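<script>
if (window.testRunner) {
    testRunner.waitUntilDone();
    testRunner.dumpAsText();
}

var haveAddedIFrame = false;

window.onbeforeunload = function() {
    // Assumption: the flag check and the dispatchEvent() call are inferred from the
    // alert text and the otherwise unused event and anchor; this copy does not show them.
    if (!haveAddedIFrame) {
        alert("onbeforeunload called, and iframe hasn't been added yet.");
        // Click a detached anchor to request a second navigation from inside beforeunload.
        var a = document.createEvent("MouseEvents");
        a.initEvent("click", true, true);
        var d = document.createElement("a");
        d.href = "http://localhost:1234/";
        d.dispatchEvent(a);
    }
}

// Starts the first navigation, which fires beforeunload.
function clicked() {
    window.location.href="http://127.0.0.1:1234/";
}

function addiframe() {
    alert("Adding iframe");
    var frame = document.createElement("iframe");
    frame.src = "http://localhost:1234/"
    document.body.appendChild(frame);
    haveAddedIFrame = true;
    if (window.testRunner)
        testRunner.notifyDone();
}

// Assumption: the clicked() call is inferred from the link text in the body.
function runTest() {
    clicked();
    setTimeout("addiframe();", 0);
}
</script>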
<body onload="runTest();">
This test demonstrates a problem with our handling of the beforeunload event.<br>
If a script manages to try and navigate the frame from beforeunload - when a navigation is already pending - we end up blowing out the stack by recursively consulting the policy delegate then running onbeforeunload repeatedly.<br>
After this happens, the FrameLoader is in a bogus state where it thinks it is in the middle of a provisional load, but it doesn't have a provisional document loader.<br>
In this state, the frame is very difficult to navigate anywhere else, and attempts to load new things within the frame can result in a crash.<br>
This was reproducibly identified on sears.com following a bizarre Safari specific code path.<br>
<a href="javascript:void(clicked())">Click here to run the beforeunload test and blow out the stack</a><br>
<a href="javascript:void(addiframe())">Click here to append an iframe and crash</a><br>
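Added example, not part of the original test and not WebKit code: a simplified JavaScript model of the failure described above, in which a navigation requested from inside beforeunload re-enters the policy check until the stack is exhausted and leaves a provisional state with no provisional loader, next to a variant with a re-entrancy guard. `ModelLoader`, `runModel`, the depth limit and the guard itself are assumptions made for illustration.

```javascript
// Simplified model of a frame loader. All names here are hypothetical.
class ModelLoader {
  constructor(guard, maxDepth = 50) {
    this.guard = guard;            // true: drop navigations requested during beforeunload
    this.maxDepth = maxDepth;      // stand-in for the native stack limit
    this.depth = 0;
    this.inBeforeUnload = false;
    this.provisionalLoad = null;   // models the provisional document loader
    this.state = "committed";
    this.onbeforeunload = null;
    this.handlerRuns = 0;
  }

  navigate(url) {
    if (this.guard && this.inBeforeUnload) return false;  // re-entrant request dropped
    if (++this.depth > this.maxDepth) throw new RangeError("stack exhausted");
    try {
      this.state = "provisional";
      // Policy check: run the page's beforeunload handler before loading.
      this.inBeforeUnload = true;
      this.handlerRuns++;
      try { if (this.onbeforeunload) this.onbeforeunload(this); }
      finally { this.inBeforeUnload = false; }
      this.provisionalLoad = { url };
      return true;
    } finally {
      this.depth--;
    }
  }

  // The inconsistent state the test description names.
  isBogus() { return this.state === "provisional" && this.provisionalLoad === null; }
}

function runModel(guard) {
  const loader = new ModelLoader(guard);
  // Same shape as the test: the handler asks for another navigation.
  loader.onbeforeunload = (l) => l.navigate("http://localhost:1234/");
  let overflowed = false;
  try { loader.navigate("http://127.0.0.1:1234/"); }
  catch (e) { if (!(e instanceof RangeError)) throw e; overflowed = true; }
  return { overflowed, handlerRuns: loader.handlerRuns, bogus: loader.isBogus() };
}
```

Without the guard the handler runs once per nesting level and the model ends in the provisional-without-loader state; with it the handler runs once and the first navigation proceeds.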