2017-10-04  Kocsen Chung

        Revert r222779. rdar://problem/34706688

2017-10-04  Kocsen Chung

        Revert r222786. rdar://problem/34706688

2017-10-03  Jason Marcell

        Cherry-pick r222786. rdar://problem/34706688

    2017-10-03  Brent Fulgham

            Unreviewed test fix after r222779.

            * testing/cocoa/WebArchiveDumpSupport.mm:
            (WebCoreTestSupport::createCFURLResponseFromResponseData): Setting NSSecureCoding in this
            test code should be done based on build system, just like it is in the actual WebArchive
            handling code.

2017-10-03  Jason Marcell

        Cherry-pick r222779. rdar://problem/34706688

    2017-10-03  Brent Fulgham

            [Mac] Use safer decoding practices for NSKeyedUnarchiver
            https://bugs.webkit.org/show_bug.cgi?id=175887

            Reviewed by Daniel Bates.

            * loader/archive/cf/LegacyWebArchiveMac.mm:
            (WebCore::LegacyWebArchive::createResourceResponseFromMacArchivedData): Use NSSecureCoding to unarchive.
            (WebCore::LegacyWebArchive::createPropertyListRepresentation): Ditto for archiving.
            * testing/cocoa/WebArchiveDumpSupport.mm:
            (WebCoreTestSupport::createCFURLResponseFromResponseData): Update to use NSSecureCoding if possible.

2017-10-01  Jason Marcell

        Cherry-pick r222588. rdar://problem/34717517

    2017-09-27  Myles C. Maxfield

            Minimum font size may cause elements to have an infinite line-height
            https://bugs.webkit.org/show_bug.cgi?id=177573

            Reviewed by Dan Bernstein.

            When minimum font size is specified, we were trying to preserve the ratio of specified
            font-size and specified line-height in order to boost the computed font size
            proportionately to the font-size boost. However, this doesn't work when the specified
            font-size is 0, because the ratio between line-height and font-size is infinite. The
            most straightforward solution is just to make small font-sizes opt out of the
            line-height adjustment because the result would be too big.

            Test: fast/text/line-height-minimumFontSize-text-small-font-size.html

            * css/StyleBuilderCustom.h:
            (WebCore::computeLineHeightMultiplierDueToFontSize):
            (WebCore::StyleBuilderCustom::applyValueLineHeight):

2017-09-27  Jason Marcell

        Cherry-pick r222576. rdar://problem/34553953

    2017-09-27  Myles C. Maxfield

            "Tag" codepoints require the complex text codepath
            https://bugs.webkit.org/show_bug.cgi?id=177251

            Reviewed by David Hyatt.

            Previously, Tag codepoints (U+E0000 - U+E007F) weren't triggering the complex text
            codepath. Eventually, we should migrate the default from simple to complex. I'll do that
            in a separate patch.

            Test: fast/text/flag-codepoint.html

            * platform/graphics/FontCascade.cpp:
            (WebCore::FontCascade::characterRangeCodePath):

2017-09-26  Jason Marcell

        Cherry-pick r222539. rdar://problem/34205774

    2017-09-26  Zalan Bujtas

            Fall back to normal line layout position, when simple line layout fails to find one.
            https://bugs.webkit.org/show_bug.cgi?id=176220

            Reviewed by Brent Fulgham.

            In case of empty content, let's just fall back to normal line layout and try to find the
            visually correct one.

            Test: fast/text/invalid-positionForPoint-offset.html

            * rendering/RenderText.cpp:
            (WebCore::RenderText::positionForPoint):
            * rendering/SimpleLineLayoutResolver.cpp:
            (WebCore::SimpleLineLayout::RunResolver::runForPoint const):

2017-09-26  Jason Marcell

        Cherry-pick r222474. rdar://problem/34646376

    2017-09-25  Per Arne Vollan

            Crash in WebCore::TreeScope::documentScope
            https://bugs.webkit.org/show_bug.cgi?id=176159

            Reviewed by Ryosuke Niwa.

            When all children are replaced with a new node in ContainerNode::replaceAllChildren, the
            treescope of the new node should be set after the call to willRemoveChildren, since this
            call can fire events, and execute JS code, which might change the treescope of the
            container node.

            Test: fast/dom/crash-moving-subtree-between-documents.html

            * dom/ContainerNode.cpp:
            (WebCore::ContainerNode::replaceAllChildren):

2017-09-25  Jason Marcell

        Cherry-pick r222304. rdar://problem/34646370

    2017-09-20  Said Abou-Hallawa

            REGRESSION(r191731): SVGPatternElement can only reference another SVGPatternElement in the same SVG document
            https://bugs.webkit.org/show_bug.cgi?id=176221

            Reviewed by Tim Horton.

            According to the specs:
            https://www.w3.org/TR/SVG11/filters.html#FilterElementHrefAttribute
            https://www.w3.org/TR/SVG11/pservers.html#LinearGradientElementHrefAttribute
            https://www.w3.org/TR/SVG11/pservers.html#RadialGradientElementHrefAttribute
            https://www.w3.org/TR/SVG11/pservers.html#PatternElementHrefAttribute

            The xlink:href attribute of the SVG filter, gradient and pattern elements must reference
            another element within the current SVG of the same type.

            In r191731, the code of SVGPatternElement::collectPatternAttributes() was removed and
            replaced by RenderSVGResourcePattern::collectPatternAttributes() to avoid cyclic reference
            in the pattern element. The problem is the old code used to check whether the referenced
            element is before casting it. This code was not copied to the new function. So we now
            allow the SVGPatternElement to reference any SVG resource element.

            To fix this issue, we need to prevent SVGResources from chaining an incorrect type of
            element to the SVG filter, gradient and pattern elements. We also need to use the
            SVGResources for getting the referenced element when collecting the attributes for the
            gradient elements. SVGResources solves the cyclic referencing issue so there is no need
            to repeat the same code in many places. Also, from now on the SVGResources will have
            valid linked resource only. So casting the referenced element should always be valid.

            Tests: svg/custom/pattern-invalid-content-inheritance.svg

            * rendering/svg/RenderSVGResourcePattern.cpp:
            (WebCore::RenderSVGResourcePattern::collectPatternAttributes const): Asserts the
            linkedResource is of type RenderSVGResourcePattern.
            * rendering/svg/SVGResources.cpp:
            (WebCore::SVGResources::SVGResources):
            (WebCore::isChainableResource): Ensure that an SVG resource can reference only an SVG
            resource with the valid type.
            (WebCore::SVGResources::buildCachedResources):
            * rendering/svg/SVGResources.h:

2017-09-20  Jason Marcell

        Cherry-pick r222097. rdar://problem/34508516

    2017-09-15  Brent Fulgham

            Make DocumentLoader a FrameDestructionObserver
            https://bugs.webkit.org/show_bug.cgi?id=176364

            Reviewed by Alex Christensen.

            The DocumentLoader needs to know when its Frame is destroyed so that it can perform
            proper cleanup.

            Test: fast/events/beforeunload-dom-manipulation-crash.html

            * loader/DocumentLoader.cpp:
            (WebCore::DocumentLoader::DocumentLoader): Call FrameDestructionObserver constructor.
            (WebCore::DocumentLoader::responseReceived): Drive-by fix. Make sure the current object is
            valid during the callback.
            (WebCore::DocumentLoader::attachToFrame): Use FrameDestructionObserver::observerFrame
            rather than setting the m_frame variable directly.
            (WebCore::DocumentLoader::detachFromFrame): Ditto.
            * loader/DocumentLoader.h:
            (WebCore::DocumentLoader::frame const): Deleted, as this is provided by the
            FrameDestructionObserver.

2017-09-19  Jason Marcell

        Cherry-pick r222226. rdar://problem/34534758

    2017-09-19  Zalan Bujtas

            AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
            https://bugs.webkit.org/show_bug.cgi?id=176218

            Reviewed by Simon Fraser.

            There are certain cases when we might re-enter performDeferredCacheUpdate through
            recursive layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList
            multiple times.

            Test: accessibility/crash-table-recursive-layout.html

            * accessibility/AXObjectCache.cpp:
            (WebCore::AXObjectCache::performDeferredCacheUpdate):
            * accessibility/AXObjectCache.h:

2017-09-19  Jason Marcell

        Cherry-pick r222220. rdar://problem/34534766

    2017-09-15  Wenson Hsieh

            createMarkupInternal should protect its pointer to the Range's common ancestor
            https://bugs.webkit.org/show_bug.cgi?id=177033

            Reviewed by Tim Horton.

            Adds basic safeguarding to codepaths hit while executing an outdent command.

            Test: editing/execCommand/outdent-with-media-query-listener-in-iframe.html

            * editing/IndentOutdentCommand.cpp:
            (WebCore::IndentOutdentCommand::outdentRegion): Avoid an infinite loop if
            endOfCurrentParagraph is a null position.
            * editing/markup.cpp:
            (WebCore::createMarkupInternal): Protect the raw pointer to the Range's common ancestor node.

2017-09-19  Jason Marcell

        Cherry-pick r222214. rdar://problem/34534751

    2017-09-19  Zalan Bujtas

            Do not mutate RenderText content during layout.
            https://bugs.webkit.org/show_bug.cgi?id=176219

            Reviewed by David Hyatt.

            Update combined text when the style/content change as opposed to lazily, during layout.
            -content mutation during layout might make the inline tree go out of sync.

            Test: fast/text/international/dynamic-text-combine-crash.html

            * rendering/RenderBlockFlow.cpp:
            (WebCore::RenderBlockFlow::computeInlinePreferredLogicalWidths const):
            * rendering/RenderCombineText.cpp:
            (WebCore::RenderCombineText::styleDidChange):
            (WebCore::RenderCombineText::setRenderedText):
            (WebCore::RenderCombineText::combineTextIfNeeded):
            (WebCore::RenderCombineText::combineText): Deleted.
            * rendering/RenderCombineText.h:
            * rendering/RenderText.h:
            * rendering/line/BreakingContext.h:
            (WebCore::BreakingContext::handleText):
            * rendering/line/LineBreaker.cpp:
            (WebCore::LineBreaker::skipLeadingWhitespace):

2017-09-19  Jason Marcell

        Cherry-pick r221978. rdar://problem/34508522

    2017-09-13  Daniel Bates

            Make history.pushState()/replaceState() more closely aligned to the HTML standard
            https://bugs.webkit.org/show_bug.cgi?id=176730

            Reviewed by Alex Christensen.

            Update history.pushState()/replaceState() to more closely align with the algorithm
            specified in (9 September 2017).

            Test: http/tests/security/history-pushState-replaceState-from-sandboxed-iframe.html

            * page/History.cpp:
            (WebCore::History::stateObjectAdded):
            * page/SecurityOrigin.cpp:
            (WebCore::SecurityOrigin::extractInnerURL): Use URL constructor that takes a base URL as
            opposed to using the special ParsedURLString-variant because the latter can only be used
            to parse a string returned from URL::string(). And the extracted inner URL does not meet
            this criterion. Using the ParsedURLString-variant of the URL constructor with a string
            that is not the result of URL::string() will cause an assertion failure in a debug build.

2017-09-19  Jason Marcell

        Cherry-pick r222167. rdar://problem/34508525

    2017-09-18  Antti Koivisto

            Avoid style resolution when clearing focused element.
            https://bugs.webkit.org/show_bug.cgi?id=176224

            Reviewed by Zalan Bujtas.

            Test: fast/dom/focus-style-resolution.html

            * dom/Document.cpp:
            (WebCore::Document::setFocusedElement): Don't do synchronous style resolution with
            FocusRemovalEventsMode::DoNotDispatch. Style resolution may dispatch events.
            * html/HTMLInputElement.cpp:
            (WebCore::HTMLInputElement::didBlur): Move resolveStyleIfNeeded call to setFocusedElement.
            It is the only client for didBlur.

2017-09-19  Jason Marcell

        Cherry-pick r222163. rdar://problem/34508516

    2017-09-18  Per Arne Vollan

            [WK1] Layout Test fast/events/beforeunload-dom-manipulation-crash.html is crashing.
            https://bugs.webkit.org/show_bug.cgi?id=177071

            Reviewed by Brent Fulgham.

            The Page pointer in the history controller's frame is null. Add a null pointer check
            before accessing the page.

            No new tests, covered by existing tests.

            * loader/HistoryController.cpp:
            (WebCore::HistoryController::updateForStandardLoad):
            (WebCore::HistoryController::updateForRedirectWithLockedBackForwardList):
            (WebCore::HistoryController::updateForClientRedirect):

2017-09-19  Jason Marcell

        Cherry-pick r222114.
        rdar://problem/34508510

    2017-09-15  Wenson Hsieh

            Avoid style recomputation when forwarding a focus event to a text field's input type
            https://bugs.webkit.org/show_bug.cgi?id=176160

            Reviewed by Ryosuke Niwa.

            Currently, TextFieldInputType::forwardEvent synchronously triggers style recomputation,
            for the purpose of scrolling to the origin upon handling a blur event, and also for
            updating caps lock state after a blur or focus. In synchronously triggering style
            recomputation, we may end up running arbitrary JavaScript, which may change the
            HTMLInputElement's type and cause the current TextFieldInputType to be destroyed.

            To mitigate this, we only update caps lock state when forwarding a focus or blur event
            to the InputType, and instead scroll blurred text fields to the origin later, in
            HTMLInputElement::didBlur (invoked from Document::setFocusedElement after blur and
            focusout events have fired). Instead of having the InputType update style, lift the call
            to Document::updateStyleIfNeeded up into HTMLInputElement so that we gracefully handle
            the case where the page destroys and sets a new InputType within the scope of this style
            update.

            Test: fast/forms/change-input-type-in-focus-handler.html

            * dom/Document.cpp:
            (WebCore::Document::setFocusedElement):
            * html/HTMLInputElement.cpp:
            (WebCore::HTMLInputElement::didBlur):
            * html/HTMLInputElement.h:
            * html/InputType.h:
            (WebCore::InputType::elementDidBlur):
            * html/TextFieldInputType.cpp:
            (WebCore::TextFieldInputType::forwardEvent):
            (WebCore::TextFieldInputType::elementDidBlur):
            * html/TextFieldInputType.h:

2017-09-14  Jason Marcell

        Cherry-pick r222008. rdar://problem/34426473

    2017-09-13  Zalan Bujtas

            Switch multicolumn's spanner map from raw over to weak pointers.
            https://bugs.webkit.org/show_bug.cgi?id=176367

            Reviewed by Antti Koivisto.

            Test: fast/multicol/spanner-crash-when-adding-summary.html

            * rendering/RenderMultiColumnFlowThread.cpp:
            (WebCore::RenderMultiColumnFlowThread::evacuateAndDestroy):
            (WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted):
            (WebCore::RenderMultiColumnFlowThread::handleSpannerRemoval):
            * rendering/RenderMultiColumnFlowThread.h:
            * rendering/RenderMultiColumnSet.cpp:
            (WebCore::RenderMultiColumnSet::firstRendererInFlowThread const):
            (WebCore::RenderMultiColumnSet::lastRendererInFlowThread const):
            * rendering/RenderMultiColumnSpannerPlaceholder.cpp:
            (WebCore::RenderMultiColumnSpannerPlaceholder::RenderMultiColumnSpannerPlaceholder):
            * rendering/RenderMultiColumnSpannerPlaceholder.h:

2017-09-14  Jason Marcell

        Cherry-pick r222005. rdar://problem/34426487

    2017-09-13  Wenson Hsieh

            Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration
            https://bugs.webkit.org/show_bug.cgi?id=176368

            Reviewed by Ryosuke Niwa.

            In the process of iterating over form.associatedElements() during form submission in
            FormSubmission::create, the page may cause us to clobber the vector of
            FormAssociatedElements* we're currently iterating over by inserting new form controls
            beneath the form element we're in the process of submitting. This happens because
            FormSubmission::create calls HTMLTextAreaElement::appendFormData, which requires layout
            to be up to date, which in turn makes us updateLayout() and set focus, which fires a
            `change` event, upon which the page's JavaScript inserts additional DOM nodes into the
            form, modifying the vector of associated elements.

            To mitigate this, instead of iterating over HTMLFormElement::associatedElements(), which
            returns a reference to the HTMLFormElement's actual m_associatedElements vector, we
            iterate over a new vector of Refs created from m_associatedElements.

            This patch also removes an event dispatch assertion added in r212026. This assertion was
            added to catch any other events dispatched in this scope, since dispatching events there
            would have had security implications, but after making iteration over associated
            elements robust, this NoEventDispatchAssertion is no longer useful.

            Test: fast/forms/append-children-during-form-submission.html

            * loader/FormSubmission.cpp:
            (WebCore::FormSubmission::create):

2017-09-14  Jason Marcell

        Cherry-pick r221968. rdar://problem/34169683

    2017-09-12  Matt Rajca

            Ensure the user interacted with the page before setting m_userHasInteractedWithMediaElement
            https://bugs.webkit.org/show_bug.cgi?id=176816

            Reviewed by Eric Carlson.

            Currently, when the user presses a keyboard shortcut in the client to reload a page, that
            may get registered as a user gesture on the reloaded page. Before setting the
            m_userHasInteractedWithMediaElement flag, we should check if a user gesture was actually
            handled by checking the userDidInteractWithPage flag. In case of key events that aren't
            handled by the page, this will be set to false by EventHandler:

                // If the key event was not handled, do not treat it as user interaction with the page.
                if (topDocument && !wasHandled)
                    topDocument->setUserDidInteractWithPage(savedUserDidInteractWithPage);

            We need to revisit this in the future in webkit.org/b/176817 and ensure user gesture
            tokens don't carry over across reloads of the page.

            Tests: I wasn't able to trigger the pathological scenario this aims to fix with a test
            that calls window.location.reload() from a synthetic keyDown event.

            * dom/Document.cpp:
            (WebCore::Document::noteUserInteractionWithMediaElement):

2017-09-12  Jason Marcell

        Cherry-pick r221917. rdar://problem/34404461

    2017-09-12  Brent Fulgham

            Show punycode to user if a URL mixes Armenian Seh or Vo with other scripts
            https://bugs.webkit.org/show_bug.cgi?id=176578

            Reviewed by Alex Christensen.
            Revise our "lookalike character" logic to include the Armenian Vo and Seh characters,
            which can be mistaken for 'n' and 'v' when displayed in certain fonts.

            Tested by new API tests.

            * platform/mac/WebCoreNSURLExtras.mm:
            (WebCore::isArmenianLookalikeCharacter): Added utility function.
            (WebCore::isArmenianScriptCharacter): Ditto.
            (WebCore::isLookalikeCharacter): Handle Armenian-lookalike cases.

2017-09-10  Jason Marcell

        Cherry-pick r221709. rdar://problem/34169683

    2017-09-05  Matt Rajca

            Support new autoplay quirk for arbitrary user gestures.
            https://bugs.webkit.org/show_bug.cgi?id=176402

            Reviewed by Eric Carlson.

            This quirk allows any user gesture to allow autoplay in a document.

            No new tests because this specifically targets one host.

            * html/MediaElementSession.cpp:
            (WebCore::needsArbitraryUserGestureAutoplayQuirk):
            (WebCore::MediaElementSession::playbackPermitted const):

2017-09-10  Jason Marcell

        Cherry-pick r221386. rdar://problem/34169683

    2017-08-22  Matt Rajca

            Opt all Mac clients into document-level media user gesture quirks.
            https://bugs.webkit.org/show_bug.cgi?id=175831

            This un-breaks many of the sites that take a long time to load video ad elements
            on-demand.

            Reviewed by Eric Carlson.

            Test: media/document-level-media-user-gesture-quirk.html

            * html/MediaElementSession.cpp:
            (WebCore::MediaElementSession::playbackPermitted const):
            (WebCore::needsDocumentLevelMediaUserGestureQuirk): Deleted.

2017-09-10  Jason Marcell

        Cherry-pick r221014. rdar://problem/34169683

    2017-08-21  Matt Rajca

            Call updateIsPlayingMedia whenever m_userHasInteractedWithMediaElement changes
            https://bugs.webkit.org/show_bug.cgi?id=175796

            Reviewed by Eric Carlson.

            Test: media/video-user-gesture-tracking.html

            The page media state depends on m_userHasInteractedWithMediaElement, so force it to
            update as soon as m_userHasInteractedWithMediaElement changes. This fixes an issue where
            the media state would not reflect the user interaction flag until a call to
            updateIsPlayingMedia was made.

            * dom/Document.cpp:
            (WebCore::Document::noteUserInteractionWithMediaElement):
            * dom/Document.h:
            (WebCore::Document::noteUserInteractionWithMediaElement): Deleted.
            * testing/Internals.cpp:
            (WebCore::Internals::pageMediaState):

2017-09-05  Matthew Hanson

        Cherry-pick r221444. rdar://problem/34215746

    2017-08-31  David Quesada

            WKNavigationDelegatePrivate client redirect SPI needs to be able to detect redirects scheduled before the document finishes loading
            https://bugs.webkit.org/show_bug.cgi?id=176128
            rdar://problem/34068476

            Reviewed by Brady Eidson.

            Removed FrameLoaderClient::dispatchDidPerformClientRedirect() since no client cares about
            this event anymore. Also removed FrameLoader::performClientRedirect() since it wouldn't do
            anything but call changeLocation().

            No new tests - no change in functionality.

            * loader/FrameLoader.cpp:
            * loader/FrameLoader.h:
            * loader/FrameLoaderClient.h:
            * loader/NavigationScheduler.cpp:

2017-08-21  Jason Marcell

        Cherry-pick r220940. rdar://problem/33994308

    2017-08-18  Tim Horton

            Remove classic mode screen scale clamping
            https://bugs.webkit.org/show_bug.cgi?id=175739

            Reviewed by Andy Estes.

            * platform/ios/PlatformScreenIOS.mm:
            (WebCore::screenScaleFactor): This code is no longer needed.

2017-08-15  Jason Marcell

        Cherry-pick r220723. rdar://problem/33901127

    2017-08-14  Jer Noble

            Obj-C exception crash in AVStreamSession when using EME in Private Browsing mode
            https://bugs.webkit.org/show_bug.cgi?id=175547

            Reviewed by Eric Carlson.

            When the storagePath() is empty, do not use those AVStreamSession APIs which require a
            valid file path to stored proof-of-key-release data.

            Drive-by fix: return emptyString() from
            HTMLMediaElement::mediaPlayerMediaKeysStorageDirectory() when in Private Browsing mode,
            to match the behavior of WebKitMediaKeySession.

            * html/HTMLMediaElement.cpp:
            (WebCore::HTMLMediaElement::mediaPlayerMediaKeysStorageDirectory const):
            * platform/graphics/avfoundation/objc/CDMSessionAVStreamSession.mm:
            (WebCore::CDMSessionAVStreamSession::releaseKeys):
            (WebCore::CDMSessionAVStreamSession::update):
            (WebCore::CDMSessionAVStreamSession::generateKeyReleaseMessage):

2017-08-15  Jason Marcell

        Cherry-pick r217197. rdar://problem/33890650

    2017-05-21  Antti Koivisto

            matchMedia('print').addListener() fires in WK1 but never in WK2 when printing (breaks printing Google maps, QuickLooks)
            https://bugs.webkit.org/show_bug.cgi?id=172361

            Reviewed by Sam Weinig.

            Test: fast/media/matchMedia-print.html

            * page/FrameView.cpp:
            (WebCore::FrameView::layout): Evaluate matchMedia queries unconditionally. No idea why it
            wasn't like that.
            * testing/Internals.cpp:
            (WebCore::Internals::setPrinting): Add testing support. The existing ways to do printing
            testing were unable to hit this bug as they had too much additional gunk.
            * testing/Internals.h:
            * testing/Internals.idl:

2017-08-15  Matthew Hanson

        Cherry-pick r220722. rdar://problem/33890577

    2017-08-14  Andy Estes

            REGRESSION (r220456): Crash in PreviewLoader::shouldCreateForMIMEType() when a ResourceResponse has a null MIME type
            https://bugs.webkit.org/show_bug.cgi?id=175548

            Reviewed by Brady Eidson.

            New API test: QuickLook.ShouldCreateForMIMEType

            * WebCore.xcodeproj/project.pbxproj:
            * loader/ios/PreviewLoader.h:
            * loader/ios/PreviewLoader.mm:
            (WebCore::PreviewLoader::shouldCreateForMIMEType): Check if mimeType is a null String
            before calling HashSet::contains().

2017-08-14  Jason Marcell

        Revert r217197. rdar://problem/33890650

2017-08-14  Jason Marcell

        Revert r220112. rdar://problem/33890661

2017-08-13  Jason Marcell

        Cherry-pick r220551. rdar://problem/33843388

    2017-08-10  Nan Wang

            AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
            https://bugs.webkit.org/show_bug.cgi?id=175340

            Reviewed by Chris Fleizach.
            The issue here is that we manually set the parent object of the AccessibilitySVGRoot
            object and there are chances that the parent doesn't detach it properly during the
            parent's destroying process. Accessing the stale parent object will lead to a crash.
            Fixed this by making the parent object a weak pointer so we don't access an invalid
            memory.

            Test: accessibility/add-children-pseudo-element.html

            * accessibility/AccessibilityRenderObject.cpp:
            (WebCore::AccessibilityRenderObject::AccessibilityRenderObject):
            * accessibility/AccessibilityRenderObject.h:
            (WebCore::AccessibilityRenderObject::createWeakPtr):
            * accessibility/AccessibilitySVGRoot.cpp:
            (WebCore::AccessibilitySVGRoot::AccessibilitySVGRoot):
            (WebCore::AccessibilitySVGRoot::setParent):
            (WebCore::AccessibilitySVGRoot::parentObject const):
            * accessibility/AccessibilitySVGRoot.h:

2017-08-09  Jason Marcell

        Cherry-pick r220459. rdar://problem/33820790

    2017-08-09  Daniel Bates

            REGRESSION (r219013): OAuth flows are broken when redirecting back to application after authentication
            https://bugs.webkit.org/show_bug.cgi?id=175247

            Reviewed by Brady Eidson.

            Add SPI so that Safari can differentiate between a form submission and a redirected form
            submission and have PolicyCheck notify the frame loader client if the navigation was in
            response to receiving a redirect response. This is the WebKit portion to fix an issue
            when a native app makes use of an OAuth flow that bounces to Safari for user login and
            then bounces back to the app. Microsoft Graph's OAuth flow is one example.

            Safari was differentiating between a form submission and a redirected form submission
            based on the nullity of WKNavigationAction.sourceFrame because in both cases the
            navigation type was WKNavigationTypeFormSubmitted. The navigation type is the same for
            both navigations because WebKit always used the navigation action from the original
            request for the redirect request when the original request redirected. Prior to r219013,
            WKNavigationAction.sourceFrame would be nil for a form submission that redirects.
            Following r219013, WKNavigationAction.sourceFrame is non-nil unless the navigation was
            initiated by API. In particular, WKNavigationAction.sourceFrame is non-nil for the
            redirect navigation corresponding to a form submission that redirects.

            * loader/EmptyClients.cpp:
            (WebCore::EmptyFrameLoaderClient::dispatchDecidePolicyForNavigationAction):
            * loader/FrameLoaderClient.h: Have dispatchDecidePolicyForNavigationAction() take a
            boolean as to whether the navigation was in response to receiving a redirect response.
            * loader/PolicyChecker.cpp:
            (WebCore::PolicyChecker::checkNavigationPolicy): Notify the frame loader client whether
            the navigation is in response to receiving a redirect response.

2017-08-09  Jason Marcell

        Cherry-pick r220473. rdar://problem/33810961

    2017-08-09  Wenson Hsieh

            [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
            https://bugs.webkit.org/show_bug.cgi?id=175392

            Reviewed by Tim Horton and Megan Gardner.

            Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported
            platforms (i.e. iOS 10). No change in behavior.

            * Configurations/FeatureDefines.xcconfig:

2017-08-09  Jason Marcell

        Cherry-pick r220456. rdar://problem/33810950

    2017-08-09  Andy Estes

            [QuickLook] Use case-insensitive comparison of preview MIME types
            https://bugs.webkit.org/show_bug.cgi?id=175350

            Reviewed by Brady Eidson.

            MIME types are case-insensitive, but PreviewLoader was using a case-sensitive comparison
            to determine if a MIME type was supported by QLPreviewConverter. As a result we would
            fail to preview Excel macro-enabled workbooks, since CFNetwork would sniff a MIME type of
            "application/vnd.ms-excel.sheet.macroEnabled.12" but QuickLook contained
            "application/vnd.ms-excel.sheet.macroenabled.12" in its set of supported MIME type
            strings.

            Fix this by copying the QuickLook supported MIME type set into a HashSet using
            ASCIICaseInsensitiveHash and using that HashSet for MIME type checks.

            Test: quicklook/excel-macro-enabled.html

            * loader/ios/PreviewLoader.mm:
            (WebCore::PreviewLoader::shouldCreateForMIMEType):

2017-08-09  Jason Marcell

        Cherry-pick r220333. rdar://problem/33810934

    2017-08-07  Antti Koivisto

            REGRESSION (r219121): Airmail 3 prints header part only.
            https://bugs.webkit.org/show_bug.cgi?id=175258

            Reviewed by Andreas Kling.

            When a WK1 WebView is printed via AppKit view hierarchy it won't explicitly set the page
            width but uses the existing width. r219121 assumes that all printing code paths set the
            page width.

            No test, there appears to be no good way to test AppKit printing behaviors without adding
            complicated new testing infrastructure.

            * rendering/RenderView.cpp:
            (WebCore::RenderView::layout): If we are in printing layout and don't have page width set
            yet then use the current view width. This matches the behavior prior to r219121.

2017-08-09  Jason Marcell

        Cherry-pick r220289. rdar://problem/33810941

    2017-08-04  Said Abou-Hallawa

            RenderImageResourceStyleImage::image() should return the nullImage() if the image is not available
            https://bugs.webkit.org/show_bug.cgi?id=174874

            Reviewed by Simon Fraser.

            If an element has a non-CachedImage content data, e.g. -webkit-named-image,
            RenderImageResourceStyleImage will be created and attached to the RenderImage.
            RenderImageResourceStyleImage::m_cachedImage will be set to null at the beginning because
            the m_styleImage->isCachedImage() is false in this case. When ImageLoader finishes
            loading the url of the src attribute, RenderImageResource::setCachedImage() will be
            called to set m_cachedImage.

            A crash will happen when the RenderImage is destroyed. Destroying the RenderImage calls
            RenderImageResourceStyleImage::shutdown() which checks m_cachedImage and finds it not
            null, so it calls RenderImageResourceStyleImage::image() which ends up calling
            CSSNamedImageValue::image() which returns a null pointer because the size is empty.
            RenderImageResourceStyleImage::shutdown() calls image()->stopAnimation() without checking
            the return value of image().

            Another crash will happen later when deleting the CachedImage from the memory cache if
            CachedImage::canDestroyDecodedData() is called because the client it gets from m_clients
            is a freed pointer. This happens because RenderImageResourceStyleImage has m_styleImage
            of type StyleGeneratedImage but its m_cachedImage is set by
            RenderImageResource::setCachedImage(). When RenderImageResourceStyleImage::shutdown() is
            called, it calls StyleGeneratedImage::removeClient() which does not know anything about
            RenderImageResourceStyleImage::m_cachedImage. So we end up having a freed pointer in the
            m_clients of the CachedImage.

            Test: fast/images/image-element-image-content-data.html

            * rendering/RenderImageResourceStyleImage.cpp:
            (WebCore::RenderImageResourceStyleImage::shutdown): Revert back the changes of r208511 in
            this function. Add a call to image()->stopAnimation() without checking the return of
            image() since it will return the nullImage() if the image is not available. There is no
            need to check m_cachedImage before calling image() because image() does not check or
            access m_cachedImage. If m_styleImage is not a CachedStyleImage but m_cachedImage is not
            null, we need to remove m_renderer from the set of the clients of this m_cachedImage.
            (WebCore::RenderImageResourceStyleImage::image const): The base class method
            RenderImageResource::image() returns the nullImage() if the image is not available. This
            is because CachedImage::imageForRenderer() returns the nullImage() if the image is not
            available; see CachedImage.h. We should do the same for the derived class for
            consistency.
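Added example for the r221917 entry above ("Show punycode to user if a URL mixes Armenian Seh or Vo with other scripts"). This is editor-written C++ and not WebKit's code: the code points in the look-alike set, the treatment of ASCII digits and '-' as script-neutral, and the per-label decision are assumptions, and the host names in main() are constructed.

```cpp
// Added example, not WebKit's code. Decide whether a host name should be shown
// in its Punycode form because a label mixes Armenian look-alike letters with
// letters from another script (the homograph case the entry above targets).
#include <cstdio>
#include <string>

using CodePoint = char32_t;

// Assumed look-alike set: ARMENIAN CAPITAL/SMALL LETTER VO (U+0548/U+0578) and
// SEH (U+054D/U+057D). WebKit's real list lives in WebCoreNSURLExtras.mm.
static bool isArmenianLookalikeCharacter(CodePoint c)
{
    return c == 0x0548 || c == 0x054D || c == 0x0578 || c == 0x057D;
}

// Armenian block U+0530..U+058F plus the Armenian ligatures U+FB13..U+FB17.
static bool isArmenianScriptCharacter(CodePoint c)
{
    return (c >= 0x0530 && c <= 0x058F) || (c >= 0xFB13 && c <= 0xFB17);
}

// Assumption: digits and the hyphen carry no script and never count as "other".
static bool isScriptNeutral(CodePoint c)
{
    return (c >= U'0' && c <= U'9') || c == U'-';
}

// A label is suspicious when it holds an Armenian look-alike *and* a character
// from any other script; an all-Armenian or all-Latin label is left alone.
bool labelMixesArmenianLookalike(const std::u32string& label)
{
    bool sawLookalike = false;
    bool sawOtherScript = false;
    for (CodePoint c : label) {
        if (isScriptNeutral(c))
            continue;
        if (isArmenianLookalikeCharacter(c))
            sawLookalike = true;
        else if (!isArmenianScriptCharacter(c))
            sawOtherScript = true;
    }
    return sawLookalike && sawOtherScript;
}

// Split on '.' and apply the label rule; one mixed label is enough to force
// the Punycode form for the whole host.
bool shouldDisplayHostAsPunycode(const std::u32string& host)
{
    std::u32string label;
    for (CodePoint c : host) {
        if (c == U'.') {
            if (labelMixesArmenianLookalike(label))
                return true;
            label.clear();
        } else {
            label.push_back(c);
        }
    }
    return labelMixesArmenianLookalike(label);
}

int main()
{
    // Constructed inputs: Latin "amazon" with its 'n' replaced by Armenian VO,
    // an all-Armenian label, and a plain ASCII host.
    std::printf("mixed:    %d\n", shouldDisplayHostAsPunycode(U"amazo\u0578.com"));
    std::printf("armenian: %d\n", shouldDisplayHostAsPunycode(U"\u0570\u0561\u0575\u0578.com"));
    std::printf("ascii:    %d\n", shouldDisplayHostAsPunycode(U"amazon.com"));
    return 0;
}
```

The check is deliberately per label: a host such as "example.com" under a pure-Armenian subdomain is legitimate, whereas a single label that interleaves the two scripts has no honest reading and should be shown as xn-- form.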
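Added example for the r222005 entry above ("Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration"). This is editor-written C++ and not WebKit's code: Form, FormControl and the onBeforeAppendFormData hook are stand-ins for HTMLFormElement, its controls and the page script that runs from the change event, and std::shared_ptr stands in for Ref; the controls in runMutatingSubmission() are constructed.

```cpp
// Added example, not WebKit's code. Walking a snapshot of owning references
// keeps form submission safe when script mutates the live control list.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct FormControl {
    std::string name;
    std::string value;
};

struct Form {
    // Live list; script may insert into or erase from it at any time.
    std::vector<std::shared_ptr<FormControl>> associatedElements;
    // Stand-in for the 'change' handler that appendFormData ends up firing.
    std::function<void(Form&)> onBeforeAppendFormData;
};

using FormData = std::vector<std::pair<std::string, std::string>>;

// Hardened pattern: copy the owning references first, then iterate the copy.
// Growth of the live vector cannot invalidate the loop, and an element erased
// by script stays alive until the snapshot is destroyed, so no dangling pointer
// is ever dereferenced. Controls added by script are not submitted.
FormData collectFormData(Form& form)
{
    FormData out;
    std::vector<std::shared_ptr<FormControl>> snapshot = form.associatedElements;
    for (const std::shared_ptr<FormControl>& control : snapshot) {
        if (form.onBeforeAppendFormData)
            form.onBeforeAppendFormData(form); // may mutate form.associatedElements
        out.emplace_back(control->name, control->value);
    }
    return out;
}

// Scenario: the first callback appends a control and erases the second one
// from the live list. The snapshot is unaffected, so exactly the original two
// controls are submitted and the erased one is still valid when visited.
FormData runMutatingSubmission()
{
    Form form;
    form.associatedElements = {
        std::make_shared<FormControl>(FormControl{"user", "alice"}),
        std::make_shared<FormControl>(FormControl{"token", "abc"}),
    };
    int calls = 0;
    form.onBeforeAppendFormData = [&calls](Form& f) {
        if (calls++ == 0) {
            f.associatedElements.push_back(
                std::make_shared<FormControl>(FormControl{"injected", "x"}));
            f.associatedElements.erase(f.associatedElements.begin() + 1); // drops "token"
        }
    };
    return collectFormData(form);
}

int main()
{
    for (const auto& field : runMutatingSubmission())
        std::printf("%s=%s\n", field.first.c_str(), field.second.c_str());
    return 0;
}
```

Iterating the live vector by reference instead would leave the loop holding an iterator into storage that push_back may have reallocated, and a raw pointer to a control that erase may have freed; the snapshot converts both into defined behaviour at the cost of one vector copy per submission.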
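Added example for the r220456 and r220722 entries above (case-insensitive comparison of QuickLook preview MIME types, and the follow-up crash on a null MIME type). This is editor-written C++ and not WebKit's code: the hash and equality functors mirror the idea of ASCIICaseInsensitiveHash, the contents of the supported set are constructed apart from the one Excel type the entry names, and a null const char* models a null WTF::String.

```cpp
// Added example, not WebKit's code. Case-insensitive MIME type lookup with the
// null/empty guard that r220722 added.
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_set>

// ASCII-only folding: MIME types are ASCII tokens, so locale-aware tolower is
// neither needed nor wanted.
static char toASCIILower(char c)
{
    return (c >= 'A' && c <= 'Z') ? static_cast<char>(c + ('a' - 'A')) : c;
}

// FNV-1a over the lower-cased bytes, so equal-ignoring-case strings hash alike.
struct ASCIICaseInsensitiveHash {
    size_t operator()(const std::string& s) const
    {
        uint64_t h = 1469598103934665603ull;
        for (char c : s) {
            h ^= static_cast<unsigned char>(toASCIILower(c));
            h *= 1099511628211ull;
        }
        return static_cast<size_t>(h);
    }
};

struct ASCIICaseInsensitiveEqual {
    bool operator()(const std::string& a, const std::string& b) const
    {
        if (a.size() != b.size())
            return false;
        for (size_t i = 0; i < a.size(); ++i) {
            if (toASCIILower(a[i]) != toASCIILower(b[i]))
                return false;
        }
        return true;
    }
};

using MIMETypeHashSet = std::unordered_set<std::string, ASCIICaseInsensitiveHash, ASCIICaseInsensitiveEqual>;

// Constructed stand-in for the set QuickLook reports. The first entry is the
// lower-case string the entry above quotes; the second is an assumption.
static const MIMETypeHashSet& supportedPreviewMIMETypes()
{
    static const MIMETypeHashSet set = {
        "application/vnd.ms-excel.sheet.macroenabled.12",
        "application/pdf",
    };
    return set;
}

// nullptr models a null String (the r220722 crash); an empty type is rejected
// the same way, before any hash-set lookup takes place.
bool shouldCreatePreviewForMIMEType(const char* mimeType)
{
    if (!mimeType || !*mimeType)
        return false;
    return supportedPreviewMIMETypes().count(mimeType) > 0;
}

int main()
{
    // The sniffed form CFNetwork produces, per the entry above.
    std::printf("%d\n", shouldCreatePreviewForMIMEType("application/vnd.ms-excel.sheet.macroEnabled.12"));
    std::printf("%d\n", shouldCreatePreviewForMIMEType(nullptr));
    return 0;
}
```

The hash and equality functors must agree on what "equal" means; folding only in the comparator while hashing the raw bytes would place "macroEnabled" and "macroenabled" in different buckets and silently reintroduce the original bug.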
2017-08-08  Jason Marcell

        Cherry-pick r220248. rdar://problem/33754458

    2017-08-03  Jeremy Jones

        Improve WebKitLegacy video fullscreen animation begin and end rects.
        https://bugs.webkit.org/show_bug.cgi?id=175152
        rdar://problem/32840576

        Reviewed by Eric Carlson.

        No new tests, because this change has no effect on the DOM.

        This change uses different rects for fullscreen animation to prevent the animation from
        failing, and to improve the aesthetics of the animation.

        * platform/mac/WebVideoFullscreenController.mm:
        (frameExpandedToRatioOfFrame):
        (-[WebVideoFullscreenController enterFullscreen:]):
        (-[WebVideoFullscreenController exitFullscreen]):
        (-[WebVideoFullscreenWindow animateFromRect:toRect:withSubAnimation:controllerAction:]):
        (constrainFrameToRatioOfFrame): Deleted.

2017-08-08  Jason Marcell

        Cherry-pick r220247. rdar://problem/33754443

    2017-08-03  Jer Noble

        [EME][Mac] SecureStop left on disk in Private Browsing mode.
        https://bugs.webkit.org/show_bug.cgi?id=175162

        Reviewed by Eric Carlson.

        Return an empty string from mediaKeysStorageDirectory() when the page indicates that
        storage should be ephemeral(). Previously, an empty string in this case would be treated
        as an error. Instead, treat an empty string as valid, and do not try to store or retrieve
        session information to disk in that case.

        * Modules/encryptedmedia/legacy/WebKitMediaKeySession.cpp:
        (WebCore::WebKitMediaKeySession::mediaKeysStorageDirectory const):
        * platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.mm:
        (WebCore::CDMSessionAVContentKeySession::releaseKeys):
        (WebCore::CDMSessionAVContentKeySession::update):
        (WebCore::CDMSessionAVContentKeySession::generateKeyReleaseMessage):
        (WebCore::CDMSessionAVContentKeySession::contentKeySession):
        * platform/graphics/avfoundation/objc/CDMSessionMediaSourceAVFObjC.mm:
        (WebCore::CDMSessionMediaSourceAVFObjC::storagePath const):

2017-08-07  Jason Marcell

        Cherry-pick r220163. rdar://problem/33711032

    2017-08-02  Andy Estes

        REGRESSION (r207155): Unable to switch sheets when previewing Numbers '09 spreadsheets
        https://bugs.webkit.org/show_bug.cgi?id=175098

        Reviewed by Daniel Bates.

        r207155 enabled sandboxing on the frame displaying a QuickLook preview. This restricted
        frames within the sandbox from navigating their sandboxed siblings or ancestors, which
        breaks the functionality of multi-sheet Numbers '09 spreadsheet previews. These previews
        contain a frameset with a table of contents frame and a content frame, and the table of
        contents frame needs to be able to navigate the content frame when the sheet selection
        changes.

        Fix this by disabling the SandboxNavigation flag in the QuickLook sandbox. Frames within
        the sandbox will be able to navigate each other, but will not be able to navigate the top
        frame (due to SandboxTopNavigation still being enabled), nor will they be able to navigate
        any other ancestor frame outside the sandbox (due to QuickLook previews being in a
        different origin than the hosting frame). These two cases are covered by existing tests.

        Test: quicklook/multi-sheet-numbers-09.html

        * dom/Document.cpp:
        (WebCore::Document::applyQuickLookSandbox): Added a call to
        disableSandboxFlags(SandboxNavigation) after applying the content security policy.
        * dom/SecurityContext.h:
        (WebCore::SecurityContext::disableSandboxFlags): Defined disableSandboxFlags().

2017-08-07  Jason Marcell

        Cherry-pick r220153. rdar://problem/33711047

    2017-08-02  Jer Noble

        [MSE] Removing samples when presentation order does not match decode order can cause bad behavior.
        https://bugs.webkit.org/show_bug.cgi?id=175091

        Reviewed by Eric Carlson.

        Address follow-up comments to r219519.

        * Modules/mediasource/SourceBuffer.cpp:
        (WebCore::SourceBuffer::removeCodedFrames):

2017-08-02  Jason Marcell

        Cherry-pick r220112. rdar://problem/33692164

    2017-08-01  Zalan Bujtas

        REGRESSION (r217197): New Yorker website hangs for a long time on load, lots of blank tiles
        https://bugs.webkit.org/show_bug.cgi?id=175009

        Reviewed by Simon Fraser.

        This patch ensures that we report the desktop, non-frame-flattened frame size for media
        queries in subframes. Some websites don't expect the iframes to be expanded to the size of
        the content and when the media query callback mutates the content (triggering frame
        resize), they might end up getting into a never ending layout.

        Test: fast/frames/flattening/media-query-growing-content.html

        * css/MediaQueryEvaluator.cpp:
        (WebCore::orientationEvaluate):
        (WebCore::aspectRatioEvaluate):
        (WebCore::heightEvaluate):
        (WebCore::widthEvaluate):
        * page/FrameView.cpp:
        (WebCore::FrameView::layout):
        (WebCore::FrameView::layoutSizeForMediaQuery const):
        (WebCore::FrameView::evaluateMediaQueryList):
        * page/FrameView.h:

2017-08-02  Jason Marcell

        Cherry-pick r220085. rdar://problem/33692157

    2017-07-31  Matt Rajca

        Support quirk for letting media autoplay if the user interacted with at least one media element.
        https://bugs.webkit.org/show_bug.cgi?id=175005

        Reviewed by Eric Carlson.

        If the user has interacted with at least one media element, let other media elements
        auto-play as a quirk.

        * dom/Document.cpp:
        (WebCore::Document::updateIsPlayingMedia):
        * dom/Document.h:
        (WebCore::Document::noteUserInteractionWithMediaElement):
        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::removeBehaviorsRestrictionsAfterFirstUserGesture):
        * html/MediaElementSession.cpp:
        (WebCore::needsDocumentLevelMediaUserGestureQuirk):
        (WebCore::MediaElementSession::playbackPermitted const):
        * page/MediaProducer.h:

2017-08-02  Jason Marcell

        Cherry-pick r220084. rdar://problem/33692167

    2017-07-31  Nan Wang

        AX: CFEqual is failing on text markers with exact same data
        https://bugs.webkit.org/show_bug.cgi?id=175002

        Reviewed by Chris Fleizach.
        We should zero the memory of the TextMarkerData instance so that it can be tested for
        byte-equivalence. Made sure this change won't break any of the existing tests.

        * accessibility/AXObjectCache.cpp:
        (WebCore::AXObjectCache::textMarkerDataForVisiblePosition):
        (WebCore::AXObjectCache::textMarkerDataForFirstPositionInTextControl):

2017-08-02  Jason Marcell

        Cherry-pick r220077. rdar://problem/33692157

    2017-07-28  Matt Rajca

        Propagate user gesture tokens when script elements are loaded.
        https://bugs.webkit.org/show_bug.cgi?id=174959

        Reviewed by Eric Carlson.

        Propagate user gesture tokens when script elements are loaded (i.e. between the time an
        element is created and its onload handler is invoked).

        * dom/ScriptElement.cpp:
        (WebCore::ScriptElement::ScriptElement):
        (WebCore::ScriptElement::dispatchLoadEventRespectingUserGestureIndicator):
        (WebCore::ScriptElement::executeScriptAndDispatchEvent):
        (WebCore::ScriptElement::executePendingScript):
        * dom/ScriptElement.h:

2017-08-02  Jason Marcell

        Cherry-pick r220035. rdar://problem/33692157

    2017-07-28  Matt Rajca

        Don't add autoplay restrictions to media elements created in response to user gestures.
        https://bugs.webkit.org/show_bug.cgi?id=174947

        Reviewed by Eric Carlson.

        Test: media/video-create-with-user-gesture.html

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::HTMLMediaElement):

2017-08-02  Jason Marcell

        Cherry-pick r220112. rdar://problem/33687415

    2017-08-01  Zalan Bujtas

        REGRESSION (r217197): New Yorker website hangs for a long time on load, lots of blank tiles
        https://bugs.webkit.org/show_bug.cgi?id=175009

        Reviewed by Simon Fraser.

        This patch ensures that we report the desktop, non-frame-flattened frame size for media
        queries in subframes. Some websites don't expect the iframes to be expanded to the size of
        the content and when the media query callback mutates the content (triggering frame
        resize), they might end up getting into a never ending layout.
        Test: fast/frames/flattening/media-query-growing-content.html

        * css/MediaQueryEvaluator.cpp:
        (WebCore::orientationEvaluate):
        (WebCore::aspectRatioEvaluate):
        (WebCore::heightEvaluate):
        (WebCore::widthEvaluate):
        * page/FrameView.cpp:
        (WebCore::FrameView::layout):
        (WebCore::FrameView::layoutSizeForMediaQuery const):
        (WebCore::FrameView::evaluateMediaQueryList):
        * page/FrameView.h:

2017-08-02  Jason Marcell

        Cherry-pick r220085. rdar://problem/33687398

    2017-07-31  Matt Rajca

        Support quirk for letting media autoplay if the user interacted with at least one media element.
        https://bugs.webkit.org/show_bug.cgi?id=175005

        Reviewed by Eric Carlson.

        If the user has interacted with at least one media element, let other media elements
        auto-play as a quirk.

        * dom/Document.cpp:
        (WebCore::Document::updateIsPlayingMedia):
        * dom/Document.h:
        (WebCore::Document::noteUserInteractionWithMediaElement):
        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::removeBehaviorsRestrictionsAfterFirstUserGesture):
        * html/MediaElementSession.cpp:
        (WebCore::needsDocumentLevelMediaUserGestureQuirk):
        (WebCore::MediaElementSession::playbackPermitted const):
        * page/MediaProducer.h:

2017-08-02  Jason Marcell

        Cherry-pick r220084. rdar://problem/33687425

    2017-07-31  Nan Wang

        AX: CFEqual is failing on text markers with exact same data
        https://bugs.webkit.org/show_bug.cgi?id=175002

        Reviewed by Chris Fleizach.

        We should zero the memory of the TextMarkerData instance so that it can be tested for
        byte-equivalence. Made sure this change won't break any of the existing tests.

        * accessibility/AXObjectCache.cpp:
        (WebCore::AXObjectCache::textMarkerDataForVisiblePosition):
        (WebCore::AXObjectCache::textMarkerDataForFirstPositionInTextControl):

2017-08-02  Jason Marcell

        Cherry-pick r220077. rdar://problem/33687398

    2017-07-28  Matt Rajca

        Propagate user gesture tokens when script elements are loaded.
        https://bugs.webkit.org/show_bug.cgi?id=174959

        Reviewed by Eric Carlson.
        Propagate user gesture tokens when script elements are loaded (i.e. between the time an
        element is created and its onload handler is invoked).

        * dom/ScriptElement.cpp:
        (WebCore::ScriptElement::ScriptElement):
        (WebCore::ScriptElement::dispatchLoadEventRespectingUserGestureIndicator):
        (WebCore::ScriptElement::executeScriptAndDispatchEvent):
        (WebCore::ScriptElement::executePendingScript):
        * dom/ScriptElement.h:

2017-08-02  Jason Marcell

        Cherry-pick r220035. rdar://problem/33687398

    2017-07-28  Matt Rajca

        Don't add autoplay restrictions to media elements created in response to user gestures.
        https://bugs.webkit.org/show_bug.cgi?id=174947

        Reviewed by Eric Carlson.

        Test: media/video-create-with-user-gesture.html

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::HTMLMediaElement):

2017-08-02  Matthew Hanson

        Cherry-pick r219602. rdar://problem/33537767

    2017-07-17  Konstantin Tokarev

        [cmake] Set library types before their targets are created
        https://bugs.webkit.org/show_bug.cgi?id=174600

        Reviewed by Michael Catanzaro.

        Since r219560 library targets are created before PlatformXXX.cmake files are processed;
        however, the library type must be passed in the add_library() call and cannot be changed
        afterwards. Set these variables in OptionsXXX.cmake.

        No new tests needed.

        * PlatformMac.cmake:

2017-07-31  Jason Marcell

        Cherry-pick r220048. rdar://problem/33619591

    2017-07-30  Said Abou-Hallawa

        RenderImageResourceStyleImage::image() should return the nullImage() if the image is not available
        https://bugs.webkit.org/show_bug.cgi?id=174874

        Reviewed by Darin Adler.

        If an element has image content data for a non-cached image, e.g. -webkit-named-image,
        RenderImageResourceStyleImage will be created and attached to the RenderImage.
        RenderImageResourceStyleImage::m_cachedImage will be set to null because
        m_styleImage->isCachedImage() is false in this case. When ImageLoader finishes loading the
        url of the src attribute, RenderImageResource::setCachedImage() will be called to set
        m_cachedImage.
        A crash will happen when the RenderImage is destroyed. Destroying the RenderImage calls
        RenderImageResourceStyleImage::shutdown() which checks m_cachedImage and finds it not null,
        so it calls RenderImageResourceStyleImage::image() which ends up calling
        CSSNamedImageValue::image() which returns a null pointer because the size is empty.
        RenderImageResourceStyleImage::shutdown() calls image()->stopAnimation() without checking
        the return value of image().

        Like the base class virtual method RenderImageResource::image(),
        RenderImageResourceStyleImage::image() should return the nullImage() if the image is not
        available.

        Test: fast/images/image-element-image-content-data.html

        * css/CSSCrossfadeValue.cpp:
        * css/CSSFilterImageValue.cpp:
        * page/EventHandler.cpp:
        * page/PageSerializer.cpp:
        * rendering/RenderElement.cpp:
        * rendering/RenderImageResource.cpp:
        * rendering/RenderImageResourceStyleImage.cpp:
        (WebCore::RenderImageResourceStyleImage::initialize):
        (WebCore::RenderImageResourceStyleImage::shutdown): Revert back the changes of r208511 in
        this function. Add a call to image()->stopAnimation() without checking the return of image()
        since it will return the nullImage() if the image is not available. There is no need to check
        m_cachedImage before calling image() because image() does not check or access m_cachedImage.
        (WebCore::RenderImageResourceStyleImage::image): The base class method
        RenderImageResource::image() returns the nullImage() if the image is not available. This is
        because CachedImage::imageForRenderer() returns the nullImage() if the image is not
        available; see CachedImage.h. We should do the same for the derived class for consistency.
        * rendering/style/ContentData.cpp:
        * rendering/style/StyleCachedImage.cpp:
        * style/StylePendingResources.cpp:

2017-07-31  Jason Marcell

        Cherry-pick r220042. rdar://problem/33619586

    2017-07-29  Nan Wang

        AX: findMatchingObjects doesn't work when the startObject is ignored
        https://bugs.webkit.org/show_bug.cgi?id=174965

        Reviewed by Chris Fleizach.

        findMatchingObjects would return a wrong element if we pass in an ignored start object.
        To fix this, we should use the closest accessible sibling as the start object.

        Test: accessibility/mac/search-predicate-from-ignored-element.html

        * accessibility/AccessibilityObject.cpp:
        (WebCore::appendChildrenToArray):

2017-07-31  Jason Marcell

        Cherry-pick r220009. rdar://problem/33619585

    2017-07-28  Myles C. Maxfield

        [macOS] Reeder's default font is Times instead of San Francisco
        https://bugs.webkit.org/show_bug.cgi?id=174885

        Reviewed by Simon Fraser.

        Reeder uses explicit dot-prefixed names in its source code. Within Core Text, dot-prefixed
        names cannot be matched case insensitively. The solution is to not case-fold these family
        names, and to make our caches case sensitive for these special names.

        Tests: fast/text/font-lookup-dot-prefix-case-sensitive-2.html
               fast/text/font-lookup-dot-prefix-case-sensitive.html

        * platform/graphics/FontCache.cpp:
        (WebCore::FontPlatformDataCacheKey::operator==):
        (WebCore::FontPlatformDataCacheKeyHash::hash):
        * platform/graphics/FontCascade.cpp:
        (WebCore::keysMatch):
        (WebCore::computeFontCascadeCacheHash):
        * platform/graphics/FontDescription.cpp:
        (WebCore::FontCascadeDescription::familyNamesAreEqual):
        (WebCore::FontCascadeDescription::familyNameHash):
        (WebCore::FontCascadeDescription::foldedFamilyName):
        * platform/graphics/FontDescription.h:
        * platform/graphics/cocoa/FontCacheCoreText.cpp:
        (WebCore::FontDatabase::fontForPostScriptName):

2017-07-28  Jason Marcell

        Cherry-pick r220003. rdar://problem/33595572

    2017-07-28  Myles C. Maxfield

        REGRESSION(r216944): Fallback fonts erroneously visible when the primary font is loading
        https://bugs.webkit.org/show_bug.cgi?id=174772

        Reviewed by Simon Fraser.
        During a font load, we try pretty hard to find a font to use that isn't the last resort
        font (which happens to be Times). We do this by iterating through all the fonts in the
        font-family list, as well as through all the relevant @font-face blocks which share the
        requested font family name. Unfortunately, if we find one of these fallback fonts, we were
        simply using it directly, which means that it was being drawn as visible (because the
        visibility setting lives inside the Font object). Instead, we should carry the invisibility
        setting from the interstitial font to this used fallback font.

        This patch is an extension of r219221, which fixed the problem only for system fallback
        fonts. This patch adopts the same methodology for all fallback fonts.

        Test: http/tests/webfont/font-loading-system-fallback-visibility-FontRanges.html

        * platform/graphics/FontCascadeFonts.cpp:
        (WebCore::FontCascadeFonts::glyphDataForVariant):
        (WebCore::glyphPageFromFontRanges):
        * platform/graphics/FontRanges.cpp:
        (WebCore::FontRanges::glyphDataForCharacter):

2017-07-28  Jason Marcell

        Cherry-pick r219998. rdar://problem/33595610

    2017-07-28  Wenson Hsieh

        [iOS DnD] [WK1] Snapshots generated using -[DOMRange renderImageForcingBlackText:] are upside down
        https://bugs.webkit.org/show_bug.cgi?id=174928

        Reviewed by Tim Horton.

        Pulls the implementation of createDragImageForRange out into DragImageIOS, and uses
        TextIndicator to generate a snapshot instead of FrameSelection's snapshotting utilities.
        This makes snapshotting a DOMRange behave the same way as snapshotting a dragged selection.

        No way of testing TextIndicator-based snapshotting yet.

        * platform/DragImage.cpp:

        Guard createDragImageForRange for !PLATFORM(IOS).

        * platform/ios/DragImageIOS.mm:
        (WebCore::createDragImageForSelection):

        Add a FIXME to point out that having an additional context flip inside the
        UIGraphicsImageRenderer block results in an upside-down drag image being returned from
        createDragImageFromImage.
        This image is being flipped elsewhere in drag initiation code, which eventually results in
        the correct orientation; we'll need further investigation to remove this extraneous flip.

        (WebCore::createDragImageForRange):

2017-07-28  Jason Marcell

        Cherry-pick r219992. rdar://problem/33595621

    2017-07-27  Jeremy Jones

        Don't override _allowsMediaDocumentInlinePlayback in MediaDocument with playsinlineAttr.
        https://bugs.webkit.org/show_bug.cgi?id=174850
        rdar://problem/33449903

        Reviewed by Jon Lee.

        This change removes playsinlineAttr from MediaDocument so that it doesn't override the
        setting from _allowsMediaDocumentInlinePlayback. In its place is an update to
        requiresFullscreenForVideoPlayback that implements the details of exactly which media
        documents are still allowed to play inline.

        Media documents always use a video element; but when there are no video tracks, it has
        behavior like an audio element. See media-controller.js isAudio(). This change preserves
        this behavior with respect to fullscreen requirements for media documents by mirroring the
        isAudio() check in requiresFullscreenForVideoPlayback.

        * html/MediaDocument.cpp:
        (WebCore::MediaDocumentParser::createDocumentStructure):
        * html/MediaElementSession.cpp:
        (WebCore::MediaElementSession::requiresFullscreenForVideoPlayback):

2017-07-28  Jason Marcell

        Cherry-pick r219991. rdar://problem/33595570

    2017-07-27  Jeremy Jones

        MediaDocument fullscreen pinch gesture should trigger navigate back.
        https://bugs.webkit.org/show_bug.cgi?id=174914

        Reviewed by Jon Lee.

        No new tests because the only effect is from interaction with the platform.

        For media documents, pressing the "done" button on fullscreen video navigates back to the
        previous page. The same should happen for other gestures that pause playback when returning
        to inline. This allows the gesture to have the same behavior as the button.
        * platform/ios/WebVideoFullscreenInterfaceAVKit.mm:
        (WebVideoFullscreenInterfaceAVKit::shouldExitFullscreenWithReason):

2017-07-28  Jason Marcell

        Cherry-pick r219950. rdar://problem/33595459

    2017-07-26  Chris Dumez

        Pressing the Escape key should not be a valid user gesture to enter fullscreen
        https://bugs.webkit.org/show_bug.cgi?id=174864

        Reviewed by Geoffrey Garen.

        Pressing the Escape key should not be a valid user gesture to enter fullscreen since this
        is the gesture to exit fullscreen already.

        Test: fullscreen/requestFullscreen-escape-key.html

        * dom/Document.cpp:
        (WebCore::Document::requestFullScreenForElement):
        * dom/UserGestureIndicator.cpp:
        (WebCore::UserGestureIndicator::UserGestureIndicator):
        * dom/UserGestureIndicator.h:
        (WebCore::UserGestureToken::create):
        (WebCore::UserGestureToken::gestureType):
        (WebCore::UserGestureToken::UserGestureToken):
        * page/EventHandler.cpp:
        (WebCore::EventHandler::internalKeyEvent):

2017-07-28  Jason Marcell

        Cherry-pick r219949. rdar://problem/33595616

    2017-07-26  Nan Wang

        AX: Incorrect range from index and length in contenteditable with
        tags
        https://bugs.webkit.org/show_bug.cgi?id=174856

        Reviewed by Chris Fleizach.

        When asking for the string inside a text control with a given range, we sometimes get a
        wrong string at the line boundary due to a bad plain range to text marker conversion. To fix
        this, we should use the existing method on text controls to avoid this issue.

        Updated the test to test the problematic case.

        * accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
        (-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):

2017-07-28  Jason Marcell

        Cherry-pick r219906. rdar://problem/33595387

    2017-07-26  Nan Wang

        AX: should dispatch accessibilityPerformPressAction async on MacOS
        https://bugs.webkit.org/show_bug.cgi?id=174849

        Reviewed by Chris Fleizach.

        If performing the accessibility press action results in a modal alert being displayed, it
        can cause VoiceOver to hang. To fix it, we should dispatch the action asynchronously.

        Updated tests to adapt to this change.

        * accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
        (-[WebAccessibilityObjectWrapper accessibilityPerformPressAction]):
        (-[WebAccessibilityObjectWrapper _accessibilityPerformPressAction]):

2017-07-28  Jason Marcell

        Cherry-pick r219891. rdar://problem/33595436

    2017-07-25  Per Arne Vollan

        Dragged links are blurry on 1x displays.
        https://bugs.webkit.org/show_bug.cgi?id=174831

        Reviewed by Simon Fraser.

        When the width and height of the drag image is a multiple of 2, the drag image is not
        blurry on a 1x display. This is a workaround which should be removed when is fixed.

        No new tests, since this is not straightforward to test with a layout test.

        * platform/mac/DragImageMac.mm:
        (WebCore::LinkImageLayout::LinkImageLayout):

2017-07-26  Jason Marcell

        Cherry-pick r219876. rdar://problem/33523847

    2017-07-25  Said Abou-Hallawa

        Async image decoding for large images should be disabled after the first time a tile is painted
        https://bugs.webkit.org/show_bug.cgi?id=174451

        Reviewed by Simon Fraser.
        Flashing because of DOM mutation can be fixed by disabling the asynchronous image decoding
        after the first time a tile was painted. We can detect this by consulting the tile
        repaintCount. If it is zero, then it is safe to use asynchronous image decoding. If the tile
        repaintCount is greater than zero, we are not sure if the renderer rectangle has an image
        drawn in it already or not. In this case we have to use the synchronous image decoding to
        avoid causing a flash.

        Tests: fast/images/async-image-background-change.html
               fast/images/async-image-src-change.html
               http/tests/multipart/multipart-async-image.html

        * html/shadow/MediaControlElements.cpp:
        (WebCore::MediaControlTextTrackContainerElement::createTextTrackRepresentationImage):
        * page/FrameView.cpp:
        (WebCore::FrameView::willPaintContents):
        (WebCore::FrameView::paintContentsForSnapshot):
        * page/PageOverlayController.cpp:
        (WebCore::PageOverlayController::paintContents):
        * page/PageOverlayController.h:
        * page/linux/ResourceUsageOverlayLinux.cpp:
        * page/mac/ServicesOverlayController.h:
        * page/mac/ServicesOverlayController.mm:
        (WebCore::ServicesOverlayController::Highlight::paintContents):
        * platform/graphics/BitmapImage.cpp:
        (WebCore::BitmapImage::draw):
        * platform/graphics/BitmapImage.h:
        * platform/graphics/GraphicsLayer.cpp:
        (WebCore::GraphicsLayer::paintGraphicsLayerContents):
        * platform/graphics/GraphicsLayer.h:
        * platform/graphics/GraphicsLayerClient.h:
        (WebCore::GraphicsLayerClient::paintContents):
        * platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp:
        (WebCore::LayerClient::platformCALayerPaintContents):
        * platform/graphics/ca/GraphicsLayerCA.cpp:
        (WebCore::GraphicsLayerCA::platformCALayerPaintContents):
        * platform/graphics/ca/GraphicsLayerCA.h:
        * platform/graphics/ca/PlatformCALayer.h:
        * platform/graphics/ca/PlatformCALayerClient.h:
        (WebCore::PlatformCALayerClient::platformCALayerRepaintCount):
        * platform/graphics/ca/TileCoverageMap.cpp:
        (WebCore::TileCoverageMap::platformCALayerPaintContents):
        * platform/graphics/ca/TileCoverageMap.h:
        * platform/graphics/ca/TileGrid.cpp:
        (WebCore::TileGrid::platformCALayerPaintContents):
        (WebCore::TileGrid::platformCALayerRepaintCount):
        * platform/graphics/ca/TileGrid.h:
        * platform/graphics/ca/cocoa/PlatformCALayerCocoa.mm:
        (PlatformCALayer::drawLayerContents):
        * platform/graphics/ca/win/PlatformCALayerWin.cpp:
        (PlatformCALayer::drawLayerContents):
        * platform/graphics/ca/win/PlatformCALayerWinInternal.cpp:
        (PlatformCALayerWinInternal::displayCallback):
        * platform/graphics/ca/win/WebTiledBackingLayerWin.cpp:
        (WebTiledBackingLayerWin::displayCallback):
        * platform/graphics/mac/WebLayer.mm:
        (-[WebLayer drawInContext:]):
        (-[WebSimpleLayer drawInContext:]):
        * rendering/PaintPhase.h:
        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::decodingModeForImageDraw):
        * rendering/RenderElement.h:
        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::paintLayerContents):
        (WebCore::RenderLayer::paintForegroundForFragments):
        * rendering/RenderLayerBacking.cpp:
        (WebCore::RenderLayerBacking::paintContents):
        * rendering/RenderLayerBacking.h:
        * rendering/RenderLayerCompositor.cpp:
        (WebCore::RenderLayerCompositor::paintContents):
        * rendering/RenderLayerCompositor.h:
        * rendering/RenderWidget.cpp:
        (WebCore::RenderWidget::paintContents):
        * testing/Internals.cpp:
        (WebCore::imageFromImageElement):
        (WebCore::bitmapImageFromImageElement):
        (WebCore::Internals::imageFrameIndex):
        (WebCore::Internals::setImageFrameDecodingDuration):
        (WebCore::Internals::resetImageAnimation):
        (WebCore::Internals::isImageAnimating):
        (WebCore::Internals::setClearDecoderAfterAsyncFrameRequestForTesting):
        (WebCore::Internals::imageDecodeCount):
        (WebCore::Internals::setLargeImageAsyncDecodingEnabledForTesting):
        * testing/Internals.h:
        * testing/Internals.idl:

2017-07-26  Jason Marcell

        Cherry-pick r219620. rdar://problem/33523847

    2017-07-18  Matt Lewis

        Unreviewed, rolling out r219610.
        This caused an API failure on all platforms for the test SnapshotImageLargeAsyncDecoding.

        Reverted changeset:

        "Async image decoding for large images should be disabled after the first time a tile is
        painted"
        https://bugs.webkit.org/show_bug.cgi?id=174451
        http://trac.webkit.org/changeset/219610

2017-07-26  Jason Marcell

        Cherry-pick r219762. rdar://problem/33523889

    2017-07-22  Said Abou-Hallawa

        REGRESSION(r219045): A partially loaded image may not be repainted when its complete frame finishes decoding
        https://bugs.webkit.org/show_bug.cgi?id=174230

        Reviewed by Simon Fraser.

        Because of r219045, we now only repaint the CachedImageClients which tried to draw the
        image but could not because they have to wait for the image decoding to finish. This was
        done by keeping a HashSet of these clients and making CachedImage own it. This HashSet is
        cleared once the image frame finishes decoding and all the waiting clients are repainted.

        But multiple asynchronous image decoding requests are allowed for the same frame if new
        data is added to the image source. If we tried to draw the same image twice before it
        finishes decoding the first request, we will not be able to record this second request
        since the HashSet will not add the same client twice. When the second request finishes
        decoding, CachedImage will not repaint any client since its HashSet is empty.

        To fix this problem we can do the following. When an image frame finishes decoding,
        CachedImage will keep its HashSet of pending drawing clients as long as the image frame is
        a partially loaded frame.
        * loader/cache/CachedImage.cpp:
        (WebCore::CachedImage::CachedImageObserver::imageFrameAvailable):
        (WebCore::CachedImage::imageFrameAvailable):
        * loader/cache/CachedImage.h:
        * platform/graphics/BitmapImage.cpp:
        (WebCore::BitmapImage::destroyDecodedData):
        (WebCore::BitmapImage::dataChanged):
        (WebCore::BitmapImage::setCurrentFrameDecodingStatusIfNecessary):
        (WebCore::BitmapImage::draw):
        (WebCore::BitmapImage::internalStartAnimation):
        (WebCore::BitmapImage::internalAdvanceAnimation):
        (WebCore::BitmapImage::imageFrameAvailableAtIndex):
        * platform/graphics/BitmapImage.h:
        * platform/graphics/ImageFrame.cpp:
        (WebCore::ImageFrame::decodingStatus):
        * platform/graphics/ImageFrame.h: Move DecodingStatus out of this class to ImageTypes.h to
        avoid adding other header files to ImageObserver.h.
        * platform/graphics/ImageFrameCache.cpp:
        (WebCore::ImageFrameCache::setNativeImage):
        (WebCore::ImageFrameCache::cacheMetadataAtIndex):
        (WebCore::ImageFrameCache::cacheNativeImageAtIndex):
        (WebCore::ImageFrameCache::cacheNativeImageAtIndexAsync):
        (WebCore::ImageFrameCache::requestFrameAsyncDecodingAtIndex):
        (WebCore::ImageFrameCache::frameDecodingStatusAtIndex):
        * platform/graphics/ImageFrameCache.h:
        * platform/graphics/ImageObserver.h:
        * platform/graphics/ImageSource.h:
        (WebCore::ImageSource::frameDecodingStatusAtIndex):
        * platform/graphics/ImageTypes.h:
        * platform/image-decoders/bmp/BMPImageReader.cpp:
        (WebCore::BMPImageReader::decodeBMP):
        * platform/image-decoders/gif/GIFImageDecoder.cpp:
        (WebCore::GIFImageDecoder::frameComplete):
        (WebCore::GIFImageDecoder::initFrameBuffer):
        * platform/image-decoders/jpeg/JPEGImageDecoder.cpp:
        (WebCore::JPEGImageDecoder::outputScanlines):
        (WebCore::JPEGImageDecoder::jpegComplete):
        * platform/image-decoders/png/PNGImageDecoder.cpp:
        (WebCore::PNGImageDecoder::rowAvailable):
        (WebCore::PNGImageDecoder::pngComplete):
        (WebCore::PNGImageDecoder::frameComplete):
        * platform/image-decoders/webp/WEBPImageDecoder.cpp:
        (WebCore::WEBPImageDecoder::decode):
        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::decodingModeForImageDraw):

2017-07-26  Jason Marcell

        Cherry-pick r219738. rdar://problem/33523826

    2017-07-21  Said Abou-Hallawa

        [CG] An image should not invoke many system calls before confirming its format is supported
        https://bugs.webkit.org/show_bug.cgi?id=174692

        Reviewed by Tim Horton.

        We should be careful when invoking system calls before confirming that the image type is
        available and it is one of the whitelisted formats. Otherwise we will be calling the parsers
        of the unsupported formats.

        * loader/cache/CachedImage.cpp:
        (WebCore::CachedImage::setImageDataBuffer): The check isAllowedImageUTI() is now done in
        ImageDecoder::encodedDataStatus(), which will return Error if there is an error in the data
        or isAllowedImageUTI() returns false.

        * platform/graphics/BitmapImage.cpp:
        (WebCore::BitmapImage::dataChanged): Avoid calling canUseAsyncDecodingForLargeImages()
        before confirming the image type is available and it's supported by WebKit.
        canUseAsyncDecodingForLargeImages() tries to cache the first frame of the image to know its
        size. Asking the ImageFrameCache to destroy its decoded frames is not needed unless
        ImageFrameCache::decodedSize() is not zero.

        * platform/graphics/cg/ImageDecoderCG.cpp:
        (WebCore::ImageDecoder::encodedDataStatus): Avoid calling CGImageSourceGetStatus() before
        knowing the UTI of the image. Once we know it, we call CGImageSourceGetStatus() and if it
        returns kCGImageStatusIncomplete or kCGImageStatusComplete, we check whether
        isAllowedImageUTI() holds or not. If isAllowedImageUTI() returns false, return Error, which
        will make the CachedImage cancel loading the rest of the image.

2017-07-26  Jason Marcell

        Cherry-pick r219829. rdar://problem/33523803

    2017-07-24  Simon Fraser

        Change "client" coordinates back to match scrolling coordinates
        https://bugs.webkit.org/show_bug.cgi?id=174734
        rdar://problem/33336930

        Reviewed by Tim Horton.
        Baidu.com (which uses jQuery), and various iOS apps make the assumption that
        getBoundingClientRect() returns a rectangle that can be used to set or compare with the
        scroll position. With visual viewports, that assumption is no longer valid when the page is
        zoomed, or when the keyboard has caused the visual viewport to detach from the layout
        viewport.

        At this point the compatibility cost of shipping layout viewport-based client rects seems
        higher than the gain, so revert to the shipping behavior.

        This reverts r216803, and will re-introduce bugs that occurred on zoomed pages on macOS,
        many of which are noted in webkit.org/b/170981.

        * page/FrameView.cpp:
        (WebCore::FrameView::documentToClientOffset):

2017-07-26  Jason Marcell

        Cherry-pick r219761. rdar://problem/33523829

    2017-07-22  Timothy Horton

        Drag and Drop preview image for Twitter link is the wrong shape
        https://bugs.webkit.org/show_bug.cgi?id=174731

        * dom/Range.cpp:
        (WebCore::Range::absoluteRectsForRangeInText):
        * page/TextIndicator.cpp:
        (WebCore::initializeIndicator):
        Apply some post-landing review feedback for r219756.

2017-07-26  Jason Marcell

        Cherry-pick r219756. rdar://problem/33523829

    2017-07-21  Timothy Horton

        Drag and Drop preview image for Twitter link is the wrong shape
        https://bugs.webkit.org/show_bug.cgi?id=174731

        Reviewed by Zalan Bujtas.

        TextIndicator uses Range::borderAndTextQuads and ::absoluteTextRects in order to get the
        rects of the indicated text. Currently, these functions do not respect clipping, so
        clipped-out text (e.g. as seen inside links on Twitter) generates lots of meaningless
        indicated rects.
        * page/TextIndicator.cpp:
        (WebCore::estimatedBackgroundColorForRange):
        (WebCore::hasAnyIllegibleColors):
        Change adjustTextIndicatorDataOptionsForEstimatedColorsIfNecessary to instead be
        hasAnyIllegibleColors, and refer to it in the same place as hasNonInlineOrReplacedElements,
        so that it follows the same upgrade path (leaving textRects empty, so that it is later filled
        in with the absoluteBoundingRect). This was a mistake in r219033, which instead would end up
        painting all content, but filling in textRects with the actual individual text rects.

        This alone changes the behavior on Twitter from lots of jagged misplaced rects to a
        too-large bounding rect. Combined with the following changes, the bounding rect is reduced
        to the right size:

        (WebCore::initializeIndicator):
        Adopt the new Range::borderAndTextQuads and ::absoluteTextRects parameter and opt in to
        respecting clipping for text rects.

        * dom/DOMRectList.cpp:
        (WebCore::DOMRectList::DOMRectList):
        * dom/DOMRectList.h:
        (WebCore::DOMRectList::create):
        Add a DOMRectList constructor and create() that take FloatRects, similar to the one that
        takes FloatQuads, but without the boundingRect() calls.

        * dom/Document.h:
        * dom/Document.cpp:
        (WebCore::Document::convertAbsoluteToClientRects):
        Add convertAbsoluteToClientRects, similar to convertAbsoluteToClientQuads, except acting on
        rects instead of quads.

        * dom/Range.cpp:
        (WebCore::Range::absoluteRectsForRangeInText):
        (WebCore::Range::absoluteTextRects):
        (WebCore::Range::getClientRects):
        (WebCore::Range::borderAndTextRects):
        (WebCore::Range::boundingRect):
        (WebCore::Range::absoluteBoundingRect):
        (WebCore::Range::borderAndTextQuads): Deleted.
        * dom/Range.h:
        Replace borderAndTextQuads with borderAndTextRects, because all callers just ended up
        calling boundingBox() on the quads. Factor absoluteRectsForRangeInText out of
        absoluteTextRects and borderAndTextQuads, and teach it to optionally intersect the text
        rects with their renderer's absoluteClippedOverflowRect.
2017-07-26 Jason Marcell Cherry-pick r219755. rdar://problem/33523843 2017-07-21 Per Arne Vollan Round-tripping stroke-width styles through getComputedStyle cause the text to gain a stroke. https://bugs.webkit.org/show_bug.cgi?id=174701 Reviewed by Simon Fraser. The initial value of stroke-color should be transparent, see https://www.w3.org/TR/fill-stroke-3/#stroke-color. Also, there is no need to set the graphics context in text stroke mode, if the stroke color is not visible. Test: fast/css/round-trip-stroke-width-using-computed-style.html * rendering/TextPaintStyle.cpp: (WebCore::updateGraphicsContext): * rendering/style/RenderStyle.h: (WebCore::RenderStyle::initialStrokeWidth): (WebCore::RenderStyle::initialStrokeColor): * rendering/style/StyleRareInheritedData.cpp: (WebCore::StyleRareInheritedData::StyleRareInheritedData): 2017-07-26 Jason Marcell Cherry-pick r219752. rdar://problem/33524766 2017-07-21 Timothy Horton TextIndicator::estimatedTextColorsForRange asserts inside HashSet code (inserting reserved value) https://bugs.webkit.org/show_bug.cgi?id=174733 Reviewed by Wenson Hsieh. * page/TextIndicator.cpp: (WebCore::estimatedTextColorsForRange): (WebCore::adjustTextIndicatorDataOptionsForEstimatedColorsIfNecessary): RGBA32 isn't a valid hash key, because we have no traits that define the empty or deleted values, nor do we have any bits we could feasibly use -- the full range of RGBA32 is easy to reach with various colors. Instead, hash Color directly. 2017-07-26 Jason Marcell Cherry-pick r219751. rdar://problem/33523861 2017-07-21 Nan Wang AX: Expose form validation on iOS as hint https://bugs.webkit.org/show_bug.cgi?id=174722 Reviewed by Chris Fleizach. Adding the validation message to the hint of the form control element. 
Test: accessibility/ios-simulator/form-control-validation-message.html * accessibility/AccessibilityObject.cpp: (WebCore::AccessibilityObject::isShowingValidationMessage): (WebCore::AccessibilityObject::validationMessage): * accessibility/AccessibilityObject.h: * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm: (-[WebAccessibilityObjectWrapper accessibilityHint]): (-[WebAccessibilityObjectWrapper accessibilityIsShowingValidationMessage]): * html/HTMLFormControlElement.cpp: (WebCore::HTMLFormControlElement::isShowingValidationMessage): * html/HTMLFormControlElement.h: 2017-07-26 Jason Marcell Cherry-pick r219742. rdar://problem/33523798 2017-07-21 Zalan Bujtas iBooks: Overlapping/missing content at beginning/end of paragraph. https://bugs.webkit.org/show_bug.cgi?id=174717 Reviewed by Simon Fraser. By definition simple and normal line layout should always produce the exact same lineboxes. It enables us not to force repaint while swapping between these 2 line layouts. However in certain cases (font size pixel rounding as an example) they don't agree on how much content fits the line and that could result in missing/overlapping content due to the lack of repaint. Unable to test. * rendering/RenderBlockFlow.cpp: (WebCore::RenderBlockFlow::ensureLineBoxes): 2017-07-26 Jason Marcell Cherry-pick r219737. rdar://problem/33523854 2017-07-21 Jeremy Jones AudioTrackPrivateMediaStreamCocoa shouldn't set AudioSession::setPreferredBufferSize https://bugs.webkit.org/show_bug.cgi?id=174707 rdar://problem/33446809 Reviewed by Eric Carlson. Manually tested for audio side effects. AudioChannel::copyFrom fails when AudioChannel lengths don't match. This happens because PlatformMediaSessionManager::updateSessionState() owns and sets AudioSession::setPreferredBufferSize(). However, AudioTrackPrivateMediaStreamCocoa::createAudioUnit, when it creates an input audio unit is setting AudioSession::setPreferredBufferSize() directly to its own arbitrary value.
AudioSession::setPreferredBufferSize() should be managed by the higher level PlatformMediaSessionManager, and not modified by audio unit creation, in order to keep harmony within the audio pipeline. * platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp: (WebCore::AudioTrackPrivateMediaStreamCocoa::createAudioUnit): 2017-07-26 Jason Marcell Cherry-pick r219736. rdar://problem/33523835 2017-07-21 Jeremy Jones Noise when AudioChannel lengths don't match. https://bugs.webkit.org/show_bug.cgi?id=174706 rdar://problem/33389856 Reviewed by Eric Carlson. When AudioChannel lengths don't match, copyFrom() returns early leaving uninitialized data in the audio buffer. This change zeros out the data, so there isn't objectionable noise sent to the speaker. * platform/audio/AudioChannel.cpp: (WebCore::AudioChannel::copyFrom): 2017-07-26 Jason Marcell Cherry-pick r219638. rdar://problem/33523787 2017-07-18 Ryosuke Niwa REGRESSION(r218910): Crash when password field changes to text field https://bugs.webkit.org/show_bug.cgi?id=174560 Reviewed by Zalan Bujtas. The crash was caused by textMarkerDataForFirstPositionInTextControl accessing a nullptr returned by getOrCreate. Unfortunately, in order to fix this bug while preserving the exact behavior would require synchronously creating a renderer for the editing host when the input type changed since we can't create an accessibility object out of a renderer-less node. Instead, revert back to pre-r218910 behavior of always using the text control element's axID when notifying the value change. While this is inconsistent with the way editing commands report content changes, I've since learned that VoiceOver has code to deal with this exact situation. Test: accessibility/mac/input-type-change-crash-2.html * accessibility/AXObjectCache.cpp: (WebCore::AXObjectCache::textMarkerDataForFirstPositionInTextControl): 2017-07-26 Jason Marcell Cherry-pick r219610.
rdar://problem/33523847 2017-07-18 Said Abou-Hallawa Async image decoding for large images should be disabled after the first time a tile is painted https://bugs.webkit.org/show_bug.cgi?id=174451 Reviewed by Simon Fraser. Flashing because of DOM mutation can be fixed by disabling the asynchronous image decoding after the first time a tile was painted. We can detect this by consulting the tile repaintCount. If it is zero, then it is safe to use asynchronous image decoding. If the tile repaintCount is greater than zero, we are not sure if the renderer rectangle has an image drawn in it already or not. In this case we have to use the synchronous image decoding to avoid causing a flash. Tests: fast/images/async-image-background-change.html fast/images/async-image-src-change.html http/tests/multipart/multipart-async-image.html * page/PageOverlayController.cpp: (WebCore::PageOverlayController::paintContents): * page/PageOverlayController.h: * page/linux/ResourceUsageOverlayLinux.cpp: * page/mac/ServicesOverlayController.h: * page/mac/ServicesOverlayController.mm: (WebCore::ServicesOverlayController::Highlight::paintContents): * platform/graphics/BitmapImage.h: * platform/graphics/GraphicsLayer.cpp: (WebCore::GraphicsLayer::paintGraphicsLayerContents): * platform/graphics/GraphicsLayer.h: * platform/graphics/GraphicsLayerClient.h: (WebCore::GraphicsLayerClient::paintContents): * platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp: (WebCore::LayerClient::platformCALayerPaintContents): * platform/graphics/ca/GraphicsLayerCA.cpp: (WebCore::GraphicsLayerCA::platformCALayerPaintContents): * platform/graphics/ca/GraphicsLayerCA.h: * platform/graphics/ca/PlatformCALayer.h: * platform/graphics/ca/PlatformCALayerClient.h: (WebCore::PlatformCALayerClient::platformCALayerRepaintCount): * platform/graphics/ca/TileCoverageMap.cpp: (WebCore::TileCoverageMap::platformCALayerPaintContents): * platform/graphics/ca/TileCoverageMap.h: * platform/graphics/ca/TileGrid.cpp:
(WebCore::TileGrid::platformCALayerPaintContents): (WebCore::TileGrid::platformCALayerRepaintCount): * platform/graphics/ca/TileGrid.h: * platform/graphics/ca/cocoa/PlatformCALayerCocoa.mm: (PlatformCALayer::drawLayerContents): * platform/graphics/ca/win/PlatformCALayerWin.cpp: (PlatformCALayer::drawLayerContents): * platform/graphics/ca/win/PlatformCALayerWinInternal.cpp: (PlatformCALayerWinInternal::displayCallback): * platform/graphics/ca/win/WebTiledBackingLayerWin.cpp: (WebTiledBackingLayerWin::displayCallback): * platform/graphics/mac/WebLayer.mm: (-[WebLayer drawInContext:]): (-[WebSimpleLayer drawInContext:]): * rendering/RenderBoxModelObject.cpp: (WebCore::RenderBoxModelObject::decodingModeForImageDraw): * rendering/RenderElement.h: * rendering/RenderLayerBacking.cpp: (WebCore::RenderLayerBacking::paintContents): * rendering/RenderLayerBacking.h: * rendering/RenderLayerCompositor.cpp: (WebCore::RenderLayerCompositor::paintContents): * rendering/RenderLayerCompositor.h: * testing/Internals.cpp: (WebCore::imageFromImageElement): (WebCore::bitmapImageFromImageElement): (WebCore::Internals::imageFrameIndex): (WebCore::Internals::setImageFrameDecodingDuration): (WebCore::Internals::resetImageAnimation): (WebCore::Internals::isImageAnimating): (WebCore::Internals::setClearDecoderAfterAsyncFrameRequestForTesting): (WebCore::Internals::imageDecodeCount): (WebCore::Internals::setLargeImageAsyncDecodingEnabledForTesting): * testing/Internals.h: * testing/Internals.idl: 2017-07-26 Jason Marcell Revert r219342. rdar://problem/33523803 2017-07-24 Jason Marcell Cherry-pick r219665. 2017-07-19 Myles C. Maxfield Setting the minimum font size preference doesn’t affect absolute line-height values, so lines overlap https://bugs.webkit.org/show_bug.cgi?id=174406 Reviewed by Simon Fraser. Reviewed by NOBODY. When the minimumFontSize API preference is set, we will increase the font size without increasing the line height. 
If the content specifies line-height as an absolute value, there can be two unfortunate results: - Adjacent lines in a paragraph can overlap - If the paragraph (or containing block or whatever) uses overflow: hidden, the first and last lines can be cut off and potentially indecipherable. Instead, we should use the minimum font size preference as a signal that we should increase the line-height as well as the font-size. Eventually, we will want to increase it by an amount proportional to the increase in font-size (which can be due to minimumFontSize, minimumLogicalFontSize, text autosizing, etc.). However, because minimumLogicalFontSize is on by default, this would cause a behavior change on many webpages which use small text, so such a change would be too risky right now. Instead, we can pretend that minimumFontSize is the only cause that text increases, and use this as the only signal to boost the corresponding line-height. Tests: fast/text/line-height-minimumFontSize-text-zoom.html fast/text/line-height-minimumFontSize-visual.html fast/text/line-height-minimumFontSize-zoom.html fast/text/line-height-minimumFontSize.html fast/text/line-height-minimumFontSize-autosize.html * css/StyleBuilderCustom.h: (WebCore::computeBaseSpecifiedFontSize): (WebCore::computeLineHeightMultiplierDueToFontSize): (WebCore::StyleBuilderCustom::applyValueLineHeight): (WebCore::StyleBuilderCustom::applyValueFill): (WebCore::StyleBuilderCustom::applyValueStroke): (WebCore::StyleBuilderCustom::applyValueContent): * rendering/TextAutoSizing.cpp: 2017-07-18 Myles C. Maxfield Setting the minimum font size preference doesn’t affect absolute line-height values, so lines overlap https://bugs.webkit.org/show_bug.cgi?id=174406 Reviewed by Simon Fraser. When the minimumFontSize API preference is set, we will increase the font size without increasing the line height.
If the content specifies line-height as an absolute value, there can be two unfortunate results: - Adjacent lines in a paragraph can overlap - If the paragraph (or containing block or whatever) uses overflow: hidden, the first and last lines can be cut off and potentially indecipherable. Instead, we should use the minimum font size preference as a signal that we should increase the line-height as well as the font-size. Eventually, we will want to increase it by an amount proportional to the increase in font-size (which can be due to minimumFontSize, minimumLogicalFontSize, text autosizing, etc.). However, because minimumLogicalFontSize is on by default, this would cause a behavior change on many webpages which use small text, so such a change would be too risky right now. Instead, we can pretend that minimumFontSize is the only cause that text increases, and use this as the only signal to boost the corresponding line-height. Tests: fast/text/line-height-minimumFontSize-text-zoom.html fast/text/line-height-minimumFontSize-visual.html fast/text/line-height-minimumFontSize-zoom.html fast/text/line-height-minimumFontSize.html fast/text/line-height-minimumFontSize-autosize.html * css/StyleBuilderCustom.h: (WebCore::computeBaseSpecifiedFontSize): (WebCore::computeLineHeightMultiplierDueToFontSize): (WebCore::StyleBuilderCustom::applyValueLineHeight): (WebCore::StyleBuilderCustom::applyValueFill): (WebCore::StyleBuilderCustom::applyValueStroke): (WebCore::StyleBuilderCustom::applyValueContent): * rendering/TextAutoSizing.cpp: 2017-07-23 Jason Marcell Cherry-pick r219571. rdar://problem/33464710 2017-07-17 Simon Fraser clientX/clientY on TouchEvent.touches are wrong https://bugs.webkit.org/show_bug.cgi?id=174561 rdar://problem/33336041 Reviewed by Tim Horton. Do some refactoring so that WebKitAdditions code that computes Touch coordinates can use the same code that MouseRelatedEvent uses.
There is no behavior change in this patch, but the test exercises a behavior change in WebKitAdditions code. Test: fast/events/touch/ios/touches-client-coords-after-zoom.html * dom/MouseRelatedEvent.cpp: (WebCore::MouseRelatedEvent::init): (WebCore::MouseRelatedEvent::frameViewFromDOMWindow): (WebCore::MouseRelatedEvent::pagePointToClientPoint): (WebCore::MouseRelatedEvent::pagePointToAbsolutePoint): (WebCore::MouseRelatedEvent::initCoordinates): (WebCore::MouseRelatedEvent::documentToAbsoluteScaleFactor): (WebCore::MouseRelatedEvent::computePageLocation): (WebCore::MouseRelatedEvent::locationInRootViewCoordinates): (WebCore::MouseRelatedEvent::frameView): Deleted. * dom/MouseRelatedEvent.h: 2017-07-22 Jason Marcell Cherry-pick r219662. rdar://problem/33464110 2017-07-19 Antoine Quint [iOS] REGRESSION: Scrubbing media using built-in controls does not pause media https://bugs.webkit.org/show_bug.cgi?id=174650 Reviewed by Dean Jackson. We would only pause when scrubbing on macOS because we only listened to "mousedown" events on the scrubber's backing element to identify that the user had started interacting with the scrubber. Implementing the same technique on iOS required a little more work than just listening to "touchstart" events on the same element. On top of that, we needed to make sure that we would only respond to "touchstart" events on the slider's thumb, and not on the track, since only on macOS should the user be able to click anywhere on the track to scrub. So we turn off pointer-events for the on iOS only, and turn them back on specifically for the thumb. There is also some finessing when dealing with touch events where we need to track the identifier of the touch that started the user interaction. So we keep track of it in an ivar and wait until we get a "touchend" event where the changedTouches list contains a touch with that same identifier to ensure the same touch that initiates and ends the scrubbing interaction. 
Finally, we fix another issue that was uncovered while turning back on the ScrubbingSupport tests where we would not trash the cached _value ivar when we initiated scrubbing, which was important since we would mistakenly use the pre-scrubbing value during a scrub. * Modules/modern-media-controls/controls/slider.css: (.ios .slider > input): (.slider > input::-webkit-slider-thumb): * Modules/modern-media-controls/controls/slider.js: (Slider.prototype.handleEvent): (Slider.prototype._handleMousedownEvent): (Slider.prototype._interactionEndTarget): (Slider.prototype._handleTouchstartEvent): (Slider.prototype._valueWillStartChanging): (Slider.prototype._valueDidStopChanging): (Slider.prototype._handleMouseupEvent): (Slider.prototype._handleTouchendEvent): 2017-07-22 Jason Marcell Cherry-pick r219711. rdar://problem/33465715 2017-07-20 Chris Dumez Hook up ITP quirks to the needsSiteSpecificQuirks setting https://bugs.webkit.org/show_bug.cgi?id=174691 Reviewed by Darin Adler. Hook up ITP quirks to the needsSiteSpecificQuirks setting to make it easier for Web-developers to test their fixes. * loader/ResourceLoadObserver.cpp: (WebCore::shouldEnableSiteSpecificQuirks): (WebCore::areDomainsAssociated): (WebCore::ResourceLoadObserver::logFrameNavigation): (WebCore::resourceNeedsSSOQuirk): (WebCore::ResourceLoadObserver::logSubresourceLoading): (WebCore::ResourceLoadObserver::logWebSocketLoading): 2017-07-22 Jason Marcell Cherry-pick r219709. rdar://problem/33462692 2017-07-20 David Quesada Add SPI to notify WKNavigationDelegate about client redirects https://bugs.webkit.org/show_bug.cgi?id=174680 rdar://problem/33184886 Reviewed by Brady Eidson. * loader/FrameLoader.cpp: (WebCore::FrameLoader::performClientRedirect): * loader/FrameLoader.h: Add a convenience method for NavigationScheduler that handles a FrameLoadRequest as a client redirect. Currently this means loading the request and informing the client about it.
* loader/FrameLoaderClient.h: Add FrameLoaderClient::dispatchDidPerformClientRedirect() to inform the client when a client redirect occurs. * loader/NavigationScheduler.cpp: Removed ScheduledURLNavigation::fire(). This class was never instantiated directly, and all subclasses override fire(), so this was unused code. For ScheduledRedirects and ScheduledLocationChange, use FrameLoader's new method to load the request as a client redirect. 2017-07-22 Jason Marcell Cherry-pick r219703. rdar://problem/33462696 2017-07-20 Chris Dumez Regression(ITP): May get frequently logged out of wsj.com https://bugs.webkit.org/show_bug.cgi?id=174661 Reviewed by Geoffrey Garen. Add the concept of associated domains in the ResourceLoadObserver. We previously ignored loads to and from the same domains. We now do the same if the to and from domains are associated (i.e. owned by the same entity). For now, only add domains owned by Dow Jones & Company, Inc. to the list, to address login issues on wsj.com. No new tests, verified manually on wsj.com. * loader/ResourceLoadObserver.cpp: (WebCore::areDomainsAssociated): (WebCore::ResourceLoadObserver::logFrameNavigation): (WebCore::ResourceLoadObserver::logSubresourceLoading): (WebCore::ResourceLoadObserver::logWebSocketLoading): 2017-07-22 Jason Marcell Cherry-pick r219701. rdar://problem/33465715 2017-07-20 Chris Dumez Regression(ITP): Can no longer log in on abc.go.com https://bugs.webkit.org/show_bug.cgi?id=174533 Reviewed by Geoffrey Garen. Add quirk for sp.auth.adobe.com which is used for SSO by web sites such as abc.go.com. This would otherwise cause adobe.com to be identified as a tracker and log in on abc.go.com would break. No new tests, tested manually on abc.go.com. * loader/ResourceLoadObserver.cpp: (WebCore::resourceNeedsSSOQuirk): (WebCore::ResourceLoadObserver::logSubresourceLoading): 2017-07-22 Jason Marcell Cherry-pick r219683. rdar://problem/33464463 2017-07-20 Brady Eidson WKHTTPCookieStore API tests fail on High Sierra.
and https://bugs.webkit.org/show_bug.cgi?id=174666 Reviewed by Andy Estes. Covered by existing API tests. In r219567 I'd moved cookie storage observation off of NSHTTPCookieStorage and NSNotificationCenter to CFHTTPCookieStorage observation callbacks. This is because notifications were only sent for the default [NSHTTPCookieStorage sharedHTTPCookieStorage] and not any of the other ones we keep in flight. Unfortunately that SPI has been disabled in High Sierra. Fortunately we found a way we can get non-shared NSHTTPCookieStorages to send notifications that works everywhere. * platform/network/cocoa/CookieStorageObserver.h: * platform/network/cocoa/CookieStorageObserver.mm: (-[WebCookieObserverAdapter initWithObserver:]): (-[WebCookieObserverAdapter cookiesChangedNotificationHandler:]): (WebCore::CookieStorageObserver::create): (WebCore::CookieStorageObserver::CookieStorageObserver): (WebCore::CookieStorageObserver::~CookieStorageObserver): (WebCore::CookieStorageObserver::startObserving): Use a trick to call some SPI on non-shared NSHTTPCookieStorages to get them to send notifications. (WebCore::CookieStorageObserver::stopObserving): (WebCore::cookiesChanged): Deleted. * platform/network/cocoa/NetworkStorageSessionCocoa.mm: (WebCore::NetworkStorageSession::cookieStorageObserver): 2017-07-22 Jason Marcell Cherry-pick r219668. rdar://problem/33462676 2017-07-19 Simon Fraser getBoundingClientRects not updated for programmatic scrolls https://bugs.webkit.org/show_bug.cgi?id=174538 rdar://problem/33049012 Reviewed by Tim Horton. Baidu.com has two event handlers on its , and both query the input location with getBoundingClientRect() and the current pageYOffset (via jQuery), then try to scroll the input to the top of the screen. The bug is that programmatic scrolls did not immediately update the layout viewport rect, so the second call to getBoundingClientRect() would return stale coordinates, triggering an extra scroll. 
To fix this, undo the fix for r219320 which tried to keep getBoundingClientRect() current during unstable scroll updates by adding a shadow layout viewport rect. Instead, almost always update the layout viewport rect on FrameView, even during unstable visible rect updates, but not if content insets are being changed interactively, since changing viewport heights cause problems with bottom-fixed elements. Also, we need to compute a new layout viewport rect in FrameView::updateLayoutViewport() for programmatic scrolls. However, always updating the layout viewport triggered issues with the scrolling tree. The scrolling state tree fossilizes layer positions relative to a specific viewport rect, and that relationship has to be maintained. There are code paths that recompute fixed/sticky viewport constraints when the layout viewport has changed but we haven't done layout or recomputed layer positions (e.g. updating viewport-constrained layers via updateScrollCoordinatedLayersAfterFlush()) and in these cases using a new layout viewport for those computations results in an inconsistent scrolling tree. Fix this by not updating scrolling constraints every time we have to re-register scrolling nodes. updateScrollCoordinatedLayersAfterFlush() only needs to update the layer on the scrolling node (to handle tiled/non-tiled switches), so make updateScrollCoordinatedLayer() a little more fine-grained, and only update constraints when we've just computed layer geometry. This allows for different scrolling nodes to have constraints computed at different times, with different layout viewports, which happens. Two additional fixes were required to make bottom-fixed bars behave correctly. First, FrameView::computeLayoutViewportOrigin() had a bug where rounding of half-pixel values would cause it to fall into the if (visualViewport.height() > layoutViewport.height()) clause, but then fail to clamp for rubber-banding. 
Second, the FrameView::unscaledMaximumScrollPosition() was wrong after zooming on iOS, since it uses visibleSize() which is affected by page scale on iOS only (and the function wants scale-independent values). Fix with a hack that should be cleaned up via webkit.org/b/174648. Tested by existing tests. * page/FrameView.cpp: (WebCore::FrameView::computeUpdatedLayoutViewportRect): (WebCore::FrameView::computeLayoutViewportOrigin): (WebCore::FrameView::setLayoutViewportOverrideRect): (WebCore::FrameView::updateLayoutViewport): (WebCore::FrameView::unscaledMaximumScrollPosition): (WebCore::FrameView::documentToClientOffset): (WebCore::FrameView::setUnstableLayoutViewportRect): Deleted. * page/FrameView.h: * page/scrolling/AsyncScrollingCoordinator.cpp: (WebCore::AsyncScrollingCoordinator::updateScrollPositionAfterAsyncScroll): (WebCore::AsyncScrollingCoordinator::reconcileScrollingState): (WebCore::AsyncScrollingCoordinator::reconcileViewportConstrainedLayerPositions): (WebCore::AsyncScrollingCoordinator::updateNodeLayer): (WebCore::AsyncScrollingCoordinator::updateNodeViewportConstraints): (WebCore::AsyncScrollingCoordinator::updateViewportConstrainedNode): Deleted. * page/scrolling/AsyncScrollingCoordinator.h: * page/scrolling/ScrollingCoordinator.cpp: (WebCore::operator<<): * page/scrolling/ScrollingCoordinator.h: (WebCore::ScrollingCoordinator::reconcileScrollingState): (WebCore::ScrollingCoordinator::updateNodeLayer): (WebCore::ScrollingCoordinator::updateNodeViewportConstraints): (WebCore::ScrollingCoordinator::updateViewportConstrainedNode): Deleted. 
* page/scrolling/ScrollingStateFixedNode.cpp: (WebCore::ScrollingStateFixedNode::updateConstraints): * page/scrolling/ScrollingStateStickyNode.cpp: (WebCore::ScrollingStateStickyNode::updateConstraints): (WebCore::ScrollingStateStickyNode::reconcileLayerPositionForViewportRect): * page/scrolling/ScrollingTree.cpp: (WebCore::ScrollingTree::commitTreeState): * page/scrolling/mac/ScrollingTreeFixedNode.mm: (WebCore::ScrollingTreeFixedNode::updateLayersAfterAncestorChange): * page/scrolling/mac/ScrollingTreeStickyNode.mm: (WebCore::ScrollingTreeStickyNode::updateLayersAfterAncestorChange): * rendering/RenderLayerBacking.cpp: (WebCore::RenderLayerBacking::updateGeometry): * rendering/RenderLayerCompositor.cpp: (WebCore::RenderLayerCompositor::updateScrollCoordinatedLayersAfterFlush): (WebCore::RenderLayerCompositor::updateBacking): (WebCore::RenderLayerCompositor::fixedRootBackgroundLayerChanged): (WebCore::RenderLayerCompositor::requiresCompositingForPosition): (WebCore::RenderLayerCompositor::updateScrollCoordinatedStatus): (WebCore::RenderLayerCompositor::computeFixedViewportConstraints): (WebCore::RenderLayerCompositor::computeStickyViewportConstraints): (WebCore::RenderLayerCompositor::updateScrollCoordinatedLayer): (WebCore::RenderLayerCompositor::didAddScrollingLayer): * rendering/RenderLayerCompositor.h: 2017-07-22 Jason Marcell Cherry-pick r219666. rdar://problem/33464328 2017-07-19 Megan Gardner Don't write file URLs to iOS Pasteboard https://bugs.webkit.org/show_bug.cgi?id=174647 Reviewed by Wenson Hsieh. Tests updated to reflect the changes. We are no longer vending file URLs in Drag & Drop and Copy/Paste. * editing/ios/EditorIOS.mm: (WebCore::Editor::writeImageToPasteboard): * platform/ios/PlatformPasteboardIOS.mm: (WebCore::PlatformPasteboard::write): 2017-07-22 Jason Marcell Cherry-pick r219661. 
rdar://problem/33465132 2017-07-19 Nan Wang AX: Web page reloaded when a node is labelling multiple childnodes https://bugs.webkit.org/show_bug.cgi?id=174655 Reviewed by Chris Fleizach. When we are asking for the aria-labelledby attribute of a node and its sibling is also labelled by the same node, we get into an infinite loop in textUnderElement since we only ignore one child. Added checks for siblings to avoid such a loop. Test: accessibility/mac/aria-labelledby-multiple-child-crash.html * accessibility/AccessibilityNodeObject.cpp: (WebCore::AccessibilityNodeObject::textUnderElement): 2017-07-22 Jason Marcell Cherry-pick r219645. rdar://problem/33464440 2017-07-18 Zalan Bujtas Media controls are missing content in fullscreen when document has scroll offset. https://bugs.webkit.org/show_bug.cgi?id=174644 Reviewed by Simon Fraser. If a non-user initiated scrolling (result of resize for example) is processed asynchronously, it might leapfrog other, programmatic scrollings and trigger unintentional scroll offsets (and turn into unwanted clippings). This patch ensures that both resize and top content inset change are translated into programmatic scrolling. Unable to test full screen video. * page/FrameView.cpp: (WebCore::FrameView::setFrameRect): (WebCore::FrameView::topContentInsetDidChange): 2017-07-22 Jason Marcell Cherry-pick r219641. rdar://problem/33464325 2017-07-18 Chris Dumez HysteresisActivity cannot be used in the UIProcess https://bugs.webkit.org/show_bug.cgi?id=174643 Reviewed by Tim Horton. Port HysteresisActivity to RunLoop::Timer so that it can safely be used in the UIProcess as well. * platform/HysteresisActivity.h: 2017-07-22 Jason Marcell Cherry-pick r219625. rdar://problem/33465689 2017-07-18 Antoine Quint [macOS] Mouse pointer does not hide during fullscreen playback https://bugs.webkit.org/show_bug.cgi?id=174638 Reviewed by Dean Jackson.
Test: media/modern-media-controls/css/webkit-cursor-visibility-auto-hide.html The user-agent stylesheet sets the "-webkit-cursor-visibility" to "auto-hide" for fullscreen