From 890da021c4f68abc4069d9e49ed02538f350734d Mon Sep 17 00:00:00 2001
From: Aliaksandr Kalenik <kalenik.aliaksandr@gmail.com>
Date: Tue, 16 Apr 2024 18:29:07 +0200
Subject: [PATCH] LibWeb: Abort ongoing navigation before firing next
 navigation event

I haven't found this being mentioned in the current spec, but that is
what chromium (atm the only other Navigation API implementer) does.

Fixes crashing when location.hash is changed subsequently more than once
using JS.
---
 .../navigation/trigger-fragment-navigation-from-js.txt |  2 ++
 .../trigger-fragment-navigation-from-js.html           | 10 ++++++++++
 Userland/Libraries/LibWeb/HTML/Navigation.cpp          |  4 ++++
 3 files changed, 16 insertions(+)
 create mode 100644 Tests/LibWeb/Text/expected/navigation/trigger-fragment-navigation-from-js.txt
 create mode 100644 Tests/LibWeb/Text/input/navigation/trigger-fragment-navigation-from-js.html

diff --git a/Tests/LibWeb/Text/expected/navigation/trigger-fragment-navigation-from-js.txt b/Tests/LibWeb/Text/expected/navigation/trigger-fragment-navigation-from-js.txt
new file mode 100644
index 00000000000..d440af6d3b5
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/navigation/trigger-fragment-navigation-from-js.txt
@@ -0,0 +1,2 @@
+#1
+#2
diff --git a/Tests/LibWeb/Text/input/navigation/trigger-fragment-navigation-from-js.html b/Tests/LibWeb/Text/input/navigation/trigger-fragment-navigation-from-js.html
new file mode 100644
index 00000000000..f1d1a30ccde
--- /dev/null
+++ b/Tests/LibWeb/Text/input/navigation/trigger-fragment-navigation-from-js.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        location.hash = "#1";
+        println(location.hash);
+        location.hash = "#2";
+        println(location.hash);
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/HTML/Navigation.cpp b/Userland/Libraries/LibWeb/HTML/Navigation.cpp
index 74e1164278e..124ca4c265d 100644
--- a/Userland/Libraries/LibWeb/HTML/Navigation.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Navigation.cpp
@@ -918,6 +918,10 @@ bool Navigation::inner_navigate_event_firing_algorithm(
     Optional<String> download_request_filename,
     Optional<SerializationRecord> classic_history_api_state)
 {
+    // NOTE: Specification assumes that ongoing navigation event is cancelled before dispatching next navigation event.
+    if (m_ongoing_navigate_event)
+        abort_the_ongoing_navigation();
+
     auto& realm = relevant_realm(*this);
 
     // 1. If navigation has entries and events disabled, then: