Don't use FrameLoader::m_provisionalItem for history state if a cross-origin

redirect happens BUG=500554 Review URL: https://codereview.chromium.org/1175113009 git-svn-id: svn://svn.chromium.org/blink/trunk@198022 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Don't use FrameLoader::m_provisionalItem for history state if a cross-origin
redirect happens BUG=500554 Review URL: https://codereview.chromium.org/1175113009 git-svn-id: svn://svn.chromium.org/blink/trunk@198022 bbb929c8-8fbe-4397-9dbb-9b2b20218538
5f5d4a2e · japhet@chromium.org · c54dc856 · 5f5d4a2e · 5f5d4a2e · 5f5d4a2e
Commit 5f5d4a2e authored Jun 29, 2015 by japhet@chromium.org
5 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/history/cross-origin-redirect-on-back-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/history/cross-origin-redirect-on-back-expected.txt
+We pass if we don't crash.
--- a/third_party/WebKit/LayoutTests/http/tests/history/cross-origin-redirect-on-back.html
+++ b/third_party/WebKit/LayoutTests/http/tests/history/cross-origin-redirect-on-back.html
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+window.onload = function() {
+    if (location.hash == "#back") {
+        document.body.appendChild(document.createTextNode("We pass if we don't crash."));
+        if (window.testRunner)
+            testRunner.notifyDone();
+        return;
+    }
+
+    setTimeout(function() {
+        history.replaceState({}, "", "#back");
+        history.pushState({}, "", "http://127.0.0.1:8000/resources/redirect.php?url=http://localhost:8000/history/resources/back.html");
+        location = "http://127.0.0.1:8000/history/resources/back.html";
+    }, 0);
+};
+</script>
+</body>
+</html>
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -388,7 +388,7 @@ void DocumentLoader::willSendRequest(ResourceRequest& newRequest, const Resource
        return;

    appendRedirect(newRequest.url());
-    frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
+    frameLoader()->receivedMainResourceRedirect(m_request.url());
    if (!shouldContinueForNavigationPolicy(newRequest, CheckContentSecurityPolicy))
        cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
 }

--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -340,10 +340,18 @@ void FrameLoader::replaceDocumentWhileExecutingJavaScriptURL(const String& sourc
    documentLoader->replaceDocumentWhileExecutingJavaScriptURL(init, source, ownerDocument);
 }

+void FrameLoader::receivedMainResourceRedirect(const KURL& newURL)
+{
+    client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
+    // If a back/forward navigation redirects cross-origin, don't reuse any state from the HistoryItem.
+    if (m_provisionalItem && !SecurityOrigin::create(m_provisionalItem->url())->isSameSchemeHostPort(SecurityOrigin::create(newURL).get()))
+        m_provisionalItem.clear();
+}
+
 void FrameLoader::setHistoryItemStateForCommit(HistoryCommitType historyCommitType, HistoryNavigationType navigationType)
 {
    RefPtrWillBeRawPtr<HistoryItem> oldItem = m_currentItem;
-    if (historyCommitType == BackForwardCommit)
+    if (historyCommitType == BackForwardCommit && m_provisionalItem)
        m_currentItem = m_provisionalItem.release();
    else
        m_currentItem = HistoryItem::create();

--- a/third_party/WebKit/Source/core/loader/FrameLoader.h
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.h
@@ -156,6 +156,8 @@ public:
    void finishedParsing();
    void checkCompleted();

+    void receivedMainResourceRedirect(const KURL& newURL);
+
    // This prepares the FrameLoader for the next commit. It will dispatch
    // unload events, abort XHR requests and detach the document. Returns true
    // if the frame is ready to receive the next commit, or false otherwise.