JavaScriptCore:
Reviewed by Darin and Geoff.
<rdar://problem/5619295>
REGRESSION: 303-304: Embedded YouTube video fails to render - JS errors (16150) (Flash 9)
Get rid of unnecessary and incorrect security checks for plug-ins accessing JavaScript objects.
The way this used to work was that each NPObject that wrapped a JSObject would have a root object
corresponding to the frame object (used for managing the lifecycle) and an origin root object (used for
doing security checks).
This would prevent a plug-in from accessing a frame's window object if its security origin was different
(some parts of the window, such as the location object, can be accessed from frames with different security
origins, and those checks are being done in WebCore).
Also, if a plug-in were to access a window object of a frame that later went away, it could lead to that
Window JSObject being garbage collected and the NPObject pointing to freed memory.
How this works now is that there is no origin root object anymore, and all NPObject wrappers that are created
for a plug-in will have the root object of the containing frame of that plug-in.
* bindings/NP_jsobject.cpp:
(jsDeallocate):
Don't free the origin root object.
(_NPN_CreateScriptObject):
Remove the origin root object parameter.
(_NPN_InvokeDefault):
(_NPN_Invoke):
(_NPN_Evaluate):
(_NPN_GetProperty):
(_NPN_SetProperty):
(_NPN_RemoveProperty):
(_NPN_HasProperty):
(_NPN_HasMethod):
(_NPN_Enumerate):
Get rid of all security checks.
* bindings/NP_jsobject.h:
Remove originRootObject from the JavaScriptObject struct.
* bindings/c/c_utility.cpp:
(KJS::Bindings::convertValueToNPVariant):
Always use the root object from the ExecState.
WebCore:
Reviewed by Darin and Geoff.
<rdar://problem/5619295>
REGRESSION: 303-304: Embedded YouTube video fails to render - JS errors (16150) (Flash 9)
_NPN_CreateScriptObject doesn't take an origin root object anymore.
* html/HTMLPlugInElement.cpp:
(WebCore::HTMLPlugInElement::createNPObject):
* page/Frame.cpp:
(WebCore::Frame::windowScriptNPObject):
WebKitTools:
Reviewed by Darin and Geoff.
<rdar://problem/5619295>
REGRESSION: 303-304: Embedded YouTube video fails to render - JS errors (16150) (Flash 9)
Add property getting methods to the plug-in.
* DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp:
(pluginInvoke):
LayoutTests:
Reviewed by Darin and Geoff.
<rdar://problem/5619295>
REGRESSION: 303-304: Embedded YouTube video fails to render - JS errors (16150) (Flash 9)
Add a cross-frame plug-in test where a plug-in inside an iframe tries to access properties of the
top-level frame.
* http/tests/plugins/cross-frame-object-access-expected.txt: Added.
* http/tests/plugins/cross-frame-object-access.html: Added.
* http/tests/plugins/resources/cross-frame-object-access.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28715 268f45cc-cd09-0410-ab3c-d52691b4dbfc