Luke Wilde 52a6f1ff8c LibWeb: Bail FrameLoader's load callbacks if associated BC is discarded ...

This prevents us setting up the document of a removed browsing context
container (BCC, e.g. <iframe>), which will cause a crash if the
document contains a script that inserts another BCC as this will use
the stale browsing context it previously set up, even if it's
reinserted.

Required by Prebid.js, which does this by inserting an `<iframe>` into
a `<div>` in the active document via innerHTML, then transfers it to
the `<html>` element:
7b7389c5ab/src/utils.js (L597)

This is done in the spec by removing all tasks and aborting all fetches
when a document is destroyed:
https://html.spec.whatwg.org/multipage/document-lifecycle.html#destroy-a-document

See the code comments for a simplified example.

2023-03-01 10:51:04 +01:00

18 KiB

Raw Blame History

View Raw