Update DocumentLoader::Url() to match Document::Url() on document.open()

Bug: 978579
Change-Id: I382b9da1d8aec0199355374ed6930a730b7e4562
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1731788Reviewed-by: Nate Chapin <japhet@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#683642}

third_party/blink/renderer/core/dom/document.cc

@@ -3552,6 +3552,8 @@ void Document::open(Document* entered_document,
     KURL new_url = entered_document->Url();
     new_url.SetFragmentIdentifier(String());
     SetURL(new_url);
+    if (Loader())
+      Loader()->UpdateUrlForDocumentOpen(new_url);
 
     SetSecurityOrigin(entered_document->GetMutableSecurityOrigin());
     SetReferrerPolicy(entered_document->GetReferrerPolicy());
@@ -7374,6 +7376,8 @@ DocumentLoader* Document::Loader() const {
   if (!frame_)
     return nullptr;
 
+  // TODO(dcheng): remove this check. frame_ is guaranteed to be non-null only
+  // if frame_->GetDocument() == this.
   if (frame_->GetDocument() != this)
     return nullptr;
 

third_party/blink/renderer/core/dom/document.h

@@ -1581,6 +1581,10 @@ class CORE_EXPORT Document : public ContainerNode,
   }
   bool ToggleDuringParsing() { return toggle_during_parsing_; }
 
+  bool HasPendingJavaScriptUrlsForTest() {
+    return !pending_javascript_urls_.IsEmpty();
+  }
+
  protected:
   void ClearXMLVersion() { xml_version_ = String(); }
 

third_party/blink/renderer/core/loader/document_loader.h

@@ -293,6 +293,11 @@ class CORE_EXPORT DocumentLoader
 
   bool IsBrowserInitiated() const { return is_browser_initiated_; }
 
+  // TODO(dcheng, japhet): Some day, Document::Url() will always match
+  // DocumentLoader::Url(), and one of them will be removed. Today is not that
+  // day though.
+  void UpdateUrlForDocumentOpen(const KURL& url) { url_ = url; }
+
  protected:
   Vector<KURL> redirect_chain_;
 

third_party/blink/renderer/core/loader/document_loader_test.cc

@@ -15,6 +15,8 @@
 #include "third_party/blink/renderer/core/frame/web_local_frame_impl.h"
 #include "third_party/blink/renderer/core/page/page.h"
 #include "third_party/blink/renderer/core/testing/scoped_fake_plugin_registry.h"
+#include "third_party/blink/renderer/core/testing/sim/sim_request.h"
+#include "third_party/blink/renderer/core/testing/sim/sim_test.h"
 #include "third_party/blink/renderer/platform/loader/static_data_navigation_body_loader.h"
 #include "third_party/blink/renderer/platform/testing/unit_test_helpers.h"
 #include "third_party/blink/renderer/platform/testing/url_test_helpers.h"
@@ -219,4 +221,35 @@ TEST_F(DocumentLoaderTest, MixedContentOptOutNotSetIfNoHeaderReceived) {
                    ->GetMixedAutoUpgradeOptOut());
 }
 
+class DocumentLoaderSimTest : public SimTest {};
+
+TEST_F(DocumentLoaderSimTest, DocumentOpenUpdatesUrl) {
+  SimRequest main_resource("https://example.com", "text/html");
+  LoadURL("https://example.com");
+  main_resource.Write("<iframe src='javascript:42;'></iframe>");
+
+  auto* child_frame = To<WebLocalFrameImpl>(MainFrame().FirstChild());
+  auto* child_document = child_frame->GetFrame()->GetDocument();
+  EXPECT_TRUE(child_document->HasPendingJavaScriptUrlsForTest());
+
+  main_resource.Write(
+      "<script>"
+      "window[0].document.open();"
+      "window[0].document.write('hello');"
+      "window[0].document.close();"
+      "</script>");
+
+  main_resource.Finish();
+
+  // document.open() should have cancelled the pending JavaScript URLs.
+  EXPECT_FALSE(child_document->HasPendingJavaScriptUrlsForTest());
+
+  // Per https://whatwg.org/C/dynamic-markup-insertion.html#document-open-steps,
+  // the URL associated with the Document should match the URL of the entry
+  // Document.
+  EXPECT_EQ(KURL("https://example.com"), child_document->Url());
+  // Similarly, the URL of the DocumentLoader should also match.
+  EXPECT_EQ(KURL("https://example.com"), child_document->Loader()->Url());
+}
+
 }  // namespace blink