Index: Source/core/loader/FrameLoader.cpp |
diff --git a/Source/core/loader/FrameLoader.cpp b/Source/core/loader/FrameLoader.cpp |
index a291a62c83023f79e55965421ee5dd2896fc0b28..af96d5fc8f1ec9c2ad998e2d03af725fd3137c44 100644 |
--- a/Source/core/loader/FrameLoader.cpp |
+++ b/Source/core/loader/FrameLoader.cpp |
@@ -965,21 +965,15 @@ void FrameLoader::commitProvisionalLoad() |
// The call to closeURL() invokes the unload event handler, which can execute arbitrary |
// JavaScript. If the script initiates a new load, we need to abandon the current load, |
// or the two will stomp each other. |
+ // detachChildren will similarly trigger child frame unload event handlers. |
if (m_documentLoader) |
closeURL(); |
+ detachChildren(); |
if (pdl != m_provisionalDocumentLoader) |
return; |
- |
- // detachChildren() can trigger this frame's unload event, and therefore |
- // script can run and do just about anything. For example, an unload event that calls |
- // document.write("") on its parent frame can lead to a recursive detachChildren() |
- // invocation for this frame. Leave the loader that is being committed in a temporarily |
- // detached state, such that it can't be found and cancelled. |
- RefPtr<DocumentLoader> loaderBeingCommitted = m_provisionalDocumentLoader.release(); |
- detachChildren(); |
if (m_documentLoader) |
m_documentLoader->detachFromFrame(); |
- m_documentLoader = loaderBeingCommitted; |
+ m_documentLoader = m_provisionalDocumentLoader.release(); |
m_state = FrameStateCommittedPage; |
if (isLoadingMainFrame()) |