From 42d7e3bb7ed56dcd9c1b1ff7f445b078e8a203d2 Mon Sep 17 00:00:00 2001
From: Henri Sivonen <hsivonen@hsivonen.fi>
Date: Tue, 13 Aug 2024 15:15:03 +0000
Subject: [PATCH] Bug 1910951 - Avoid incorrect use of nsParser when meta
 refresh is added to about:blank. r=sefeng, a=dsmith

Differential Revision: https://phabricator.services.mozilla.com/D218926
---
 dom/html/nsHTMLDocument.cpp                         |  2 +-
 parser/htmlparser/tests/crashtests/1910951-1.html   | 13 +++++++++++++
 parser/htmlparser/tests/crashtests/crashtests.list  |  1 +
 .../htmlparser/tests/crashtests/file_1910951-1.html |  1 +
 4 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 parser/htmlparser/tests/crashtests/1910951-1.html
 create mode 100644 parser/htmlparser/tests/crashtests/file_1910951-1.html

diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index 8db05f826b38..629ccb13aa79 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -338,7 +338,7 @@ nsresult nsHTMLDocument::StartDocumentLoad(
   if (loadAsHtml5 && view) {
     // mDocumentURI hasn't been set, yet, so get the URI from the channel
     nsCOMPtr<nsIURI> uri;
-    aChannel->GetOriginalURI(getter_AddRefs(uri));
+    aChannel->GetURI(getter_AddRefs(uri));
     if (NS_IsAboutBlankAllowQueryAndFragment(uri)) {
       loadAsHtml5 = false;
     }
diff --git a/parser/htmlparser/tests/crashtests/1910951-1.html b/parser/htmlparser/tests/crashtests/1910951-1.html
new file mode 100644
index 000000000000..cd7d719e306e
--- /dev/null
+++ b/parser/htmlparser/tests/crashtests/1910951-1.html
@@ -0,0 +1,13 @@
+<html class="reftest-wait">
+  <iframe></iframe>
+  <script>
+    onmessage = function() {
+        document.documentElement.className = "";
+    }
+    const iframe = document.querySelector("iframe");
+    const meta = iframe.contentDocument.createElement('meta');
+    meta.httpEquiv = 'Refresh';
+    meta.content = '0; url=file_1910951-1.html';
+    iframe.contentDocument.head.append(meta);
+  </script>
+</html>
diff --git a/parser/htmlparser/tests/crashtests/crashtests.list b/parser/htmlparser/tests/crashtests/crashtests.list
index 9c42436efe6f..d192947f8eea 100644
--- a/parser/htmlparser/tests/crashtests/crashtests.list
+++ b/parser/htmlparser/tests/crashtests/crashtests.list
@@ -66,3 +66,4 @@ load 1547895-1.html
 skip-if(Android||isDebugBuild||AddressSanitizer||ThreadSanitizer) load 1747514.html # Too slow for some configurations, see bug 1780219 for android for example.
 HTTP load 1810896-1.html
 load 1854907-1.html
+load 1910951-1.html
diff --git a/parser/htmlparser/tests/crashtests/file_1910951-1.html b/parser/htmlparser/tests/crashtests/file_1910951-1.html
new file mode 100644
index 000000000000..98e09bfcca4c
--- /dev/null
+++ b/parser/htmlparser/tests/crashtests/file_1910951-1.html
@@ -0,0 +1 @@
+<script>parent.postMessage("done", "*");</script>