2016-11-14  Matthew Hanson

        Merge r208691. rdar://problem/29250304

    2016-11-14  David Kilzer

            Bug 164702: WebContent crash due to checked unsigned overflow in
            WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104

            Reviewed by Darin Adler.

            Test: inspector/layers/layers-compositing-reasons.html

            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::requiresCompositingForCanvas): Don't composite if the canvas area overflows.

2016-11-14  Matthew Hanson

        Merge r208655. rdar://problem/29250302

    2016-11-12  Wenson Hsieh

            The main content heuristic should be robust when handling large media elements
            https://bugs.webkit.org/show_bug.cgi?id=164676

            Reviewed by Eric Carlson.

            Handles integer overflow gracefully when performing the main content check for very large media elements.
            If the heuristic comes across such an element, it will now bail early and reject the video as main content.
            Also adds a new API test: VideoControlsManager.VideoControlsManagerPageWithEnormousVideo.

            * html/MediaElementSession.cpp:
            (WebCore::isElementRectMostlyInMainFrame):

2016-11-06  Matthew Hanson

        Merge r208392. rdar://problem/28409526

    2016-11-03  Anders Carlsson

            Add new 'other' Apple Pay button style
            https://bugs.webkit.org/show_bug.cgi?id=164384
            rdar://problem/28302528

            Reviewed by Dean Jackson.

            * DerivedSources.make:
            * WebCorePrefix.h:
            Add extension points.

            * css/CSSPrimitiveValueMappings.h:
            (WebCore::CSSPrimitiveValue::CSSPrimitiveValue): Add ApplePayButtonType::Other.
            (WebCore::CSSPrimitiveValue::operator ApplePayButtonType): Add CSSValueOther.
            * css/CSSValueKeywords.in: Add other.
            * css/parser/CSSParser.cpp:
            (WebCore::isValidKeywordPropertyAndValue): Add CSSValueOther.
            * css/parser/CSSParserFastPaths.cpp:
            (WebCore::CSSParserFastPaths::isValidKeywordPropertyAndValue): Add CSSValueOther.
            * rendering/RenderThemeCocoa.mm:
            (WebCore::toPKPaymentButtonType): Handle ApplePayButtonType::Other.
            * rendering/style/RenderStyleConstants.h: Add ApplePayButtonType::Other.
2016-11-03  Matthew Hanson

        Merge r208328. rdar://problem/29084886

    2016-11-03  Dan Bernstein

            REGRESSION (r206247): Painting milestones can be delayed until the next layer flush
            https://bugs.webkit.org/show_bug.cgi?id=164340

            Reviewed by Tim Horton.

            To give WebKit a chance to deliver the painting milestones to its client after the commit, we must tell it
            about them before or during the commit. To that end, we should not defer the call to
            firePaintRelatedMilestonesIfNeeded until after the commit.

            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::RenderLayerCompositor): Removed m_paintRelatedMilestonesTimer initializer.
            (WebCore::RenderLayerCompositor::didPaintBacking): Call FrameView::firePaintRelatedMilestonesIfNeeded directly
            from here.
            (WebCore::RenderLayerCompositor::paintRelatedMilestonesTimerFired): Deleted.
            * rendering/RenderLayerCompositor.h:

2016-11-03  Matthew Hanson

        Merge r208319. rdar://problem/29084077

    2016-11-02  Simon Fraser

            Followup after r208314.

            The style created for reflections contains transforms and a mask, so needs to get explicit z-index on it.
            This doesn't change rendering, since this layer has no children.

            Fixes assertions in various reflection tests.

            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::calculateClipRects):

2016-11-03  Matthew Hanson

        Merge r208314. rdar://problem/29084077

    2016-11-02  Simon Fraser

            REGRESSION (r208025) GraphicsContext state stack assertions loading webkit.org
            https://bugs.webkit.org/show_bug.cgi?id=164350
            rdar://problem/29053414

            Reviewed by Dean Jackson.

            After r208025 it was possible for KeyframeAnimation::animate() to produce a RenderStyle with a non-1 opacity,
            but without the explicit z-index that triggers stacking context. This confused the RenderLayer
            paintWithTransparency code, triggering mismatched GraphicsContext save/restores.

            This occurred when the runningOrFillingForwards state was mis-computed.
            keyframeAnim->animate() can spit out a new style when in the StartWaitTimer sometimes, so
            "!keyframeAnim->waitingToStart() && !keyframeAnim->postActive()" gave the wrong answer. Rather than depend
            on the super-confusing animation state, use a bool out param from animate() to say when it actually produced
            a new style, and when true, do the setZIndex(0).

            Test: animations/stacking-during-opacity-animation.html

            * page/animation/AnimationBase.h:
            * page/animation/CSSPropertyAnimation.cpp:
            (WebCore::CSSPropertyAnimation::blendProperties): Log after blending so the log shows the blended style.
            * page/animation/CompositeAnimation.cpp:
            (WebCore::CompositeAnimation::animate):
            * page/animation/ImplicitAnimation.cpp:
            (WebCore::ImplicitAnimation::animate):
            * page/animation/ImplicitAnimation.h:
            * page/animation/KeyframeAnimation.cpp:
            (WebCore::KeyframeAnimation::animate):
            * page/animation/KeyframeAnimation.h:
            * platform/graphics/GraphicsContext.cpp:
            (WebCore::GraphicsContext::restore):
            * platform/graphics/ca/cocoa/PlatformCALayerCocoa.mm:
            (PlatformCALayer::drawLayerContents): No functional change, but created scope for the GraphicsContext so that
            it didn't outlive the CGContextRestoreGState(context).
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::beginTransparencyLayers): New assertion that catches the problem earlier.

2016-11-03  Matthew Hanson

        Merge r208307. rdar://problem/29078457

    2016-11-02  David Kilzer

            Bug 164333: Add logging for "WebKit encountered an internal error" messages due to Network process crashes

            Reviewed by Alex Christensen.

            * page/DiagnosticLoggingKeys.cpp:
            (WebCore::DiagnosticLoggingKeys::networkProcessCrashedKey):
            - Add implementation for new key method.
            * page/DiagnosticLoggingKeys.h:
            (WebCore::DiagnosticLoggingKeys::networkProcessCrashedKey):
            - Add declaration for new key method.

2016-11-03  Matthew Hanson

        Merge r208286.
        rdar://problem/28634857

    2016-11-02  David Kilzer

            Add logging for "WebKit encountered an internal error" messages

            Reviewed by Alex Christensen.

            * page/DiagnosticLoggingKeys.cpp:
            (WebCore::DiagnosticLoggingKeys::internalErrorKey):
            (WebCore::DiagnosticLoggingKeys::invalidSessionIDKey):
            (WebCore::DiagnosticLoggingKeys::createSharedBufferFailedKey):
            (WebCore::DiagnosticLoggingKeys::synchronousMessageFailedKey):
            - Add implementations for new key methods.
            * page/DiagnosticLoggingKeys.h:
            (WebCore::DiagnosticLoggingKeys::internalErrorKey):
            (WebCore::DiagnosticLoggingKeys::invalidSessionIDKey):
            (WebCore::DiagnosticLoggingKeys::createSharedBufferFailedKey):
            (WebCore::DiagnosticLoggingKeys::synchronousMessageFailedKey):
            - Add declarations for new key methods.

2016-11-03  Matthew Hanson

        Merge r208101. rdar://problem/29053206

    2016-10-29  Youenn Fablet

            REGRESSION (Safari 10 / r189445): WKWebView and WebView no longer allow async XMLHttpRequest timeout to
            exceed 60 seconds
            https://bugs.webkit.org/show_bug.cgi?id=163814

            Reviewed by Darin Adler.

            Tests: http/tests/xmlhttprequest/resetting-timeout-to-zero.html
                   http/tests/xmlhttprequest/timeout-greater-than-default-network-timeout.html

            * xml/XMLHttpRequest.cpp:
            (WebCore::XMLHttpRequest::setTimeout): If the XHR timeout is active, resetting the timeout to zero should
            lead to using the default network timeout. Since it is difficult to update the timeout once the request is
            sent, we mimic the default network timeout with a 60-second XHR timeout.
            (WebCore::XMLHttpRequest::createRequest): Setting network timeout to infinity if the XHR timeout is active.

2016-11-03  Matthew Hanson

        Merge r208025. rdar://problem/28216240

    2016-10-27  Simon Fraser

            If an animation's keyframes affect stacking context properties, create stacking context while the animation
            is running
            https://bugs.webkit.org/show_bug.cgi?id=164094

            Reviewed by Dean Jackson.
            The CSS animations spec now makes it clear that a keyframe animation animating properties which can affect
            stacking context should establish stacking context while it's running, or filling-forwards. This is part of
            the "the user agent must act as if the will-change property...includes all the properties animated by the
            animation" clause.

            Implement by having CompositeAnimation::animate() track whether running animations should create stacking
            context, replacing existing code in AnimationController::updateAnimations() which only looked at opacity and
            transform. Transitions are also checked to see if they need to trigger stacking context.

            This allows for the removal of a 0.9999 hack when blending opacity.

            Tests: animations/stacking-context-fill-forwards.html
                   animations/stacking-context-not-fill-forwards.html
                   animations/stacking-context-unchanged-while-running.html

            * page/animation/AnimationController.cpp:
            (WebCore::AnimationController::updateAnimations):
            * page/animation/CSSPropertyAnimation.cpp:
            * page/animation/CompositeAnimation.cpp:
            (WebCore::CompositeAnimation::animate):
            * page/animation/KeyframeAnimation.cpp:
            (WebCore::KeyframeAnimation::KeyframeAnimation):
            (WebCore::KeyframeAnimation::computeStackingContextImpact):
            (WebCore::KeyframeAnimation::animate):
            * page/animation/KeyframeAnimation.h:
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::currentTransform):
            * rendering/style/WillChangeData.cpp:
            (WebCore::WillChangeData::propertyCreatesStackingContext):
            (WebCore::propertyCreatesStackingContext): Deleted.
            * rendering/style/WillChangeData.h:

2016-11-01  Matthew Hanson

        Rollout r208167. rdar://problem/28216240

2016-11-01  Matthew Hanson

        Rollout r208255. rdar://problem/28962886

2016-11-01  Matthew Hanson

        Rollout r208173. rdar://problem/28962886

2016-11-01  Matthew Hanson

        Merge r208175. rdar://problem/29032335

    2016-10-31  Jer Noble

            Unreviewed build fix for the build fix; AVStreamDataParser not defined on iOS.
            * platform/spi/mac/AVFoundationSPI.h:

2016-11-01  Matthew Hanson

        Merge r208171. rdar://problem/29032335

    2016-10-31  Jer Noble

            Unreviewed build fix after r208151; outputMIMECodecParameterForInputMIMECodecParameter not defined pre-Sierra.

            * platform/spi/mac/AVFoundationSPI.h:

2016-11-01  Matthew Hanson

        Merge r208161. rdar://problem/29032335

    2016-10-31  Jer Noble

            Unreviewed build fix after r208151; _setPreventsSleepDuringVideoPlayback: only defined in non-simulator SDKs.

            * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
            (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVPlayer):
            (WebCore::MediaPlayerPrivateAVFoundationObjC::setShouldDisableSleep):
            * platform/spi/mac/AVFoundationSPI.h:

2016-11-01  Matthew Hanson

        Merge r206637. rdar://problem/28718754

    2016-09-30  Said Abou-Hallawa

            Unreviewed, fix 32-bit build.

            * loader/cache/CachedImage.cpp:
            (WebCore::CachedImage::decodedSizeChanged):

2016-10-31  Matthew Hanson

        Merge r208151. rdar://problem/29032335

    2016-10-31  Jer Noble

            Opt-out of AVPlayer automatic sleep disabling
            https://bugs.webkit.org/show_bug.cgi?id=163983

            Reviewed by Eric Carlson.

            In addition to the DisplaySleepDisabler, notify the MediaPlayerPrivateAVFoundationObjC object whether it should
            disable display sleep. Provide all the necessary boilerplate to allow the media player private to query the
            HTMLMediaPlayer so that the correct value can be set on AVPlayer upon creation.
            * html/HTMLMediaElement.cpp:
            (WebCore::HTMLMediaElement::updateSleepDisabling):
            * html/HTMLMediaElement.h:
            * platform/graphics/MediaPlayer.cpp:
            (WebCore::MediaPlayer::setShouldDisableSleep):
            (WebCore::MediaPlayer::shouldDisableSleep):
            * platform/graphics/MediaPlayer.h:
            (WebCore::MediaPlayerClient::mediaPlayerShouldDisableSleep):
            * platform/graphics/MediaPlayerPrivate.h:
            (WebCore::MediaPlayerPrivateInterface::setShouldDisableSleep):
            * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
            * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
            (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVPlayer):
            (WebCore::MediaPlayerPrivateAVFoundationObjC::setShouldDisableSleep):

            Drive-by fix: Re-organize the contents of AVFoundationSPI.h so that there's a single top-level
            #if USE(APPLE_INTERNAL_SDK) statement, rather than that conditional being sprinkled about the file.

            * platform/spi/mac/AVFoundationSPI.h:

2016-10-31  Matthew Hanson

        Merge r208168. rdar://problem/28962886

    2016-10-28  Brent Fulgham

            Do a better job of protecting Frame objects in the context of JavaScript calls
            https://bugs.webkit.org/show_bug.cgi?id=164163

            Reviewed by Darin Adler.

            * editing/AlternativeTextController.cpp:
            (WebCore::AlternativeTextController::respondToUnappliedSpellCorrection): Protected the Frame.
            * editing/Editor.cpp:
            (WebCore::Editor::setTextAsChildOfElement): Ditto.
            * editing/EditorCommand.cpp:
            (WebCore::executeSwapWithMark): Ditto.
            * editing/TypingCommand.cpp:
            (WebCore::TypingCommand::deleteKeyPressed): Ditto.
            (WebCore::TypingCommand::forwardDeleteKeyPressed): Ditto.
            * editing/mac/EditorMac.mm:
            (WebCore::Editor::replaceNodeFromPasteboard): Ditto.
            * page/ContextMenuController.cpp:
            (WebCore::ContextMenuController::contextMenuItemSelected): Ditto.
            * page/DOMSelection.cpp:
            (WebCore::DOMSelection::collapse): Ditto.
            (WebCore::DOMSelection::collapseToEnd): Ditto.
            (WebCore::DOMSelection::collapseToStart): Ditto.
            (WebCore::DOMSelection::setBaseAndExtent): Ditto.
            (WebCore::DOMSelection::setPosition): Ditto.
            (WebCore::DOMSelection::modify): Ditto.
            (WebCore::DOMSelection::extend): Ditto.
            (WebCore::DOMSelection::addRange): Ditto.
            (WebCore::DOMSelection::deleteFromDocument): Ditto.
            * page/DragController.cpp:
            (WebCore::setSelectionToDragCaret): Ditto.
            (WebCore::DragController::startDrag): Ditto.
            * page/Frame.cpp:
            (WebCore::Frame::checkOverflowScroll): Ditto.
            * page/TextIndicator.cpp:
            (WebCore::TextIndicator::createWithRange): Ditto.

2016-10-31  Matthew Hanson

        Merge r208025. rdar://problem/28216240

    2016-10-27  Simon Fraser

            If an animation's keyframes affect stacking context properties, create stacking context while the animation
            is running
            https://bugs.webkit.org/show_bug.cgi?id=164094

            Reviewed by Dean Jackson.

            The CSS animations spec now makes it clear that a keyframe animation animating properties which can affect
            stacking context should establish stacking context while it's running, or filling-forwards. This is part of
            the "the user agent must act as if the will-change property...includes all the properties animated by the
            animation" clause.

            Implement by having CompositeAnimation::animate() track whether running animations should create stacking
            context, replacing existing code in AnimationController::updateAnimations() which only looked at opacity and
            transform. Transitions are also checked to see if they need to trigger stacking context.

            This allows for the removal of a 0.9999 hack when blending opacity.
            Tests: animations/stacking-context-fill-forwards.html
                   animations/stacking-context-not-fill-forwards.html
                   animations/stacking-context-unchanged-while-running.html

            * page/animation/AnimationController.cpp:
            (WebCore::AnimationController::updateAnimations):
            * page/animation/CSSPropertyAnimation.cpp:
            * page/animation/CompositeAnimation.cpp:
            (WebCore::CompositeAnimation::animate):
            * page/animation/KeyframeAnimation.cpp:
            (WebCore::KeyframeAnimation::KeyframeAnimation):
            (WebCore::KeyframeAnimation::computeStackingContextImpact):
            (WebCore::KeyframeAnimation::animate):
            * page/animation/KeyframeAnimation.h:
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::currentTransform):
            * rendering/style/WillChangeData.cpp:
            (WebCore::WillChangeData::propertyCreatesStackingContext):
            (WebCore::propertyCreatesStackingContext): Deleted.
            * rendering/style/WillChangeData.h:

2016-10-31  Matthew Hanson

        Merge r208003. rdar://problem/28811878

    2016-10-27  Brent Fulgham

            Prevent hit tests from being performed on an invalid render tree
            https://bugs.webkit.org/show_bug.cgi?id=163877

            Reviewed by Simon Fraser.

            Changeset r200971 added code to ensure that layout is up-to-date before hit testing, but did so only for the
            main frame. It was still possible to enter cross-frame hit testing with a subframe needing style recalc. In
            that situation, the subframe's updateLayout() would get called, which could trigger a compositing change that
            marked the parent frame as needing style recalc. A subsequent layout on the parent frame (for example by hit
            testing traversing into a second subframe) could then mutate the parent frame's layer tree while hit testing
            was traversing it.

            This patch modifies the hit test logic to ensure that a recursive layout is performed so that we always
            perform hit tests on a clean set of frames. It also adds some assertions to warn us if we encounter this
            invalid state.

            Tested by fast/layers/prevent-hit-test-during-layout.html.
            * dom/Document.cpp:
            (WebCore::Document::scheduleStyleRecalc): Assert that we are not hit testing during style recalculation.
            * page/EventHandler.cpp:
            (WebCore::EventHandler::hitTestResultAtPoint): Ensure that we have a clean render tree when hit testing.
            * page/FrameView.cpp:
            (WebCore::FrameView::setNeedsLayout): Assert that we are not in the process of hit testing when we schedule
            a layout.
            * rendering/RenderView.cpp:
            (WebCore::RenderView::hitTest): Mark RenderView as in an active hit test.
            * rendering/RenderView.h:

2016-10-31  Matthew Hanson

        Merge r206635 and r206637. rdar://problem/28718754

    2016-10-28  Said Abou-Hallawa

            Change the MemoryCache and CachedResource adjustSize functions to take a long argument
            https://bugs.webkit.org/show_bug.cgi?id=162708

            Reviewed by Brent Fulgham.

            Because the MemoryCache stores the size of the cached memory in unsigned, two problems may happen when
            reporting a change in the size of the memory:

            1. Signed integer overflow -- which can happen because MemoryCache::adjustSize() takes a signed integer
            argument. If the allocated or the freed memory size is larger than the maximum of a signed integer, an
            overflow will happen. For the image caching code, this can be seen where the unsigned decodedSize is cast
            to an integer before passing it to ImageObserver::decodedSizeChanged().

            2. Unsigned integer overflow -- which can happen if the new allocated memory size plus the currentSize
            exceeds the maximum of unsigned. This can be seen in MemoryCache::adjustSize() where we add delta to
            m_liveSize or m_deadSize without checking whether this addition will overflow or not. We do not assert for
            overflow although we assert for underflow.

            The fix for these two problems can be the following:

            1. Make all the adjustSize functions all the way till MemoryCache::adjustSize() take a signed long integer
            argument.

            2.
            Do not create a NativeImagePtr for an ImageFrame if its frameBytes plus the ImageFrameCache::decodedSize()
            will exceed the maximum of an unsigned integer.

            * loader/cache/CachedImage.cpp:
            (WebCore::CachedImage::decodedSizeChanged): Change the argument to be long. No overflow will happen when
            casting the argument from unsigned to long.
            * loader/cache/CachedImage.h:
            * loader/cache/CachedResource.cpp:
            (WebCore::CachedResource::setDecodedSize): Use long integer casting when calling MemoryCache::adjustSize().
            (WebCore::CachedResource::setEncodedSize): Ditto.
            * loader/cache/MemoryCache.cpp:
            (WebCore::MemoryCache::MemoryCache): Add a static assert to ensure sizeof(long long) can hold any unsigned
            or its negation.
            (WebCore::MemoryCache::revalidationSucceeded): Use long integer casting when calling MemoryCache::adjustSize().
            (WebCore::MemoryCache::remove): Ditto.
            (WebCore::MemoryCache::adjustSize): Change the function argument to long integer. No overflow will happen
            when casting the argument from unsigned to long.
            * loader/cache/MemoryCache.h:
            * platform/graphics/BitmapImage.cpp:
            (WebCore::BitmapImage::destroyMetadataAndNotify): Use long long casting when calling
            ImageObserver::decodedSizeChanged().
            (WebCore::BitmapImage::cacheFrame): Do not create the NativeImage if adding its frameBytes to the MemoryCache
            will cause numerical overflow.
            (WebCore::BitmapImage::didDecodeProperties): Use long long casting.
            (WebCore::BitmapImage::frameImageAtIndex): Use long long casting when calling ImageObserver::decodedSizeChanged().
            * platform/graphics/ImageObserver.h:
            * platform/graphics/cg/PDFDocumentImage.cpp:
            (WebCore::PDFDocumentImage::decodedSizeChanged): Use long long casting when calling
            ImageObserver::decodedSizeChanged().

2016-10-31  Matthew Hanson

        Merge r206802.
        rdar://problem/28409525

    2016-10-28  Said Abou-Hallawa

            The dragged image should be the current frame only of the animated image
            https://bugs.webkit.org/show_bug.cgi?id=162109

            Instead of creating an NSImage with all the frames for the dragImage, create an NSImage with the current
            frame only.

            * bindings/objc/DOM.mm:
            (-[DOMElement image]): Call the Image function with its new name.
            (-[DOMElement _imageTIFFRepresentation]): Ditto.
            * dom/DataTransferMac.mm:
            (WebCore::DataTransfer::createDragImage): Call snapshotNSImage() to create the dragImage.
            * editing/cocoa/HTMLConverter.mm:
            (fileWrapperForElement): Call the Image function with its new name.
            * platform/graphics/BitmapImage.cpp:
            (WebCore::BitmapImage::framesNativeImages): Added.
            * platform/graphics/BitmapImage.h:
            * platform/graphics/Image.h:
            (WebCore::Image::framesNativeImages): Added.
            (WebCore::Image::nsImage): Rename getNSImage() to nsImage().
            (WebCore::Image::snapshotNSImage): Returns the NSImage of the current frame.
            (WebCore::Image::tiffRepresentation): Rename getTIFFRepresentation() to tiffRepresentation().
            (WebCore::Image::getNSImage): Deleted.
            (WebCore::Image::getTIFFRepresentation): Deleted.
            * platform/graphics/mac/ImageMac.mm:
            (WebCore::BitmapImage::tiffRepresentation): Rename getTIFFRepresentation() to tiffRepresentation().
            (WebCore::BitmapImage::nsImage): Rename getNSImage() to nsImage().
            (WebCore::BitmapImage::snapshotNSImage): Returns the NSImage of the current frame.
            (WebCore::BitmapImage::getTIFFRepresentation): Deleted.
            (WebCore::BitmapImage::getNSImage): Deleted.
            * platform/mac/CursorMac.mm:
            (WebCore::createCustomCursor): Call snapshotNSImage() since the cursor does not animate anyway.
            * platform/mac/DragImageMac.mm:
            (WebCore::createDragImageFromImage): Use snapshotNSImage() for the dragImage.
            * platform/mac/PasteboardMac.mm:
            (WebCore::Pasteboard::write): Call the Image function with its new name.

2016-10-27  Daniel Bates

        Merge r207848.
        rdar://problem/28216276

    2016-10-25  Daniel Bates

            REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
            https://bugs.webkit.org/show_bug.cgi?id=163978

            Reviewed by Darin Adler.

            During the tokenization process of an HTML tag the start and end positions of each of its attributes are
            tracked so that the XSS Auditor can request a snippet around a suspected injected attribute. We need to take
            care to consider document.write() boundaries when tracking the start and end positions of each HTML tag and
            attribute so that the XSS Auditor receives the correct snippet. Following r178265 we no longer consider
            document.write() boundaries when tracking the start and end positions of attributes. So, the substring
            represented by the start and end positions of an attribute may correspond to some other attribute in the tag.
            Therefore the XSS Auditor may fail to block an injection because the snippet it requested may not be the
            snippet that it intended to request.

            Tests: http/tests/security/xssAuditor/dom-write-location-dom-write-open-img-onerror.html
                   http/tests/security/xssAuditor/dom-write-location-open-img-onerror.html
                   http/tests/security/xssAuditor/nested-dom-write-location-open-img-onerror.html

            * html/parser/HTMLSourceTracker.cpp:
            (WebCore::HTMLSourceTracker::startToken): Set the attribute base offset to be the token start position.
            (WebCore::HTMLSourceTracker::source): Use the specified attribute start position as-is. We no longer adjust
            it here because it was adjusted with respect to the attribute base offset, which takes into account
            document.write() boundaries.
            * html/parser/HTMLToken.h:
            (WebCore::HTMLToken::setAttributeBaseOffset): Added.
            (WebCore::HTMLToken::beginAttribute): Subtract attribute base offset from the specified offset.
            (WebCore::HTMLToken::endAttribute): Ditto.
            * html/parser/HTMLTokenizer.h:
            (WebCore::HTMLTokenizer::setTokenAttributeBaseOffset): Added.

2016-10-27  David Kilzer

        Fix merge r207708.
        rdar://problem/28962914

        * html/MediaElementSession.cpp:
        (WebCore::isElementRectMostlyInMainFrame): Call unsafeGet().
        * platform/graphics/ImageSource.cpp:
        (WebCore::ImageSource::calculateMaximumSubsamplingLevel): Call unsafeGet().
        * platform/graphics/IntRect.h:
        (WebCore::IntRect::area): Replace non-template area() method with template version.
        * rendering/shapes/Shape.cpp:
        (WebCore::Shape::createRasterShape): Call unsafeGet().

2016-10-27  Matthew Hanson

        Merge r207930. rdar://problem/28811881

    2016-10-26  Zalan Bujtas

            Ignore out-of-flow siblings when searching for a spanner candidate.
            https://bugs.webkit.org/show_bug.cgi?id=164042.

            Reviewed by Simon Fraser.

            While searching for the spanner candidates in a flow thread, we have to take into account whether renderers
            are in- or out-of-flow. What it means is that while traversing the renderer tree to find the candidate
            renderer (next sibling/ancestor's next child in pre-order traversal), we have to check if the candidate is
            in the same layout context too.

            Test: fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html

            * rendering/RenderMultiColumnFlowThread.cpp:
            (WebCore::spannerPlacehoderCandidate):
            (WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant):

2016-10-26  David Kilzer

        Merge r207708. rdar://problem/28962914

        * platform/graphics/BitmapImage.cpp:
        (WebCore::BitmapImage::BitmapImage):
        * platform/graphics/ImageSource.cpp:
        (WebCore::ImageSource::frameBytesAtIndex):
        - Add calls to unsafeGet() that don't exist in trunk.

    2016-10-21  David Kilzer

            Bug 163762: IntSize::area() should use checked arithmetic

            Reviewed by Darin Adler.

            No new tests since no change in nominal behavior.

            * platform/graphics/IntSize.h:
            (WebCore::IntSize::area): Change to return a Checked value. Use WTF:: namespace to avoid including another
            header.
            * platform/graphics/IntRect.h:
            (WebCore::IntRect::area): Ditto.
            The remaining changes are to use the Checked return value of IntSize::area() and IntRect::area() correctly
            in context, in addition to items noted below.

            * html/HTMLPlugInImageElement.cpp:
            (WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin): Declare contentWidth and contentHeight as float
            values to prevent overflow when computing the area, and to make the inequality comparison in the return
            statement use the same type for both sides.
            * html/ImageData.cpp:
            (WebCore::ImageData::ImageData):
            * html/MediaElementSession.cpp:
            (WebCore::isElementRectMostlyInMainFrame):
            * platform/graphics/ImageBackingStore.h:
            (WebCore::ImageBackingStore::setSize): Restructure logic to compute area only once.
            (WebCore::ImageBackingStore::clear):
            * platform/graphics/ImageFrame.h:
            (WebCore::ImageFrame::frameBytes):
            * platform/graphics/ImageSource.cpp:
            (WebCore::ImageSource::maximumSubsamplingLevel):
            * platform/graphics/ca/LayerPool.cpp:
            (WebCore::LayerPool::backingStoreBytesForSize):
            * platform/graphics/cg/ImageDecoderCG.cpp:
            (WebCore::ImageDecoder::frameBytesAtIndex):
            * platform/graphics/filters/FEGaussianBlur.cpp:
            (WebCore::FEGaussianBlur::platformApplySoftware):
            * platform/graphics/filters/FilterEffect.cpp:
            (WebCore::FilterEffect::asUnmultipliedImage):
            (WebCore::FilterEffect::asPremultipliedImage):
            (WebCore::FilterEffect::copyUnmultipliedImage):
            (WebCore::FilterEffect::copyPremultipliedImage):
            (WebCore::FilterEffect::createUnmultipliedImageResult):
            (WebCore::FilterEffect::createPremultipliedImageResult):
            * platform/graphics/win/ImageBufferDataDirect2D.cpp:
            (WebCore::ImageBufferData::getData): Update overflow check, rename local variable to numBytes, and compute
            numBytes once.
            * platform/graphics/win/ImageDecoderDirect2D.cpp:
            (WebCore::ImageDecoder::frameBytesAtIndex):
            * platform/image-decoders/ImageDecoder.cpp:
            (WebCore::ImageDecoder::frameBytesAtIndex):
            * platform/ios/LegacyTileLayerPool.mm:
            (WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
            * rendering/shapes/Shape.cpp:
            (WebCore::Shape::createRasterShape):

2016-10-26  David Kilzer

        Merge r207560. rdar://problem/28962914

    2016-10-19  David Kilzer

            Bug 163670: Refine assertions in WebCore::ImageData constructors

            Reviewed by Brent Fulgham.

            No new tests because there is no change in nominal behavior.

            * html/ImageData.cpp:
            (WebCore::ImageData::ImageData(const IntSize&)): Change to use ASSERT() since the worst-case scenario here
            is a nullptr deref. Switch to IntSize::area() to compute the area.
            (WebCore::ImageData::ImageData(const IntSize&, Ref&&)): Add ASSERT() identical to the previous constructor,
            and change ASSERT_WITH_SECURITY_IMPLICATION() to only fire when m_data is not nullptr and the length check
            fails. Switch to IntSize::area() to compute the area.

2016-10-26  Matthew Hanson

        Merge r207523. rdar://problem/28718748

    2016-10-19  Jer Noble

            [Mac][MSE] Movies with a 'mehd' box have a zero-duration
            https://bugs.webkit.org/show_bug.cgi?id=163641

            Reviewed by Darin Adler.

            Test: media/media-source/media-source-init-segment-duration.html

            The canonical (ISO/IEC 14496-12:2012) way to signal the duration of a fragmented media file is to add a
            'mehd' box to the 'mvex' container box specifying the duration of the fragment. Support this through the
            AVAsset -overallDurationHint property.

            * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm:
            (WebCore::SourceBufferPrivateAVFObjC::didParseStreamDataAsAsset):
            * platform/spi/mac/AVFoundationSPI.h:

2016-10-26  Matthew Hanson

        Merge r207547.
        rdar://problem/28810755

    2016-10-19  Zalan Bujtas

            Use anonymous table row for new child at RenderTableRow::addChild() if available.
            https://bugs.webkit.org/show_bug.cgi?id=163651

            Reviewed by David Hyatt.

            We should try to prevent the continuation siblings from getting separated and inserted into wrapper
            renderers. It makes finding these continuation siblings difficult. This patch adds a check for anonymous
            table rows so that we could find a closer common ancestor of beforeChild/new child.

            Test: fast/table/crash-when-table-has-continuation-and-content-inserted.html

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::showRenderObject): Add continuation information.
            * rendering/RenderTableRow.cpp:
            (WebCore::RenderTableRow::addChild):

2016-10-26  Matthew Hanson

        Merge r207804. rdar://problem/28849628

    2016-10-24  Zalan Bujtas

            Do not update selection rect on dirty lineboxes.
            https://bugs.webkit.org/show_bug.cgi?id=163862

            Reviewed by Simon Fraser.

            In certain cases RenderBlock::updateFirstLetter() triggers unwanted render tree mutation while the caller
            assumes intact renderers. This patch ensures that no renderers get destroyed while computing the preferred
            widths when we are outside of layout context.

            Test: fast/css-generated-content/dynamic-first-letter-selection-clear-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::computePreferredLogicalWidths):
            (WebCore::RenderBlock::updateFirstLetter):
            * rendering/RenderBlock.h:
            * rendering/RenderListItem.cpp:
            (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):
            * rendering/RenderRubyRun.cpp:
            (WebCore::RenderRubyRun::updateFirstLetter):
            * rendering/RenderRubyRun.h:
            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::updateFirstLetter):
            * rendering/RenderTable.h:
            * rendering/svg/RenderSVGText.cpp:
            (WebCore::RenderSVGText::updateFirstLetter):
            * rendering/svg/RenderSVGText.h:

2016-10-26  Matthew Hanson

        Merge r207692.
        rdar://problem/28810751

    2016-10-20  Dean Jackson

            SVG should not paint selection within a mask
            https://bugs.webkit.org/show_bug.cgi?id=163772

            Reviewed by Simon Fraser.

            When masking content, we shouldn't paint the text selection as we are rendering into the masking offscreen
            buffer.

            Test: svg/masking/mask-should-not-paint-selection.html

            * rendering/PaintPhase.h: Add a new behavior - PaintBehaviorSkipSelectionHighlight.
            * rendering/svg/SVGInlineTextBox.cpp:
            (WebCore::SVGInlineTextBox::paint): Don't update the selectionStyle if PaintBehaviorSkipSelectionHighlight
            is true.
            * rendering/svg/SVGRenderingContext.cpp:
            (WebCore::SVGRenderingContext::renderSubtreeToImageBuffer): Add PaintBehaviorSkipSelectionHighlight to the
            PaintInfo.

2016-10-26  Matthew Hanson

        Merge r207683. rdar://problem/28849627

    2016-10-21  Zalan Bujtas

            Do not mutate the render tree while collecting selection repaint rects.
            https://bugs.webkit.org/show_bug.cgi?id=163800

            Reviewed by David Hyatt.

            RenderListItem not only mutates the tree while in layout but it also uses the old descendant context to find
            the insertion point. This patch strictly ensures that we only do it while in layout and never in other cases
            such as collecting repaint rects. This gets redundant when webkit.org/b/163789 is fixed.

            Test: fast/lists/crash-when-list-marker-is-moved-during-selection.html

            * rendering/RenderListItem.cpp:
            (WebCore::RenderListItem::insertOrMoveMarkerRendererIfNeeded):

2016-10-26  Matthew Hanson

        Merge r207661. rdar://problem/28857478

    2016-10-21  Jer Noble

            CRASH in SourceBuffer::sourceBufferPrivateDidReceiveSample + 2169
            https://bugs.webkit.org/show_bug.cgi?id=163735

            Reviewed by Eric Carlson.

            Test: media/media-source/media-source-sample-wrong-track-id.html

            When SourceBuffer receives a sample in sourceBufferPrivateDidReceiveSample() containing a trackID not
            previously seen in an initialization segment, it creates a default TrackBuffer object to contain that
            track's samples.
        One of the fields in TrackBuffer, description, is normally filled out when an initialization segment is received, but with this default TrackBuffer, it's still null when it's checked later in sourceBufferPrivateDidReceiveSample(). Rather than adding a null-check on trackBuffer.description, drop any sample that has a trackID which was not present during a previous initialization segment.

        * Modules/mediasource/SourceBuffer.cpp:
        (WebCore::SourceBuffer::sourceBufferPrivateDidReceiveSample):

2016-10-26  Matthew Hanson

        Merge r207631. rdar://problem/28810750

2016-10-20  Zalan Bujtas

        Stop searching for first-letter containers at multi-column boundary.
        https://bugs.webkit.org/show_bug.cgi?id=163739

        We should not cross the multi-column boundary while searching for the first-letter container. While moving first-letter renderers to a multi-column parent, it could result in finding the wrong container and end up adding a new wrapper under the original container (from where we are moving the renderers).

        Reviewed by David Hyatt.

        Test: fast/css-generated-content/first-letter-move-to-multicolumn-crash.html

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::moveChildrenTo):
        * rendering/RenderTextFragment.cpp:
        (WebCore::RenderTextFragment::blockForAccompanyingFirstLetter):

2016-10-26  Matthew Hanson

        Merge r207477. rdar://problem/28810756

2016-10-18  Brent Fulgham

        Correct Document::removeAllEventListeners
        https://bugs.webkit.org/show_bug.cgi?id=163558

        Reviewed by Chris Dumez.

        Tested by fast/dom/node-move-to-new-document-crash-main.html.

        * dom/Document.cpp:
        (WebCore::Document::removeAllEventListeners): Clear out the wheel and touch event targets when clearing all data.

2016-10-26  Matthew Hanson

        Merge r207221. rdar://problem/28894492

2016-10-12  Brent Fulgham

        [WebGL] Revise vertex array attribute checks to account for lazy memory allocation.
        https://bugs.webkit.org/show_bug.cgi?id=163149

        Reviewed by Dean Jackson.
        Tested by fast/canvas/webgl/webgl-drawarrays-crash-2.html

        * html/canvas/WebGLRenderingContextBase.cpp:
        (WebCore::WebGLRenderingContextBase::validateVertexAttributes):

2016-10-26  Matthew Hanson

        Merge r206190. rdar://problem/28744102

2016-09-20  Nan Wang

        AX: AppleVisUser: VO can't navigate web dialogs iOS10
        https://bugs.webkit.org/show_bug.cgi?id=162322

        Reviewed by Chris Fleizach.

        When using VoiceOver to navigate a web dialog's children, we were setting focus onto the focusable parent in accessibilityElementDidBecomeFocused. When the focusable parent is the dialog, it will cause the VO cursor to jump back and forth. Fixed it by not setting focus on web dialogs in such a case.

        Test: accessibility/ios-simulator/dialog-did-become-focused.html

        * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
        (-[WebAccessibilityObjectWrapper accessibilityElementDidBecomeFocused]):

2016-10-26  Matthew Hanson

        Merge r206102. rdar://problem/28744106

2016-09-19  Nan Wang

        AX: Add accessibility support for details element on iOS
        https://bugs.webkit.org/show_bug.cgi?id=162041

        Reviewed by Chris Fleizach.

        The details and summary elements are poorly supported on iOS. Two major issues:
        1. Assistive technologies taking focus onto details/summary elements will cause unexpected behavior.
        2. VoiceOver is not speaking the expanded status of the details element.
        Fixed them by not setting focus onto elements inside details and exposing the details element's expanded status to its summary's accessible children.
        Test: accessibility/ios-simulator/detail-summary-ios.html

        * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
        (matchedParent):
        (-[WebAccessibilityObjectWrapper _accessibilityListAncestor]):
        (-[WebAccessibilityObjectWrapper _accessibilityLandmarkAncestor]):
        (-[WebAccessibilityObjectWrapper _accessibilityTableAncestor]):
        (-[WebAccessibilityObjectWrapper _accessibilityFieldsetAncestor]):
        (-[WebAccessibilityObjectWrapper tableCellParent]):
        (-[WebAccessibilityObjectWrapper tableParent]):
        (-[WebAccessibilityObjectWrapper convertPointToScreenSpace:]):
        (-[WebAccessibilityObjectWrapper convertRectToScreenSpace:]):
        (-[WebAccessibilityObjectWrapper detailParentForSummaryObject:]):
        (-[WebAccessibilityObjectWrapper detailParentForObject:]):
        (-[WebAccessibilityObjectWrapper accessibilityElementDidBecomeFocused]):
        (-[WebAccessibilityObjectWrapper accessibilitySupportsARIAExpanded]):
        (-[WebAccessibilityObjectWrapper accessibilityIsExpanded]):

2016-10-24  Matthew Hanson

        Merge r204472. rdar://problem/28544885

2016-08-15  Keith Rollin

        Rename LOG_ALWAYS
        https://bugs.webkit.org/show_bug.cgi?id=160768

        Rename LOG_ALWAYS and friends, given that the first parameter to it is a boolean expression that determines whether or not logging should be performed.

        Reviewed by Chris Dumez.

        No new tests. No new functionality is added. Only some macro names have been changed.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::prepareForLoadStart):
        (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
        * platform/MemoryPressureHandler.cpp:
        (WebCore::MemoryPressureHandler::ReliefLogger::logMemoryUsageChange):
        * platform/graphics/cocoa/IOSurface.mm:
        (WebCore::IOSurface::IOSurface):

2016-10-20  Matthew Hanson

        Merge r207220. rdar://problem/28811939

2016-10-12  Wenson Hsieh

        Now playing media sessions are always cleared for the active foreground tab
        https://bugs.webkit.org/show_bug.cgi?id=163310

        Reviewed by Jer Noble.
        Currently, we clear out Now Playing info whenever we set the visibility of Now Playing controls to Never. This is incorrect, as the Now Playing session needs to still be active (just not visible) in this state. Instead, we should not be taking the active/foregrounded-ness of a media session for Now Playing into account in MediaElementSession::canShowControlsManager so that even if a media session is in the active/foreground tab, we will update the Now Playing session with the latest info. However, when setting the visibility, we now check and see if the session allows Now Playing visibility, and set the Now Playing visibility to Always or Never depending on the answer.

        Tweaked existing unit tests in NowPlayingControlsTests.

        * html/MediaElementSession.cpp:
        (WebCore::MediaElementSession::canShowControlsManager):
        (WebCore::MediaElementSession::allowsNowPlayingControlsVisibility):
        (WebCore::MediaElementSession::pageAllowsNowPlayingControls): Deleted.
        * html/MediaElementSession.h:
        * platform/audio/PlatformMediaSession.h:
        (WebCore::PlatformMediaSession::allowsNowPlayingControlsVisibility):
        * platform/audio/mac/MediaSessionManagerMac.mm:
        (WebCore::MediaSessionManagerMac::updateNowPlayingInfo):

2016-10-20  Matthew Hanson

        Merge r206771. rdar://problem/28811939

2016-10-04  Wenson Hsieh

        Media controls are displayed in the incorrect state momentarily after switching between tabs playing media
        https://bugs.webkit.org/show_bug.cgi?id=162766

        Reviewed by Jer Noble.

        When showing Now Playing controls for a media session, we should first set up the Now Playing info and playback state before telling MediaRemote to make the session visible. This is WebKit work in ensuring that when switching Now Playing sessions by switching tabs, we do not first display an invalid Now Playing state before updating to the expected state.

        Adds 2 new WebKit API tests in NowPlayingControlsTests: NowPlayingControlsHideAfterShowingClearsInfo and NowPlayingControlsClearInfoAfterSessionIsNoLongerValid.
        * platform/audio/PlatformMediaSessionManager.h:
        (WebCore::PlatformMediaSessionManager::lastUpdatedNowPlayingTitle):
        (WebCore::PlatformMediaSessionManager::lastUpdatedNowPlayingDuration):
        (WebCore::PlatformMediaSessionManager::lastUpdatedNowPlayingElapsedTime):
        (WebCore::PlatformMediaSessionManager::hasActiveNowPlayingSession): Deleted.
        * platform/audio/mac/MediaSessionManagerMac.h:
        * platform/audio/mac/MediaSessionManagerMac.mm:
        (WebCore::MediaSessionManagerMac::updateNowPlayingInfo):

2016-10-20  Matthew Hanson

        Merge r207486. rdar://problem/28409742

2016-10-18  Ryosuke Niwa

        REGRESSION (r201471): Keyboard remains visible when swiping back on twitter.com
        https://bugs.webkit.org/show_bug.cgi?id=163581

        Reviewed by Simon Fraser.

        The bug was caused by Chrome::elementDidBlur not getting called, which resulted in StopAssistingNode not getting sent to the UI process.

        Test: fast/forms/ios/hide-keyboard-on-node-removal.html

        * dom/Document.cpp:
        (WebCore::Document::setFocusedElement): Restore the behavior prior to r201471 by calling Chrome::elementDidBlur explicitly.
        * html/HTMLTextFormControlElement.cpp:
        (WebCore::HTMLTextFormControlElement::dispatchBlurEvent): Added a comment about ordering.

2016-10-20  Matthew Hanson

        Merge r207275. rdar://problem/28810752

2016-10-12  Zalan Bujtas

        RenderRubyRun should not mark child renderers dirty at the end of layout.
        https://bugs.webkit.org/show_bug.cgi?id=163359

        Reviewed by David Hyatt.

        The current layout logic does not support marking renderers dirty for subsequent layouts. Layout needs to exit with a clean tree. Should relayoutChild be insufficient, we could also mark the base/text dirty for the justified content.

        Test: fast/ruby/rubyrun-has-bad-child.html

        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::RenderBlockFlow::updateRubyForJustifiedText):
        * rendering/RenderRubyRun.cpp:
        (WebCore::RenderRubyRun::layout):
        (WebCore::RenderRubyRun::layoutBlock):
        * rendering/RenderRubyRun.h:

2016-10-20  Matthew Hanson

        Merge r207274.
        rdar://problem/28849629

2016-10-12  Simon Fraser

        Crash when using megaplan.ru
        https://bugs.webkit.org/show_bug.cgi?id=163276
        rdar://problem/28446672

        Reviewed by Sam Weinig.

        Make sure we allocate enough space in the vector of CGPoints that we use for path building.

        Test: css3/masking/large-clip-path.html

        * platform/graphics/cg/PathCG.cpp:
        (WebCore::Path::polygonPathFromPoints):

2016-10-20  Matthew Hanson

        Merge r207159. rdar://problem/28857481

2016-10-11  Daniel Bates

        [iOS] REGRESSION (r197953): User gesture required to load video in iOS 9-built apps
        https://bugs.webkit.org/show_bug.cgi?id=163244

        Reviewed by Jer Noble.

        Adds a new setting to toggle requiring a user gesture to load a video (enabled by default). Disable this setting for apps built against iOS 9 or earlier.

        Tests: media/loadedmetadata-fires-without-user-gesture-when-setRequiresUserGestureToLoadVideo-false.html
               media/require-user-gesture-to-load-video.html

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::HTMLMediaElement): Only require a user gesture to load a video when Settings::requiresUserGestureToLoadVideo() is true.
        * page/Settings.cpp: Enable setting requiresUserGestureToLoadVideo by default.
        * page/Settings.in: Add setting, requiresUserGestureToLoadVideo.

2016-10-20  Matthew Hanson

        Merge r206712. rdar://problem/28216065

2016-10-01  Simon Fraser

        Bad cast when CSS position programmatically changed from -webkit-sticky to fixed
        https://bugs.webkit.org/show_bug.cgi?id=160826

        Reviewed by Zalan Bujtas.

        If a scrolling state tree node changed type (e.g. from sticky to fixed), we'd fail to recreate the node so keep a node with the wrong type. Fix by destroying the node and making a new one with a new ID in this case. The new ID is necessary to ensure that the scrolling tree is updated.
        Test: fast/scrolling/sticky-to-fixed.html

        * page/scrolling/ScrollingStateTree.cpp:
        (WebCore::ScrollingStateTree::nodeTypeAndParentMatch):
        (WebCore::ScrollingStateTree::attachNode):
        (WebCore::ScrollingStateTree::stateNodeForID):
        * page/scrolling/ScrollingStateTree.h:

2016-10-20  Matthew Hanson

        Merge r206706. rdar://problem/28635081

2016-09-30  David Kilzer

        REGRESSION (r203424): WebCore::ImageBuffer::createCompatibleBuffer() in ImageBufferCG.cpp over-releases CGColorSpaceRef objects

        Reviewed by Joseph Pecoraro.

        Code is covered by existing tests, but no crashes have been observed in practice. May require running one test multiple times to reproduce.

        * platform/graphics/cg/ImageBufferCG.cpp:
        (WebCore::ImageBuffer::createCompatibleBuffer): Don't use adoptCF() when the function doesn't return a +1 retained CGColorSpaceRef.

2016-10-20  Matthew Hanson

        Merge r206074. rdar://problem/28216061

2016-09-17  David Kilzer

        MainThreadBridge needs an isolatedCopy() of SecurityOrigin

        Reviewed by Carlos Garcia Campos.

        Covered by existing tests.

        * loader/WorkerThreadableLoader.cpp:
        (WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Make an isolatedCopy() of SecurityOrigin here since that's the correct idiom to use when the object is passed from a worker thread back to the main thread. Fix suggested by Daniel Bates.

2016-10-20  Babak Shafiei

        Build fix. rdar://problem/28883727

        * platform/network/cf/SynchronousResourceHandleCFURLConnectionDelegate.cpp:
        (WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveResponse):

2016-10-20  Daniel Bates

        Merge r206809. rdar://problem/28718761

2016-10-05  Daniel Bates

        Do not follow redirects when sending violation report
        https://bugs.webkit.org/show_bug.cgi?id=162520

        Reviewed by Alex Christensen.

        Do not follow redirects when sending a Content Security Policy or XSS Auditor violation report as redirects can be used to forward report details to a third-party.
        This change makes WebKit more closely conform to the reporting requirements in section Reporting of the Content Security Level 2 standard: (Editor's Draft, 25 April 2016).

        Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
               http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
               http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html

        * loader/LoaderStrategy.h: Modified createPingHandle() to take a boolean, shouldFollowRedirects, whether to follow redirect responses for a ping request.
        * loader/PingLoader.cpp:
        (WebCore::PingLoader::loadImage): Pass ShouldFollowRedirects::Yes to PingLoader::startPingLoad to keep our current behavior.
        (WebCore::PingLoader::sendPing): Ditto. Note our current behavior of following redirects matches the behavior described in the section "Hyperlink auditing" of the HTML standard: (23 September 2016).
        (WebCore::PingLoader::sendViolationReport): Pass ShouldFollowRedirects::No to PingLoader::startPingLoad so that we do not follow redirects when sending a violation report.
        (WebCore::PingLoader::startPingLoad): Modified to take argument shouldFollowRedirects whether to follow redirect responses for a ping request.
        * loader/PingLoader.h:
        * platform/network/PingHandle.h: Add boolean m_shouldFollowRedirects. I grouped this boolean with the existing boolean, m_shouldUseCredentialStorage, as opposed to appending to the end of the class definition to avoid increasing object size as clang will coalesce the two bools into a single machine word. Override ResourceHandleClient::willSendRequest() and ResourceHandleClient::willSendRequestAsync() to follow a redirect, if applicable.

2016-10-20  Matthew Hanson

        Merge r206217.
        rdar://problem/28811877

2016-09-21  Daniel Bates

        REGRESSION (r201090): Setting style.webkitTextSizeAdjust does not change text change on iPad
        https://bugs.webkit.org/show_bug.cgi?id=162227

        Reviewed by Simon Fraser.

        The CSS property -webkit-text-size-adjust should be respected on all iOS devices. Following r201090 we respect it only on iPhone and in iPhone-apps run on iPad.

        Tests: fast/text-autosizing/ios/ipad/programmatic-text-size-adjust.html
               fast/text-autosizing/ios/ipad/text-size-adjust-inline-style.html
               fast/text-autosizing/ios/programmatic-text-size-adjust.html
               fast/text-autosizing/ios/text-size-adjust-inline-style.html
               fast/text-autosizing/text-size-adjust-inline-style.html

        * css/parser/CSSParser.cpp:
        (WebCore::isValidKeywordPropertyAndValue): Remove unused code to validate -webkit-text-size-adjust. This code is never used because -webkit-text-size-adjust is a value property (since it accepts a as a value and CSSParserFastPaths::isKeywordPropertyID(CSSPropertyWebkitTextSizeAdjust) returns false). That is, it is not a keyword property.
        (WebCore::CSSParser::parseValue): Always enable the -webkit-text-size-adjust CSS property when building for iOS regardless of whether Settings::textAutosizingEnabled() is enabled.

2016-10-20  Matthew Hanson

        Merge r206881. rdar://problem/28721519

2016-10-06  Anders Carlsson

        Crash when ApplePaySession.completeMerchantValidation is not passed a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=163074
        rdar://problem/27824842

        Reviewed by Tim Horton.

        Raise a type error on a null initializer object.

        * Modules/applepay/ApplePaySession.cpp:
        (WebCore::ApplePaySession::completeMerchantValidation):

2016-10-20  Matthew Hanson

        Merge r204637. rdar://problem/28216256

2016-08-16  Simon Fraser

        Rename didLayout(LayoutMilestones) to didReachLayoutMilestone(), and related WK2 functions
        https://bugs.webkit.org/show_bug.cgi?id=160923

        Reviewed by Tim Horton.
        didLayout(LayoutMilestones) -> didReachLayoutMilestone(LayoutMilestones)
        dispatchDidLayout(LayoutMilestones) -> dispatchDidReachLayoutMilestone(LayoutMilestones)

        * dom/Document.cpp:
        (WebCore::Document::setVisualUpdatesAllowed):
        * loader/EmptyClients.h:
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::didReachLayoutMilestone):
        (WebCore::FrameLoader::didLayout): Deleted.
        * loader/FrameLoader.h:
        * loader/FrameLoaderClient.h:
        * page/FrameView.cpp:
        (WebCore::FrameView::fireLayoutRelatedMilestonesIfNeeded):
        (WebCore::FrameView::firePaintRelatedMilestonesIfNeeded):
        * page/LayoutMilestones.h: Formatting
        * page/Page.cpp:
        (WebCore::Page::addRelevantRepaintedObject):

2016-10-20  Matthew Hanson

        Merge r207157. rdar://problem/28857500

2016-10-11  Daniel Bates

        [iOS] Sandbox QuickLook previews
        https://bugs.webkit.org/show_bug.cgi?id=163240

        Fix bad merge following r207151.

        * platform/network/cf/ResourceResponse.h: Define m_isQuickLook.

2016-10-20  Matthew Hanson

        Merge r207155. rdar://problem/28857500

2016-10-11  Daniel Bates

        [iOS] Sandbox QuickLook previews
        https://bugs.webkit.org/show_bug.cgi?id=163240

        Reviewed by Brent Fulgham.

        Use a unique origin for- and limit the capabilities of- QuickLook previews.

        Tests: http/tests/quicklook/at-import-stylesheet-blocked.html
               http/tests/quicklook/base-url-blocked.html
               http/tests/quicklook/cross-origin-iframe-blocked.html
               http/tests/quicklook/csp-header-ignored.html
               http/tests/quicklook/document-domain-is-empty-string.html
               http/tests/quicklook/external-stylesheet-blocked.html
               http/tests/quicklook/hide-referer-on-navigation.html
               http/tests/quicklook/submit-form-blocked.html
               http/tests/quicklook/top-navigation-blocked.html

        * dom/Document.cpp:
        (WebCore::Document::processHttpEquiv): Call ContentSecurityPolicy::didReceiveHeader().
        (WebCore::Document::processReferrerPolicy): Do not process referrer policy for QuickLook previews.
        (WebCore::Document::initSecurityContext): Apply sandbox for QuickLook previews.
        (WebCore::Document::shouldEnforceQuickLookSandbox): Added.
        (WebCore::Document::applyQuickLookSandbox): Added.
        * dom/Document.h:
        * page/csp/ContentSecurityPolicy.h: Change accessibility of didReceiveHeader() from private to public.
        (WebCore::ContentSecurityPolicy::processHTTPEquiv): Deleted.
        * platform/network/cf/ResourceResponse.h:
        (WebCore::ResourceResponse::isQuickLook): Added.
        (WebCore::ResourceResponse::setIsQuickLook): Added.
        * platform/network/cf/SynchronousResourceHandleCFURLConnectionDelegate.cpp:
        (WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveResponse): Modified to mark resource response as a QuickLook preview, if appropriate. Also remove the name of the first argument and the need to use UNUSED_PARAM(connection) as we no longer make use of the first argument following r207151.
        * platform/network/ios/QuickLook.mm:
        (-[WebResourceLoaderQuickLookDelegate _sendDidReceiveResponseIfNecessary]): Ditto.
        * platform/network/mac/WebCoreResourceHandleAsDelegate.mm:
        (-[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:]): Ditto. Fix style nits, including renaming the function argument "r" to "resource" to better describe its purpose.

2016-10-20  Matthew Hanson

        Merge r206132. rdar://problem/28634856

2016-09-19  Anders Carlsson

        Suppress JavaScript prompts early on in certain cases
        https://bugs.webkit.org/show_bug.cgi?id=162243
        rdar://problem/27661602

        Reviewed by Geoffrey Garen.

        Export symbols needed by WebKit2.

        * loader/FrameLoader.h:
        * loader/FrameLoaderStateMachine.h:

2016-10-20  Matthew Hanson

        Merge r205326. rdar://problem/28476952

2016-09-01  Ricky Mondello

        YouTube Flash plug-in replacement facility should not insert showinfo=0 into iframe URLs
        https://bugs.webkit.org/show_bug.cgi?id=161478

        Reviewed by Eric Carlson.

        * Modules/plugins/YouTubePluginReplacement.cpp:
        (WebCore::YouTubePluginReplacement::youTubeURLFromAbsoluteURL): Stop adding the query parameter.

2016-10-20  Matthew Hanson

        Merge r205306.
        rdar://problem/28476952

2016-09-01  Ricky Mondello

        YouTube Flash plug-in replacement facility should more gracefully handle malformed queries
        https://bugs.webkit.org/show_bug.cgi?id=161476

        Reviewed by Eric Carlson.

        Some YouTube Flash embeds use '&' instead of '?' to start the query portion of the URL. Before this patch, our implementation discards all parts of the path after the '&', which could drop important query information like the start time for the video. This patch treats anything after that '&' as a "malformed query" and uses it as the query to restore to the transformed URL if there was no actual query in the original URL.

        * Modules/plugins/YouTubePluginReplacement.cpp:
        (WebCore::processAndCreateYouTubeURL): Add an out-parameter for the path after the first ampersand.
        (WebCore::YouTubePluginReplacement::youTubeURLFromAbsoluteURL): If the input URL had no query, append the possibly malformed one found after the first ampersand to the replacement URL.

2016-10-20  Matthew Hanson

        Merge r205274. rdar://problem/28476952

2016-08-31  Ricky Mondello

        Enable the YouTube Flash plug-in replacement behavior on all Cocoa ports
        https://bugs.webkit.org/show_bug.cgi?id=161453

        Reviewed by Eric Carlson.

        Now that we have some tests for the URL transformation logic (r205212) and the ability to enable the YouTube Flash plug-in replacement behavior independently from the QuickTime plug-in replacement behavior (r205214 and r205271), enable the YouTube Flash plug-in replacement behavior for Cocoa ports. We can and will continue to improve it.

        * page/Settings.cpp: Enable the feature for PLATFORM(COCOA), rather than just PLATFORM(IOS).

2016-10-20  Matthew Hanson

        Merge r205271. rdar://problem/28476952

2016-08-31  Ricky Mondello

        Break pluginReplacementEnabled into youTubeFlashPluginReplacementEnabled and quickTimePluginReplacementEnabled
        https://bugs.webkit.org/show_bug.cgi?id=161424

        Reviewed by Dean Jackson.
        Replace the single pluginReplacementEnabled setting with individual settings for the YouTube Flash plug-in behavior and the QuickTime plug-in behavior. Unless otherwise noted, this change copies the existing plumbing for pluginReplacementEnabled and renames it twice. The default values for these settings remain the same.

        * Modules/plugins/PluginReplacement.h:
        (WebCore::ReplacementPlugin::ReplacementPlugin): Augment the constructor.
        (WebCore::ReplacementPlugin::isEnabledBySettings): Added.
        * Modules/plugins/QuickTimePluginReplacement.h: Declare a static member function.
        * Modules/plugins/QuickTimePluginReplacement.mm:
        (WebCore::QuickTimePluginReplacement::registerPluginReplacement): Properly create a ReplacementPlugin instance.
        (WebCore::QuickTimePluginReplacement::isEnabledBySettings): Added.
        * Modules/plugins/YouTubePluginReplacement.cpp:
        (WebCore::YouTubePluginReplacement::registerPluginReplacement): Properly create a ReplacementPlugin instance.
        (WebCore::YouTubePluginReplacement::isEnabledBySettings): Added.
        * Modules/plugins/YouTubePluginReplacement.h: Declare a static member function.
        * html/HTMLPlugInElement.cpp:
        (WebCore::HTMLPlugInElement::requestObject): Ask the ReplacementPlugin whether it's enabled, rather than assume all plug-in replacement is guarded by a single run-time setting.
        * page/Settings.cpp: Declare values for defaults for both settings.
        * page/Settings.in: Declare two settings.
        * testing/InternalSettings.cpp:
        (WebCore::InternalSettings::Backup::Backup): Handle both settings.
        (WebCore::InternalSettings::Backup::restoreTo): Ditto.
        (WebCore::InternalSettings::setQuickTimePluginReplacementEnabled): Added.
        (WebCore::InternalSettings::setYouTubeFlashPluginReplacementEnabled): Added.
        (WebCore::InternalSettings::setPluginReplacementEnabled): Deleted.
        * testing/InternalSettings.h: Duplicate and rename.
        * testing/InternalSettings.idl: Ditto.

2016-10-20  Matthew Hanson

        Merge r205214.
        rdar://problem/28476952

2016-08-30  Ricky Mondello

        "pluginReplacementEnabled" should be a Setting, not a RuntimeEnabledFeature
        https://bugs.webkit.org/show_bug.cgi?id=161416

        Reviewed by Simon Fraser.

        Mostly mechanical. Tested by running LayoutTests/plugins/quicktime-plugin-replacement.html and manually toggling defaultPluginReplacementEnabled and observing a behavior change.

        * bindings/generic/RuntimeEnabledFeatures.cpp:
        (WebCore::RuntimeEnabledFeatures::reset): Purged of the pluginReplacementEnabled setting.
        * bindings/generic/RuntimeEnabledFeatures.h:
        (WebCore::RuntimeEnabledFeatures::setPluginReplacementEnabled): Deleted.
        (WebCore::RuntimeEnabledFeatures::pluginReplacementEnabled): Deleted.
        * html/HTMLPlugInElement.cpp:
        (WebCore::HTMLPlugInElement::requestObject): Use the setting.
        * page/Settings.cpp: Supply different values for iOS and other platforms, matching the RuntimeEnabledFeature values, enabled for iOS and disabled otherwise.
        * page/Settings.in: Declare the setting.
        * testing/InternalSettings.cpp:
        (WebCore::InternalSettings::Backup::Backup): Use the setting.
        (WebCore::InternalSettings::Backup::restoreTo): Ditto.
        (WebCore::InternalSettings::setPluginReplacementEnabled): Ditto.
        * testing/InternalSettings.h: Can now throw an exception, like other Settings-backed members.
        * testing/InternalSettings.idl: Declare this as possibly throwing an exception.

2016-10-20  Matthew Hanson

        Merge r205212. rdar://problem/28476952

2016-08-30  Ricky Mondello

        YouTubePluginReplacementTest's URL transformation logic should have tests
        https://bugs.webkit.org/show_bug.cgi?id=161406

        Reviewed by Eric Carlson.

        Refactor most of YouTubePluginReplacement::youTubeURL into a static method that can be used by TestWebKitAPI.

        * Modules/plugins/YouTubePluginReplacement.cpp:
        (WebCore::YouTubePluginReplacement::youTubeURL): Now implemented in terms of youTubeURLFromAbsoluteURL.
        (WebCore::YouTubePluginReplacement::youTubeURLFromAbsoluteURL): Absorbs most of youTubeURL.
        * Modules/plugins/YouTubePluginReplacement.h: Declare a public method, for the benefit of testing.
        * WebCore.xcodeproj/project.pbxproj: Make some headers private for TestWebKitAPI's benefit.

2016-08-25  Brent Fulgham

        Merge r205163. rdar://problem/28216249

2016-08-29  Brent Fulgham

        Avoid holding GlyphData in MathOperator
        https://bugs.webkit.org/show_bug.cgi?id=161256

        Reviewed by Myles C. Maxfield.

        Do not cache GlyphData in MathOperator elements, because the fonts referenced in the GlyphData may be purged during low-memory conditions. Instead, we should store either the relevant CodePoint, or the fallback Glyph (for the current system font).

        Added an initialization function for GlyphAssemblyData, since unions containing structs do not properly call constructors, resulting in garbage font/glyph content.

        No new tests. Changes are covered by existing MathML test suite.

        * rendering/mathml/MathOperator.cpp:
        (WebCore::MathOperator::GlyphAssemblyData::initialize): Added.
        (WebCore::MathOperator::MathOperator): Initialize m_assembly/m_variant.
        (WebCore::MathOperator::setSizeVariant): Only store the glyph, not the font.
        (WebCore::glyphDataForCodePointOrFallbackGlyph): Added helper function.
        (WebCore::MathOperator::setGlyphAssembly): Do not rely on stored GlyphData.
        (WebCore::MathOperator::calculateGlyphAssemblyFallback): Remove unneeded argument. Check if a fallback glyph is being used and remember for later.
        (WebCore::MathOperator::calculateStretchyData): Do not rely on stored GlyphData.
        (WebCore::MathOperator::fillWithVerticalExtensionGlyph): Ditto.
        (WebCore::MathOperator::fillWithHorizontalExtensionGlyph): Ditto.
        (WebCore::MathOperator::paintVerticalGlyphAssembly): Ditto.
        (WebCore::MathOperator::paintHorizontalGlyphAssembly): Ditto.
        (WebCore::MathOperator::paint): Ditto.
        * rendering/mathml/MathOperator.h:
        (WebCore::MathOperator::GlyphAssemblyData::hasExtension): Added.
        (WebCore::MathOperator::GlyphAssemblyData::hasMiddle): Added.
        (WebCore::MathOperator::MathOperator): Deleted.
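The entry above (Avoid holding GlyphData in MathOperator) and the one that follows it (Crash when getting font bounding rect) describe the same hazard: a cached GlyphData carries a raw Font* into a cache that is purged under memory pressure, so the pointer dangles and the next paint reads freed memory. The C++ below is an added example, not WebKit's code. Its FontCache, Font, GlyphData, CachedGlyphHolder and KeyedGlyphHolder are toy types that only borrow the entries' names, and the generation counter is an assumption added so that staleness can be observed without dereferencing a dangling pointer. It contrasts holding the GlyphData with holding the key (family plus code point) and asking the cache again on each use.

```cpp
// Added example, not WebKit code: a toy font cache modelled on the two MathML
// entries. It shows why keeping a GlyphData (which carries a raw Font*) across
// a cache purge is a dangling-pointer bug, and the key-based lookup that fixes it.
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>

struct Font {
    std::string family;
    // Toy glyph lookup: ASCII code points map to glyph id (code point + 1);
    // 0 means "no glyph in this font", the usual .notdef convention.
    uint32_t glyphForCodePoint(char32_t c) const { return c < 0x80 ? static_cast<uint32_t>(c) + 1 : 0; }
};

// Same shape as the struct the entries stop caching: a non-owning pointer into the cache.
struct GlyphData {
    const Font* font = nullptr;
    uint32_t glyph = 0;
    bool isValid() const { return font && glyph; }
};

class FontCache {
public:
    const Font& fontForFamily(const std::string& family) {
        auto it = m_fonts.find(family);
        if (it == m_fonts.end()) {
            auto font = std::make_unique<Font>();
            font->family = family;
            it = m_fonts.emplace(family, std::move(font)).first;
        }
        return *it->second;
    }
    GlyphData glyphDataForCodePoint(const std::string& family, char32_t c) {
        const Font& font = fontForFamily(family);
        return { &font, font.glyphForCodePoint(c) };
    }
    // Low-memory handler: every Font* handed out before this call now dangles.
    void purge() { m_fonts.clear(); ++m_generation; }
    uint64_t generation() const { return m_generation; }
private:
    std::map<std::string, std::unique_ptr<Font>> m_fonts;
    uint64_t m_generation = 0; // assumption: added here so staleness is observable
};

// The pattern the entries remove: a GlyphData kept across an unknown number of purges.
// The generation stamp only makes the staleness observable; dereferencing data().font
// after a purge would be undefined behaviour, so this class never does.
class CachedGlyphHolder {
public:
    CachedGlyphHolder(FontCache& cache, const std::string& family, char32_t c)
        : m_data(cache.glyphDataForCodePoint(family, c)), m_generation(cache.generation()) { }
    bool isStale(const FontCache& cache) const { return cache.generation() != m_generation; }
    const GlyphData& data() const { return m_data; } // unsafe to use once isStale() is true
private:
    GlyphData m_data;
    uint64_t m_generation;
};

// The fix: hold the key (family + code point) and ask the cache every time.
class KeyedGlyphHolder {
public:
    KeyedGlyphHolder(std::string family, char32_t c) : m_family(std::move(family)), m_codePoint(c) { }
    GlyphData data(FontCache& cache) const { return cache.glyphDataForCodePoint(m_family, m_codePoint); }
private:
    std::string m_family;
    char32_t m_codePoint;
};

// Scenario 1: the cached holder is valid until the first purge, then stale for good.
bool cachedHolderIsStaleAfterPurge() {
    FontCache cache;
    CachedGlyphHolder holder(cache, "Serif", U'A');
    bool staleBefore = holder.isStale(cache);
    cache.purge();
    return !staleBefore && holder.isStale(cache);
}

// Scenario 2: the keyed holder yields a valid GlyphData that points at the live
// Font object after the purge, with the same glyph id as before.
bool keyedHolderSurvivesPurge() {
    FontCache cache;
    KeyedGlyphHolder holder("Serif", U'A');
    uint32_t before = holder.data(cache).glyph;
    cache.purge();
    GlyphData after = holder.data(cache);
    return after.isValid() && after.glyph == before && after.font == &cache.fontForFamily("Serif");
}
```

The generation stamp is what ASAN and GuardMalloc provide at runtime in the entries' testing: without it, the cached holder would simply read freed memory and the bug would surface as a crash or as garbage glyphs. Re-querying by key costs a map lookup per use, which is the trade the entries accept in exchange for never holding a pointer the cache can invalidate.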
2016-08-25  Brent Fulgham

        Merge r205031. rdar://problem/28216249

2016-08-25  Brent Fulgham

        Crash when getting font bounding rect
        https://bugs.webkit.org/show_bug.cgi?id=161202

        Reviewed by Myles C. Maxfield.

        We should never store GlyphData objects for later use, because they contain raw pointers to Font elements contained in caches, and those font caches get periodically purged. Instead, we should hold onto the ‘key’ representing the GlyphData, and simply ask the system for the GlyphData the next time it is needed.

        Tested by existing MathML tests under ASAN and GuardMalloc.

        * rendering/mathml/RenderMathMLToken.cpp:
        (WebCore::RenderMathMLToken::RenderMathMLToken): Clean up constructors.
        (WebCore::RenderMathMLToken::computePreferredLogicalWidths): Use keys to get correct GlyphData when needed.
        (WebCore::RenderMathMLToken::updateMathVariantGlyph): Ditto.
        (WebCore::RenderMathMLToken::firstLineBaseline): Ditto.
        (WebCore::RenderMathMLToken::layoutBlock): Ditto.
        (WebCore::RenderMathMLToken::paint): Ditto.
        (WebCore::RenderMathMLToken::paintChildren): Ditto.
        * rendering/mathml/RenderMathMLToken.h:

2016-10-12  Matthew Hanson

        Merge r206975. rdar://problem/28545012

2016-10-07  Ryosuke Niwa

        REGRESSION(r165103): labels list doesn't get invalidated when other lists are invalidated at document level
        https://bugs.webkit.org/show_bug.cgi?id=163145

        Reviewed by Darin Adler.

        The bug was caused by Document::invalidateNodeListAndCollectionCaches removing all node lists regardless of whether they have been invalidated or not. Fixed the bug by removing only those node lists that got invalidated via LiveNodeList::invalidateCache.

        Test: fast/dom/NodeList/form-labels-length.html

        * dom/Document.cpp:
        (WebCore::Document::Document):
        (WebCore::Document::unregisterNodeListForInvalidation): Removed the conditional which allowed removal to happen while m_listsInvalidatedAtDocument is empty inside invalidateNodeListAndCollectionCaches.
        * dom/Document.h:
        * dom/Node.cpp:
        (WebCore::Document::invalidateNodeListAndCollectionCaches): Just remove the node lists being invalidated via LiveNodeList's invalidateCache, which calls unregisterNodeListForInvalidation, instead of removing them all. We make a copy of the list of node lists into a local vector because mutating HashMap while iterating over it is not a safe operation.

2016-10-12  Matthew Hanson

        Merge r206280. rdar://problem/28476953

2016-09-22  Brady Eidson

        IDBIndex.openCursor() matches indices on multiple object stores.
        and https://bugs.webkit.org/show_bug.cgi?id=158833

        Reviewed by Alex Christensen.

        Tests: storage/indexeddb/modern/multiple-objectstore-index-cursor-collision-private.html
               storage/indexeddb/modern/multiple-objectstore-index-cursor-collision.html

        * Modules/indexeddb/server/SQLiteIDBCursor.cpp:
        (WebCore::IDBServer::buildIndexStatement): Need to include the object store id in the statement for index cursors, otherwise there will be collisions amongst multiple object stores that happen to share primary keys.
        (WebCore::IDBServer::SQLiteIDBCursor::bindArguments):

2016-10-12  Matthew Hanson

        Merge r205861. rdar://problem/28409523

2016-09-12  Zalan Bujtas

        Input type object and the associated render can go out of sync.
        https://bugs.webkit.org/show_bug.cgi?id=161871

        Reviewed by Antti Koivisto.

        Bail out when we've got a mismatched renderer.

        Test: fast/forms/assert-on-input-type-change.html

        * html/ImageInputType.cpp:
        (WebCore::ImageInputType::altAttributeChanged):

2016-10-12  Matthew Hanson

        Merge r205786. rdar://problem/28476956

2016-09-10  Chris Dumez

        It is possible for Document::m_frame pointer to become stale
        https://bugs.webkit.org/show_bug.cgi?id=161812

        Reviewed by Ryosuke Niwa.

        Document::m_frame is supposed to get cleared by Document::prepareForDestruction(). The Frame destructor calls Frame::setView(nullptr) which is supposed to call the prepareForDestruction() on the Frame's associated document.
However, Frame::setView(nullptr) was calling prepareForDestruction() only if Document::inPageCache() returned true. This is because we allow Documents to stay alive in the PageCache even though they don't have a frame. The issue is that the Document::m_inPageCache flag was set to true right before firing the pagehide event, so technically before really entering the PageCache. Therefore, we can run into problems if a Frame gets destroyed by a pagehide EventHandler because ~Frame() will not call Document::prepareForDestruction() due to Document::m_inPageCache being true. After the frame is destroyed, Document::m_frame becomes stale and any action on the document will likely lead to crashes (such as the one in the layout test and the radar, which happens when trying to unregister event listeners from the document).

The solution adopted in this patch is to replace the m_inPageCache boolean with a m_pageCacheState enumeration that has 3 states:
- NotInPageCache
- AboutToEnterPageCache
- InPageCache

Frame::setView() / Frame::setDocument() were then updated to call Document::prepareForDestruction() on the associated document whenever the document's pageCacheState is not InPageCache. This means that we will now call Document::prepareForDestruction() when the document is being detached from its frame while firing the pagehide event.

Note that I tried to keep this patch minimal. Therefore, I kept the Document::inPageCache() getter for now. I plan to switch all its call sites to the new Document::pageCacheState() getter in a follow-up patch so that we can finally drop the confusing Document::inPageCache().
Test: fast/history/pagehide-remove-iframe-crash.html

* dom/Document.cpp:
(WebCore::Document::Document):
(WebCore::Document::~Document):
(WebCore::Document::createRenderTree):
(WebCore::Document::destroyRenderTree):
(WebCore::Document::setFocusedElement):
(WebCore::Document::setPageCacheState):
(WebCore::Document::topDocument):
* dom/Document.h:
(WebCore::Document::pageCacheState):
(WebCore::Document::inPageCache):
* history/CachedFrame.cpp:
(WebCore::CachedFrame::destroy):
* history/PageCache.cpp:
(WebCore::setPageCacheState):
(WebCore::PageCache::addIfCacheable):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopAllLoaders):
(WebCore::FrameLoader::open):
* loader/HistoryController.cpp:
(WebCore::HistoryController::invalidateCurrentItemCachedPage):
* page/Frame.cpp:
(WebCore::Frame::setView):

2016-10-12  Matthew Hanson

Merge r205197. rdar://problem/28481424

2016-08-30  Brent Fulgham

Use of uninitialised memory in TransformationMatrix::blend4()
https://bugs.webkit.org/show_bug.cgi?id=134621

Reviewed by Dean Jackson.

Change is based on the Blink change (patch by ):

TransformationMatrix::blend() was attempting to blend between non-invertible matrices. This resulted in garbage stack variables being used. This patch ensures that blend() will fall back to a 50% step interpolation when one of the sides is not invertible.

Tested by new TransformationMatrix test in TestWebKitAPI.

* platform/graphics/transforms/TransformationMatrix.cpp:
(WebCore::TransformationMatrix::blend2): Properly handle failure in the decompose method calls.
(WebCore::TransformationMatrix::blend4): Ditto.

2016-10-12  Matthew Hanson

Merge r205190. rdar://problem/28545010

2016-08-30  Youenn Fablet

[Fetch API] Blob not found URL should result in a network error
https://bugs.webkit.org/show_bug.cgi?id=161381

Reviewed by Sam Weinig.

Covered by rebased and updated tests.

Raising a network error if no blob can be found from the URL. It is no longer notified by a 404 response.
Updated FileReaderLoader to generate the correct exception.

Made some clean-up in the code, in particular adding an enum class for BlobResourceHandle errors.

* fileapi/FileReaderLoader.cpp:
(WebCore::FileReaderLoader::didFail):
(WebCore::FileReaderLoader::toErrorCode):
(WebCore::FileReaderLoader::httpStatusCodeToErrorCode):
* fileapi/FileReaderLoader.h:
* platform/network/BlobResourceHandle.cpp:
(WebCore::BlobResourceHandle::loadResourceSynchronously):
(WebCore::BlobResourceHandle::doStart):
(WebCore::BlobResourceHandle::didGetSize):
(WebCore::BlobResourceHandle::readSync):
(WebCore::BlobResourceHandle::readFileSync):
(WebCore::BlobResourceHandle::readAsync):
(WebCore::BlobResourceHandle::didOpen):
(WebCore::BlobResourceHandle::didRead):
(WebCore::BlobResourceHandle::failed):
(WebCore::BlobResourceHandle::notifyResponse):
(WebCore::BlobResourceHandle::notifyResponseOnError):
(WebCore::BlobResourceHandle::notifyFail):
* platform/network/BlobResourceHandle.h:

2016-10-12  Matthew Hanson

Merge r204631. rdar://problem/28481427

2016-08-19  Chris Dumez

DumpRenderTree crashed in com.apple.WebCore: WebCore::DOMWindow::resetDOMWindowProperties + 607
https://bugs.webkit.org/show_bug.cgi?id=160983

Reviewed by Brent Fulgham.

Update DOMWindow::frameDestroyed() to ref the window object as the crash traces seem to indicate it can get destroyed during the execution of this method.

Also update the code in the ~Frame destructor to not iterate over the list of FrameDestructionObservers because observers remove themselves from the list when they get destroyed.

No new tests, do not know how to reproduce.

* page/DOMWindow.cpp:
(WebCore::DOMWindow::frameDestroyed):
* page/Frame.cpp:
(WebCore::Frame::~Frame):

2016-10-12  Matthew Hanson

Merge r204266. rdar://problem/28216261

2016-08-08  John Wilander

Popups opened from a sandboxed iframe should themselves be sandboxed
https://bugs.webkit.org/show_bug.cgi?id=134850

Reviewed by Brent Fulgham.
Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::continueLoadAfterNewWindowPolicy): Now copies the opener's frame loader effective sandbox flags to the new frame loader.

2016-10-12  Matthew Hanson

Merge r203903. rdar://problem/28476961

2016-07-28  Dean Jackson

color-gamut media query returns incorrect results
https://bugs.webkit.org/show_bug.cgi?id=160166

Reviewed by Darin Adler.

While I was unable to reproduce the originator's issue, we communicated via email and it might have been related to a customized color space calibration on an external display. Anyway, I took this opportunity to update to use the more appropriate API for detection on macOS Sierra.

Covered by the existing fast/media/mq-color-gamut.html test.

* platform/mac/PlatformScreenMac.mm:
(WebCore::screenSupportsExtendedColor): Use NSScreen canRepresentDisplayGamut.

2016-10-11  Matthew Hanson

Merge r203792. rdar://problem/28476951

2016-07-27  Jeremy Jones

Fullscreen video zoom button does not work after rotating when aspect ratio matches display.
https://bugs.webkit.org/show_bug.cgi?id=160263
rdar://problem/27368872

Reviewed by Eric Carlson.

When video and display aspect ratio match, and rotating from landscape to portrait, the transform used in layout will be Identity. This means checking the transform for identity is an insufficient test to see if the bounds need to be resolved. Instead, always attempt to resolve the bounds and do a more accurate test while doing so.

* platform/ios/WebVideoFullscreenInterfaceAVKit.mm:
(-[WebAVPlayerLayer layoutSublayers]):
(-[WebAVPlayerLayer resolveBounds]):

2016-10-11  Matthew Hanson

Merge r203611. rdar://problem/28476958

2016-07-22  Daniel Bates

CSP: object-src and plugin-types directives are not respected for plugin replacements
https://bugs.webkit.org/show_bug.cgi?id=159761

Reviewed by Brent Fulgham.
Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will load with a plugin replacement.

Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
(WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we are allowed to load such content.
* html/HTMLPlugInImageElement.h:
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP earlier in HTMLPlugInImageElement::requestObject().
(WebCore::SubframeLoader::requestPlugin): Ditto.
(WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation to HTMLPlugInImageElement::allowedToLoadPluginContent().
(WebCore::SubframeLoader::requestObject): Deleted.
* loader/SubframeLoader.h:
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const function to a const function since these functions do not modify |this|.
* page/csp/ContentSecurityPolicy.h:

2016-10-11  Matthew Hanson

Merge r203522.
rdar://problem/28476959

2016-07-21  Daniel Bates

REGRESSION: Plugin replaced YouTube Flash videos always have the same width
https://bugs.webkit.org/show_bug.cgi?id=159998

Reviewed by Simon Fraser.

Fixes an issue where the width of a plugin replaced YouTube video loaded via an HTML embed element would always have the same width regardless of the value of the width attribute.

For YouTube Flash videos the YouTube plugin replacement substitutes a shadow DOM subtree for the default renderer of an HTML embed element. The root of this shadow DOM subtree is an HTML div element. Currently we set inline styles on this when it is instantiated. In particular, we set inline display and position to "inline-block" and "relative", respectively, and set an invalid height and width (we specify a font weight value instead of a CSS length value - this causes an ASSERT_NOT_REACHED() assertion failure in StyleBuilderConverter::convertLengthSizing() in a debug build). These styles never worked as intended and we ultimately created an inline renderer (ignoring display "inline-block") that had auto width and height. Instead it is sufficient to remove all these inline styles and create a RenderBlockFlow renderer for this so that it renders as a block, non-replaced element to achieve the intended illusion that the is a single element.

* html/shadow/YouTubeEmbedShadowElement.cpp: Remove unused header HTMLEmbedElement.h and include header RenderBlockFlow.h. Also update copyright in license block.
(WebCore::YouTubeEmbedShadowElement::YouTubeEmbedShadowElement): Remove inline styles as these never worked as intended.
(WebCore::YouTubeEmbedShadowElement::createElementRenderer): Override; create a block-flow renderer for us so that we layout as a block, non-replaced element.
* html/shadow/YouTubeEmbedShadowElement.h:

2016-10-11  Matthew Hanson

Merge r203383. rdar://problem/28216264

2016-07-18  Brent Fulgham

Don't associate form-associated elements with forms in other trees.
https://bugs.webkit.org/show_bug.cgi?id=119451

Change is based on the Blink change (patch by ):

Reviewed by Chris Dumez.

Prevent elements from being associated with forms that are not part of the same home subtree. This brings us in line with the WhatWG HTML specification as of September, 2013.

Tests: fast/forms/image-disconnected-during-parse.html
       fast/forms/input-disconnected-during-parse.html

* dom/Element.h:
(WebCore::Node::rootElement): Added.
* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedInto): If the element is associated with a form that is not part of the same tree, remove the association.
* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::insertedInto): Ditto.

2016-10-02  Babak Shafiei

Merge r205657. rdar://problem/28216268

2016-09-08  Myles C. Maxfield

Support new emoji group candidates
https://bugs.webkit.org/show_bug.cgi?id=161664

Reviewed by Simon Fraser.

Support more emoji group candidates. This includes joining groups into a single glyph, as well as atomic deletions of the entire group when the backspace key is pressed.
Tests: editing/deleting/delete-emoji.html:
       fast/text/emoji-num-glyphs.html:

* platform/text/CharacterProperties.h:
(WebCore::isEmojiGroupCandidate):

2016-09-30  Babak Shafiei

Merge follow up fix for rdar://problem/28567557.

2016-09-30  Anders Carlsson

Follow up for Add CSS -webkit-appearance property for Apple Pay buttons

Reviewed by Dan Bernstein.

* css/CSSParser.cpp:
(WebCore::isKeywordPropertyID): Add CSSPropertyApplePayButtonStyle and CSSPropertyApplePayButtonType.
* rendering/RenderThemeCocoa.mm:
(WebCore::RenderThemeCocoa::paintApplePayButton): Make sure to reinitialize the text matrix.

2016-09-30  Babak Shafiei

Merge r206181. rdar://problem/28408526

2016-09-20  Anders Carlsson

Remove "in-store" from "-apple-pay-button-type"
https://bugs.webkit.org/show_bug.cgi?id=162321
rdar://problem/28394581

Reviewed by Beth Dakin.

* css/CSSPrimitiveValueMappings.h:
(WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
(WebCore::CSSPrimitiveValue::operator ApplePayButtonType):
* css/CSSValueKeywords.in:
* css/parser/CSSParser.cpp:
(WebCore::isValidKeywordPropertyAndValue):
* css/parser/CSSParserFastPaths.cpp:
(WebCore::CSSParserFastPaths::isValidKeywordPropertyAndValue):
* rendering/RenderThemeCocoa.mm:
(WebCore::toPKPaymentButtonType):
* rendering/style/RenderStyleConstants.h:

2016-09-30  Babak Shafiei

Merge r205992. rdar://problem/28567557

2016-09-15  Anders Carlsson

Fix build.

* platform/spi/cocoa/PassKitSPI.h:

2016-09-30  Babak Shafiei

Merge r205980. rdar://problem/28567557

2016-09-14  Anders Carlsson

Add CSS -webkit-appearance property for Apple Pay buttons
https://bugs.webkit.org/show_bug.cgi?id=161986

Reviewed by Dean Jackson.

Add a new -webkit-appearance property, "-apple-pay-button". Also, add two properties, "-apple-pay-button-type" and "-apple-pay-button-style".

* WebCore.xcodeproj/project.pbxproj: Add RenderThemeCocoa.h and RenderThemeCocoa.mm.
* css/CSSComputedStyleDeclaration.cpp:
(WebCore::ComputedStyleExtractor::propertyValue): Handle CSSPropertyApplePayButtonStyle and CSSPropertyApplePayButtonType.
* css/CSSPrimitiveValueMappings.h:
(WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
(WebCore::CSSPrimitiveValue::operator ApplePayButtonStyle):
(WebCore::CSSPrimitiveValue::operator ApplePayButtonType): Add ApplePayButtonStyle and ApplePayButtonType conversion routines.
* css/CSSPropertyNames.in: Add -apple-pay-button-style and -apple-pay-button-type.
* css/CSSValueKeywords.in: Add CSS values.
* css/parser/CSSParser.cpp:
(WebCore::isValidKeywordPropertyAndValue): Handle CSSPropertyApplePayButtonStyle and CSSPropertyApplePayButtonType.
* css/parser/CSSParserFastPaths.cpp:
(WebCore::CSSParserFastPaths::isKeywordPropertyID): Handle CSSPropertyApplePayButtonStyle and CSSPropertyApplePayButtonType.
(WebCore::isAppleLegacyCSSPropertyKeyword): New function that returns whether the CSS property should be rewritten to -webkit-. We want to rewrite -apple- but not -apple-pay-.
(WebCore::cssPropertyID): Use the newly added isAppleLegacyCSSPropertyKeyword.
(WebCore::isAppleLegacyCSSValueKeyword): Check for "-apple-pay-" in addition to "-apple-system-".
* platform/ThemeTypes.h: Add ApplePayButtonPart.
* platform/spi/cocoa/PassKitSPI.h: Add PKDrawApplePayButton declaration.
* rendering/RenderTheme.cpp:
(WebCore::RenderTheme::adjustStyle): Handle ApplePayButtonPart.
(WebCore::RenderTheme::paint): Handle ApplePayButtonPart.
* rendering/RenderTheme.h:
(WebCore::RenderTheme::adjustApplePayButtonStyle):
(WebCore::RenderTheme::paintApplePayButton): Add new functions.
* rendering/RenderThemeCocoa.h: Added.
* rendering/RenderThemeCocoa.mm: Added.
(WebCore::RenderThemeCocoa::adjustApplePayButtonStyle): Adjust the minimum width and minimum height accordingly.
(WebCore::toPKPaymentButtonStyle):
(WebCore::toPKPaymentButtonType): Helper functions that convert our WebCore types to PK types.
(WebCore::RenderThemeCocoa::paintApplePayButton): Call PKDrawApplePayButton.
* rendering/RenderThemeIOS.h:
* rendering/RenderThemeMac.h: Inherit from RenderThemeCocoa.
* rendering/style/RenderStyle.h:
(WebCore::RenderStyle::applePayButtonStyle):
(WebCore::RenderStyle::applePayButtonType):
(WebCore::RenderStyle::setApplePayButtonStyle):
(WebCore::RenderStyle::setApplePayButtonType):
(WebCore::RenderStyle::initialApplePayButtonStyle):
(WebCore::RenderStyle::initialApplePayButtonType):
* rendering/style/RenderStyleConstants.h:
* rendering/style/StyleRareInheritedData.cpp:
(WebCore::StyleRareInheritedData::StyleRareInheritedData):
(WebCore::StyleRareInheritedData::operator==):
* rendering/style/StyleRareInheritedData.h: Add new style members for the button style and button type properties.

2016-09-29  Babak Shafiei

Merge r206556. rdar://problem/28524440

2016-09-28  Jer Noble

CRASH at WebCore::CDMSessionAVStreamSession::update + 950
https://bugs.webkit.org/show_bug.cgi?id=162701

Reviewed by Beth Dakin.

If the SourceBuffer backing a