2 * Copyright (C) 2008, 2009 Google Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above
11 * copyright notice, this list of conditions and the following disclaimer
12 * in the documentation and/or other materials provided with the
14 * * Neither the name of Google Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived from
16 * this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 #include "ChromiumBridge.h"
35 #include "CSSMutableStyleDeclaration.h"
36 #include "DateExtension.h"
37 #include "DOMObjectsInclude.h"
38 #include "DocumentLoader.h"
39 #include "FrameLoaderClient.h"
40 #include "InspectorTimelineAgent.h"
42 #include "PageGroup.h"
43 #include "ScriptController.h"
44 #include "StorageNamespace.h"
45 #include "V8Binding.h"
46 #include "V8Collection.h"
47 #include "V8ConsoleMessage.h"
48 #include "V8CustomBinding.h"
50 #include "V8DOMWindow.h"
51 #include "V8HiddenPropertyName.h"
53 #include "V8IsolatedWorld.h"
54 #include "WorkerContextExecutionProxy.h"
61 #include <wtf/Assertions.h>
62 #include <wtf/OwnArrayPtr.h>
63 #include <wtf/StdLibExtras.h>
64 #include <wtf/StringExtras.h>
65 #include <wtf/UnusedParam.h>
69 v8::Persistent<v8::Context> V8Proxy::m_utilityContext;
71 // Static list of registered extensions
72 V8Extensions V8Proxy::m_extensions;
74 void batchConfigureAttributes(v8::Handle<v8::ObjectTemplate> instance,
75 v8::Handle<v8::ObjectTemplate> proto,
76 const BatchedAttribute* attributes,
77 size_t attributeCount)
79 for (size_t i = 0; i < attributeCount; ++i)
80 configureAttribute(instance, proto, attributes[i]);
83 void batchConfigureCallbacks(v8::Handle<v8::ObjectTemplate> proto,
84 v8::Handle<v8::Signature> signature,
85 v8::PropertyAttribute attributes,
86 const BatchedCallback* callbacks,
89 for (size_t i = 0; i < callbackCount; ++i) {
90 proto->Set(v8::String::New(callbacks[i].name),
91 v8::FunctionTemplate::New(callbacks[i].callback,
92 v8::Handle<v8::Value>(),
98 void batchConfigureConstants(v8::Handle<v8::FunctionTemplate> functionDescriptor,
99 v8::Handle<v8::ObjectTemplate> proto,
100 const BatchedConstant* constants,
101 size_t constantCount)
103 for (size_t i = 0; i < constantCount; ++i) {
104 const BatchedConstant* constant = &constants[i];
105 functionDescriptor->Set(v8::String::New(constant->name), v8::Integer::New(constant->value), v8::ReadOnly);
106 proto->Set(v8::String::New(constant->name), v8::Integer::New(constant->value), v8::ReadOnly);
110 typedef HashMap<Node*, v8::Object*> DOMNodeMap;
111 typedef HashMap<void*, v8::Object*> DOMObjectMap;
114 // Map of SVG objects with contexts to their contexts
115 static HashMap<void*, SVGElement*>& svgObjectToContextMap()
117 typedef HashMap<void*, SVGElement*> SvgObjectToContextMap;
118 DEFINE_STATIC_LOCAL(SvgObjectToContextMap, staticSvgObjectToContextMap, ());
119 return staticSvgObjectToContextMap;
122 void V8Proxy::setSVGContext(void* object, SVGElement* context)
127 SVGElement* oldContext = svgObjectToContextMap().get(object);
129 if (oldContext == context)
138 svgObjectToContextMap().set(object, context);
141 SVGElement* V8Proxy::svgContext(void* object)
143 return svgObjectToContextMap().get(object);
148 typedef HashMap<int, v8::FunctionTemplate*> FunctionTemplateMap;
150 bool AllowAllocation::m_current = false;
152 void logInfo(Frame* frame, const String& message, const String& url)
154 Page* page = frame->page();
157 V8ConsoleMessage consoleMessage(message, url, 0);
158 consoleMessage.dispatchNow(page);
161 enum DelayReporting {
166 static void reportUnsafeAccessTo(Frame* target, DelayReporting delay)
169 Document* targetDocument = target->document();
173 Frame* source = V8Proxy::retrieveFrameForEnteredContext();
174 if (!source || !source->document())
175 return; // Ignore error if the source document is gone.
177 Document* sourceDocument = source->document();
179 // FIXME: This error message should contain more specifics of why the same
180 // origin check has failed.
181 String str = String::format("Unsafe JavaScript attempt to access frame "
182 "with URL %s from frame with URL %s. "
183 "Domains, protocols and ports must match.\n",
184 targetDocument->url().string().utf8().data(),
185 sourceDocument->url().string().utf8().data());
187 // Build a console message with fake source ID and line number.
188 const String kSourceID = "";
189 const int kLineNumber = 1;
190 V8ConsoleMessage message(str, kSourceID, kLineNumber);
192 if (delay == ReportNow) {
193 // NOTE: Safari prints the message in the target page, but it seems like
194 // it should be in the source page. Even for delayed messages, we put it in
195 // the source page; see V8ConsoleMessage::processDelayed().
196 message.dispatchNow(source->page());
198 ASSERT(delay == ReportLater);
199 // We cannot safely report the message eagerly, because this may cause
200 // allocations and GCs internally in V8 and we cannot handle that at this
201 // point. Therefore we delay the reporting.
202 message.dispatchLater();
206 static void reportUnsafeJavaScriptAccess(v8::Local<v8::Object> host, v8::AccessType type, v8::Local<v8::Value> data)
208 Frame* target = V8Custom::GetTargetFrame(host, data);
210 reportUnsafeAccessTo(target, ReportLater);
213 static void handleFatalErrorInV8()
215 // FIXME: We temporarily deal with V8 internal error situations
216 // such as out-of-memory by crashing the renderer.
220 static void reportFatalErrorInV8(const char* location, const char* message)
222 // V8 is shutdown, we cannot use V8 api.
223 // The only thing we can do is to disable JavaScript.
224 // FIXME: clean up V8Proxy and disable JavaScript.
225 printf("V8 error: %s (%s)\n", message, location);
226 handleFatalErrorInV8();
229 V8Proxy::V8Proxy(Frame* frame)
231 , m_inlineCode(false)
232 , m_timerCallback(false)
243 void V8Proxy::destroyGlobal()
245 if (!m_global.IsEmpty()) {
247 V8GCController::unregisterGlobalHandle(this, m_global);
254 v8::Handle<v8::Script> V8Proxy::compileScript(v8::Handle<v8::String> code, const String& fileName, int baseLine)
256 const uint16_t* fileNameString = fromWebCoreString(fileName);
257 v8::Handle<v8::String> name = v8::String::New(fileNameString, fileName.length());
258 v8::Handle<v8::Integer> line = v8::Integer::New(baseLine);
259 v8::ScriptOrigin origin(name, line);
260 v8::Handle<v8::Script> script = v8::Script::Compile(code, &origin);
264 bool V8Proxy::handleOutOfMemory()
266 v8::Local<v8::Context> context = v8::Context::GetCurrent();
268 if (!context->HasOutOfMemoryException())
271 // Warning, error, disable JS for this frame?
272 Frame* frame = V8Proxy::retrieveFrame(context);
274 V8Proxy* proxy = V8Proxy::retrieve(frame);
276 // Clean m_context, and event handlers.
277 proxy->clearForClose();
279 proxy->destroyGlobal();
282 ChromiumBridge::notifyJSOutOfMemory(frame);
285 Settings* settings = frame->settings();
287 settings->setJavaScriptEnabled(false);
292 void V8Proxy::evaluateInIsolatedWorld(int worldID, const Vector<ScriptSourceCode>& sources, int extensionGroup)
294 initContextIfNeeded();
296 v8::HandleScope handleScope;
297 V8IsolatedWorld* world = 0;
300 IsolatedWorldMap::iterator iter = m_isolatedWorlds.find(worldID);
301 if (iter != m_isolatedWorlds.end()) {
302 world = iter->second;
304 world = new V8IsolatedWorld(this, extensionGroup);
305 if (world->context().IsEmpty()) {
310 m_isolatedWorlds.set(worldID, world);
312 // Setup context id for JS debugger.
313 if (!setInjectedScriptContextDebugId(world->context())) {
314 m_isolatedWorlds.take(worldID);
320 world = new V8IsolatedWorld(this, extensionGroup);
321 if (world->context().IsEmpty()) {
327 v8::Local<v8::Context> context = v8::Local<v8::Context>::New(world->context());
328 v8::Context::Scope context_scope(context);
329 for (size_t i = 0; i < sources.size(); ++i)
330 evaluate(sources[i], 0);
336 void V8Proxy::evaluateInNewContext(const Vector<ScriptSourceCode>& sources, int extensionGroup)
338 initContextIfNeeded();
340 v8::HandleScope handleScope;
342 // Set up the DOM window as the prototype of the new global object.
343 v8::Handle<v8::Context> windowContext = m_context;
344 v8::Handle<v8::Object> windowGlobal = windowContext->Global();
345 v8::Handle<v8::Object> windowWrapper = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, windowGlobal);
347 ASSERT(V8DOMWrapper::convertDOMWrapperToNative<DOMWindow>(windowWrapper) == m_frame->domWindow());
349 v8::Persistent<v8::Context> context = createNewContext(v8::Handle<v8::Object>(), extensionGroup);
350 if (context.IsEmpty())
353 v8::Context::Scope contextScope(context);
355 // Setup context id for JS debugger.
356 if (!setInjectedScriptContextDebugId(context)) {
361 v8::Handle<v8::Object> global = context->Global();
363 v8::Handle<v8::String> implicitProtoString = v8::String::New("__proto__");
364 global->Set(implicitProtoString, windowWrapper);
366 // Give the code running in the new context a way to get access to the
368 global->Set(v8::String::New("contentWindow"), windowGlobal);
370 m_frame->loader()->client()->didCreateIsolatedScriptContext();
372 // Run code in the new context.
373 for (size_t i = 0; i < sources.size(); ++i)
374 evaluate(sources[i], 0);
376 // Using the default security token means that the canAccess is always
377 // called, which is slow.
378 // FIXME: Use tokens where possible. This will mean keeping track of all
379 // created contexts so that they can all be updated when the document domain
381 context->UseDefaultSecurityToken();
385 bool V8Proxy::setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext)
387 // Setup context id for JS debugger.
388 v8::Context::Scope contextScope(targetContext);
389 if (m_context.IsEmpty())
391 int debugId = contextDebugId(m_context);
396 snprintf(buffer, sizeof(buffer), "injected,%d", debugId);
397 targetContext->SetData(v8::String::New(buffer));
402 v8::Local<v8::Value> V8Proxy::evaluate(const ScriptSourceCode& source, Node* node)
404 ASSERT(v8::Context::InContext());
406 V8GCController::checkMemoryUsage();
408 #if ENABLE(INSPECTOR)
409 if (InspectorTimelineAgent* timelineAgent = m_frame->page() ? m_frame->page()->inspectorTimelineAgent() : 0)
410 timelineAgent->willEvaluateScript(source.url().isNull() ? String() : source.url().string(), source.startLine());
413 v8::Local<v8::Value> result;
415 // Isolate exceptions that occur when compiling and executing
416 // the code. These exceptions should not interfere with
417 // javascript code we might evaluate from C++ when returning
419 v8::TryCatch tryCatch;
420 tryCatch.SetVerbose(true);
422 // Compile the script.
423 v8::Local<v8::String> code = v8ExternalString(source.source());
424 ChromiumBridge::traceEventBegin("v8.compile", node, "");
426 // NOTE: For compatibility with WebCore, ScriptSourceCode's line starts at
427 // 1, whereas v8 starts at 0.
428 v8::Handle<v8::Script> script = compileScript(code, source.url(), source.startLine() - 1);
429 ChromiumBridge::traceEventEnd("v8.compile", node, "");
431 ChromiumBridge::traceEventBegin("v8.run", node, "");
432 // Set inlineCode to true for <a href="javascript:doSomething()">
433 // and false for <script>doSomething</script>. We make a rough guess at
434 // this based on whether the script source has a URL.
435 result = runScript(script, source.url().string().isNull());
437 ChromiumBridge::traceEventEnd("v8.run", node, "");
439 #if ENABLE(INSPECTOR)
440 if (InspectorTimelineAgent* timelineAgent = m_frame->page() ? m_frame->page()->inspectorTimelineAgent() : 0)
441 timelineAgent->didEvaluateScript();
447 v8::Local<v8::Value> V8Proxy::runScript(v8::Handle<v8::Script> script, bool isInlineCode)
449 if (script.IsEmpty())
450 return notHandledByInterceptor();
452 V8GCController::checkMemoryUsage();
453 // Compute the source string and prevent against infinite recursion.
454 if (m_recursion >= kMaxRecursionDepth) {
455 v8::Local<v8::String> code = v8ExternalString("throw RangeError('Recursion too deep')");
456 // FIXME: Ideally, we should be able to re-use the origin of the
457 // script passed to us as the argument instead of using an empty string
459 script = compileScript(code, "", 0);
462 if (handleOutOfMemory())
463 ASSERT(script.IsEmpty());
465 if (script.IsEmpty())
466 return notHandledByInterceptor();
468 // Save the previous value of the inlineCode flag and update the flag for
469 // the duration of the script invocation.
470 bool previousInlineCode = inlineCode();
471 setInlineCode(isInlineCode);
473 // Run the script and keep track of the current recursion depth.
474 v8::Local<v8::Value> result;
476 V8ConsoleMessage::Scope scope;
478 // See comment in V8Proxy::callFunction.
479 m_frame->keepAlive();
482 result = script->Run();
486 // Release the storage mutex if applicable.
487 releaseStorageMutex();
489 if (handleOutOfMemory())
490 ASSERT(result.IsEmpty());
492 // Handle V8 internal error situation (Out-of-memory).
493 if (result.IsEmpty())
494 return notHandledByInterceptor();
496 // Restore inlineCode flag.
497 setInlineCode(previousInlineCode);
499 if (v8::V8::IsDead())
500 handleFatalErrorInV8();
505 v8::Local<v8::Value> V8Proxy::callFunction(v8::Handle<v8::Function> function, v8::Handle<v8::Object> receiver, int argc, v8::Handle<v8::Value> args[])
507 V8GCController::checkMemoryUsage();
508 v8::Local<v8::Value> result;
510 V8ConsoleMessage::Scope scope;
512 if (m_recursion >= kMaxRecursionDepth) {
513 v8::Local<v8::String> code = v8::String::New("throw new RangeError('Maximum call stack size exceeded.')");
516 v8::Local<v8::Script> script = v8::Script::Compile(code);
517 if (script.IsEmpty())
523 // Evaluating the JavaScript could cause the frame to be deallocated,
524 // so we start the keep alive timer here.
525 // Frame::keepAlive method adds the ref count of the frame and sets a
526 // timer to decrease the ref count. It assumes that the current JavaScript
527 // execution finishs before firing the timer.
528 m_frame->keepAlive();
531 result = function->Call(receiver, argc, args);
535 // Release the storage mutex if applicable.
536 releaseStorageMutex();
538 if (v8::V8::IsDead())
539 handleFatalErrorInV8();
544 v8::Local<v8::Value> V8Proxy::newInstance(v8::Handle<v8::Function> constructor, int argc, v8::Handle<v8::Value> args[])
546 // No artificial limitations on the depth of recursion, see comment in
547 // V8Proxy::callFunction.
548 v8::Local<v8::Value> result;
550 V8ConsoleMessage::Scope scope;
552 // See comment in V8Proxy::callFunction.
553 m_frame->keepAlive();
555 result = constructor->NewInstance(argc, args);
558 if (v8::V8::IsDead())
559 handleFatalErrorInV8();
564 v8::Local<v8::Object> V8Proxy::createWrapperFromCacheSlowCase(V8ClassIndex::V8WrapperType type)
567 int classIndex = V8ClassIndex::ToInt(type);
568 initContextIfNeeded();
569 v8::Context::Scope scope(m_context);
570 v8::Local<v8::Function> function = V8DOMWrapper::getConstructor(type, getHiddenObjectPrototype(m_context));
571 v8::Local<v8::Object> instance = SafeAllocation::newInstance(function);
572 if (!instance.IsEmpty()) {
573 m_wrapperBoilerplates->Set(v8::Integer::New(classIndex), instance);
574 return instance->Clone();
576 return notHandledByInterceptor();
579 bool V8Proxy::isContextInitialized()
581 // m_context, m_global, and m_wrapperBoilerplates should
582 // all be non-empty if if m_context is non-empty.
583 ASSERT(m_context.IsEmpty() || !m_global.IsEmpty());
584 ASSERT(m_context.IsEmpty() || !m_wrapperBoilerplates.IsEmpty());
585 return !m_context.IsEmpty();
588 DOMWindow* V8Proxy::retrieveWindow(v8::Handle<v8::Context> context)
590 v8::Handle<v8::Object> global = context->Global();
591 ASSERT(!global.IsEmpty());
592 global = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, global);
593 ASSERT(!global.IsEmpty());
594 return V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, global);
597 Frame* V8Proxy::retrieveFrame(v8::Handle<v8::Context> context)
599 DOMWindow* window = retrieveWindow(context);
600 Frame* frame = window->frame();
601 if (frame && frame->domWindow() == window)
603 // We return 0 here because |context| is detached from the Frame. If we
604 // did return |frame| we could get in trouble because the frame could be
605 // navigated to another security origin.
609 Frame* V8Proxy::retrieveFrameForEnteredContext()
611 v8::Handle<v8::Context> context = v8::Context::GetEntered();
612 if (context.IsEmpty())
614 return retrieveFrame(context);
617 Frame* V8Proxy::retrieveFrameForCurrentContext()
619 v8::Handle<v8::Context> context = v8::Context::GetCurrent();
620 if (context.IsEmpty())
622 return retrieveFrame(context);
625 Frame* V8Proxy::retrieveFrameForCallingContext()
627 v8::Handle<v8::Context> context = v8::Context::GetCalling();
628 if (context.IsEmpty())
630 return retrieveFrame(context);
633 V8Proxy* V8Proxy::retrieve()
635 DOMWindow* window = retrieveWindow(currentContext());
637 return retrieve(window->frame());
640 V8Proxy* V8Proxy::retrieve(Frame* frame)
644 return frame->script()->isEnabled() ? frame->script()->proxy() : 0;
647 V8Proxy* V8Proxy::retrieve(ScriptExecutionContext* context)
649 if (!context->isDocument())
651 return retrieve(static_cast<Document*>(context)->frame());
654 void V8Proxy::disconnectFrame()
658 void V8Proxy::updateDocumentWrapper(v8::Handle<v8::Value> wrapper)
660 clearDocumentWrapper();
662 ASSERT(m_document.IsEmpty());
663 m_document = v8::Persistent<v8::Value>::New(wrapper);
665 V8GCController::registerGlobalHandle(PROXY, this, m_document);
669 void V8Proxy::clearDocumentWrapper()
671 if (!m_document.IsEmpty()) {
673 V8GCController::unregisterGlobalHandle(this, m_document);
675 m_document.Dispose();
680 void V8Proxy::updateDocumentWrapperCache()
682 v8::HandleScope handleScope;
683 v8::Context::Scope contextScope(m_context);
685 // If the document has no frame, NodeToV8Object might get the
686 // document wrapper for a document that is about to be deleted.
687 // If the ForceSet below causes a garbage collection, the document
688 // might get deleted and the global handle for the document
689 // wrapper cleared. Using the cleared global handle will lead to
690 // crashes. In this case we clear the cache and let the DOMWindow
691 // accessor handle access to the document.
692 if (!m_frame->document()->frame()) {
693 clearDocumentWrapperCache();
697 v8::Handle<v8::Value> documentWrapper = V8DOMWrapper::convertNodeToV8Object(m_frame->document());
699 // If instantiation of the document wrapper fails, clear the cache
700 // and let the DOMWindow accessor handle access to the document.
701 if (documentWrapper.IsEmpty()) {
702 clearDocumentWrapperCache();
705 m_context->Global()->ForceSet(v8::String::New("document"), documentWrapper, static_cast<v8::PropertyAttribute>(v8::ReadOnly | v8::DontDelete));
708 void V8Proxy::clearDocumentWrapperCache()
710 ASSERT(!m_context.IsEmpty());
711 m_context->Global()->ForceDelete(v8::String::New("document"));
714 void V8Proxy::disposeContextHandles()
716 if (!m_context.IsEmpty()) {
717 m_frame->loader()->client()->didDestroyScriptContextForFrame();
722 if (!m_wrapperBoilerplates.IsEmpty()) {
724 V8GCController::unregisterGlobalHandle(this, m_wrapperBoilerplates);
726 m_wrapperBoilerplates.Dispose();
727 m_wrapperBoilerplates.Clear();
731 void V8Proxy::releaseStorageMutex()
733 // If we've just left a top level script context and local storage has been
734 // instantiated, we must ensure that any storage locks have been freed.
735 // Per http://dev.w3.org/html5/spec/Overview.html#storage-mutex
736 if (m_recursion != 0)
738 Page* page = m_frame->page();
741 if (page->group().hasLocalStorage())
742 page->group().localStorage()->unlock();
745 void V8Proxy::resetIsolatedWorlds()
747 for (IsolatedWorldMap::iterator iter = m_isolatedWorlds.begin();
748 iter != m_isolatedWorlds.end(); ++iter) {
749 iter->second->destroy();
751 m_isolatedWorlds.clear();
754 void V8Proxy::clearForClose()
756 resetIsolatedWorlds();
758 if (!m_context.IsEmpty()) {
759 v8::HandleScope handleScope;
761 clearDocumentWrapper();
762 disposeContextHandles();
766 void V8Proxy::clearForNavigation()
768 resetIsolatedWorlds();
770 if (!m_context.IsEmpty()) {
771 v8::HandleScope handle;
772 clearDocumentWrapper();
774 v8::Context::Scope contextScope(m_context);
776 // Clear the document wrapper cache before turning on access checks on
777 // the old DOMWindow wrapper. This way, access to the document wrapper
778 // will be protected by the security checks on the DOMWindow wrapper.
779 clearDocumentWrapperCache();
781 // Turn on access check on the old DOMWindow wrapper.
782 v8::Handle<v8::Object> wrapper = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, m_global);
783 ASSERT(!wrapper.IsEmpty());
784 wrapper->TurnOnAccessCheck();
786 // Separate the context from its global object.
787 m_context->DetachGlobal();
789 disposeContextHandles();
793 void V8Proxy::setSecurityToken()
795 Document* document = m_frame->document();
796 // Setup security origin and security token.
798 m_context->UseDefaultSecurityToken();
802 // Ask the document's SecurityOrigin to generate a security token.
803 // If two tokens are equal, then the SecurityOrigins canAccess each other.
804 // If two tokens are not equal, then we have to call canAccess.
805 // Note: we can't use the HTTPOrigin if it was set from the DOM.
806 SecurityOrigin* origin = document->securityOrigin();
808 if (!origin->domainWasSetInDOM())
809 token = document->securityOrigin()->toString();
811 // An empty or "null" token means we always have to call
812 // canAccess. The toString method on securityOrigins returns the
813 // string "null" for empty security origins and for security
814 // origins that should only allow access to themselves. In this
815 // case, we use the global object as the security token to avoid
816 // calling canAccess when a script accesses its own objects.
817 if (token.isEmpty() || token == "null") {
818 m_context->UseDefaultSecurityToken();
822 CString utf8Token = token.utf8();
823 // NOTE: V8 does identity comparison in fast path, must use a symbol
824 // as the security token.
825 m_context->SetSecurityToken(v8::String::NewSymbol(utf8Token.data(), utf8Token.length()));
828 void V8Proxy::updateDocument()
830 if (!m_frame->document())
833 if (m_global.IsEmpty())
836 // There is an existing JavaScript wrapper for the global object
837 // of this frame. JavaScript code in other frames might hold a
838 // reference to this wrapper. We eagerly initialize the JavaScript
839 // context for the new document to make property access on the
840 // global object wrapper succeed.
841 initContextIfNeeded();
843 // Bail out if context initialization failed.
844 if (m_context.IsEmpty())
847 // We have a new document and we need to update the cache.
848 updateDocumentWrapperCache();
850 updateSecurityOrigin();
853 void V8Proxy::updateSecurityOrigin()
855 v8::HandleScope scope;
859 // Same origin policy implementation:
861 // Same origin policy prevents JS code from domain A access JS & DOM objects
862 // in a different domain B. There are exceptions and several objects are
863 // accessible by cross-domain code. For example, the window.frames object is
864 // accessible by code from a different domain, but window.document is not.
866 // The binding code sets security check callbacks on a function template,
867 // and accessing instances of the template calls the callback function.
868 // The callback function checks same origin policy.
870 // Callback functions are expensive. V8 uses a security token string to do
871 // fast access checks for the common case where source and target are in the
872 // same domain. A security token is a string object that represents
873 // the protocol/url/port of a domain.
875 // There are special cases where a security token matching is not enough.
876 // For example, JavaScript can set its domain to a super domain by calling
877 // document.setDomain(...). In these cases, the binding code can reset
878 // a context's security token to its global object so that the fast access
879 // check will always fail.
881 // Check if the current execution context can access a target frame.
882 // First it checks same domain policy using the lexical context
884 // This is equivalent to KJS::Window::allowsAccessFrom(ExecState*, String&).
885 bool V8Proxy::canAccessPrivate(DOMWindow* targetWindow)
887 ASSERT(targetWindow);
891 DOMWindow* originWindow = retrieveWindow(currentContext());
892 if (originWindow == targetWindow)
898 const SecurityOrigin* activeSecurityOrigin = originWindow->securityOrigin();
899 const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin();
901 // We have seen crashes were the security origin of the target has not been
902 // initialized. Defend against that.
903 if (!targetSecurityOrigin)
906 if (activeSecurityOrigin->canAccess(targetSecurityOrigin))
909 // Allow access to a "about:blank" page if the dynamic context is a
910 // detached context of the same frame as the blank page.
911 if (targetSecurityOrigin->isEmpty() && originWindow->frame() == targetWindow->frame())
917 bool V8Proxy::canAccessFrame(Frame* target, bool reportError)
919 // The subject is detached from a frame, deny accesses.
923 if (!canAccessPrivate(target->domWindow())) {
925 reportUnsafeAccessTo(target, ReportNow);
931 bool V8Proxy::checkNodeSecurity(Node* node)
936 Frame* target = node->document()->frame();
941 return canAccessFrame(target, true);
944 v8::Persistent<v8::Context> V8Proxy::createNewContext(v8::Handle<v8::Object> global, int extensionGroup)
946 v8::Persistent<v8::Context> result;
948 // The activeDocumentLoader pointer could be NULL during frame shutdown.
949 if (!m_frame->loader()->activeDocumentLoader())
952 // Create a new environment using an empty template for the shadow
953 // object. Reuse the global object if one has been created earlier.
954 v8::Persistent<v8::ObjectTemplate> globalTemplate = V8DOMWindow::GetShadowObjectTemplate();
955 if (globalTemplate.IsEmpty())
958 // Install a security handler with V8.
959 globalTemplate->SetAccessCheckCallbacks(V8Custom::v8DOMWindowNamedSecurityCheck, V8Custom::v8DOMWindowIndexedSecurityCheck, v8::Integer::New(V8ClassIndex::DOMWINDOW));
960 globalTemplate->SetInternalFieldCount(V8Custom::kDOMWindowInternalFieldCount);
962 // Used to avoid sleep calls in unload handlers.
963 if (!registeredExtensionWithV8(DateExtension::get()))
964 registerExtension(DateExtension::get(), String());
966 // Dynamically tell v8 about our extensions now.
967 OwnArrayPtr<const char*> extensionNames(new const char*[m_extensions.size()]);
969 for (size_t i = 0; i < m_extensions.size(); ++i) {
970 if (m_extensions[i].group && m_extensions[i].group != extensionGroup)
973 // Note: we check the loader URL here instead of the document URL
974 // because we might be currently loading an URL into a blank page.
975 // See http://code.google.com/p/chromium/issues/detail?id=10924
976 if (m_extensions[i].scheme.length() > 0 && (m_extensions[i].scheme != m_frame->loader()->activeDocumentLoader()->url().protocol() || m_extensions[i].scheme != m_frame->page()->mainFrame()->loader()->activeDocumentLoader()->url().protocol()))
979 extensionNames[index++] = m_extensions[i].extension->name();
981 v8::ExtensionConfiguration extensions(index, extensionNames.get());
982 result = v8::Context::New(&extensions, globalTemplate, global);
987 bool V8Proxy::installDOMWindow(v8::Handle<v8::Context> context, DOMWindow* window)
989 v8::Handle<v8::String> implicitProtoString = v8::String::New("__proto__");
990 if (implicitProtoString.IsEmpty())
993 // Create a new JS window object and use it as the prototype for the shadow global object.
994 v8::Handle<v8::Function> windowConstructor = V8DOMWrapper::getConstructor(V8ClassIndex::DOMWINDOW, getHiddenObjectPrototype(context));
995 v8::Local<v8::Object> jsWindow = SafeAllocation::newInstance(windowConstructor);
996 // Bail out if allocation failed.
997 if (jsWindow.IsEmpty())
1001 V8DOMWrapper::setDOMWrapper(jsWindow, V8ClassIndex::ToInt(V8ClassIndex::DOMWINDOW), window);
1002 V8DOMWrapper::setDOMWrapper(v8::Handle<v8::Object>::Cast(jsWindow->GetPrototype()), V8ClassIndex::ToInt(V8ClassIndex::DOMWINDOW), window);
1005 V8DOMWrapper::setJSWrapperForDOMObject(window, v8::Persistent<v8::Object>::New(jsWindow));
1007 // Insert the window instance as the prototype of the shadow object.
1008 v8::Handle<v8::Object> v8Global = context->Global();
1009 V8DOMWrapper::setDOMWrapper(v8::Handle<v8::Object>::Cast(v8Global->GetPrototype()), V8ClassIndex::ToInt(V8ClassIndex::DOMWINDOW), window);
1010 v8Global->Set(implicitProtoString, jsWindow);
1014 // Create a new environment and setup the global object.
1016 // The global object corresponds to a DOMWindow instance. However, to
1017 // allow properties of the JS DOMWindow instance to be shadowed, we
1018 // use a shadow object as the global object and use the JS DOMWindow
1019 // instance as the prototype for that shadow object. The JS DOMWindow
1020 // instance is undetectable from javascript code because the __proto__
1021 // accessors skip that object.
1023 // The shadow object and the DOMWindow instance are seen as one object
1024 // from javascript. The javascript object that corresponds to a
1025 // DOMWindow instance is the shadow object. When mapping a DOMWindow
1026 // instance to a V8 object, we return the shadow object.
1028 // To implement split-window, see
1029 // 1) https://bugs.webkit.org/show_bug.cgi?id=17249
1030 // 2) https://wiki.mozilla.org/Gecko:SplitWindow
1031 // 3) https://bugzilla.mozilla.org/show_bug.cgi?id=296639
1032 // we need to split the shadow object further into two objects:
1033 // an outer window and an inner window. The inner window is the hidden
1034 // prototype of the outer window. The inner window is the default
1035 // global object of the context. A variable declared in the global
1036 // scope is a property of the inner window.
1038 // The outer window sticks to a Frame, it is exposed to JavaScript
1039 // via window.window, window.self, window.parent, etc. The outer window
1040 // has a security token which is the domain. The outer window cannot
1041 // have its own properties. window.foo = 'x' is delegated to the
1044 // When a frame navigates to a new page, the inner window is cut off
1045 // the outer window, and the outer window identify is preserved for
1046 // the frame. However, a new inner window is created for the new page.
1047 // If there are JS code holds a closure to the old inner window,
1048 // it won't be able to reach the outer window via its global object.
1049 void V8Proxy::initContextIfNeeded()
1051 // Bail out if the context has already been initialized.
1052 if (!m_context.IsEmpty())
1055 // Create a handle scope for all local handles.
1056 v8::HandleScope handleScope;
1058 // Setup the security handlers and message listener. This only has
1060 static bool isV8Initialized = false;
1061 if (!isV8Initialized) {
1062 // Tells V8 not to call the default OOM handler, binding code
1064 v8::V8::IgnoreOutOfMemoryException();
1065 v8::V8::SetFatalErrorHandler(reportFatalErrorInV8);
1067 v8::V8::SetGlobalGCPrologueCallback(&V8GCController::gcPrologue);
1068 v8::V8::SetGlobalGCEpilogueCallback(&V8GCController::gcEpilogue);
1070 v8::V8::AddMessageListener(&V8ConsoleMessage::handler);
1072 v8::V8::SetFailedAccessCheckCallbackFunction(reportUnsafeJavaScriptAccess);
1074 isV8Initialized = true;
1078 m_context = createNewContext(m_global, 0);
1079 if (m_context.IsEmpty())
1082 v8::Local<v8::Context> v8Context = v8::Local<v8::Context>::New(m_context);
1083 v8::Context::Scope contextScope(v8Context);
1085 // Store the first global object created so we can reuse it.
1086 if (m_global.IsEmpty()) {
1087 m_global = v8::Persistent<v8::Object>::New(v8Context->Global());
1088 // Bail out if allocation of the first global objects fails.
1089 if (m_global.IsEmpty()) {
1090 disposeContextHandles();
1094 V8GCController::registerGlobalHandle(PROXY, this, m_global);
1098 installHiddenObjectPrototype(v8Context);
1099 m_wrapperBoilerplates = v8::Persistent<v8::Array>::New(v8::Array::New(V8ClassIndex::WRAPPER_TYPE_COUNT));
1100 // Bail out if allocation failed.
1101 if (m_wrapperBoilerplates.IsEmpty()) {
1102 disposeContextHandles();
1106 V8GCController::registerGlobalHandle(PROXY, this, m_wrapperBoilerplates);
1109 if (!installDOMWindow(v8Context, m_frame->domWindow()))
1110 disposeContextHandles();
1116 m_frame->loader()->client()->didCreateScriptContextForFrame();
1118 // FIXME: This is wrong. We should actually do this for the proper world once
1119 // we do isolated worlds the WebCore way.
1120 m_frame->loader()->dispatchDidClearWindowObjectInWorld(0);
1123 void V8Proxy::setDOMException(int exceptionCode)
1125 if (exceptionCode <= 0)
1128 ExceptionCodeDescription description;
1129 getExceptionCodeDescription(exceptionCode, description);
1131 v8::Handle<v8::Value> exception;
1132 switch (description.type) {
1133 case DOMExceptionType:
1134 exception = V8DOMWrapper::convertToV8Object(V8ClassIndex::DOMCOREEXCEPTION, DOMCoreException::create(description));
1136 case RangeExceptionType:
1137 exception = V8DOMWrapper::convertToV8Object(V8ClassIndex::RANGEEXCEPTION, RangeException::create(description));
1139 case EventExceptionType:
1140 exception = V8DOMWrapper::convertToV8Object(V8ClassIndex::EVENTEXCEPTION, EventException::create(description));
1142 case XMLHttpRequestExceptionType:
1143 exception = V8DOMWrapper::convertToV8Object(V8ClassIndex::XMLHTTPREQUESTEXCEPTION, XMLHttpRequestException::create(description));
1146 case SVGExceptionType:
1147 exception = V8DOMWrapper::convertToV8Object(V8ClassIndex::SVGEXCEPTION, SVGException::create(description));
1151 case XPathExceptionType:
1152 exception = V8DOMWrapper::convertToV8Object(V8ClassIndex::XPATHEXCEPTION, XPathException::create(description));
1157 ASSERT(!exception.IsEmpty());
1158 v8::ThrowException(exception);
1161 v8::Handle<v8::Value> V8Proxy::throwError(ErrorType type, const char* message)
1165 return v8::ThrowException(v8::Exception::RangeError(v8String(message)));
1166 case ReferenceError:
1167 return v8::ThrowException(v8::Exception::ReferenceError(v8String(message)));
1169 return v8::ThrowException(v8::Exception::SyntaxError(v8String(message)));
1171 return v8::ThrowException(v8::Exception::TypeError(v8String(message)));
1173 return v8::ThrowException(v8::Exception::Error(v8String(message)));
1175 ASSERT_NOT_REACHED();
1176 return notHandledByInterceptor();
1180 v8::Local<v8::Context> V8Proxy::context(Frame* frame)
1182 v8::Local<v8::Context> context = V8Proxy::mainWorldContext(frame);
1183 if (context.IsEmpty())
1184 return v8::Local<v8::Context>();
1186 if (V8IsolatedWorld* world = V8IsolatedWorld::getEntered()) {
1187 context = v8::Local<v8::Context>::New(world->context());
1188 if (frame != V8Proxy::retrieveFrame(context))
1189 return v8::Local<v8::Context>();
1195 v8::Local<v8::Context> V8Proxy::context()
1197 if (V8IsolatedWorld* world = V8IsolatedWorld::getEntered()) {
1198 RefPtr<SharedPersistent<v8::Context> > context = world->sharedContext();
1199 if (m_frame != V8Proxy::retrieveFrame(context->get()))
1200 return v8::Local<v8::Context>();
1201 return v8::Local<v8::Context>::New(context->get());
1203 initContextIfNeeded();
1204 return v8::Local<v8::Context>::New(m_context);;
1207 v8::Local<v8::Context> V8Proxy::mainWorldContext(Frame* frame)
1209 V8Proxy* proxy = retrieve(frame);
1211 return v8::Local<v8::Context>();
1213 proxy->initContextIfNeeded();
1214 return v8::Local<v8::Context>::New(proxy->m_context);
1217 v8::Local<v8::Context> V8Proxy::currentContext()
1219 return v8::Context::GetCurrent();
1222 v8::Handle<v8::Value> V8Proxy::checkNewLegal(const v8::Arguments& args)
1224 if (!AllowAllocation::m_current)
1225 return throwError(TypeError, "Illegal constructor");
1230 void V8Proxy::bindJsObjectToWindow(Frame* frame, const char* name, int type, v8::Handle<v8::FunctionTemplate> descriptor, void* impl)
1233 v8::Handle<v8::Context> v8Context = V8Proxy::mainWorldContext(frame);
1234 if (v8Context.IsEmpty())
1235 return; // JS not enabled.
1237 v8::Context::Scope scope(v8Context);
1238 v8::Handle<v8::Object> instance = descriptor->GetFunction();
1239 V8DOMWrapper::setDOMWrapper(instance, type, impl);
1241 v8::Handle<v8::Object> global = v8Context->Global();
1242 global->Set(v8::String::New(name), instance);
1245 void V8Proxy::processConsoleMessages()
1247 V8ConsoleMessage::processDelayed();
1250 // Create the utility context for holding JavaScript functions used internally
1251 // which are not visible to JavaScript executing on the page.
1252 void V8Proxy::createUtilityContext()
1254 ASSERT(m_utilityContext.IsEmpty());
1256 v8::HandleScope scope;
1257 v8::Handle<v8::ObjectTemplate> globalTemplate = v8::ObjectTemplate::New();
1258 m_utilityContext = v8::Context::New(0, globalTemplate);
1259 v8::Context::Scope contextScope(m_utilityContext);
1261 // Compile JavaScript function for retrieving the source line of the top
1262 // JavaScript stack frame.
1263 DEFINE_STATIC_LOCAL(const char*, frameSourceLineSource,
1264 ("function frameSourceLine(exec_state) {"
1265 " return exec_state.frame(0).sourceLine();"
1267 v8::Script::Compile(v8::String::New(frameSourceLineSource))->Run();
1269 // Compile JavaScript function for retrieving the source name of the top
1270 // JavaScript stack frame.
1271 DEFINE_STATIC_LOCAL(const char*, frameSourceNameSource,
1272 ("function frameSourceName(exec_state) {"
1273 " var frame = exec_state.frame(0);"
1274 " if (frame.func().resolved() && "
1275 " frame.func().script() && "
1276 " frame.func().script().name()) {"
1277 " return frame.func().script().name();"
1280 v8::Script::Compile(v8::String::New(frameSourceNameSource))->Run();
1283 bool V8Proxy::sourceLineNumber(int& result)
1285 v8::HandleScope scope;
1286 v8::Handle<v8::Context> v8UtilityContext = V8Proxy::utilityContext();
1287 if (v8UtilityContext.IsEmpty())
1289 v8::Context::Scope contextScope(v8UtilityContext);
1290 v8::Handle<v8::Function> frameSourceLine;
1291 frameSourceLine = v8::Local<v8::Function>::Cast(v8UtilityContext->Global()->Get(v8::String::New("frameSourceLine")));
1292 if (frameSourceLine.IsEmpty())
1294 v8::Handle<v8::Value> value = v8::Debug::Call(frameSourceLine);
1295 if (value.IsEmpty())
1297 result = value->Int32Value();
1301 bool V8Proxy::sourceName(String& result)
1303 v8::HandleScope scope;
1304 v8::Handle<v8::Context> v8UtilityContext = utilityContext();
1305 if (v8UtilityContext.IsEmpty())
1307 v8::Context::Scope contextScope(v8UtilityContext);
1308 v8::Handle<v8::Function> frameSourceName;
1309 frameSourceName = v8::Local<v8::Function>::Cast(v8UtilityContext->Global()->Get(v8::String::New("frameSourceName")));
1310 if (frameSourceName.IsEmpty())
1312 v8::Handle<v8::Value> value = v8::Debug::Call(frameSourceName);
1313 if (value.IsEmpty())
1315 result = toWebCoreString(value);
1319 void V8Proxy::registerExtensionWithV8(v8::Extension* extension)
1321 // If the extension exists in our list, it was already registered with V8.
1322 if (!registeredExtensionWithV8(extension))
1323 v8::RegisterExtension(extension);
1326 bool V8Proxy::registeredExtensionWithV8(v8::Extension* extension)
1328 for (size_t i = 0; i < m_extensions.size(); ++i) {
1329 if (m_extensions[i].extension == extension)
1336 void V8Proxy::registerExtension(v8::Extension* extension, const String& schemeRestriction)
1338 registerExtensionWithV8(extension);
1339 V8ExtensionInfo info = {schemeRestriction, 0, extension};
1340 m_extensions.append(info);
1343 void V8Proxy::registerExtension(v8::Extension* extension, int extensionGroup)
1345 registerExtensionWithV8(extension);
1346 V8ExtensionInfo info = {String(), extensionGroup, extension};
1347 m_extensions.append(info);
1350 bool V8Proxy::setContextDebugId(int debugId)
1352 ASSERT(debugId > 0);
1353 if (m_context.IsEmpty())
1355 v8::HandleScope scope;
1356 if (!m_context->GetData()->IsUndefined())
1359 v8::Context::Scope contextScope(m_context);
1362 snprintf(buffer, sizeof(buffer), "page,%d", debugId);
1363 m_context->SetData(v8::String::New(buffer));
1368 int V8Proxy::contextDebugId(v8::Handle<v8::Context> context)
1370 v8::HandleScope scope;
1371 if (!context->GetData()->IsString())
1373 v8::String::AsciiValue ascii(context->GetData());
1374 char* comma = strnstr(*ascii, ",", ascii.length());
1375 return atoi(comma + 1);
1378 v8::Handle<v8::Value> V8Proxy::getHiddenObjectPrototype(v8::Handle<v8::Context> context)
1380 return context->Global()->GetHiddenValue(V8HiddenPropertyName::objectPrototype());
1383 void V8Proxy::installHiddenObjectPrototype(v8::Handle<v8::Context> context)
1385 v8::Handle<v8::String> objectString = v8::String::New("Object");
1386 v8::Handle<v8::String> prototypeString = v8::String::New("prototype");
1387 v8::Handle<v8::String> hiddenObjectPrototypeString = V8HiddenPropertyName::objectPrototype();
1388 // Bail out if allocation failed.
1389 if (objectString.IsEmpty() || prototypeString.IsEmpty() || hiddenObjectPrototypeString.IsEmpty())
1392 v8::Handle<v8::Object> object = v8::Handle<v8::Object>::Cast(context->Global()->Get(objectString));
1393 v8::Handle<v8::Value> objectPrototype = object->Get(prototypeString);
1395 context->Global()->SetHiddenValue(hiddenObjectPrototypeString, objectPrototype);
1398 v8::Local<v8::Context> toV8Context(ScriptExecutionContext* context)
1400 if (context->isDocument()) {
1401 if (V8Proxy* proxy = V8Proxy::retrieve(context))
1402 return proxy->context();
1403 } else if (context->isWorkerContext()) {
1404 if (WorkerContextExecutionProxy* proxy = static_cast<WorkerContext*>(context)->script()->proxy())
1405 return proxy->context();
1407 return v8::Local<v8::Context>();
1410 } // namespace WebCore