will be marked as needing layout.
+
+        This patch updates FrameView::scheduleRelayoutOfSubtree to account
+        for this case.
+
+        Manual test only due to subtle timing issues.
+
+        * manual-tests/layoutroot_detach.xml: Added.
+        * page/FrameView.cpp:
+        (WebCore::FrameView::scheduleRelayoutOfSubtree):
+
+2010-05-10  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=38583
+        <rdar://problem/7948784> Crash in Element::normalizeAttributes.
+
+        Test: fast/dom/Element/normalize-crash.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::normalizeAttributes): Copy attributes to a vector
+        before iterating.
+        * dom/NamedAttrMap.cpp:
+        (WebCore::NamedNodeMap::copyAttributesToVector): Added.
+        * dom/NamedAttrMap.h:
+
+2010-05-10  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Based on a patch by Eric Seidel.
+
+        https://bugs.webkit.org/show_bug.cgi?id=28697
+        <rdar://problem/7946578> WebKit crash on WebCore::Node::nodeIndex()
+
+        It's not OK to call ContainerNode::willRemoveChild() in a loop, because Range code assumes
+        that it can adjust start and end position to any node except for the one being removed -
+        so these notifications cannot be batched.
+
+        Test: fast/dom/Range/remove-all-children-crash.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::willRemoveChild): Removed unused ExceptionCode.
+        (WebCore::willRemoveChildren): New function, used in removeChildren() case.
+        (WebCore::ContainerNode::removeChild): ExceptionCode return was always 0, don't bother with it.
+        (WebCore::ContainerNode::removeChildren): Call willRemoveChildrenFromNode.
+        (WebCore::dispatchChildRemovalEvents): Moved some logic out into willRemoveChildrenFromNode
+        and willRemoveChild.
+
+        * dom/Document.cpp:
+        (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case.
+
+        * dom/Document.h: 
+        (WebCore::Document::nodeChildrenWillBeRemoved): New function, used in removeChildren() case.
+
+        * dom/Range.h:
+        * dom/Range.cpp:
+        (WebCore::boundaryNodeChildrenWillBeRemoved): New function, used in removeChildren() case.
+        (WebCore::Range::nodeChildrenWillBeRemoved): Ditto.
+
+2010-05-03  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=38497
+        <rdar://problem/7759438> Make sure that http URLs always have a host in SecurityOrigin
+
+        This is a hardening fix, and behavior really depends on what an underlying networking layer
+        does. So, no test.
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::schemeRequiresAuthority): List schemes that need an authority for successful loading.
+        (WebCore::SecurityOrigin::SecurityOrigin): Never let e.g. http origins with empty authorities
+        have the same security origin.
+
+2010-05-03  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Add support for controlling clipboard access from javascript.
+        Clipboard access from javascript is disabled by default.
+        https://bugs.webkit.org/show_bug.cgi?id=27751
+
+        Test: editing/execCommand/clipboard-access.html
+
+        * WebCore.base.exp:
+        * editing/EditorCommand.cpp:
+        (WebCore::supportedCopyCut):
+        (WebCore::supportedPaste):
+        (WebCore::createCommandMap):
+        * page/Settings.cpp:
+        (WebCore::Settings::Settings):
+        (WebCore::Settings::setJavaScriptCanAccessClipboard):
+        * page/Settings.h:
+        (WebCore::Settings::javaScriptCanAccessClipboard):
+
+2010-04-30  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by David Kilzer.
+
+        Convert m_documentUnderMouse, m_dragInitiator to RefPtr.
+        Eliminated unused m_dragInitiator accessor to prevent dereferencing.
+        https://bugs.webkit.org/show_bug.cgi?id=37618
+
+        Test: editing/pasteboard/drag-drop-iframe-refresh-crash.html
+
+        * page/DragController.cpp:
+        (WebCore::DragController::tryDocumentDrag):
+        (WebCore::DragController::concludeEditDrag):
+        * page/DragController.h:
+        (WebCore::DragController::draggingImageURL):
+        (WebCore::DragController::documentUnderMouse):
+
+2010-04-14  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Javascript URL can be set as iframe.src via multiple DOM aliases
+        https://bugs.webkit.org/show_bug.cgi?id=37031
+
+        Moved frame/iframe checks from Attr to Node on inherited members.
+        Node child manipulation methods now return NOT_SUPPORTED_ERR if used
+        on a frame/iframe src attribute.
+        NamedNodeMap set methods now perform frame/iframe src checks.
+        Moved allowSettingSrcToJavascriptURL static helper function from 
+        JSElementCustom.cpp to exported function in JSDOMBinding.h.
+
+        * bindings/js/JSAttrCustom.cpp:
+        (WebCore::JSAttr::setValue):
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::allowSettingSrcToJavascriptURL):
+        * bindings/js/JSDOMBinding.h:
+        * bindings/js/JSElementCustom.cpp:
+        * bindings/js/JSNamedNodeMapCustom.cpp:
+        (WebCore::JSNamedNodeMap::setNamedItem):
+        (WebCore::JSNamedNodeMap::setNamedItemNS):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::isAttrFrameSrc):
+        (WebCore::JSNode::setNodeValue):
+        (WebCore::JSNode::setTextContent):
+        (WebCore::JSNode::insertBefore):
+        (WebCore::JSNode::replaceChild):
+        (WebCore::JSNode::removeChild):
+        (WebCore::JSNode::appendChild):
+        * bindings/v8/custom/V8AttrCustom.cpp:
+        * bindings/v8/custom/V8NamedNodeMapCustom.cpp:
+        (WebCore::V8NamedNodeMap::setNamedItemNSCallback):
+        (WebCore::V8NamedNodeMap::setNamedItemCallback):
+        (WebCore::toV8):
+        * bindings/v8/custom/V8NodeCustom.cpp:
+        (WebCore::isFrameSrc):
+        (WebCore::V8Node::textContentAccessorSetter):
+        (WebCore::V8Node::nodeValueAccessorSetter):
+        (WebCore::V8Node::insertBeforeCallback):
+        (WebCore::V8Node::replaceChildCallback):
+        (WebCore::V8Node::removeChildCallback):
+        (WebCore::V8Node::appendChildCallback):
+        * dom/Attr.idl:
+        * dom/NamedNodeMap.idl:
+        * dom/Node.idl:
+
+2010-03-26  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
+        https://bugs.webkit.org/show_bug.cgi?id=36502
+
+        Overrode inherited nodeValue and textContent in Attr.idl so they proxy 
+        to value, which performs a security check.
+
+        Test: http/tests/security/xss-DENIED-iframe-src-alias.html
+
+        * bindings/js/JSAttrCustom.cpp:
+        (WebCore::JSAttr::nodeValue):
+        (WebCore::JSAttr::setNodeValue):
+        (WebCore::JSAttr::textContent):
+        (WebCore::JSAttr::setTextContent):
+        * bindings/v8/custom/V8AttrCustom.cpp:
+        (WebCore::V8Attr::nodeValueAccessorSetter):
+        (WebCore::V8Attr::nodeValueAccessorGetter):
+        (WebCore::V8Attr::textContentAccessorSetter):
+        (WebCore::V8Attr::textContentAccessorGetter):
+        * dom/Attr.idl:
+
+2010-05-05  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=38260
+        <rdar://problem/7917548> Fix whitespace removing in deprecatedParseURL().
+
+        Broken all the way since r4 (yes, that's a revision number).
+
+        Test: http/tests/security/xss-DENIED-javascript-with-spaces.html
+
+        * css/CSSHelper.cpp: (WebCore::deprecatedParseURL): Fixed loop conditions for remaining length.
+
+2010-04-23  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Simon Fraser.
+
+        <rdar://problem/7898436> :after content is duplicated
+
+        Test: fast/css-generated-content/after-duplicated-after-split.html
+
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::splitInlines): Pass the correct owner of the child list.
+
+2010-03-30  Chris Evans  <cevans@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Taint the canvas if an SVG-derived pattern is rendered into it.
+
+        https://bugs.webkit.org/show_bug.cgi?id=36838
+
+        Test: fast/canvas/svg-taint.html
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::createPattern):
+          Take into account the image's hasSingleSecurityOrigin() property.
+
+2010-04-07  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Darinn Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=37230
+        <rdar://problem/7813115> REGRESSION (4.0.5): Safari asks for credentials all the time when
+        authenticating to Windows IIS Server
+
+        * platform/network/ProtectionSpace.h: (WebCore::ProtectionSpaceAuthenticationScheme): Added
+        a constant for ProtectionSpaceAuthenticationSchemeUnknown.
+
+        * platform/network/cf/AuthenticationCF.cpp: (WebCore::core):
+        * platform/network/cf/SocketStreamHandleCFNet.cpp: (WebCore::authenticationSchemeFromAuthenticationMethod):
+        Return ProtectionSpaceAuthenticationSchemeUnknown for unknown scheme.
+
+        * platform/network/mac/AuthenticationMac.mm:
+        (WebCore::mac): Support NTLM on systems older than 10.6. We actually get this string from
+        NSURLConnection, even though there was no public constant.
+        (WebCore::core): Return ProtectionSpaceAuthenticationSchemeUnknown for unknown scheme.
+
+2010-04-19  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Make the fix for <rdar://problem/7873647> from r57759 more robust.
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::updateHoverActiveState): Use RefPtrs for the Nodes.
+
+2010-04-16  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Simon Fraser.
+
+        <rdar://problem/7873647> Crash when updating hover state
+
+        Test: fast/dynamic/hover-style-recalc-crash.html
+
+        Updating the hover state of an element caused the document to need style
+        recalc, and then updating the hover state of a link caused style recalc,
+        which changed the render tree while updateHoverActiveState() was iterating
+        over it, leading to a crash.
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::updateHoverActiveState): Collect the nodes to be
+        updated into vectors, then update their active and hover states.
+
+2010-03-31  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Darin Adler.
+
+        <http://webkit.org/b/36878> REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port"
+
+        * platform/KURL.cpp:
+        (WebCore::KURL::port): Explicitly handle the case of a colon being present in the URL after the host name but with
+        no port number before the path.  This is handled in the same manner as the colon and port being omitted completely.
+
+2010-03-24  Mark Rowe  <mrowe@apple.com>
+
+        Revert the portion of r56489 that dealt with port zero as it introduced some test failures.
+
+        * platform/KURL.cpp:
+        (WebCore::KURL::port): Use the "ok" argument to charactersToUIntStrict to determine whether
+        it was able to successfully parse the string as an unsigned integer, rather than relying on
+        the fact it returned zero when it failed.
+
+2010-03-24  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Darin Adler.
+
+        WebKit should treat port numbers outside the valid range as being blacklisted
+        <http://webkit.org/b/36571> / <rdar://problem/7790908>
+
+        * platform/KURL.cpp:
+        (WebCore::KURL::port): Map invalid port numbers to invalidPortNumber.
+        (WebCore::portAllowed): Add invalidPortNumber to the blacklist.
+        * platform/KURLGoogle.cpp:  invalid port numbers to invalidPortNumber.
+        (WebCore::KURL::port): Add invalidPortNumber to the blacklist.
+        Also bring this in to sync with KURL.  Having this identical code in two places is stupid.
+
+2010-05-05  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Adele Peterson.
+
+        https://bugs.webkit.org/show_bug.cgi?id=26824
+        <rdar://problem/7018610> EventHandler can operate on a wrong frame if focus changes during
+        keyboard event dispatch.
+
+        EventHandler object is tied to a frame, so it's wrong for it to continue processing a keyboard
+        event if focused frame changes between keydown and keypress.
+
+        * manual-tests/focus-change-between-key-events.html: Added.
+
+        * page/EventHandler.cpp: (WebCore::EventHandler::keyEvent): Bail out early if focused frame
+        changes while dispatching keydown. Also made similar changes for Windows to maintain matching
+        behavior, even though EventHandler was re-entered anyway due to WM_KEYDOWN and WM_CHAR being
+        separate events.
+
+2010-07-02  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
+
+        Reviewed by Simon Hausmann.
+
+        [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear
+
+        The implementation of PathQt's addArcTo() was not float-safe and also had
+        a case where it drew an 'infinite' line, which is not part of the spec.
+
+        http://www.whatwg.org/specs/web-apps/current-work/#dom-context-2d-arcto
+
+        We now use qFuzzyCompare() in both cases. The method isPointOnPathBorder()
+        also had the same problem, and was refactored a bit in the process of fixing
+        the bug.
+
+        Initial patch by Andreas Kling.
+
+        https://bugs.webkit.org/show_bug.cgi?id=41412
+
+        * platform/graphics/qt/PathQt.cpp:
+
 2010-03-26  Shu Chang  <chang.shu@nokia.com>
 
         Reviewed by Eric Seidel.
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp
index 3c01535..4cd40ac 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSAttrCustom.cpp
@@ -33,6 +33,7 @@
 #include "Document.h"
 #include "HTMLFrameElementBase.h"
 #include "HTMLNames.h"
+#include "JSDOMBinding.h"
 
 using namespace JSC;
 
@@ -46,13 +47,8 @@ void JSAttr::setValue(ExecState* exec, JSValue value)
     String attrValue = valueToStringWithNullCheck(exec, value);
 
     Element* ownerElement = imp->ownerElement();
-    if (ownerElement && (ownerElement->hasTagName(iframeTag) || ownerElement->hasTagName(frameTag))) {
-        if (equalIgnoringCase(imp->name(), "src") && protocolIsJavaScript(deprecatedParseURL(attrValue))) {
-            Document* contentDocument = static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument();
-            if (contentDocument && !checkNodeSecurity(exec, contentDocument))
-                return;
-        }
-    }
+    if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->name(), attrValue))
+        return;
 
     ExceptionCode ec = 0;
     imp->setValue(attrValue, ec);
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp
index f294dad..393c1ee 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.cpp
@@ -24,6 +24,7 @@
 #include "debugger/DebuggerCallFrame.h"
 
 #include "ActiveDOMObject.h"
+#include "CSSHelper.h"
 #include "DOMCoreException.h"
 #include "DOMObjectHashTableMap.h"
 #include "Document.h"
@@ -33,6 +34,7 @@
 #include "Frame.h"
 #include "HTMLAudioElement.h"
 #include "HTMLCanvasElement.h"
+#include "HTMLFrameElementBase.h"
 #include "HTMLImageElement.h"
 #include "HTMLNames.h"
 #include "HTMLScriptElement.h"
@@ -630,6 +632,16 @@ bool shouldAllowNavigation(ExecState* exec, Frame* frame)
     return lexicalFrame && lexicalFrame->loader()->shouldAllowNavigation(frame);
 }
 
+bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
+{
+    if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
+          Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
+          if (contentDocument && !checkNodeSecurity(exec, contentDocument))
+              return false;
+      }
+      return true;
+}
+
 void printErrorMessageForFrame(Frame* frame, const String& message)
 {
     if (!frame)
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h
index 219472b..40f7e40 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSDOMBinding.h
@@ -301,6 +301,8 @@ namespace WebCore {
     bool allowsAccessFromFrame(JSC::ExecState*, Frame*);
     bool allowsAccessFromFrame(JSC::ExecState*, Frame*, String& message);
     bool shouldAllowNavigation(JSC::ExecState*, Frame*);
+    bool allowSettingSrcToJavascriptURL(JSC::ExecState*, Element*, const String&, const String&);
+
     void printErrorMessageForFrame(Frame*, const String& message);
     JSC::JSValue objectToStringFunctionGetter(JSC::ExecState*, JSC::JSValue, const JSC::Identifier& propertyName);
 
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp
index c725290..94012fd 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSElementCustom.cpp
@@ -36,6 +36,7 @@
 #include "HTMLFrameElementBase.h"
 #include "HTMLNames.h"
 #include "JSAttr.h"
+#include "JSDOMBinding.h"
 #include "JSHTMLElementWrapperFactory.h"
 #include "JSNodeList.h"
 #include "NodeList.h"
@@ -63,16 +64,6 @@ void JSElement::markChildren(MarkStack& markStack)
         markDOMObjectWrapper(markStack, globalData, static_cast<StyledElement*>(element)->inlineStyleDecl());
 }
 
-static inline bool allowSettingSrcToJavascriptURL(ExecState* exec, Element* element, const String& name, const String& value)
-{
-    if ((element->hasTagName(iframeTag) || element->hasTagName(frameTag)) && equalIgnoringCase(name, "src") && protocolIsJavaScript(deprecatedParseURL(value))) {
-        Document* contentDocument = static_cast<HTMLFrameElementBase*>(element)->contentDocument();
-        if (contentDocument && !checkNodeSecurity(exec, contentDocument))
-            return false;
-    }
-    return true;
-}
-
 JSValue JSElement::setAttribute(ExecState* exec, const ArgList& args)
 {
     ExceptionCode ec = 0;
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
index 13f3628..965498a 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSNamedNodeMapCustom.cpp
@@ -35,6 +35,38 @@ using namespace JSC;
 
 namespace WebCore {
 
+JSValue JSNamedNodeMap::setNamedItem(ExecState* exec, const ArgList& args)
+{
+    NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+    ExceptionCode ec = 0;
+    Node* newNode = toNode(args.at(0));
+
+    if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+        if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+            return jsNull();
+    }
+
+    JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItem(newNode, ec)));
+    setDOMException(exec, ec);
+    return result;
+}
+
+JSValue JSNamedNodeMap::setNamedItemNS(ExecState* exec, const ArgList& args)
+{
+    NamedNodeMap* imp = static_cast<NamedNodeMap*>(impl());
+    ExceptionCode ec = 0;
+    Node* newNode = toNode(args.at(0));
+
+    if (newNode && newNode->nodeType() == Node::ATTRIBUTE_NODE && imp->element()) {
+        if (!allowSettingSrcToJavascriptURL(exec, imp->element(), newNode->nodeName(), newNode->nodeValue()))
+            return jsNull();
+    }
+
+    JSValue result = toJS(exec, globalObject(), WTF::getPtr(imp->setNamedItemNS(newNode, ec)));
+    setDOMException(exec, ec);
+    return result;
+}
+
 bool JSNamedNodeMap::canGetItemsForName(ExecState*, NamedNodeMap* impl, const Identifier& propertyName)
 {
     return impl->getNamedItem(propertyName);
diff --git a/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp b/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp
index 134c581..bf6c633 100644
--- a/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp
+++ b/src/3rdparty/webkit/WebCore/bindings/js/JSNodeCustom.cpp
@@ -38,6 +38,7 @@
 #include "JSAttr.h"
 #include "JSCDATASection.h"
 #include "JSComment.h"
+#include "JSDOMBinding.h"
 #include "JSDocument.h"
 #include "JSDocumentFragment.h"
 #include "JSDocumentType.h"
@@ -66,12 +67,53 @@ using namespace JSC;
 
 namespace WebCore {
 
-typedef int ExpectionCode;
+static inline bool isAttrFrameSrc(Element *element, const String& name)
+{
+    return element && (element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src");
+}
+
+void JSNode::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+{
+    Node* imp = static_cast<Node*>(impl());
+    String nodeValue = valueToStringWithNullCheck(exec, value);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+        Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+        if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+            return;
+    }
+
+    ExceptionCode ec = 0;
+    imp->setNodeValue(nodeValue, ec);
+    setDOMException(exec, ec);
+}
+
+void JSNode::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+{
+    Node* imp = static_cast<Node*>(impl());
+    String nodeValue = valueToStringWithNullCheck(exec, value);
+
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE) {
+        Element* ownerElement = static_cast<Attr*>(impl())->ownerElement();
+        if (ownerElement && !allowSettingSrcToJavascriptURL(exec, ownerElement, imp->nodeName(), nodeValue))
+            return;
+    }
+
+    ExceptionCode ec = 0;
+    imp->setTextContent(nodeValue, ec);
+    setDOMException(exec, ec);
+}
 
 JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
 {
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
     ExceptionCode ec = 0;
-    bool ok = impl()->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+    bool ok = imp->insertBefore(toNode(args.at(0)), toNode(args.at(1)), ec, true);
     setDOMException(exec, ec);
     if (ok)
         return args.at(0);
@@ -80,8 +122,14 @@ JSValue JSNode::insertBefore(ExecState* exec, const ArgList& args)
 
 JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
 {
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
     ExceptionCode ec = 0;
-    bool ok = impl()->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
+    bool ok = imp->replaceChild(toNode(args.at(0)), toNode(args.at(1)), ec, true);
     setDOMException(exec, ec);
     if (ok)
         return args.at(1);
@@ -90,8 +138,14 @@ JSValue JSNode::replaceChild(ExecState* exec, const ArgList& args)
 
 JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
 {
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
     ExceptionCode ec = 0;
-    bool ok = impl()->removeChild(toNode(args.at(0)), ec);
+    bool ok = imp->removeChild(toNode(args.at(0)), ec);
     setDOMException(exec, ec);
     if (ok)
         return args.at(0);
@@ -100,8 +154,14 @@ JSValue JSNode::removeChild(ExecState* exec, const ArgList& args)
 
 JSValue JSNode::appendChild(ExecState* exec, const ArgList& args)
 {
+    Node* imp = static_cast<Node*>(impl());
+    if (imp->nodeType() == Node::ATTRIBUTE_NODE && isAttrFrameSrc(static_cast<Attr*>(impl())->ownerElement(), imp->nodeName())) {
+        setDOMException(exec, NOT_SUPPORTED_ERR);
+        return jsNull();
+    }
+
     ExceptionCode ec = 0;
-    bool ok = impl()->appendChild(toNode(args.at(0)), ec, true);
+    bool ok = imp->appendChild(toNode(args.at(0)), ec, true);
     setDOMException(exec, ec);
     if (ok)
         return args.at(0);
diff --git a/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp b/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp
index 8e6f3a0..c3418b4 100644
--- a/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp
+++ b/src/3rdparty/webkit/WebCore/css/CSSHelper.cpp
@@ -36,7 +36,7 @@ String deprecatedParseURL(const String& url)
     int o = 0;
     int l = i->length();
 
-    while (o < l && (*i)[o] <= ' ') {
+    while (0 < l && (*i)[o] <= ' ') {
         ++o;
         --l;
     }
@@ -53,7 +53,7 @@ String deprecatedParseURL(const String& url)
         l -= 5;
     }
 
-    while (o < l && (*i)[o] <= ' ') {
+    while (0 < l && (*i)[o] <= ' ') {
         ++o;
         --l;
     }
@@ -65,7 +65,7 @@ String deprecatedParseURL(const String& url)
         l -= 2;
     }
 
-    while (o < l && (*i)[o] <= ' ') {
+    while (0 < l && (*i)[o] <= ' ') {
         ++o;
         --l;
     }
diff --git a/src/3rdparty/webkit/WebCore/dom/Attr.idl b/src/3rdparty/webkit/WebCore/dom/Attr.idl
index af84478..3c73bc0 100644
--- a/src/3rdparty/webkit/WebCore/dom/Attr.idl
+++ b/src/3rdparty/webkit/WebCore/dom/Attr.idl
@@ -28,7 +28,9 @@ module core {
         // DOM Level 1
 
         readonly attribute [ConvertNullStringTo=Null] DOMString name;
+
         readonly attribute boolean specified;
+
                  attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value 
                      setter raises(DOMException);
 
diff --git a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
index fb2852f..c17489a 100644
--- a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
@@ -292,19 +292,32 @@ void ContainerNode::willRemove()
     Node::willRemove();
 }
 
-static ExceptionCode willRemoveChild(Node *child)
+static void willRemoveChild(Node* child)
 {
-    ExceptionCode ec = 0;
+    // update auxiliary doc info (e.g. iterators) to note that node is being removed
+    child->document()->nodeWillBeRemoved(child);
+    child->document()->incDOMTreeVersion();
 
     // fire removed from document mutation events.
     dispatchChildRemovalEvents(child);
-    if (ec)
-        return ec;
 
     if (child->attached())
         child->willRemove();
-    
-    return 0;
+}
+
+static void willRemoveChildren(ContainerNode* container)
+{
+    container->document()->nodeChildrenWillBeRemoved(container);
+    container->document()->incDOMTreeVersion();
+
+    // FIXME: Adding new children from event handlers can cause an infinite loop here.
+    for (RefPtr<Node> child = container->firstChild(); child; child = child->nextSibling()) {
+        // fire removed from document mutation events.
+        dispatchChildRemovalEvents(child.get());
+
+        if (child->attached())
+            child->willRemove();
+    }
 }
 
 bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
@@ -328,10 +341,7 @@ bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
     }
 
     RefPtr<Node> child = oldChild;
-
-    ec = willRemoveChild(child.get());
-    if (ec)
-        return false;
+    willRemoveChild(child.get());
 
     // Mutation events might have moved this child into a different parent.
     if (child->parentNode() != this) {
@@ -399,14 +409,12 @@ bool ContainerNode::removeChildren()
         return false;
 
     // The container node can be removed from event handlers.
-    RefPtr<Node> protect(this);
-    
+    RefPtr<ContainerNode> protect(this);
+
     // Do any prep work needed before actually starting to detach
     // and remove... e.g. stop loading frames, fire unload events.
-    // FIXME: Adding new children from event handlers can cause an infinite loop here.
-    for (RefPtr<Node> n = m_firstChild; n; n = n->nextSibling())
-        willRemoveChild(n.get());
-    
+    willRemoveChildren(protect.get());
+
     // exclude this node when looking for removed focusedNode since only children will be removed
     document()->removeFocusedNodeOfSubtree(this, true);
 
@@ -936,6 +944,8 @@ static void dispatchChildInsertionEvents(Node* child)
 
 static void dispatchChildRemovalEvents(Node* child)
 {
+    ASSERT(!eventDispatchForbidden());
+
 #if ENABLE(INSPECTOR)    
     if (Page* page = child->document()->page()) {
         if (InspectorController* inspectorController = page->inspectorController())
@@ -946,11 +956,6 @@ static void dispatchChildRemovalEvents(Node* child)
     RefPtr<Node> c = child;
     RefPtr<Document> document = child->document();
 
-    // update auxiliary doc info (e.g. iterators) to note that node is being removed
-    document->nodeWillBeRemoved(child);
-
-    document->incDOMTreeVersion();
-
     // dispatch pre-removal mutation events
     if (c->parentNode() && document->hasListenerType(Document::DOMNODEREMOVED_LISTENER))
         c->dispatchEvent(MutationEvent::create(eventNames().DOMNodeRemovedEvent, true, c->parentNode()));
diff --git a/src/3rdparty/webkit/WebCore/dom/Document.cpp b/src/3rdparty/webkit/WebCore/dom/Document.cpp
index 545819d..9803cf5 100644
--- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
@@ -2957,6 +2957,28 @@ void Document::nodeChildrenChanged(ContainerNode* container)
     }
 }
 
+void Document::nodeChildrenWillBeRemoved(ContainerNode* container)
+{
+    if (!disableRangeMutation(page())) {
+        HashSet<Range*>::const_iterator end = m_ranges.end();
+        for (HashSet<Range*>::const_iterator it = m_ranges.begin(); it != end; ++it)
+            (*it)->nodeChildrenWillBeRemoved(container);
+    }
+
+    HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end();
+    for (HashSet<NodeIterator*>::const_iterator it = m_nodeIterators.begin(); it != nodeIteratorsEnd; ++it) {
+        for (Node* n = container->firstChild(); n; n = n->nextSibling())
+            (*it)->nodeWillBeRemoved(n);
+    }
+
+    if (Frame* frame = this->frame()) {
+        for (Node* n = container->firstChild(); n; n = n->nextSibling()) {
+            frame->selection()->nodeWillBeRemoved(n);
+            frame->dragCaretController()->nodeWillBeRemoved(n);
+        }
+    }
+}
+
 void Document::nodeWillBeRemoved(Node* n)
 {
     HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end();
diff --git a/src/3rdparty/webkit/WebCore/dom/Document.h b/src/3rdparty/webkit/WebCore/dom/Document.h
index 44cdf0d..68927f4 100644
--- a/src/3rdparty/webkit/WebCore/dom/Document.h
+++ b/src/3rdparty/webkit/WebCore/dom/Document.h
@@ -616,6 +616,9 @@ public:
     void detachRange(Range*);
 
     void nodeChildrenChanged(ContainerNode*);
+    // nodeChildrenWillBeRemoved is used when removing all node children at once.
+    void nodeChildrenWillBeRemoved(ContainerNode*);
+    // nodeWillBeRemoved is only safe when removing one node at a time.
     void nodeWillBeRemoved(Node*);
 
     void textInserted(Node*, unsigned offset, unsigned length);
diff --git a/src/3rdparty/webkit/WebCore/dom/Element.cpp b/src/3rdparty/webkit/WebCore/dom/Element.cpp
index 6bd512d..a02bb4c 100644
--- a/src/3rdparty/webkit/WebCore/dom/Element.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Element.cpp
@@ -937,7 +937,7 @@ void Element::recalcStyle(StyleChange change)
                 newStyle->setChildrenAffectedByDirectAdjacentRules();
         }
 
-        if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) {
+        if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) {
             setRenderStyle(newStyle);
         } else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) {
             // Although no change occurred, we use the new style so that the cousin style sharing code won't get
@@ -1429,9 +1429,15 @@ void Element::normalizeAttributes()
     NamedNodeMap* attrs = attributes(true);
     if (!attrs)
         return;
-    unsigned numAttrs = attrs->length();
-    for (unsigned i = 0; i < numAttrs; i++) {
-        if (Attr* attr = attrs->attributeItem(i)->attr())
+
+    if (attrs->isEmpty())
+        return;
+
+    Vector<RefPtr<Attribute> > attributeVector;
+    attrs->copyAttributesToVector(attributeVector);
+    size_t numAttrs = attributeVector.size();
+    for (size_t i = 0; i < numAttrs; ++i) {
+        if (Attr* attr = attributeVector[i]->attr())
             attr->normalize();
     }
 }
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
index d8a6ba8..ee979cf 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
@@ -172,6 +172,11 @@ PassRefPtr<Node> NamedNodeMap::item(unsigned index) const
     return m_attributes[index]->createAttrIfNeeded(m_element);
 }
 
+void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy)
+{
+    copy = m_attributes;
+}
+
 Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const
 {
     unsigned len = length();
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h