Title: [141667] trunk
- Revision
- 141667
- Author
- commit-qu...@webkit.org
- Date
- 2013-02-01 16:58:26 -0800 (Fri, 01 Feb 2013)
Log Message
Document is never released if an image's src attribute is changed to a url blocked by content-security-policy.
https://bugs.webkit.org/show_bug.cgi?id=108545
Source/WebCore:
If we just scheduled an error event due to an null newImage, we should not cancel it when newImage and oldImage
is not the same. Otherwise we will ref the sourceElement in updateHasPendingEvent (m_hasPendingErrorEvent is true)
but never deref it since we already cancelled the error event.
Patch by Yongjun Zhang <yongjun_zh...@apple.com> on 2013-02-01
Reviewed by Alexey Proskuryakov.
Test: fast/images/image-error-event-not-firing.html
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::updateFromElement): don't cancel error event if newImage is null, we want the
error event to fire.
LayoutTests:
Patch by Yongjun Zhang <yongjun_zh...@apple.com> on 2013-02-01
Reviewed by Alexey Proskuryakov.
Add a test to verify the error event is fired when image's src attribute is changed to a url
but the url blocked by content-security-policy.
* fast/images/image-error-event-not-firing-expected.txt: Added.
* fast/images/image-error-event-not-firing.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (141666 => 141667)
--- trunk/LayoutTests/ChangeLog 2013-02-02 00:51:38 UTC (rev 141666)
+++ trunk/LayoutTests/ChangeLog 2013-02-02 00:58:26 UTC (rev 141667)
@@ -1,3 +1,16 @@
+2013-02-01 Yongjun Zhang <yongjun_zh...@apple.com>
+
+ Document is never released if an image's src attribute is changed to a url blocked by content-security-policy.
+ https://bugs.webkit.org/show_bug.cgi?id=108545
+
+ Reviewed by Alexey Proskuryakov.
+
+ Add a test to verify the error event is fired when image's src attribute is changed to a url
+ but the url blocked by content-security-policy.
+
+ * fast/images/image-error-event-not-firing-expected.txt: Added.
+ * fast/images/image-error-event-not-firing.html: Added.
+
2013-02-01 Florin Malita <fmal...@chromium.org>
[Chromium] Unreviewed gardening.
Added: trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt (0 => 141667)
--- trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/images/image-error-event-not-firing-expected.txt 2013-02-02 00:58:26 UTC (rev 141667)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Refused to load the image 'http://www.myfakesiteabc.com/image.png' because it violates the following Content Security Policy directive: "img-src 'self'".
+
+This tests onerror event is fired if we change image src to a url blocked by content-security-policy.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS error event fired.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/images/image-error-event-not-firing.html (0 => 141667)
--- trunk/LayoutTests/fast/images/image-error-event-not-firing.html (rev 0)
+++ trunk/LayoutTests/fast/images/image-error-event-not-firing.html 2013-02-02 00:58:26 UTC (rev 141667)
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+<script src=""
+<script>
+description(
+ "This tests onerror event is fired if we change image src to a url blocked by content-security-policy."
+)
+
+jsTestIsAsync = true;
+
+function load()
+{
+ var image = document.getElementById('test');
+ image._onerror_ = function() {
+ testPassed("error event fired.");
+ finishJSTest();
+ };
+ image.src = '';
+
+ setTimeout(function() {
+ testFailed("error event is not fired.")
+ finishJSTest();
+ }, 200);
+}
+</script>
+
+</head>
+<body _onload_='load()'>
+
+<img src="" id="test"></img>
+
+<script src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (141666 => 141667)
--- trunk/Source/WebCore/ChangeLog 2013-02-02 00:51:38 UTC (rev 141666)
+++ trunk/Source/WebCore/ChangeLog 2013-02-02 00:58:26 UTC (rev 141667)
@@ -1,3 +1,20 @@
+2013-02-01 Yongjun Zhang <yongjun_zh...@apple.com>
+
+ Document is never released if an image's src attribute is changed to a url blocked by content-security-policy.
+ https://bugs.webkit.org/show_bug.cgi?id=108545
+
+ If we just scheduled an error event due to an null newImage, we should not cancel it when newImage and oldImage
+ is not the same. Otherwise we will ref the sourceElement in updateHasPendingEvent (m_hasPendingErrorEvent is true)
+ but never deref it since we already cancelled the error event.
+
+ Reviewed by Alexey Proskuryakov.
+
+ Test: fast/images/image-error-event-not-firing.html
+
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::updateFromElement): don't cancel error event if newImage is null, we want the
+ error event to fire.
+
2013-02-01 Benjamin Poulain <bpoul...@apple.com>
Clean the String->AtomicString conversion for AnimationController::pauseAnimationAtTime
Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (141666 => 141667)
--- trunk/Source/WebCore/loader/ImageLoader.cpp 2013-02-02 00:51:38 UTC (rev 141666)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp 2013-02-02 00:58:26 UTC (rev 141667)
@@ -217,12 +217,23 @@
CachedImage* oldImage = m_image.get();
if (newImage != oldImage) {
- if (m_hasPendingBeforeLoadEvent)
+ if (m_hasPendingBeforeLoadEvent) {
beforeLoadEventSender().cancelEvent(this);
- if (m_hasPendingLoadEvent)
+ m_hasPendingBeforeLoadEvent = false;
+ }
+ if (m_hasPendingLoadEvent) {
loadEventSender().cancelEvent(this);
- if (m_hasPendingErrorEvent)
+ m_hasPendingLoadEvent = false;
+ }
+
+ // Cancel error events that belong to the previous load, which is now cancelled by changing the src attribute.
+ // If newImage is null and m_hasPendingErrorEvent is true, we know the error event has been just posted by
+ // this load and we should not cancel the event.
+ // FIXME: If both previous load and this one got blocked with an error, we can receive one error event instead of two.
+ if (m_hasPendingErrorEvent && newImage) {
errorEventSender().cancelEvent(this);
+ m_hasPendingErrorEvent = false;
+ }
m_image = newImage;
m_hasPendingBeforeLoadEvent = !m_element->document()->isImageDocument() && newImage;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
