[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
abarth at webkit.org
abarth at webkit.org
Tue Jan 5 23:48:46 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 679a5f311d2a22451b09f266eb3fc4112ffc8622
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Dec 14 05:01:01 2009 +0000
2009-12-13 Charles Reis <creis at chromium.org>
Reviewed by Adam Barth.
Refactor some security code out of V8 bindings
https://bugs.webkit.org/show_bug.cgi?id=32326
No new tests. There should be no functionality changes in this patch,
since it is only refactoring code.
* WebCore.gyp/WebCore.gyp:
* WebCore.gypi:
* bindings/BindingSecurity.h: Added.
(WebCore::BindingSecurity::BindingSecurity):
(WebCore::::canAccessWindow):
(WebCore::::canAccessFrame):
(WebCore::::checkNodeSecurity):
* bindings/BindingSecurityBase.cpp: Added.
(WebCore::BindingSecurityBase::getDOMWindow):
(WebCore::BindingSecurityBase::getFrame):
(WebCore::BindingSecurityBase::canAccessWindow):
* bindings/BindingSecurityBase.h: Added.
* bindings/GenericBinding.h: Added.
(WebCore::):
* bindings/scripts/CodeGeneratorV8.pm:
* bindings/v8/ScriptController.cpp:
(WebCore::ScriptController::isSafeScript):
* bindings/v8/V8Binding.h:
* bindings/v8/V8BindingState.cpp: Added.
(WebCore::::Only):
(WebCore::::getActiveWindow):
(WebCore::::immediatelyReportUnsafeAccessTo):
* bindings/v8/V8BindingState.h: Added.
(WebCore::):
* bindings/v8/V8Proxy.cpp:
(WebCore::V8Proxy::reportUnsafeAccessTo):
(WebCore::reportUnsafeJavaScriptAccess):
* bindings/v8/V8Proxy.h:
(WebCore::V8Proxy::):
* bindings/v8/custom/V8CustomBinding.cpp:
(WebCore::allowSettingFrameSrcToJavascriptUrl):
(WebCore::INDEXED_ACCESS_CHECK):
(WebCore::NAMED_ACCESS_CHECK):
* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::V8Custom::WindowSetTimeoutImpl):
(WebCore::ACCESSOR_GETTER):
(WebCore::ACCESSOR_SETTER):
(WebCore::CALLBACK_FUNC_DECL):
(WebCore::V8Custom::ClearTimeoutImpl):
(WebCore::NAMED_ACCESS_CHECK):
(WebCore::INDEXED_ACCESS_CHECK):
* bindings/v8/custom/V8LocationCustom.cpp:
(WebCore::ACCESSOR_GETTER):
(WebCore::CALLBACK_FUNC_DECL):
(WebCore::INDEXED_ACCESS_CHECK):
(WebCore::NAMED_ACCESS_CHECK):
2009-12-13 Charles Reis <creis at chromium.org>
Reviewed by Adam Barth.
Refactor some security code out of V8 bindings
https://bugs.webkit.org/show_bug.cgi?id=32326
* src/WebBindings.cpp:
(WebKit::getDragDataImpl):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@52080 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 7080227..93b8844 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,60 @@
+2009-12-13 Charles Reis <creis at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Refactor some security code out of V8 bindings
+ https://bugs.webkit.org/show_bug.cgi?id=32326
+
+ No new tests. There should be no functionality changes in this patch,
+ since it is only refactoring code.
+
+ * WebCore.gyp/WebCore.gyp:
+ * WebCore.gypi:
+ * bindings/BindingSecurity.h: Added.
+ (WebCore::BindingSecurity::BindingSecurity):
+ (WebCore::::canAccessWindow):
+ (WebCore::::canAccessFrame):
+ (WebCore::::checkNodeSecurity):
+ * bindings/BindingSecurityBase.cpp: Added.
+ (WebCore::BindingSecurityBase::getDOMWindow):
+ (WebCore::BindingSecurityBase::getFrame):
+ (WebCore::BindingSecurityBase::canAccessWindow):
+ * bindings/BindingSecurityBase.h: Added.
+ * bindings/GenericBinding.h: Added.
+ (WebCore::):
+ * bindings/scripts/CodeGeneratorV8.pm:
+ * bindings/v8/ScriptController.cpp:
+ (WebCore::ScriptController::isSafeScript):
+ * bindings/v8/V8Binding.h:
+ * bindings/v8/V8BindingState.cpp: Added.
+ (WebCore::::Only):
+ (WebCore::::getActiveWindow):
+ (WebCore::::immediatelyReportUnsafeAccessTo):
+ * bindings/v8/V8BindingState.h: Added.
+ (WebCore::):
+ * bindings/v8/V8Proxy.cpp:
+ (WebCore::V8Proxy::reportUnsafeAccessTo):
+ (WebCore::reportUnsafeJavaScriptAccess):
+ * bindings/v8/V8Proxy.h:
+ (WebCore::V8Proxy::):
+ * bindings/v8/custom/V8CustomBinding.cpp:
+ (WebCore::allowSettingFrameSrcToJavascriptUrl):
+ (WebCore::INDEXED_ACCESS_CHECK):
+ (WebCore::NAMED_ACCESS_CHECK):
+ * bindings/v8/custom/V8DOMWindowCustom.cpp:
+ (WebCore::V8Custom::WindowSetTimeoutImpl):
+ (WebCore::ACCESSOR_GETTER):
+ (WebCore::ACCESSOR_SETTER):
+ (WebCore::CALLBACK_FUNC_DECL):
+ (WebCore::V8Custom::ClearTimeoutImpl):
+ (WebCore::NAMED_ACCESS_CHECK):
+ (WebCore::INDEXED_ACCESS_CHECK):
+ * bindings/v8/custom/V8LocationCustom.cpp:
+ (WebCore::ACCESSOR_GETTER):
+ (WebCore::CALLBACK_FUNC_DECL):
+ (WebCore::INDEXED_ACCESS_CHECK):
+ (WebCore::NAMED_ACCESS_CHECK):
+
2009-11-30 Holger Hans Peter Freyther <zecke at selfish.org>
Reviewed by Simon Hausmann.
diff --git a/WebCore/WebCore.gyp/WebCore.gyp b/WebCore/WebCore.gyp/WebCore.gyp
index 374d01b..0eb1ff3 100644
--- a/WebCore/WebCore.gyp/WebCore.gyp
+++ b/WebCore/WebCore.gyp/WebCore.gyp
@@ -106,6 +106,7 @@
'../',
'../accessibility',
'../accessibility/chromium',
+ '../bindings',
'../bindings/v8',
'../bindings/v8/custom',
'../bridge',
diff --git a/WebCore/WebCore.gypi b/WebCore/WebCore.gypi
index ab7a376..abd0de0 100644
--- a/WebCore/WebCore.gypi
+++ b/WebCore/WebCore.gypi
@@ -434,6 +434,10 @@
'accessibility/win/AccessibilityObjectWin.cpp',
'accessibility/win/AccessibilityObjectWrapperWin.h',
'accessibility/wx/AccessibilityObjectWx.cpp',
+ 'bindings/BindingSecurity.h',
+ 'bindings/BindingSecurityBase.cpp',
+ 'bindings/BindingSecurityBase.h',
+ 'bindings/GenericBinding.h',
'bindings/js/CachedScriptSourceProvider.h',
'bindings/js/DOMObjectWithSVGContext.h',
'bindings/js/GCController.cpp',
@@ -797,6 +801,8 @@
'bindings/v8/V8AbstractEventListener.h',
'bindings/v8/V8Binding.cpp',
'bindings/v8/V8Binding.h',
+ 'bindings/v8/V8BindingState.cpp',
+ 'bindings/v8/V8BindingState.h',
'bindings/v8/V8Collection.cpp',
'bindings/v8/V8Collection.h',
'bindings/v8/V8ConsoleMessage.cpp',
diff --git a/WebCore/bindings/BindingSecurity.h b/WebCore/bindings/BindingSecurity.h
new file mode 100644
index 0000000..cd01403
--- /dev/null
+++ b/WebCore/bindings/BindingSecurity.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BindingSecurity_h
+#define BindingSecurity_h
+
+#include "BindingSecurityBase.h"
+#include "GenericBinding.h"
+
+namespace WebCore {
+
+class DOMWindow;
+class Frame;
+class Node;
+
+// Security functions shared by various language bindings.
+template <class Binding>
+class BindingSecurity : public BindingSecurityBase {
+public:
+ // Check if the active execution context can access the target frame.
+ static bool canAccessFrame(State<Binding>*, Frame*, bool reportError);
+
+ // Check if it is safe to access the given node from the
+ // current security context.
+ static bool checkNodeSecurity(State<Binding>*, Node* target);
+
+private:
+ explicit BindingSecurity() {}
+ ~BindingSecurity();
+
+ // Check if the current DOMWindow's security context can access the target
+ // DOMWindow. This function does not report errors, so most callers should
+ // use canAccessFrame instead.
+ static bool canAccessWindow(State<Binding>*, DOMWindow* target);
+};
+
+// Implementations of templated methods must be in this file.
+
+template <class Binding>
+bool BindingSecurity<Binding>::canAccessWindow(State<Binding>* state,
+ DOMWindow* targetWindow)
+{
+ DOMWindow* activeWindow = state->getActiveWindow();
+ return canAccess(activeWindow, targetWindow);
+}
+
+template <class Binding>
+bool BindingSecurity<Binding>::canAccessFrame(State<Binding>* state,
+ Frame* target,
+ bool reportError)
+{
+ // The subject is detached from a frame, deny accesses.
+ if (!target)
+ return false;
+
+ if (!canAccessWindow(state, getDOMWindow(target))) {
+ if (reportError)
+ state->immediatelyReportUnsafeAccessTo(target);
+ return false;
+ }
+ return true;
+}
+
+template <class Binding>
+bool BindingSecurity<Binding>::checkNodeSecurity(State<Binding>* state, Node* node)
+{
+ if (!node)
+ return false;
+
+ Frame* target = getFrame(node);
+
+ if (!target)
+ return false;
+
+ return canAccessFrame(state, target, true);
+}
+
+}
+
+#endif // BindingSecurity_h
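Review bot: BindingSecurity<Binding> calls `state->getActiveWindow()` (in canAccessWindow) and `state->immediatelyReportUnsafeAccessTo(target)` (in canAccessFrame) on the `State<Binding>*` it receives, but neither the primary `State<T>` template nor `State<GenericBinding>` in GenericBinding.h declares these members, so the contract every binding's State specialization must meet is only revealed by template instantiation errors. The class comment should spell it out, e.g. `// Each binding's State<Binding> specialization must provide getActiveWindow() and immediatelyReportUnsafeAccessTo(Frame*); see V8BindingState.h for the V8 instance.` The private `explicit BindingSecurity() {}` / `~BindingSecurity();` pair marks a static-only class that is never instantiated; `private` already blocks construction, so `explicit` adds nothing, and the undefined destructor is harmless only because nothing constructs one — a line such as `// Not instantiable; static members only.` would make the intent clear.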
diff --git a/WebCore/bindings/BindingSecurityBase.cpp b/WebCore/bindings/BindingSecurityBase.cpp
new file mode 100644
index 0000000..4c473f8
--- /dev/null
+++ b/WebCore/bindings/BindingSecurityBase.cpp
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "BindingSecurityBase.h"
+
+#include "DOMWindow.h"
+#include "Frame.h"
+#include "SecurityOrigin.h"
+#include "V8BindingState.h"
+
+namespace WebCore {
+
+DOMWindow* BindingSecurityBase::getDOMWindow(Frame* frame)
+{
+ return frame->domWindow();
+}
+
+Frame* BindingSecurityBase::getFrame(Node* node)
+{
+ return node->document()->frame();
+}
+
+// Same origin policy implementation:
+//
+// Same origin policy prevents JS code from domain A from accessing JS & DOM
+// objects in a different domain B. There are exceptions and several objects
+// are accessible by cross-domain code. For example, the window.frames object
+// is accessible by code from a different domain, but window.document is not.
+//
+// The JS binding code sets security check callbacks on a function template,
+// and accessing instances of the template calls the callback function.
+// The callback function enforces the same origin policy.
+//
+// Callback functions are expensive. Binding code should use a security token
+// string to do fast access checks for the common case where source and target
+// are in the same domain. A security token is a string object that represents
+// the protocol/url/port of a domain.
+//
+// There are special cases where security token matching is not enough.
+// For example, JS can set its domain to a super domain by calling
+// document.setDomain(...). In these cases, the binding code can reset
+// a context's security token to its global object so that the fast access
+// check will always fail.
+
+// Helper to check if the current execution context can access a target frame.
+// First it checks same domain policy using the lexical context.
+//
+// This is equivalent to KJS::Window::allowsAccessFrom(ExecState*).
+bool BindingSecurityBase::canAccess(DOMWindow* activeWindow,
+ DOMWindow* targetWindow)
+{
+ ASSERT(targetWindow);
+
+ String message;
+
+ if (activeWindow == targetWindow)
+ return true;
+
+ if (!activeWindow)
+ return false;
+
+ const SecurityOrigin* activeSecurityOrigin = activeWindow->securityOrigin();
+ const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin();
+
+ // We have seen crashes were the security origin of the target has not been
+ // initialized. Defend against that.
+ if (!targetSecurityOrigin)
+ return false;
+
+ if (activeSecurityOrigin->canAccess(targetSecurityOrigin))
+ return true;
+
+ // Allow access to a "about:blank" page if the dynamic context is a
+ // detached context of the same frame as the blank page.
+ if (targetSecurityOrigin->isEmpty() && activeWindow->frame() == targetWindow->frame())
+ return true;
+
+ return false;
+}
+
+} // namespace WebCore
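Review bot: `String message;` in BindingSecurityBase::canAccess is declared and never used (it was carried over from the removed V8Proxy::canAccessPrivate) and should be dropped. The file also includes `V8BindingState.h` although nothing in it refers to State<V8Binding>; for a file the header describes as the binding-independent half of BindingSecurity, a V8 include is a layering leak and appears unnecessary, since DOMWindow.h, Frame.h and SecurityOrigin.h cover everything the code uses. The comment `This is equivalent to KJS::Window::allowsAccessFrom(ExecState*)` refers to a class name that presumably no longer matches the JSC bindings; verify the current counterpart before updating it.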
diff --git a/WebCore/bindings/BindingSecurityBase.h b/WebCore/bindings/BindingSecurityBase.h
new file mode 100644
index 0000000..cfa2e99
--- /dev/null
+++ b/WebCore/bindings/BindingSecurityBase.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BindingSecurityBase_h
+#define BindingSecurityBase_h
+
+namespace WebCore {
+
+class DOMWindow;
+class Frame;
+class Node;
+
+// Helper functions for BindingSecurity that depend on WebCore classes, and
+// thus should not be implemented in BindingSecurity.h, which contains template
+// method definitions.
+class BindingSecurityBase {
+protected:
+ static DOMWindow* getDOMWindow(Frame*);
+ static Frame* getFrame(Node*);
+ static bool canAccess(DOMWindow* active, DOMWindow* target);
+};
+
+}
+
+#endif // BindingSecurityBase_h
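Review bot: The three helpers declare no preconditions, yet getDOMWindow and getFrame dereference their argument unconditionally and canAccess asserts a non-null target (BindingSecurityBase.cpp), so every caller must null-check first, as BindingSecurity::canAccessFrame and checkNodeSecurity do. Suggest documenting that on the declarations: `// Callers must not pass null; these helpers do not check.` above getDOMWindow/getFrame, and `// target must be non-null; a null active window is treated as no access.` above canAccess.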
diff --git a/WebCore/bindings/GenericBinding.h b/WebCore/bindings/GenericBinding.h
new file mode 100644
index 0000000..d030b45
--- /dev/null
+++ b/WebCore/bindings/GenericBinding.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef GenericBinding_h
+#define GenericBinding_h
+
+namespace WebCore {
+
+// Used to instantiate binding templates for any methods shared among all
+// language bindings.
+class GenericBinding {};
+
+// Class to represent execution state for each language binding.
+template <class T>
+class State {};
+
+// Common notion of execution state for language bindings.
+template <>
+class State<GenericBinding> {
+ // Any methods shared across bindings can go here.
+};
+
+}
+
+#endif // GenericBinding_h
diff --git a/WebCore/bindings/scripts/CodeGeneratorV8.pm b/WebCore/bindings/scripts/CodeGeneratorV8.pm
index 0921e9e..23b74e3 100644
--- a/WebCore/bindings/scripts/CodeGeneratorV8.pm
+++ b/WebCore/bindings/scripts/CodeGeneratorV8.pm
@@ -401,7 +401,7 @@ END
HolderToNative($dataNode, $implClassName, $classIndex);
push(@implContentDecls, <<END);
- if (!V8Proxy::canAccessFrame(imp->frame(), false)) {
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false)) {
static v8::Persistent<v8::FunctionTemplate> shared_template =
v8::Persistent<v8::FunctionTemplate>::New($newTemplateString);
return shared_template->GetFunction();
@@ -548,9 +548,9 @@ END
# Generate security checks if necessary
if ($attribute->signature->extendedAttributes->{"CheckNodeSecurity"}) {
- push(@implContentDecls, " if (!V8Proxy::checkNodeSecurity(imp->$attrName())) return v8::Handle<v8::Value>();\n\n");
+ push(@implContentDecls, " if (!V8BindingSecurity::checkNodeSecurity(V8BindingState::Only(), imp->$attrName())) return v8::Handle<v8::Value>();\n\n");
} elsif ($attribute->signature->extendedAttributes->{"CheckFrameSecurity"}) {
- push(@implContentDecls, " if (!V8Proxy::checkNodeSecurity(imp->contentDocument())) return v8::Handle<v8::Value>();\n\n");
+ push(@implContentDecls, " if (!V8BindingSecurity::checkNodeSecurity(V8BindingState::Only(), imp->contentDocument())) return v8::Handle<v8::Value>();\n\n");
}
my $useExceptions = 1 if @{$attribute->getterExceptions} and !($isPodType);
@@ -898,7 +898,7 @@ END
&& !$function->signature->extendedAttributes->{"DoNotCheckDomainSecurity"}) {
# We have not find real use cases yet.
push(@implContentDecls,
-" if (!V8Proxy::canAccessFrame(imp->frame(), true)) {\n".
+" if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true)) {\n".
" return v8::Handle<v8::Value>();\n" .
" }\n");
}
@@ -930,7 +930,7 @@ END
}
if ($function->signature->extendedAttributes->{"SVGCheckSecurityDocument"}) {
push(@implContentDecls,
-" if (!V8Proxy::checkNodeSecurity(imp->getSVGDocument(ec)))\n" .
+" if (!V8BindingSecurity::checkNodeSecurity(V8BindingState::Only(), imp->getSVGDocument(ec)))\n" .
" return v8::Handle<v8::Value>();\n");
}
@@ -1145,7 +1145,8 @@ sub GenerateImplementation
push(@implFixedHeader,
"#include \"config.h\"\n" .
"#include \"V8Proxy.h\"\n" .
- "#include \"V8Binding.h\"\n\n" .
+ "#include \"V8Binding.h\"\n" .
+ "#include \"V8BindingState.h\"\n\n" .
"#undef LOG\n\n");
push(@implFixedHeader, "\n#if ${conditionalString}\n\n") if $conditionalString;
diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index cdb18e6..da20939 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -50,6 +50,7 @@
#include "ScriptState.h"
#include "Settings.h"
#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8NPObject.h"
#include "V8Proxy.h"
#include "Widget.h"
@@ -84,7 +85,7 @@ Frame* ScriptController::retrieveFrameForCurrentContext()
bool ScriptController::isSafeScript(Frame* target)
{
- return V8Proxy::canAccessFrame(target, true);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, true);
}
void ScriptController::gcProtectJSWrapper(void* domObject)
diff --git a/WebCore/bindings/v8/V8Binding.h b/WebCore/bindings/v8/V8Binding.h
index de5bb4c..f9f94d7 100644
--- a/WebCore/bindings/v8/V8Binding.h
+++ b/WebCore/bindings/v8/V8Binding.h
@@ -32,6 +32,7 @@
#define V8Binding_h
#include "AtomicString.h"
+#include "BindingSecurity.h"
#include "MathExtras.h"
#include "PlatformString.h"
#include "V8DOMWrapper.h"
@@ -43,6 +44,10 @@ namespace WebCore {
class EventListener;
class EventTarget;
+
+ // Instantiate binding template classes for V8.
+ class V8Binding {};
+ typedef BindingSecurity<V8Binding> V8BindingSecurity;
// A helper function extract native object pointer from a DOM wrapper
// and cast to the specified type.
diff --git a/WebCore/bindings/v8/V8BindingState.cpp b/WebCore/bindings/v8/V8BindingState.cpp
new file mode 100644
index 0000000..30f750d
--- /dev/null
+++ b/WebCore/bindings/v8/V8BindingState.cpp
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "V8BindingState.h"
+
+#include "V8Proxy.h"
+#include <wtf/StdLibExtras.h>
+
+namespace WebCore {
+
+State<V8Binding>* State<V8Binding>::Only()
+{
+ DEFINE_STATIC_LOCAL(State, globalV8BindingState, ());
+ return &globalV8BindingState;
+}
+
+DOMWindow* State<V8Binding>::getActiveWindow()
+{
+ v8::Local<v8::Context> activeContext = v8::Context::GetCalling();
+ if (activeContext.IsEmpty()) {
+ // There is a single activation record on the stack, so that must
+ // be the activeContext.
+ activeContext = v8::Context::GetCurrent();
+ }
+ return V8Proxy::retrieveWindow(activeContext);
+}
+
+void State<V8Binding>::immediatelyReportUnsafeAccessTo(Frame* target)
+{
+ V8Proxy::reportUnsafeAccessTo(target, V8Proxy::ReportNow);
+}
+
+} // namespace WebCore
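Review bot: State<V8Binding>::Only() hands out a pointer to a DEFINE_STATIC_LOCAL object whose destructor `~State();` is declared private in V8BindingState.h but is not defined anywhere in this patch. This links only because WTF's DEFINE_STATIC_LOCAL heap-allocates the object and never destroys it; if the macro or the singleton strategy ever changes, the missing definition surfaces as a link error at the point of destruction. A comment on Only(), `// Never destroyed (DEFINE_STATIC_LOCAL); ~State is intentionally left undefined.`, records that dependency. getActiveWindow() also reads no instance state, so it could be declared `const` to reflect the stateless design.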
diff --git a/WebCore/bindings/v8/V8BindingState.h b/WebCore/bindings/v8/V8BindingState.h
new file mode 100644
index 0000000..f305c14
--- /dev/null
+++ b/WebCore/bindings/v8/V8BindingState.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef V8BindingState_h
+#define V8BindingState_h
+
+#include "GenericBinding.h"
+#include "V8Binding.h"
+
+namespace WebCore {
+
+// Singleton implementation of State<V8Binding>. Uses V8's global data
+// structures to return information about relevant execution state.
+template <>
+class State<V8Binding> : public State<GenericBinding> {
+public:
+ // Singleton
+ static State* Only();
+
+ // The DOMWindow corresponding to the 'calling context' of execution.
+ DOMWindow* getActiveWindow();
+
+ // Reports an error message (without delay) if the security check fails.
+ static void immediatelyReportUnsafeAccessTo(Frame*);
+
+private:
+ explicit State() {}
+ ~State();
+};
+
+typedef State<V8Binding> V8BindingState;
+
+}
+
+#endif // V8BindingState_h
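Review bot: getActiveWindow() is a non-static member while immediatelyReportUnsafeAccessTo is static, although BindingSecurity invokes both through the `State<Binding>*` it receives and neither touches instance state (V8BindingState.cpp); the split looks accidental and leaves the singleton's role unclear. Either make both static or both instance members, and state in the class comment which convention the State<Binding> interface follows. The header also uses `DOMWindow` and `Frame` without forward-declaring them; unless V8Binding.h is guaranteed to declare both, add `class DOMWindow;` and `class Frame;` inside the namespace so the header stands on its own.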
diff --git a/WebCore/bindings/v8/V8Proxy.cpp b/WebCore/bindings/v8/V8Proxy.cpp
index e4ee99f..c793469 100644
--- a/WebCore/bindings/v8/V8Proxy.cpp
+++ b/WebCore/bindings/v8/V8Proxy.cpp
@@ -43,6 +43,7 @@
#include "ScriptController.h"
#include "StorageNamespace.h"
#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8Collection.h"
#include "V8ConsoleMessage.h"
#include "V8CustomBinding.h"
@@ -163,7 +164,7 @@ enum DelayReporting {
ReportNow
};
-static void reportUnsafeAccessTo(Frame* target, DelayReporting delay)
+void V8Proxy::reportUnsafeAccessTo(Frame* target, DelayReporting delay)
{
ASSERT(target);
Document* targetDocument = target->document();
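Review bot: The file-scope `enum DelayReporting { ReportLater, ReportNow }` that the context lines above appear to leave in place on the new side is now duplicated by the `V8Proxy::DelayReporting` this patch adds to V8Proxy.h, giving two unrelated enums with identical enumerator names in the same translation unit. Inside the member function the unqualified names resolve to the class enum, but any unqualified `ReportLater`/`ReportNow` in file-scope code picks the old one and is not convertible to the parameter type, which is why the call in reportUnsafeJavaScriptAccess has to be written `V8Proxy::ReportLater`. Delete the file-scope enum so only the class-scoped one remains. reportUnsafeAccessTo's body continues outside the hunk.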
@@ -207,7 +208,7 @@ static void reportUnsafeJavaScriptAccess(v8::Local<v8::Object> host, v8::AccessT
{
Frame* target = V8Custom::GetTargetFrame(host, data);
if (target)
- reportUnsafeAccessTo(target, ReportLater);
+ V8Proxy::reportUnsafeAccessTo(target, V8Proxy::ReportLater);
}
static void handleFatalErrorInV8()
@@ -857,97 +858,6 @@ void V8Proxy::updateSecurityOrigin()
setSecurityToken();
}
-// Same origin policy implementation:
-//
-// Same origin policy prevents JS code from domain A access JS & DOM objects
-// in a different domain B. There are exceptions and several objects are
-// accessible by cross-domain code. For example, the window.frames object is
-// accessible by code from a different domain, but window.document is not.
-//
-// The binding code sets security check callbacks on a function template,
-// and accessing instances of the template calls the callback function.
-// The callback function checks same origin policy.
-//
-// Callback functions are expensive. V8 uses a security token string to do
-// fast access checks for the common case where source and target are in the
-// same domain. A security token is a string object that represents
-// the protocol/url/port of a domain.
-//
-// There are special cases where a security token matching is not enough.
-// For example, JavaScript can set its domain to a super domain by calling
-// document.setDomain(...). In these cases, the binding code can reset
-// a context's security token to its global object so that the fast access
-// check will always fail.
-
-// Check if the current execution context can access a target frame.
-// First it checks same domain policy using the lexical context
-//
-// This is equivalent to KJS::Window::allowsAccessFrom(ExecState*, String&).
-bool V8Proxy::canAccessPrivate(DOMWindow* targetWindow)
-{
- ASSERT(targetWindow);
-
- String message;
-
- v8::Local<v8::Context> activeContext = v8::Context::GetCalling();
- if (activeContext.IsEmpty()) {
- // There is a single activation record on the stack, so that must
- // be the activeContext.
- activeContext = v8::Context::GetCurrent();
- }
- DOMWindow* activeWindow = retrieveWindow(activeContext);
- if (activeWindow == targetWindow)
- return true;
-
- if (!activeWindow)
- return false;
-
- const SecurityOrigin* activeSecurityOrigin = activeWindow->securityOrigin();
- const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin();
-
- // We have seen crashes were the security origin of the target has not been
- // initialized. Defend against that.
- if (!targetSecurityOrigin)
- return false;
-
- if (activeSecurityOrigin->canAccess(targetSecurityOrigin))
- return true;
-
- // Allow access to a "about:blank" page if the dynamic context is a
- // detached context of the same frame as the blank page.
- if (targetSecurityOrigin->isEmpty() && activeWindow->frame() == targetWindow->frame())
- return true;
-
- return false;
-}
-
-bool V8Proxy::canAccessFrame(Frame* target, bool reportError)
-{
- // The subject is detached from a frame, deny accesses.
- if (!target)
- return false;
-
- if (!canAccessPrivate(target->domWindow())) {
- if (reportError)
- reportUnsafeAccessTo(target, ReportNow);
- return false;
- }
- return true;
-}
-
-bool V8Proxy::checkNodeSecurity(Node* node)
-{
- if (!node)
- return false;
-
- Frame* target = node->document()->frame();
-
- if (!target)
- return false;
-
- return canAccessFrame(target, true);
-}
-
v8::Persistent<v8::Context> V8Proxy::createNewContext(v8::Handle<v8::Object> global, int extensionGroup)
{
v8::Persistent<v8::Context> result;
diff --git a/WebCore/bindings/v8/V8Proxy.h b/WebCore/bindings/v8/V8Proxy.h
index b1fdb80..dd157fa 100644
--- a/WebCore/bindings/v8/V8Proxy.h
+++ b/WebCore/bindings/v8/V8Proxy.h
@@ -139,6 +139,12 @@ namespace WebCore {
GeneralError
};
+ // When to report errors.
+ enum DelayReporting {
+ ReportLater,
+ ReportNow
+ };
+
explicit V8Proxy(Frame*);
~V8Proxy();
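Review bot: The new `DelayReporting` enum at the top of the hunk is documented only as `// When to report errors.`, and since it is public and is the second argument of every `reportUnsafeAccessTo` call, each value's meaning belongs at the declaration. Only `ReportNow` appears in the code visible on this page (the removed `V8Proxy::canAccessFrame` passed it); what `ReportLater` actually defers to is decided in V8Proxy.cpp, outside this view. Suggested: `// ReportNow logs the console message immediately; ReportLater defers it (see V8Proxy::reportUnsafeAccessTo) -- confirm the deferral point before using it from a new caller.`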
@@ -301,13 +307,6 @@ namespace WebCore {
// is disabled and it returns true.
static bool handleOutOfMemory();
- // Check if the active execution context can access the target frame.
- static bool canAccessFrame(Frame*, bool reportError);
-
- // Check if it is safe to access the given node from the
- // current security context.
- static bool checkNodeSecurity(Node*);
-
static v8::Handle<v8::Value> checkNewLegal(const v8::Arguments&);
static v8::Handle<v8::Script> compileScript(v8::Handle<v8::String> code, const String& fileName, int baseLine);
@@ -365,6 +364,9 @@ namespace WebCore {
void initContextIfNeeded();
void updateDocumentWrapper(v8::Handle<v8::Value> wrapper);
+
+ // Report an unsafe attempt to access the given frame on the console.
+ static void reportUnsafeAccessTo(Frame* target, DelayReporting delay);
private:
void setSecurityToken();
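Review bot: `reportUnsafeAccessTo` is moved into the public section (it is declared just before the `private:` label that ends the hunk), so any binding can now emit the unsafe-access console message, and the comment should make clear that it only reports and performs no access check of its own. In the removed code it was called solely after `canAccessPrivate` had already returned false (see the removed `V8Proxy::canAccessFrame` above), and a new caller could mistake it for a guard. Suggested: `// Logs an "unsafe JavaScript access" message for |target| on the console. Diagnostic only: the caller must already have decided that access is denied.`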
@@ -389,8 +391,6 @@ namespace WebCore {
// Returns false when we're out of memory in V8.
bool setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext);
- static bool canAccessPrivate(DOMWindow*);
-
static const char* rangeExceptionName(int exceptionCode);
static const char* eventExceptionName(int exceptionCode);
static const char* xmlHttpRequestExceptionName(int exceptionCode);
diff --git a/WebCore/bindings/v8/custom/V8CustomBinding.cpp b/WebCore/bindings/v8/custom/V8CustomBinding.cpp
index 510aded..032912e 100644
--- a/WebCore/bindings/v8/custom/V8CustomBinding.cpp
+++ b/WebCore/bindings/v8/custom/V8CustomBinding.cpp
@@ -39,6 +39,8 @@
#include "HTMLNames.h"
#include "HTMLFrameElementBase.h"
#include "Location.h"
+#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8Proxy.h"
#if ENABLE(SVG)
@@ -51,7 +53,7 @@ bool allowSettingFrameSrcToJavascriptUrl(HTMLFrameElementBase* frame, String val
{
if (protocolIs(deprecatedParseURL(value), "javascript")) {
Node* contentDoc = frame->contentDocument();
- if (contentDoc && !V8Proxy::checkNodeSecurity(contentDoc))
+ if (contentDoc && !V8BindingSecurity::checkNodeSecurity(V8BindingState::Only(), contentDoc))
return false;
}
return true;
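Review bot: The security check in `allowSettingFrameSrcToJavascriptUrl` is bypassed when `contentDoc` is null, so a `javascript:` src is allowed on a frame element that has no content document; the commit leaves that path as is, but it is now the one line in this function a reader has to reason about and it carries no comment. I read it as "no document exists to be attacked yet", but this view does not show what a frame without a content document navigates when its src is set, so that needs confirming rather than asserting. Suggested: `// No content document yet: there is no foreign document a javascript: URL could run in, so nothing to check -- confirm this holds for frames not yet attached.`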
@@ -97,7 +99,7 @@ INDEXED_ACCESS_CHECK(History)
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
// Only allow same origin access.
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
- return V8Proxy::canAccessFrame(history->frame(), false);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}
NAMED_ACCESS_CHECK(History)
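Review bot: `history->frame()` can be null once the owning window is detached, and the replacement `V8BindingSecurity::canAccessFrame` in BindingSecurity.h is not in this view; the `V8Proxy::canAccessFrame` it replaces began with `if (!target) return false;` (removed above, with the comment "The subject is detached from a frame, deny accesses"). Both History access checks depend on the new implementation keeping that null-target denial, because their result is what V8 uses to grant or refuse cross-origin property access. Worth confirming against BindingSecurity.h, or making it local: `if (!history->frame()) return false;` before the call.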
@@ -105,7 +107,7 @@ NAMED_ACCESS_CHECK(History)
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
// Only allow same origin access.
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
- return V8Proxy::canAccessFrame(history->frame(), false);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}
#undef INDEXED_ACCESS_CHECK
diff --git a/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp b/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
index 46c33b9..ecd016d 100644
--- a/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
@@ -32,6 +32,7 @@
#include "DOMWindow.h"
#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8CustomBinding.h"
#include "V8CustomEventListener.h"
#include "V8MessagePortCustom.h"
@@ -101,7 +102,7 @@ v8::Handle<v8::Value> V8Custom::WindowSetTimeoutImpl(const v8::Arguments& args,
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
ScriptExecutionContext* scriptContext = static_cast<ScriptExecutionContext*>(imp->document());
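Review bot: The line `V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true)` is now repeated verbatim in every DOMWindow custom binding in this file (setTimeout, the event accessors, opener, add/removeEventListener, atob, btoa, showModalDialog, open, clearTimeout), so the same-origin policy for window methods lives in a dozen copies. A file-local helper keeps it in one place: `static bool canAccessWindow(DOMWindow* imp) { return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true); }`, with call sites reduced to `if (!canAccessWindow(imp)) return v8::Undefined();`. `WindowSetTimeoutImpl` continues past the hunk; the check still runs before `imp->document()` is touched, as before.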
@@ -171,7 +172,7 @@ ACCESSOR_GETTER(DOMWindowEvent)
return v8::Undefined();
Frame* frame = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, holder)->frame();
- if (!V8Proxy::canAccessFrame(frame, true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), frame, true))
return v8::Undefined();
v8::Local<v8::Context> context = V8Proxy::context(frame);
@@ -192,7 +193,7 @@ ACCESSOR_SETTER(DOMWindowEvent)
return;
Frame* frame = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, holder)->frame();
- if (!V8Proxy::canAccessFrame(frame, true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), frame, true))
return;
v8::Local<v8::Context> context = V8Proxy::context(frame);
@@ -220,7 +221,7 @@ ACCESSOR_SETTER(DOMWindowOpener)
{
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, info.Holder());
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return;
// Opener can be shadowed if it is in the same domain.
@@ -343,7 +344,7 @@ CALLBACK_FUNC_DECL(DOMWindowAddEventListener)
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
Document* doc = imp->document();
@@ -376,7 +377,7 @@ CALLBACK_FUNC_DECL(DOMWindowRemoveEventListener)
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
Document* doc = imp->document();
@@ -441,7 +442,7 @@ CALLBACK_FUNC_DECL(DOMWindowAtob)
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
if (args.Length() < 1)
@@ -460,7 +461,7 @@ CALLBACK_FUNC_DECL(DOMWindowBtoa)
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
if (args.Length() < 1)
@@ -621,7 +622,7 @@ CALLBACK_FUNC_DECL(DOMWindowShowModalDialog)
V8ClassIndex::DOMWINDOW, args.Holder());
Frame* frame = window->frame();
- if (!V8Proxy::canAccessFrame(frame, true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), frame, true))
return v8::Undefined();
Frame* callingFrame = V8Proxy::retrieveFrameForCallingContext();
@@ -709,7 +710,7 @@ CALLBACK_FUNC_DECL(DOMWindowOpen)
DOMWindow* parent = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
Frame* frame = parent->frame();
- if (!V8Proxy::canAccessFrame(frame, true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), frame, true))
return v8::Undefined();
Frame* enteredFrame = V8Proxy::retrieveFrameForEnteredContext();
@@ -925,7 +926,7 @@ void V8Custom::ClearTimeoutImpl(const v8::Arguments& args)
v8::Handle<v8::Object> holder = args.Holder();
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, holder);
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return;
ScriptExecutionContext* context = static_cast<ScriptExecutionContext*>(imp->document());
if (!context)
@@ -971,7 +972,7 @@ NAMED_ACCESS_CHECK(DOMWindow)
return true;
}
- return V8Proxy::canAccessFrame(target, false);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
}
INDEXED_ACCESS_CHECK(DOMWindow)
@@ -993,7 +994,7 @@ INDEXED_ACCESS_CHECK(DOMWindow)
if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree()->child(index))
return true;
- return V8Proxy::canAccessFrame(target, false);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
}
} // namespace WebCore
diff --git a/WebCore/bindings/v8/custom/V8LocationCustom.cpp b/WebCore/bindings/v8/custom/V8LocationCustom.cpp
index 1ed4c51..af636f1 100644
--- a/WebCore/bindings/v8/custom/V8LocationCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8LocationCustom.cpp
@@ -32,6 +32,7 @@
#include "Location.h"
#include "V8Binding.h"
+#include "V8BindingState.h"
#include "V8CustomBinding.h"
#include "V8CustomEventListener.h"
#include "V8Location.h"
@@ -217,11 +218,11 @@ ACCESSOR_GETTER(LocationReload)
return privateTemplate->GetFunction();
}
Location* imp = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, holder);
- if (!V8Proxy::canAccessFrame(imp->frame(), false)) {
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false)) {
static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(v8LocationReloadCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
return sharedTemplate->GetFunction();
- } else
- return privateTemplate->GetFunction();
+ }
+ return privateTemplate->GetFunction();
}
ACCESSOR_GETTER(LocationReplace)
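Review bot: The branch on `canAccessFrame(..., false)` is the point where a cross-origin caller is handed the shared `sharedTemplate` function instead of this window's `privateTemplate` one, and nothing in the getter says why; the three Location getters in this file (`LocationReload`, `LocationReplace`, `LocationAssign`) now have identical bodies apart from the callback, so the explanation would otherwise have to be repeated three times. Suggested comment at the `if`: `// Cross-origin callers get a shared, per-process function so they cannot observe or replace this window's private one -- verify this is the intended reason.` The getter starts before the hunk; the `if/else` flattening itself is fine.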
@@ -235,11 +236,11 @@ ACCESSOR_GETTER(LocationReplace)
return privateTemplate->GetFunction();
}
Location* imp = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, holder);
- if (!V8Proxy::canAccessFrame(imp->frame(), false)) {
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false)) {
static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(v8LocationReplaceCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
return sharedTemplate->GetFunction();
- } else
- return privateTemplate->GetFunction();
+ }
+ return privateTemplate->GetFunction();
}
ACCESSOR_GETTER(LocationAssign)
@@ -254,11 +255,11 @@ ACCESSOR_GETTER(LocationAssign)
return privateTemplate->GetFunction();
}
Location* imp = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, holder);
- if (!V8Proxy::canAccessFrame(imp->frame(), false)) {
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false)) {
static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(v8LocationAssignCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
return sharedTemplate->GetFunction();
- } else
- return privateTemplate->GetFunction();
+ }
+ return privateTemplate->GetFunction();
}
CALLBACK_FUNC_DECL(LocationReload)
@@ -335,7 +336,7 @@ CALLBACK_FUNC_DECL(LocationToString)
INC_STATS("DOM.Location.toString");
v8::Handle<v8::Object> holder = args.Holder();
Location* imp = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, holder);
- if (!V8Proxy::canAccessFrame(imp->frame(), true))
+ if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
String result = imp->href();
return v8String(result);
@@ -346,7 +347,7 @@ INDEXED_ACCESS_CHECK(Location)
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::LOCATION);
// Only allow same origin access
Location* imp = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, host);
- return V8Proxy::canAccessFrame(imp->frame(), false);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false);
}
NAMED_ACCESS_CHECK(Location)
@@ -354,7 +355,7 @@ NAMED_ACCESS_CHECK(Location)
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::LOCATION);
// Only allow same origin access
Location* imp = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, host);
- return V8Proxy::canAccessFrame(imp->frame(), false);
+ return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false);
}
} // namespace WebCore
diff --git a/WebKit/chromium/ChangeLog b/WebKit/chromium/ChangeLog
index 42ab885..3bf2391 100644
--- a/WebKit/chromium/ChangeLog
+++ b/WebKit/chromium/ChangeLog
@@ -1,3 +1,13 @@
+2009-12-13 Charles Reis <creis at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Refactor some security code out of V8 bindings
+ https://bugs.webkit.org/show_bug.cgi?id=32326
+
+ * src/WebBindings.cpp:
+ (WebKit::getDragDataImpl):
+
2009-12-11 Nate Chapin <japhet at chromium.org>
Reviewed by Darin Fisher.
diff --git a/WebKit/chromium/src/WebBindings.cpp b/WebKit/chromium/src/WebBindings.cpp
index 0bc67b6..5e68fa3 100644
--- a/WebKit/chromium/src/WebBindings.cpp
+++ b/WebKit/chromium/src/WebBindings.cpp
@@ -44,6 +44,7 @@
#include "MouseEvent.h"
#include "NPV8Object.h" // for PrivateIdentifier
#include "Range.h"
+#include "V8BindingState.h"
#include "V8DOMWrapper.h"
#include "V8Helpers.h"
#include "V8Proxy.h"
@@ -236,7 +237,7 @@ static bool getDragDataImpl(NPObject* npobj, int* eventId, WebDragData* data)
// Check the execution frames are same origin.
V8Proxy* current = V8Proxy::retrieve(V8Proxy::retrieveFrameForCurrentContext());
Frame* frame = V8Proxy::retrieveFrame(context);
- if (!current || !current->canAccessFrame(frame, false))
+ if (!current || !V8BindingSecurity::canAccessFrame(V8BindingState::Only(), frame, false))
return false;
const EventNames& names(eventNames());
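Review bot: `current` on the line above the change is now used only as a null guard, since `canAccessFrame` is static and no longer invoked through it; whether that guard still matters depends on whether `V8Proxy::retrieve` can return null for a live frame, which is not visible here. If it can, say so instead of leaving an apparently vestigial lookup: `// A frame with no V8Proxy has no script context to grant access from.`; if it cannot, fold the guard into a check on `V8Proxy::retrieveFrameForCurrentContext()`. `frame` from `V8Proxy::retrieveFrame(context)` may also be null and is passed straight to the new `canAccessFrame`; the removed `V8Proxy` version returned false for a null target, and the replacement should be confirmed to do the same. `getDragDataImpl` starts before the hunk.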
--