Closed Bug 1588225 Opened 6 years ago Closed 6 years ago

[wpt-sync] Sync PR 19649 - Fix a bug that could allow duplicate form submissions

Categories

(Core :: DOM: Core & HTML, task, P4)

Product:
Core
Component:
DOM: Core & HTML
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 19649 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/19649
Details from upstream follow.

Joey Arhar <jarhar@chromium.org> wrote:

Fix a bug that could allow duplicate form submissions

Previous to this CL, and after [1], if a form Submit button had an
onclick handler that also called form.submit() and did not call
event.preventDefault(), the form would get submitted twice. The second
request was eventually cancelled, but not before it hit the network.
This behavior is specified in [2], through the "plan to navigate"
mechanism. In the case of this bug, the "click" event occurs first,
and changes the "planned navigation". Then, because the click handler
does not preventDefault(), the default submit action is executed,
which changes the "planned navigation", replacing the navigation
queued by the onclick handler. Therefore, only the default submit
navigation is performed.

Note that there are other potential interactions which are less
clearly specified, and which are not addressed in this CL.
For example:

\<iframe id="test" name="test">\</iframe>
\<form id=form1 target="test" action="click.html">\</form>
\<a target="test" onclick="form1.submit()" href="href.html">Test\</a>

In this case, clicking the \<a> link first submits the form (to
click.html), and then queues a navigation to href.html. Because
the navigation to href.html is specified (in [3]) to "queue a
navigation", independently of the planned navigation specified
in [2], it is unclear when/whether the form submission should
take place. The spec ([4]) does have provisions for canceling
existing navigations, but that leaves room for the form to still
get to the network in this case, before getting canceled.

[1] https://chromium.googlesource.com/chromium/src/+/6931ab86f19aa79abbdd0c1062084e16b5c4f0f6
[2] https://www.w3.org/TR/html52/sec-forms.html#form-submission-algorithm
[3] https://html.spec.whatwg.org/#following-hyperlinks
[4] https://html.spec.whatwg.org/#navigating-across-documents

Bug: 977882
Change-Id: I693f3bdccb17c5e64df75c2e569fab589c02e88c
Reviewed-on: https://chromium-review.googlesource.com/1850358
WPT-Export-Revision: eda4d1b2a07cadceb999253eae9bb14ec0e28d54

Component: web-platform-tests → DOM: Core & HTML
Product: Testing → Core

GitHub CI Results

wpt.fyi PR Results Base Results

Ran 3 tests and 3 subtests

Firefox

OK : 3
PASS: 3

Chrome

OK : 3
PASS: 1
FAIL: 2

Safari

OK : 3
PASS: 2
FAIL: 1

Pushed by james@hoppipolla.co.uk: https://hg.mozilla.org/integration/mozilla-inbound/rev/b42250684411 [wpt PR 19649] - Fix a bug that could allow duplicate form submissions, a=testonly

https://hg.mozilla.org/mozilla-central/rev/b42250684411

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.