Google Git
Sign in
chromium / chromium / src / b9e3d96067ff8c016d2505ab2a1f6b9d985c6b35^! / .
commitb9e3d96067ff8c016d2505ab2a1f6b9d985c6b35[log] [tgz]
authorjochen <jochen@chromium.org>Mon Jul 25 08:19:46 2016
committerCommit bot <commit-bot@chromium.org>Mon Jul 25 08:37:49 2016
tree188c2ec791d446879d539d8d9591a8ceb3ab23ab
parent34b990b50b984c81eb660e8ceaf9c2d431c7aad6 [diff]
Sprinkle some release asserts over HTMLFrameElementBase

It appears to be difficult to get this right, but it's quite bad if we
get it wrong, so rather crash.

BUG=628942
R=dcheng@chromium.org

Review-Url: https://codereview.chromium.org/2169453002
Cr-Commit-Position: refs/heads/master@{#407430}

diff --git a/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp b/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp
index 0c5029c..6d7cced 100644
--- a/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp

@@ -47,6 +47,7 @@
     , m_scrollingMode(ScrollbarAuto)
     , m_marginWidth(-1)
     , m_marginHeight(-1)
+    , m_javaScriptURLFailedAccessCheck(false)
 {
 }
 
@@ -58,8 +59,11 @@
     const KURL& completeURL = document().completeURL(m_URL);
 
     if (protocolIsJavaScript(completeURL)) {
-        if (contentFrame() && !ScriptController::canAccessFromCurrentOrigin(toIsolate(&document()), contentFrame()))
+        if (contentFrame() && !ScriptController::canAccessFromCurrentOrigin(toIsolate(&document()), contentFrame())) {
+            m_javaScriptURLFailedAccessCheck = true;
             return false;
+        }
+        SECURITY_CHECK(!m_javaScriptURLFailedAccessCheck);
     }
 
     LocalFrame* parentFrame = document().frame();
@@ -168,6 +172,10 @@
     if (!SubframeLoadingDisabler::canLoadFrame(*this))
         return;
 
+    // We should never have a content frame at the point where we got inserted
+    // into a tree.
+    SECURITY_CHECK(!contentFrame());
+
     setNameAndOpenURL();
 }
 
@@ -188,6 +196,7 @@
 void HTMLFrameElementBase::setLocation(const String& str)
 {
     m_URL = AtomicString(str);
+    m_javaScriptURLFailedAccessCheck = false;
 
     if (isConnected())
         openURL(false);

diff --git a/third_party/WebKit/Source/core/html/HTMLFrameElementBase.h b/third_party/WebKit/Source/core/html/HTMLFrameElementBase.h
index 6e9cf68..0038b8c 100644
--- a/third_party/WebKit/Source/core/html/HTMLFrameElementBase.h
+++ b/third_party/WebKit/Source/core/html/HTMLFrameElementBase.h

@@ -78,6 +78,7 @@
 
     AtomicString m_URL;
     AtomicString m_frameName;
+    mutable bool m_javaScriptURLFailedAccessCheck;
 };
 
 inline bool isHTMLFrameElementBase(const HTMLElement& element)