JavaScriptCore:
author: andersca@apple.com <andersca@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Dec 2007 19:47:16 +0000 (19:47 +0000)
committer: andersca@apple.com <andersca@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Dec 2007 19:47:16 +0000 (19:47 +0000)
commit: 03d094a554f315e7597571f1832c74edd7b232da
tree: 69a87c4705ba26c113e46b0e12be885cca45264e
parent: 172622cd8204fd9d53a24ad7c9008e479330e2e2
JavaScriptCore:

        Reviewed by Darin and Geoff.

        <rdar://problem/5619295>
        REGRESSION: 303-304: Embedded YouTube video fails to render- JS errors (16150) (Flash 9)

        Get rid of unnecessary and incorrect security checks for plug-ins accessing JavaScript objects.

        The way this used to work was that each NPObject that wrapped a JSObject would have a root object
        corresponding to the frame object (used for managing the lifecycle) and an origin root object (used for
        doing security checks).

        This would prevent a plug-in from accessing a frame's window object if its security origin was different
        (some parts of the window, such as the location object, can be accessed from frames with different security
        origins, and those checks are being done in WebCore).

        Also, if a plug-in were to access a window object of a frame that later went away, it could lead to that
        Window JSObject being garbage collected and the NPObject pointing to freed memory.

        How this works now is that there is no origin root object anymore, and all NPObject wrappers that are created
        for a plug-in will have the root object of the containing frame of that plug-in.

        * bindings/NP_jsobject.cpp:
        (jsDeallocate):
        Don't free the origin root object.

        (_NPN_CreateScriptObject):
        Remove the origin root object parameter.

        (_NPN_InvokeDefault):
        (_NPN_Invoke):
        (_NPN_Evaluate):
        (_NPN_GetProperty):
        (_NPN_SetProperty):
        (_NPN_RemoveProperty):
        (_NPN_HasProperty):
        (_NPN_HasMethod):
        (_NPN_Enumerate):
        Get rid of all security checks.

        * bindings/NP_jsobject.h:
        Remove originRootObject from the JavaScriptObject struct.

        * bindings/c/c_utility.cpp:
        (KJS::Bindings::convertValueToNPVariant):
        Always use the root object from the ExecState.

WebCore:

        Reviewed by Darin and Geoff.

        <rdar://problem/5619295>
        REGRESSION: 303-304: Embedded YouTube video fails to render- JS errors (16150) (Flash 9)

        _NPN_CreateScriptObject doesn't take an origin root object anymore.

        * html/HTMLPlugInElement.cpp:
        (WebCore::HTMLPlugInElement::createNPObject):
        * page/Frame.cpp:
        (WebCore::Frame::windowScriptNPObject):

WebKitTools:

        Reviewed by Darin and Geoff.

        <rdar://problem/5619295>
        REGRESSION: 303-304: Embedded YouTube video fails to render- JS errors (16150) (Flash 9)

        Add property getting methods to the plug-in.

        * DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp:
        (pluginInvoke):

LayoutTests:

        Reviewed by Darin and Geoff.

        <rdar://problem/5619295>
        REGRESSION: 303-304: Embedded YouTube video fails to render- JS errors (16150) (Flash 9)

        Add cross-frame plug-in test where a plug-in inside an iframe tries to access properties of the
        top-level frame.

        * http/tests/plugins/cross-frame-object-access-expected.txt: Added.
        * http/tests/plugins/cross-frame-object-access.html: Added.
        * http/tests/plugins/resources/cross-frame-object-access.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28715 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
JavaScriptCore/ChangeLog
JavaScriptCore/JavaScriptCore.exp
JavaScriptCore/bindings/NP_jsobject.cpp
JavaScriptCore/bindings/NP_jsobject.h
JavaScriptCore/bindings/c/c_utility.cpp
LayoutTests/ChangeLog
LayoutTests/http/tests/plugins/cross-frame-object-access-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/plugins/cross-frame-object-access.html [new file with mode: 0644]
LayoutTests/http/tests/plugins/resources/cross-frame-object-access.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/HTMLPlugInElement.cpp
WebCore/page/Frame.cpp
WebKitTools/ChangeLog
WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp