Fix a crash by adding <base> to a detached srcdoc document.

ParentDocument() can be nullptr. Bug: 750836 Change-Id: Idff5feeececa8ad32f3248c565c878902dd24ffc Reviewed-on: https://chromium-review.googlesource.com/597370 Commit-Queue: Kent Tamura <tkent@chromium.org> Reviewed-by: Hayato Ito <hayato@chromium.org> Cr-Commit-Position: refs/heads/master@{#491277}

Fix a crash by adding <base> to a detached srcdoc document.
ParentDocument() can be nullptr. Bug: 750836 Change-Id: Idff5feeececa8ad32f3248c565c878902dd24ffc Reviewed-on: https://chromium-review.googlesource.com/597370 Commit-Queue: Kent Tamura <tkent@chromium.org> Reviewed-by: Hayato Ito <hayato@chromium.org> Cr-Commit-Position: refs/heads/master@{#491277}
0d862af0 · Kent Tamura · Commit Bot · eb3f807a · 0d862af0 · 0d862af0
Commit 0d862af0 authored Aug 02, 2017 by Kent Tamura Committed by Commit Bot Aug 02, 2017
4 changed files
--- a/third_party/WebKit/LayoutTests/html/README.md
+++ b/third_party/WebKit/LayoutTests/html/README.md
@@ -42,6 +42,10 @@ Some areas have their own directories not under html/.
    P, HR, PRE, BLOCKQUOTE, OL, UL, LI, DL, DT, DD, FIGURE, FIGCAPTION, MAIN,
    and DIV.

+*   infrastructure/
+
+    [Common infrastructure](https://html.spec.whatwg.org/multipage/infrastructure.html#infrastructure)
+
 *   marquee/

    MARQUEE element.

--- a/third_party/WebKit/LayoutTests/html/infrastructure/fallback_base_url-expected.txt
+++ b/third_party/WebKit/LayoutTests/html/infrastructure/fallback_base_url-expected.txt
+This is a testharness.js-based test.
+FAIL The fallback base URL of a srcdoc document should be the document base URL of the document's browsing context's browsing context container's document even after the srcdoc document lost its browsing context. assert_not_equals: after detaching got disallowed value "about:srcdoc"
+Harness: the test ran to completion.
+
--- a/third_party/WebKit/LayoutTests/html/infrastructure/fallback_base_url.html
+++ b/third_party/WebKit/LayoutTests/html/infrastructure/fallback_base_url.html
+<!DOCTYPE html>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+// The specification is unclear for this particular case. We should clarify it
+// and merge this test to wpt/html/infrastructure/urls/terminology-0/document-base-url.html
+
+var t = async_test('The fallback base URL of a srcdoc document should be the document base URL of the document\'s browsing context\'s browsing context container\'s document even after the srcdoc document lost its browsing context.');
+t.step(() => {
+  var iframe = document.createElement('iframe');
+  iframe.srcdoc = 'text';
+  iframe.onload = t.step_func_done(() => {
+    var srcdoc = iframe.contentDocument;
+    assert_equals(srcdoc.baseURI, document.baseURI, 'before detaching');
+    iframe.remove();
+    srcdoc.body.innerHTML = '<base href="relative/">';
+    assert_not_equals(srcdoc.baseURI, 'about:srcdoc', 'after detaching');
+  });
+  document.body.appendChild(iframe);
+});
+</script>
+</body>
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -3592,11 +3592,16 @@ void Document::UpdateBaseURL() {
 }

 KURL Document::FallbackBaseURL() const {
-  if (IsSrcdocDocument())
-    return ParentDocument()->BaseURL();
-  if (urlForBinding().IsAboutBlankURL()) {
+  if (IsSrcdocDocument()) {
+    // TODO(tkent): Referring to ParentDocument() is not correct.  See
+    // crbug.com/751329.
+    if (Document* parent = ParentDocument())
+      return parent->BaseURL();
+  } else if (urlForBinding().IsAboutBlankURL()) {
    if (context_document_)
      return context_document_->BaseURL();
+    // TODO(tkent): Referring to ParentDocument() is not correct.  See
+    // crbug.com/751329.
    if (Document* parent = ParentDocument())
      return parent->BaseURL();
  }