The Vulnerability History Project

2011-01-08 Charlie Reis <creis@chromium.org>

      Reviewed by Mihai Parparita.

        Canceled frame loads can corrupt back forward list
        https://bugs.webkit.org/show_bug.cgi?id=50254

        http/tests/navigation/forward-and-cancel.html aborts a slowly loading
        subframe in a frame tree and ensures the history items are updated properly.

        * LayoutTests/http/tests/navigation/forward-and-cancel-expected.txt: Added.
        * LayoutTests/http/tests/navigation/forward-and-cancel.html: Added.
        * LayoutTests/http/tests/navigation/resources/forward-and-cancel-frames.html: Added.
        * LayoutTests/http/tests/navigation/resources/forward-and-cancel-frames-container.html: Added.
2011-01-08  Charlie Reis  <creis@chromium.org>

        Reviewed by Mihai Parparita.

        Canceled frame loads can corrupt back forward list
        https://bugs.webkit.org/show_bug.cgi?id=50254

        Avoids changing m_currentItem until the navigation commits.
        Also resets top-level history items if a subframe navigation is canceled.

        * WebCore/loader/FrameLoader.cpp:
        (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
        * WebCore/loader/HistoryController.cpp:
        * WebCore/loader/HistoryController.h:

git-svn-id: svn://svn.chromium.org/blink/trunk@75336 bbb929c8-8fbe-4397-9dbb-9b2b20218538

by Colleen the Moray Eel 2011-01-09 01:27:19 UTC

commit 71075a2dc134ffd5d33a8d140fb21121f6832764

Chromium VCC CVE-2011-1059

third_party/WebKit/LayoutTests/ChangeLog

-15

third_party/WebKit/LayoutTests/http/tests/navigation/forward-and-cancel-expected.txt

-15

third_party/WebKit/LayoutTests/http/tests/navigation/forward-and-cancel.html

-43

third_party/WebKit/LayoutTests/http/tests/navigation/resources/forward-and-cancel-frames-container.html

-7

third_party/WebKit/LayoutTests/http/tests/navigation/resources/forward-and-cancel-frames.html