2011-06-26 Adam Barth <abarth@webkit.org>
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 27 Jun 2011 04:49:46 +0000 (04:49 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 27 Jun 2011 04:49:46 +0000 (04:49 +0000)
        Reviewed by Eric Seidel.

        window.location should use the holder's prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=63411

        * http/tests/security/location-prototype-expected.txt: Added.
        * http/tests/security/location-prototype.html: Added.
        * http/tests/security/resources/location-prototype-overwrite.html: Added.
2011-06-26  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        window.location should use the holder's prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=63411

        This patch corrects the prototype chain for Location, but we really
        should do a complete cleanup of the prototype chain generation, like we
        did for JavaScriptCore.

        Test: http/tests/security/location-prototype.html

        * bindings/scripts/CodeGeneratorV8.pm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@89782 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/location-prototype-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/location-prototype.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/location-prototype-overwrite.html [new file with mode: 0644]
LayoutTests/platform/chromium/fast/dom/prototype-inheritance-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/bindings/scripts/CodeGeneratorV8.pm

index 5835169..fdf1d25 100644 (file)
@@ -1,5 +1,16 @@
 2011-06-26  Adam Barth  <abarth@webkit.org>
 
+        Reviewed by Eric Seidel.
+
+        window.location should use the holder's prototype chain
+        https://bugs.webkit.org/show_bug.cgi?id=63411
+
+        * http/tests/security/location-prototype-expected.txt: Added.
+        * http/tests/security/location-prototype.html: Added.
+        * http/tests/security/resources/location-prototype-overwrite.html: Added.
+
+2011-06-26  Adam Barth  <abarth@webkit.org>
+
         Reviewed by Kent Tamura.
 
         m_formElementsWithFormAttribute doesn't ref the objects it holds
diff --git a/LayoutTests/http/tests/security/location-prototype-expected.txt b/LayoutTests/http/tests/security/location-prototype-expected.txt
new file mode 100644 (file)
index 0000000..0970a03
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: Yay! Calling a function that shouldn't exist threw an exception.
+This test passes if it doesn't alert the string "fail". 
diff --git a/LayoutTests/http/tests/security/location-prototype.html b/LayoutTests/http/tests/security/location-prototype.html
new file mode 100644 (file)
index 0000000..9da5c66
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function loaded() {
+  try {
+    window.location.fail();
+  } catch(ex) {
+    alert("Yay! Calling a function that shouldn't exist threw an exception.");
+  }
+}
+
+</script>
+</head>
+<body onload="loaded()">
+This test passes if it doesn't alert the string "fail".
+<iframe src="http://127.0.0.1:8080/security/resources/location-prototype-overwrite.html"></iframe>
+</body>
+</html>
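Review bot: The `catch(ex)` on line 79 accepts any exception, so the test also reports success if the `window.location.fail()` line throws for some unrelated reason rather than because `fail` is absent; narrowing it to the intended failure mode keeps the expectation honest, e.g. `alert(ex instanceof TypeError ? "Yay! Calling a function that shouldn't exist threw an exception." : "Unexpected exception: " + ex);`. The body text says the test passes if it doesn't alert the string "fail", while the frame loaded from resources/location-prototype-overwrite.html alerts `'FAIL!'`; using the same string in both places would avoid a reader wondering whether a case-sensitive check is involved. The test also relies on the iframe's script running before the top frame's `onload`, which holds because the iframe load precedes the parent load event, but a one-line comment saying so would help a future maintainer.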
diff --git a/LayoutTests/http/tests/security/resources/location-prototype-overwrite.html b/LayoutTests/http/tests/security/resources/location-prototype-overwrite.html
new file mode 100644 (file)
index 0000000..c41da55
--- /dev/null
@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<script>
+// Make sure touch top window location first, get the hook to inject function.
+window.top.location;
+
+Object.prototype.fail = function() {
+  alert('FAIL!');
+};
+</script>
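Review bot: The comment on line 98 (`// Make sure touch top window location first, get the hook to inject function.`) is hard to parse and does not say why touching `window.top.location` matters, which is the whole point of this resource. Suggest something like `// Touch the top window's location from this cross-origin frame before the top frame does, so the Location wrapper is presumably first created while this frame is active; the Object.prototype.fail added below must not be reachable through the top frame's location object.` A reader of this file alone otherwise has no hint that the access on line 99 is deliberate rather than a stray statement.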
index 80dfbea..97f9f00 100644 (file)
@@ -717,16 +717,16 @@ PASS inner.getMatchedCSSRules.isInner is true
 PASS inner.getMatchedCSSRules.constructor.isInner is true
 PASS inner.getSelection.isInner is true
 PASS inner.getSelection.constructor.isInner is true
-FAIL inner.history.isInner should be true. Was false.
-FAIL inner.history.constructor.isInner should be true. Was false.
+PASS inner.history.isInner is true
+PASS inner.history.constructor.isInner is true
 PASS inner.isFinite.isInner is true
 PASS inner.isFinite.constructor.isInner is true
 PASS inner.isNaN.isInner is true
 PASS inner.isNaN.constructor.isInner is true
 FAIL inner.localStorage.isInner should be true. Was false.
 FAIL inner.localStorage.constructor.isInner should be true. Was false.
-FAIL inner.location.isInner should be true. Was false.
-FAIL inner.location.constructor.isInner should be true. Was false.
+PASS inner.location.isInner is true
+PASS inner.location.constructor.isInner is true
 FAIL inner.locationbar.isInner should be true. Was false.
 FAIL inner.locationbar.constructor.isInner should be true. Was false.
 PASS inner.matchMedia.isInner is true
index 432eeb6..da38775 100644 (file)
@@ -2,6 +2,21 @@
 
         Reviewed by Eric Seidel.
 
+        window.location should use the holder's prototype chain
+        https://bugs.webkit.org/show_bug.cgi?id=63411
+
+        This patch corrects the prototype chain for Location, but we really
+        should do a complete cleanup of the prototype chain generation, like we
+        did for JavaScriptCore.
+
+        Test: http/tests/security/location-prototype.html
+
+        * bindings/scripts/CodeGeneratorV8.pm:
+
+2011-06-26  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
         Add [Optional] attributes where appropriate for addEventListener and removeEventListener
         https://bugs.webkit.org/show_bug.cgi?id=63417
 
index 4f6184c..b5982b3 100644 (file)
@@ -634,6 +634,12 @@ sub IsNodeSubType
     return IsSubType($dataNode, "Node");
 }
 
+sub IsVisibleAcrossOrigins
+{
+    my $dataNode = shift;
+    return $dataNode->extendedAttributes->{"CheckDomainSecurity"} && !($dataNode->name eq "DOMWindow");
+}
+
 sub GenerateDomainSafeFunctionGetter
 {
     my $function = shift;
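Review bot: `IsVisibleAcrossOrigins` has no comment explaining why DOMWindow is excluded even though it carries CheckDomainSecurity, and `!($dataNode->name eq "DOMWindow")` reads awkwardly where `return $dataNode->extendedAttributes->{"CheckDomainSecurity"} && $dataNode->name ne "DOMWindow";` says the same thing. It also matters that the predicate covers every CheckDomainSecurity interface other than DOMWindow, not just Location: the platform/chromium prototype-inheritance expectations in this same commit flip `inner.history` to PASS as well, while the ChangeLog only names Location. A header comment such as `# True for interfaces whose wrappers are reachable from other origins (CheckDomainSecurity), except DOMWindow, whose wrapper is created elsewhere (confirm).` would record both the scope and the exclusion, with the DOMWindow reason confirmed by whoever knows that path.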
@@ -2525,7 +2531,20 @@ END
 END
     }
 
-    if (IsNodeSubType($dataNode)) {
+    # FIXME: We need a better way of recovering the correct prototype chain
+    # for every sort of object. For now, we special-case cross-origin visible
+    # objects (i.e., those with CheckDomainSecurity).
+    if (IsVisibleAcrossOrigins($dataNode)) {
+        push(@implContent, <<END);
+    if (impl->frame()) {
+        proxy = V8Proxy::retrieve(impl->frame());
+        if (proxy)
+            proxy->windowShell()->initContextIfNeeded();
+    }
+END
+    }
+
+    if (IsNodeSubType($dataNode) || IsVisibleAcrossOrigins($dataNode)) {
         push(@implContent, <<END);
 
     v8::Handle<v8::Context> context;
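Review bot: In the generated block at lines 174-178, `proxy` is reassigned only when `impl->frame()` is non-null, so for a cross-origin-visible object whose frame has gone away `proxy` keeps whatever value the surrounding code (not visible in this hunk) gave it, and the context entered by the following `IsNodeSubType || IsVisibleAcrossOrigins` block may then not be the holder's; whether that reintroduces the caller-prototype-chain problem for detached objects depends on how `proxy` is initialised above the hunk and is worth checking. The return value of `initContextIfNeeded()` is discarded; if it can fail, the context read below may be empty, which the later `if (!context.IsEmpty())` guard appears to tolerate but should be confirmed against V8DOMWindowShell. The generated C++ would benefit from stating its intent, e.g. `// Create the wrapper in the holder frame's context so that a cross-origin caller's prototype chain does not become visible through this object.` emitted above the `if (impl->frame())` line. The enclosing generator sub starts and ends outside this hunk.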
@@ -2541,7 +2560,7 @@ END
     push(@implContent, <<END);
     wrapper = V8DOMWrapper::instantiateV8Object(proxy, &info, impl);
 END
-    if (IsNodeSubType($dataNode)) {
+    if (IsNodeSubType($dataNode) || IsVisibleAcrossOrigins($dataNode)) {
         push(@implContent, <<END);
     // Exit the node's context if it was entered.
     if (!context.IsEmpty())