LibWeb: Abort ongoing navigation before firing next navigation event

I haven't found this being mentioned in the current spec, but that is what chromium (atm the only other Navigation API implementer) does. Fixes crashing when location.hash is changed subsequently more than once using JS.
Author: https://github.com/kalenikaliaksandr Commit: 890da021c4 Pull-request: https://github.com/SerenityOS/serenity/pull/23983
2025-09-10 11:36:22 +00:00 · 2024-04-16 18:29:07 +02:00 · 2024-04-16 18:29:07 +02:00 · 890da021c4 · 2024-07-17 02:59:43 +09:00
commit 890da021c4
parent 0389f01cc8
3 changed files with 16 additions and 0 deletions
--- a/Tests/LibWeb/Text/expected/navigation/trigger-fragment-navigation-from-js.txt
+++ b/Tests/LibWeb/Text/expected/navigation/trigger-fragment-navigation-from-js.txt
@ -0,0 +1,2 @@
+#1
+#2
--- a/Tests/LibWeb/Text/input/navigation/trigger-fragment-navigation-from-js.html
+++ b/Tests/LibWeb/Text/input/navigation/trigger-fragment-navigation-from-js.html
@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        location.hash = "#1";
+        println(location.hash);
+        location.hash = "#2";
+        println(location.hash);
+    });
+</script>
--- a/Userland/Libraries/LibWeb/HTML/Navigation.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Navigation.cpp
@ -918,6 +918,10 @@ bool Navigation::inner_navigate_event_firing_algorithm(
    Optional<String> download_request_filename,
    Optional<SerializationRecord> classic_history_api_state)
 {
+    // NOTE: Specification assumes that ongoing navigation event is cancelled before dispatching next navigation event.
+    if (m_ongoing_navigate_event)
+        abort_the_ongoing_navigation();
+
    auto& realm = relevant_realm(*this);

    // 1. If navigation has entries and events disabled, then: