LibWeb: Use the correct target realm to tee a stream

We currently store Web::Fetch::Infrastructure::Response objects in the
HTTP cache. They are associated with their original realm, but when we
use a cached response, we clone it into the target realm. For example,
two <iframe> objects loading the same HTML will be in different realms.

When we clone the response, we must use the target realm throughout the
entire cloning process. We neglected to do this for the cloned response
body stream, which is cloned via teeing. The result was that the stream
for the "cloned" response was created in the original realm, causing
issues down the line when reading from that stream tried to handle read
promises on behalf of the original realm. There are protections in place
to prevent this from happening, and the cached response read would never
complete.
Timothy Flynn 2025-04-30 07:31:15 -04:00 committed by Tim Flynn
commit 0cd5e99066
Notes: github-actions[bot] 2025-04-30 13:31:23 +00:00
3 changed files with 7 additions and 4 deletions


@ -54,7 +54,7 @@ GC::Ref<Body> Body::clone(JS::Realm& realm)
// To clone a body body, run these steps:
// 1. Let « out1, out2 » be the result of teeing bodys stream.
auto [out1, out2] = m_stream->tee().release_value_but_fixme_should_propagate_errors();
auto [out1, out2] = m_stream->tee(&realm).release_value_but_fixme_should_propagate_errors();
// 2. Set bodys stream to out1.
m_stream = out1;
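Review bot: the hunk fixes only this call site in `Body::clone`, but the commit message says the target realm must be used throughout the entire cloning process; please confirm that the two other changed files (not shown here) thread `realm` all the way into the tee implementation so that both `out1` and `out2`, and the read promises created while teeing, are allocated in the target realm rather than in the stream's original realm. Two smaller points: `tee(&realm)` now passes a pointer even though `realm` is a non-null `JS::Realm&` here, so consider taking `JS::Realm&` in `tee()` unless a null realm is a meaningful input; and `release_value_but_fixme_should_propagate_errors()` still discards any error from teeing, which is pre-existing but worth a FIXME reference if one exists.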