WebKit GIT trees - WebKit.git/commit

Named property confusion with __proto__
https://bugs.webkit.org/show_bug.cgi?id=68221

Reviewed by Eric Seidel.

Source/WebCore:

The __proto__ property is super magical because it's not a real named
property and it has higher precedence than even interceptors. This
confuses this check, which is meant to detech which names will get
handled by our interceptor.

Test: http/tests/security/window-named-proto.html

* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::V8DOMWindow::namedSecurityCheck):

LayoutTests:

* http/tests/security/resources/innocent-victim-with-iframe.html: Added.
* http/tests/security/window-named-proto-expected.txt: Added.
* http/tests/security/window-named-proto.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95488 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Mon, 19 Sep 2011 22:56:22 +0000 (22:56 +0000)
committer	abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Mon, 19 Sep 2011 22:56:22 +0000 (22:56 +0000)
commit	9e21c2a8410d12e9c5b9cde20b353fc060b62184
tree	5c9501a5fa4b564a0bd46ec48880a9908361dc6a	tree \| snapshot
parent	2fca7fac029cfd9f10cd3d780d58e2f962a78594	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html	[new file with mode: 0644]	blob
LayoutTests/http/tests/security/window-named-proto-expected.txt	[new file with mode: 0644]	blob
LayoutTests/http/tests/security/window-named-proto.html	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp		diff \| blob \| history