Updated WebKit to ad96ca2f9b57271da4ea7432022ac686ee0981c2

Integrated changes:

|| <https://webkit.org/b/37760> || FrameView's layout root can be detached by style recalc ||
|| <https://webkit.org/b/38922> || innerHTML decompilation issues in textarea ||
|| <https://webkit.org/b/36878> || REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port" ||
|| <https://webkit.org/b/37781> || [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR ||
|| <https://webkit.org/b/36502> || Cross-origin bypass: iFrame.src can be set to a JavaScript URL via nodeValue or textContent ||
|| <https://webkit.org/b/28697> || WebKit crash on WebCore::Node::nodeIndex() ||
|| <https://webkit.org/b/37031> || Cross-origin bypass: Javascript URL can be set as iframe.src via multiple DOM aliases ||
|| <https://webkit.org/b/36522> || [Qt] Rename QWebSettings::XSSAuditorEnabled to XSSAuditingEnabled ||
|| <https://webkit.org/b/38583> || Use of stale pointers whilst normalizing DOM nodes with mutation event handlers that modify element attributes ||
|| <https://webkit.org/b/41412> || [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear ||
|| <https://webkit.org/b/39878> || [Qt]: REGRESSION(r58703): QWebSettings::JavascriptCanAccessClipboard has wrong case in "Javascript" part. ||
|| <https://webkit.org/b/26824> || focus() behavior permits keystrokes to be redirected across domains ||
|| <https://webkit.org/b/39508> || Crash in WebCore::toAlphabetic() while running MangleMe ||
|| <https://webkit.org/b/36571> || WebKit should treat port numbers outside of the valid range as being blacklisted ||
|| <https://webkit.org/b/38497> || Make sure that http URLs always have a host in SecurityOrigin ||
|| <https://webkit.org/b/38626> || ZDI-CAN-765: CSS Charset Text Transformation Vulnerability ||
|| <https://webkit.org/b/36838> || Cross-origin image theft via SVGs as a canvas pattern ||
|| <https://webkit.org/b/27751> || [sg:high] Copying text to the system clipboard can be done in any context ||
|| <https://webkit.org/b/36843> || REGRESSION (r47291): XHR allows arbitrary XSRF across domains ||
|| <https://webkit.org/b/37230> || REGRESSION (4.0.5): Safari asks for credentials all the time when authenticating to Windows IIS Server ||
|| <https://webkit.org/b/37618> || Memory Corruption with Drag-Drop item from a purged document. ||
|| <https://webkit.org/b/38260> || Frame.src allows javascript URLs with starting spaces ||
|| <https://webkit.org/b/38261> || Table layout crash bug ||

7 files changed, 44 insertions, 15 deletions

diff --git a/src/3rdparty/webkit/WebCore/page/DragController.cpp b/src/3rdparty/webkit/WebCore/page/DragController.cpp
index f238b2774b..0da68735c5 100644
--- a/src/3rdparty/webkit/WebCore/page/DragController.cpp
+++ b/src/3rdparty/webkit/WebCore/page/DragController.cpp
@@ -313,7 +313,7 @@ bool DragController::tryDocumentDrag(DragData* dragData, DragDestinationAction a
         }
 
         IntPoint point = frameView->windowToContents(dragData->clientPosition());
-        Element* element = elementUnderMouse(m_documentUnderMouse, point);
+        Element* element = elementUnderMouse(m_documentUnderMouse.get(), point);
         if (!asFileInput(element)) {
             VisibleSelection dragCaret = m_documentUnderMouse->frame()->visiblePositionForPoint(point);
             m_page->dragCaretController()->setSelection(dragCaret);
@@ -363,7 +363,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
         return false;
 
     IntPoint point = m_documentUnderMouse->view()->windowToContents(dragData->clientPosition());
-    Element* element = elementUnderMouse(m_documentUnderMouse, point);
+    Element* element = elementUnderMouse(m_documentUnderMouse.get(), point);
     Frame* innerFrame = element->ownerDocument()->frame();
     ASSERT(innerFrame);
 
@@ -439,7 +439,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
             applyCommand(MoveSelectionCommand::create(fragment, dragCaret.base(), smartInsert, smartDelete));
         } else {
             if (setSelectionToDragCaret(innerFrame, dragCaret, range, point))
-                applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, fragment, true, dragData->canSmartReplace(), chosePlainText));
+                applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), fragment, true, dragData->canSmartReplace(), chosePlainText));
         }
     } else {
         String text = dragData->asPlainText();
@@ -450,7 +450,7 @@ bool DragController::concludeEditDrag(DragData* dragData)
 
         m_client->willPerformDragDestinationAction(DragDestinationActionEdit, dragData);
         if (setSelectionToDragCaret(innerFrame, dragCaret, range, point))
-            applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse, createFragmentFromText(range.get(), text), true, false, true));
+            applyCommand(ReplaceSelectionCommand::create(m_documentUnderMouse.get(), createFragmentFromText(range.get(), text), true, false, true));
     }
     loader->setAllowStaleResources(false);
 
diff --git a/src/3rdparty/webkit/WebCore/page/DragController.h b/src/3rdparty/webkit/WebCore/page/DragController.h
index 3b2b0839db..712f9ab3a3 100644
--- a/src/3rdparty/webkit/WebCore/page/DragController.h
+++ b/src/3rdparty/webkit/WebCore/page/DragController.h
@@ -67,13 +67,11 @@ namespace WebCore {
         DragOperation sourceDragOperation() const { return m_sourceDragOperation; }
         void setDraggingImageURL(const KURL& url) { m_draggingImageURL = url; }
         const KURL& draggingImageURL() const { return m_draggingImageURL; }
-        void setDragInitiator(Document* initiator) { m_dragInitiator = initiator; m_didInitiateDrag = true; }
-        Document* dragInitiator() const { return m_dragInitiator; }
         void setDragOffset(const IntPoint& offset) { m_dragOffset = offset; }
         const IntPoint& dragOffset() const { return m_dragOffset; }
         DragSourceAction dragSourceAction() const { return m_dragSourceAction; }
 
-        Document* documentUnderMouse() const { return m_documentUnderMouse; }
+        Document* documentUnderMouse() const { return m_documentUnderMouse.get(); }
         DragDestinationAction dragDestinationAction() const { return m_dragDestinationAction; }
         DragSourceAction delegateDragSourceAction(const IntPoint& pagePoint);
         
@@ -114,8 +112,8 @@ namespace WebCore {
         Page* m_page;
         DragClient* m_client;
         
-        Document* m_documentUnderMouse; // The document the mouse was last dragged over.
-        Document* m_dragInitiator; // The Document (if any) that initiated the drag.
+        RefPtr<Document> m_documentUnderMouse; // The document the mouse was last dragged over.
+        RefPtr<Document> m_dragInitiator; // The Document (if any) that initiated the drag.
         
         DragDestinationAction m_dragDestinationAction;
         DragSourceAction m_dragSourceAction;
diff --git a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp
index 165425713e..f1ee742bcc 100644
--- a/src/3rdparty/webkit/WebCore/page/EventHandler.cpp
+++ b/src/3rdparty/webkit/WebCore/page/EventHandler.cpp
@@ -2163,7 +2163,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent)
 
     if (initialKeyEvent.type() == PlatformKeyboardEvent::RawKeyDown) {
         node->dispatchEvent(keydown, ec);
-        return keydown->defaultHandled() || keydown->defaultPrevented();
+        // If frame changed as a result of keydown dispatch, then return true to avoid sending a subsequent keypress message to the new frame.
+        bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame();
+        return keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame;
     }
 
     // Run input method in advance of DOM event handling.  This may result in the IM
@@ -2183,7 +2185,9 @@ bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent)
     }
 
     node->dispatchEvent(keydown, ec);
-    bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented();
+    // If frame changed as a result of keydown dispatch, then return early to avoid sending a subsequent keypress message to the new frame.
+    bool changedFocusedFrame = m_frame->page() && m_frame != m_frame->page()->focusController()->focusedOrMainFrame();
+    bool keydownResult = keydown->defaultHandled() || keydown->defaultPrevented() || changedFocusedFrame;
     if (handledByInputMethod || (keydownResult && !backwardCompatibilityMode))
         return keydownResult;
     
diff --git a/src/3rdparty/webkit/WebCore/page/FrameView.cpp b/src/3rdparty/webkit/WebCore/page/FrameView.cpp
index 639414b428..01f0375214 100644
--- a/src/3rdparty/webkit/WebCore/page/FrameView.cpp
+++ b/src/3rdparty/webkit/WebCore/page/FrameView.cpp
@@ -1315,14 +1315,13 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot)
 {
     ASSERT(m_frame->view() == this);
 
-    if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer()
-            && m_frame->contentRenderer()->needsLayout())) {
+    if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) {
         if (relayoutRoot)
             relayoutRoot->markContainingBlocksForLayout(false);
         return;
     }
 
-    if (layoutPending()) {
+    if (layoutPending() || !m_layoutSchedulingEnabled) {
         if (m_layoutRoot != relayoutRoot) {
             if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) {
                 // Keep the current root
@@ -1339,7 +1338,7 @@ void FrameView::scheduleRelayoutOfSubtree(RenderObject* relayoutRoot)
                 relayoutRoot->markContainingBlocksForLayout(false);
             }
         }
-    } else {
+    } else if (m_layoutSchedulingEnabled) {
         int delay = m_frame->document()->minimumLayoutDelay();
         m_layoutRoot = relayoutRoot;
         m_delayedLayout = delay != 0;
diff --git a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
index c0b3e220ea..516c533a76 100644
--- a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
+++ b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
@@ -90,6 +90,20 @@ static URLSchemesMap& schemesWithUniqueOrigins()
     return schemesWithUniqueOrigins;
 }
 
+static bool schemeRequiresAuthority(const String& scheme)
+{
+    DEFINE_STATIC_LOCAL(URLSchemesMap, schemes, ());
+
+    if (schemes.isEmpty()) {
+        schemes.add("http");
+        schemes.add("https");
+        schemes.add("ftp");
+    }
+
+    return schemes.contains(scheme);
+}
+
+
 SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
     : m_sandboxFlags(sandboxFlags)
     , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
@@ -103,6 +117,10 @@ SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
     if (m_protocol == "about" || m_protocol == "javascript")
         m_protocol = "";
 
+    // For edge case URLs that were probably misparsed, make sure that the origin is unique.
+    if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty())
+        m_isUnique = true;
+
     // document.domain starts as m_host, but can be set by the DOM.
     m_domain = m_host;
 
diff --git a/src/3rdparty/webkit/WebCore/page/Settings.cpp b/src/3rdparty/webkit/WebCore/page/Settings.cpp
index 475d373f00..c0659d259f 100644
--- a/src/3rdparty/webkit/WebCore/page/Settings.cpp
+++ b/src/3rdparty/webkit/WebCore/page/Settings.cpp
@@ -79,6 +79,7 @@ Settings::Settings(Page* page)
     , m_allowUniversalAccessFromFileURLs(true)
     , m_allowFileAccessFromFileURLs(true)
     , m_javaScriptCanOpenWindowsAutomatically(false)
+    , m_javaScriptCanAccessClipboard(false)
     , m_shouldPrintBackgrounds(false)
     , m_textAreasAreResizable(false)
 #if ENABLE(DASHBOARD_SUPPORT)
@@ -291,6 +292,11 @@ void Settings::setJavaScriptCanOpenWindowsAutomatically(bool javaScriptCanOpenWi
     m_javaScriptCanOpenWindowsAutomatically = javaScriptCanOpenWindowsAutomatically;
 }
 
+void Settings::setJavaScriptCanAccessClipboard(bool javaScriptCanAccessClipboard)
+{
+    m_javaScriptCanAccessClipboard = javaScriptCanAccessClipboard;
+}
+
 void Settings::setDefaultTextEncodingName(const String& defaultTextEncodingName)
 {
     m_defaultTextEncodingName = defaultTextEncodingName;
diff --git a/src/3rdparty/webkit/WebCore/page/Settings.h b/src/3rdparty/webkit/WebCore/page/Settings.h
index b6777125c6..a6653ce7ac 100644
--- a/src/3rdparty/webkit/WebCore/page/Settings.h
+++ b/src/3rdparty/webkit/WebCore/page/Settings.h
@@ -122,6 +122,9 @@ namespace WebCore {
         void setJavaScriptCanOpenWindowsAutomatically(bool);
         bool javaScriptCanOpenWindowsAutomatically() const { return m_javaScriptCanOpenWindowsAutomatically; }
 
+        void setJavaScriptCanAccessClipboard(bool);
+        bool javaScriptCanAccessClipboard() const { return m_javaScriptCanAccessClipboard; }
+
         void setSpatialNavigationEnabled(bool);
         bool isSpatialNavigationEnabled() const { return m_isSpatialNavigationEnabled; }
 
@@ -330,6 +333,7 @@ namespace WebCore {
         bool m_allowUniversalAccessFromFileURLs: 1;
         bool m_allowFileAccessFromFileURLs: 1;
         bool m_javaScriptCanOpenWindowsAutomatically : 1;
+        bool m_javaScriptCanAccessClipboard : 1;
         bool m_shouldPrintBackgrounds : 1;
         bool m_textAreasAreResizable : 1;
 #if ENABLE(DASHBOARD_SUPPORT)