• cwzwarich@webkit.org's avatar
    2009-03-19 Cameron Zwarich <cwzwarich@uwaterloo.ca> · 78200f54
    cwzwarich@webkit.org authored
            Reviewed by Oliver Hunt.
    
            Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage
            <https://bugs.webkit.org/show_bug.cgi?id=24596>
            <rdar://problem/6686493>
    
            JSDOMWindow::customGetOwnPropertySlot() does an access check after calling
            JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be
            set twice, once to the value that is illegal to access, and then to undefined
            This causes an assertion failure in property access caching code.
    
            The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot().
    
            WebCore:
    
            * bindings/js/JSDOMWindowCustom.h:
            (WebCore::JSDOMWindow::customGetOwnPropertySlot):
    
            LayoutTests:
    
            * http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added.
            * http/tests/security/cross-frame-access-get-custom-property-cached.html: Added.
            * http/te...
    78200f54