Object.getOwnPropertyDescriptor() does not work correctly cross origin
authorcdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Sep 2016 18:23:33 +0000 (18:23 +0000)
committercdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Sep 2016 18:23:33 +0000 (18:23 +0000)
commitefc32c9ca6490d5a01d8b5d1946e541ad9ec23e9
tree2906ca80e4540152bdf08fad2d0a07ad96e349dd
parentd749d5036cc6188015fb496ae5723d4c6a818515
Object.getOwnPropertyDescriptor() does not work correctly cross origin
https://bugs.webkit.org/show_bug.cgi?id=162311

Reviewed by Gavin Barraclough.

LayoutTests/imported/w3c:

Rebaseline W3C test now that more checks are passing.

* web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:

Source/JavaScriptCore:

Add a CustomGetterSetter field to PropertySlot that gets populated
by getOwnPropertySlot() and use it in getOwnPropertyDescriptor()
to properly populate the descriptor. We used to rely on reifying
the properties and then call getDirect() in order to get the
CustomGetterSetter. However, this hack was insufficient to support
the cross-origin case because we need to control more precisely
the visibility of the getter and the setter. For example, Location's
href property has both a getter and a setter in the same origin
case but only has a setter in the cross-origin case.

In the future, we can extend the use of PropertySlot's
customGetterSetter field to the same origin case and get rid of the
reification + getDirect() hack in getOwnPropertyDescriptor().

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::customAccessorGetter):
* runtime/PropertySlot.h:

Source/WebCore:

Object.getOwnPropertyDescriptor() does not work correctly cross origin. In particular:
- We return value descriptors for attributes instead of getter/setter descriptors
- attributes / operations are wrongly marked as non-configurable

Corresponding specification:
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)

Test: http/tests/security/cross-origin-descriptors.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::getOwnPropertySlotDelegate):

LayoutTests:

Add layout test coverage.

* http/tests/security/cross-origin-descriptors-expected.txt: Added.
* http/tests/security/cross-origin-descriptors.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206221 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/cross-origin-descriptors-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-descriptors.html [new file with mode: 0644]
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/PropertySlot.cpp
Source/JavaScriptCore/runtime/PropertySlot.h
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
Source/WebCore/bindings/js/JSLocationCustom.cpp