Commit 37eb477c authored by yaar@chromium.org's avatar yaar@chromium.org

2010-05-20 Justin Schuh <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Moving frame.src checks out of the bindings
        https://bugs.webkit.org/show_bug.cgi?id=37815

        Moved JavaScript frame.src checks out of bindings and into
        HTMLFrameElementBase. Added main thread state stack to JavaScriptCore
        so ExecState is available inside core DOM. Updated affected bindings
        (except for GObject, which will need to be updated to avoid origin
        failures inside native code).

        * Android.jscbindings.mk:
        * CMakeLists.txt:
        * GNUmakefile.am:
        * WebCore.gypi:
        * WebCore.pro:
        * WebCore.vcproj/WebCore.vcproj:
        * WebCore.xcodeproj/project.pbxproj:
        * bindings/js/JSBindingsAllInOne.cpp:
        * bindings/js/JSCallbackData.cpp:
        (WebCore::JSCallbackData::invokeCallback):
        * bindings/js/JSEventListener.cpp:
        (WebCore::JSEventListener::handleEvent):
        * bindings/js/JSInjectedScriptHostCustom.cpp:
        (WebCore::InjectedScriptHost::createInjectedScript):
        * bindings/js/JSMainThreadExecState.cpp: Added.
        * bindings/js/JSMainThreadExecState.h: Added.
        (WebCore::JSMainThreadExecState::currentState):
        (WebCore::JSMainThreadExecState::call):
        (WebCore::JSMainThreadExecState::evaluate):
        (WebCore::JSMainThreadExecState::JSMainThreadExecState):
        (WebCore::JSMainThreadExecState::~JSMainThreadExecState):
        (WebCore::JSMainThreadNullState::JSMainThreadNullState):
        * bindings/js/ScheduledAction.cpp:
        (WebCore::ScheduledAction::executeFunctionInContext):
        (WebCore::ScheduledAction::execute):
        * bindings/js/ScheduledAction.h:
        * bindings/js/ScriptController.cpp:
        (WebCore::ScriptController::evaluateInWorld):
        (WebCore::ScriptController::canAccessFromCurrentOrigin):
        * bindings/js/ScriptController.h:
        * bindings/js/ScriptFunctionCall.cpp:
        (WebCore::ScriptFunctionCall::call):
        * bindings/objc/ObjCEventListener.mm:
        * bindings/objc/WebScriptObject.mm:
        (-[WebScriptObject callWebScriptMethod:withArguments:]):
        (-[WebScriptObject evaluateWebScript:]):
        * bindings/scripts/CodeGeneratorObjC.pm:
        * bindings/scripts/test/ObjC/DOMTestCallback.mm:
        (-[DOMTestCallback callbackWithClass1Param:]):
        (-[DOMTestCallback callbackWithClass2Param:strArg:]):
        (-[DOMTestCallback callbackWithNonBoolReturnType:]):
        (-[DOMTestCallback customCallback:class6Param:]):
        * bindings/scripts/test/ObjC/DOMTestInterface.mm:
        * bindings/scripts/test/ObjC/DOMTestObj.mm:
        (-[DOMTestObj readOnlyIntAttr]):
        (-[DOMTestObj readOnlyStringAttr]):
        (-[DOMTestObj readOnlyTestObjAttr]):
        (-[DOMTestObj intAttr]):
        (-[DOMTestObj setIntAttr:]):
        (-[DOMTestObj longLongAttr]):
        (-[DOMTestObj setLongLongAttr:]):
        (-[DOMTestObj unsignedLongLongAttr]):
        (-[DOMTestObj setUnsignedLongLongAttr:]):
        (-[DOMTestObj stringAttr]):
        (-[DOMTestObj setStringAttr:]):
        (-[DOMTestObj testObjAttr]):
        (-[DOMTestObj setTestObjAttr:]):
        (-[DOMTestObj attrWithException]):
        (-[DOMTestObj setAttrWithException:]):
        (-[DOMTestObj attrWithSetterException]):
        (-[DOMTestObj setAttrWithSetterException:]):
        (-[DOMTestObj attrWithGetterException]):
        (-[DOMTestObj setAttrWithGetterException:]):
        (-[DOMTestObj customAttr]):
        (-[DOMTestObj setCustomAttr:]):
        (-[DOMTestObj scriptStringAttr]):
        (-[DOMTestObj voidMethod]):
        (-[DOMTestObj voidMethodWithArgs:strArg:objArg:]):
        (-[DOMTestObj intMethod]):
        (-[DOMTestObj intMethodWithArgs:strArg:objArg:]):
        (-[DOMTestObj objMethod]):
        (-[DOMTestObj objMethodWithArgs:strArg:objArg:]):
        (-[DOMTestObj methodThatRequiresAllArgs:objArg:]):
        (-[DOMTestObj methodThatRequiresAllArgsAndThrows:objArg:]):
        (-[DOMTestObj serializedValue:]):
        (-[DOMTestObj methodWithException]):
        (-[DOMTestObj customMethod]):
        (-[DOMTestObj customMethodWithArgs:strArg:objArg:]):
        (-[DOMTestObj customArgsAndException:]):
        (-[DOMTestObj addEventListener:listener:useCapture:]):
        (-[DOMTestObj removeEventListener:listener:useCapture:]):
        (-[DOMTestObj withDynamicFrame]):
        (-[DOMTestObj withDynamicFrameAndArg:]):
        (-[DOMTestObj withDynamicFrameAndOptionalArg:optionalArg:]):
        (-[DOMTestObj withDynamicFrameAndUserGesture:]):
        (-[DOMTestObj withDynamicFrameAndUserGestureASAD:optionalArg:]):
        (-[DOMTestObj withScriptStateVoid]):
        (-[DOMTestObj withScriptStateObj]):
        (-[DOMTestObj withScriptStateVoidException]):
        (-[DOMTestObj withScriptStateObjException]):
        (-[DOMTestObj methodWithOptionalArg:]):
        (-[DOMTestObj methodWithNonOptionalArgAndOptionalArg:opt:]):
        (-[DOMTestObj methodWithNonOptionalArgAndTwoOptionalArgs:opt1:opt2:]):
        * bindings/v8/ScriptController.cpp:
        (WebCore::ScriptController::canAccessFromCurrentOrigin):
        * bindings/v8/ScriptController.h:
        * html/HTMLFrameElementBase.cpp:
        (WebCore::HTMLFrameElementBase::isURLAllowed):
2010-05-20  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Adam Barth.

        Moving frame.src checks out of the bindings
        https://bugs.webkit.org/show_bug.cgi?id=37815

        * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
        * http/tests/security/xss-DENIED-iframe-src-alias.html:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59866 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 333ad92d
2010-05-20 Justin Schuh <jschuh@chromium.org>
Reviewed by Adam Barth.
Moving frame.src checks out of the bindings
https://bugs.webkit.org/show_bug.cgi?id=37815
* http/tests/security/xss-DENIED-iframe-src-alias-expected.txt:
* http/tests/security/xss-DENIED-iframe-src-alias.html:
2010-05-20 Martin Robinson <mrobinson@igalia.com>
Unreviewed.
......@@ -16,6 +16,10 @@ CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
This script tests if iframe.src can be set to a JavaScript URL via alternate DOM interfaces (such as Node.textContent or NamedNode.setNamedItem). The test is successful if no alerts appear and the page finishes loading.
......@@ -33,3 +37,5 @@ This script tests if iframe.src can be set to a JavaScript URL via alternate DOM
......@@ -17,6 +17,11 @@ window.onload = function()
function(iFrame) { iFrame.attributes['src'].value = alertMsg("value"); iFrame.src = iFrame.src;},
function(iFrame) { iFrame.attributes['src'].textContent = alertMsg("textContent");},
function(iFrame) { iFrame.attributes['src'].nodeValue = alertMsg("nodeValue");},
// Text Node Manipulation
function(iFrame) { iFrame.attributes['src'].firstChild.replaceWholeText(alertMsg("nodeValue"));},
function(iFrame) { iFrame.attributes['src'].firstChild.data = alertMsg("nodeValue");},
// Node attribute manipulation functions
function(iFrame) { iFrame.setAttribute("src", alertMsg("setAttribute"));},
function(iFrame) { iFrame.setAttributeNS(null, "src", alertMsg("setAttributeNS"));},
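Review bot: The two new text-node cases at `firstChild.replaceWholeText(...)` and `firstChild.data = ...` both label their alert "nodeValue", copied from the line above, so if either vector ever fires the alert text would point at the wrong DOM interface. Give each its own label: `function(iFrame) { iFrame.attributes['src'].firstChild.replaceWholeText(alertMsg("replaceWholeText"));},` and `function(iFrame) { iFrame.attributes['src'].firstChild.data = alertMsg("data");},`. The label only appears when the test fails, so the expected output is unaffected. The array these entries belong to starts before and ends after the hunk.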
......@@ -120,6 +120,7 @@ LOCAL_SRC_FILES += \
bindings/js/JSImageDataCustom.cpp \
bindings/js/JSLazyEventListener.cpp \
bindings/js/JSLocationCustom.cpp \
bindings/js/JSMainThreadExecState.cpp \
bindings/js/JSMessageChannelConstructor.cpp \
bindings/js/JSMessageChannelCustom.cpp \
bindings/js/JSMessageEventCustom.cpp \
......@@ -590,6 +590,7 @@ SET(WebCore_SOURCES
bindings/js/JSJavaScriptCallFrameCustom.cpp
bindings/js/JSLazyEventListener.cpp
bindings/js/JSLocationCustom.cpp
bindings/js/JSMainThreadExecState.cpp
bindings/js/JSMessageChannelConstructor.cpp
bindings/js/JSMessageChannelCustom.cpp
bindings/js/JSMessageEventCustom.cpp
2010-05-20 Justin Schuh <jschuh@chromium.org>
Reviewed by Adam Barth.
Moving frame.src checks out of the bindings
https://bugs.webkit.org/show_bug.cgi?id=37815
Moved JavaScript frame.src checks out of bindings and into
HTMLFrameElementBase. Added main thread state stack to JavaScriptCore
so ExecState is available inside core DOM. Updated affected bindings
(except for GObject, which will need to be updated to avoid origin
failures inside native code).
* Android.jscbindings.mk:
* CMakeLists.txt:
* GNUmakefile.am:
* WebCore.gypi:
* WebCore.pro:
* WebCore.vcproj/WebCore.vcproj:
* WebCore.xcodeproj/project.pbxproj:
* bindings/js/JSBindingsAllInOne.cpp:
* bindings/js/JSCallbackData.cpp:
(WebCore::JSCallbackData::invokeCallback):
* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::handleEvent):
* bindings/js/JSInjectedScriptHostCustom.cpp:
(WebCore::InjectedScriptHost::createInjectedScript):
* bindings/js/JSMainThreadExecState.cpp: Added.
* bindings/js/JSMainThreadExecState.h: Added.
(WebCore::JSMainThreadExecState::currentState):
(WebCore::JSMainThreadExecState::call):
(WebCore::JSMainThreadExecState::evaluate):
(WebCore::JSMainThreadExecState::JSMainThreadExecState):
(WebCore::JSMainThreadExecState::~JSMainThreadExecState):
(WebCore::JSMainThreadNullState::JSMainThreadNullState):
* bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::executeFunctionInContext):
(WebCore::ScheduledAction::execute):
* bindings/js/ScheduledAction.h:
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::evaluateInWorld):
(WebCore::ScriptController::canAccessFromCurrentOrigin):
* bindings/js/ScriptController.h:
* bindings/js/ScriptFunctionCall.cpp:
(WebCore::ScriptFunctionCall::call):
* bindings/objc/ObjCEventListener.mm:
* bindings/objc/WebScriptObject.mm:
(-[WebScriptObject callWebScriptMethod:withArguments:]):
(-[WebScriptObject evaluateWebScript:]):
* bindings/scripts/CodeGeneratorObjC.pm:
* bindings/scripts/test/ObjC/DOMTestCallback.mm:
(-[DOMTestCallback callbackWithClass1Param:]):
(-[DOMTestCallback callbackWithClass2Param:strArg:]):
(-[DOMTestCallback callbackWithNonBoolReturnType:]):
(-[DOMTestCallback customCallback:class6Param:]):
* bindings/scripts/test/ObjC/DOMTestInterface.mm:
* bindings/scripts/test/ObjC/DOMTestObj.mm:
(-[DOMTestObj readOnlyIntAttr]):
(-[DOMTestObj readOnlyStringAttr]):
(-[DOMTestObj readOnlyTestObjAttr]):
(-[DOMTestObj intAttr]):
(-[DOMTestObj setIntAttr:]):
(-[DOMTestObj longLongAttr]):
(-[DOMTestObj setLongLongAttr:]):
(-[DOMTestObj unsignedLongLongAttr]):
(-[DOMTestObj setUnsignedLongLongAttr:]):
(-[DOMTestObj stringAttr]):
(-[DOMTestObj setStringAttr:]):
(-[DOMTestObj testObjAttr]):
(-[DOMTestObj setTestObjAttr:]):
(-[DOMTestObj attrWithException]):
(-[DOMTestObj setAttrWithException:]):
(-[DOMTestObj attrWithSetterException]):
(-[DOMTestObj setAttrWithSetterException:]):
(-[DOMTestObj attrWithGetterException]):
(-[DOMTestObj setAttrWithGetterException:]):
(-[DOMTestObj customAttr]):
(-[DOMTestObj setCustomAttr:]):
(-[DOMTestObj scriptStringAttr]):
(-[DOMTestObj voidMethod]):
(-[DOMTestObj voidMethodWithArgs:strArg:objArg:]):
(-[DOMTestObj intMethod]):
(-[DOMTestObj intMethodWithArgs:strArg:objArg:]):
(-[DOMTestObj objMethod]):
(-[DOMTestObj objMethodWithArgs:strArg:objArg:]):
(-[DOMTestObj methodThatRequiresAllArgs:objArg:]):
(-[DOMTestObj methodThatRequiresAllArgsAndThrows:objArg:]):
(-[DOMTestObj serializedValue:]):
(-[DOMTestObj methodWithException]):
(-[DOMTestObj customMethod]):
(-[DOMTestObj customMethodWithArgs:strArg:objArg:]):
(-[DOMTestObj customArgsAndException:]):
(-[DOMTestObj addEventListener:listener:useCapture:]):
(-[DOMTestObj removeEventListener:listener:useCapture:]):
(-[DOMTestObj withDynamicFrame]):
(-[DOMTestObj withDynamicFrameAndArg:]):
(-[DOMTestObj withDynamicFrameAndOptionalArg:optionalArg:]):
(-[DOMTestObj withDynamicFrameAndUserGesture:]):
(-[DOMTestObj withDynamicFrameAndUserGestureASAD:optionalArg:]):
(-[DOMTestObj withScriptStateVoid]):
(-[DOMTestObj withScriptStateObj]):
(-[DOMTestObj withScriptStateVoidException]):
(-[DOMTestObj withScriptStateObjException]):
(-[DOMTestObj methodWithOptionalArg:]):
(-[DOMTestObj methodWithNonOptionalArgAndOptionalArg:opt:]):
(-[DOMTestObj methodWithNonOptionalArgAndTwoOptionalArgs:opt1:opt2:]):
* bindings/v8/ScriptController.cpp:
(WebCore::ScriptController::canAccessFromCurrentOrigin):
* bindings/v8/ScriptController.h:
* html/HTMLFrameElementBase.cpp:
(WebCore::HTMLFrameElementBase::isURLAllowed):
2010-05-20 Adam Roben <aroben@apple.com>
Fix an HRGN leak in WKCACFLayerRenderer
......@@ -468,6 +468,8 @@ webcore_sources += \
WebCore/bindings/js/JSLazyEventListener.h \
WebCore/bindings/js/JSLocationCustom.cpp \
WebCore/bindings/js/JSLocationCustom.h \
WebCore/bindings/js/JSMainThreadExecState.cpp \
WebCore/bindings/js/JSMainThreadExecState.h \
WebCore/bindings/js/JSMessageChannelConstructor.cpp \
WebCore/bindings/js/JSMessageChannelConstructor.h \
WebCore/bindings/js/JSMessageChannelCustom.cpp \
......@@ -582,6 +582,8 @@
'bindings/js/JSLazyEventListener.h',
'bindings/js/JSLocationCustom.cpp',
'bindings/js/JSLocationCustom.h',
'bindings/js/JSMainThreadExecState.cpp',
'bindings/js/JSMainThreadExecState.h',
'bindings/js/JSMessageChannelConstructor.cpp',
'bindings/js/JSMessageChannelConstructor.h',
'bindings/js/JSMessageChannelCustom.cpp',
......@@ -351,6 +351,7 @@ SOURCES += \
bindings/js/JSDOMBinding.cpp \
bindings/js/JSEventListener.cpp \
bindings/js/JSLazyEventListener.cpp \
bindings/js/JSMainThreadExecState.cpp \
bindings/js/JSPluginElementFunctions.cpp \
bindings/js/JSPopStateEventCustom.cpp \
bindings/js/JSWorkerContextErrorHandler.cpp \
......@@ -38955,6 +38955,62 @@
/>
</FileConfiguration>
</File>
<File
RelativePath="..\bindings\js\JSMainThreadExecState.cpp"
>
<FileConfiguration
Name="Debug|Win32"
ExcludedFromBuild="true"
>
<Tool
Name="VCCLCompilerTool"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
ExcludedFromBuild="true"
>
<Tool
Name="VCCLCompilerTool"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug_Internal|Win32"
ExcludedFromBuild="true"
>
<Tool
Name="VCCLCompilerTool"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug_Cairo|Win32"
ExcludedFromBuild="true"
>
<Tool
Name="VCCLCompilerTool"
/>
</FileConfiguration>
<FileConfiguration
Name="Release_Cairo|Win32"
ExcludedFromBuild="true"
>
<Tool
Name="VCCLCompilerTool"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug_All|Win32"
ExcludedFromBuild="true"
>
<Tool
Name="VCCLCompilerTool"
/>
</FileConfiguration>
</File>
<File
RelativePath="..\bindings\js\JSMainThreadExecState.h"
>
</File>
<File
RelativePath="..\bindings\js\JSMessageChannelConstructor.cpp"
>
......@@ -2272,6 +2272,7 @@
895253DC116C4EF500CABF00 /* FileStreamProxy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 895253DA116C4EF500CABF00 /* FileStreamProxy.cpp */; };
895253DD116C4EF500CABF00 /* FileStreamProxy.h in Headers */ = {isa = PBXBuildFile; fileRef = 895253DB116C4EF500CABF00 /* FileStreamProxy.h */; };
895253DF116C4F0600CABF00 /* FileThreadTask.h in Headers */ = {isa = PBXBuildFile; fileRef = 895253DE116C4F0600CABF00 /* FileThreadTask.h */; };
8FAC774D119872CB0015AE94 /* JSMainThreadExecState.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 8F934D841189F1EE00508D5D /* JSMainThreadExecState.cpp */; };
9302B0BD0D79F82900C7EE83 /* PageGroup.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9302B0BC0D79F82900C7EE83 /* PageGroup.cpp */; };
9302B0BF0D79F82C00C7EE83 /* PageGroup.h in Headers */ = {isa = PBXBuildFile; fileRef = 9302B0BE0D79F82C00C7EE83 /* PageGroup.h */; settings = {ATTRIBUTES = (Private, ); }; };
9305B24D098F1B6B00C28855 /* Timer.h in Headers */ = {isa = PBXBuildFile; fileRef = 9305B24C098F1B6B00C28855 /* Timer.h */; settings = {ATTRIBUTES = (Private, ); }; };
......@@ -7846,6 +7847,8 @@
895253DA116C4EF500CABF00 /* FileStreamProxy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FileStreamProxy.cpp; sourceTree = "<group>"; };
895253DB116C4EF500CABF00 /* FileStreamProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FileStreamProxy.h; sourceTree = "<group>"; };
895253DE116C4F0600CABF00 /* FileThreadTask.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FileThreadTask.h; sourceTree = "<group>"; };
8F934D831189F1EE00508D5D /* JSMainThreadExecState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSMainThreadExecState.h; sourceTree = "<group>"; };
8F934D841189F1EE00508D5D /* JSMainThreadExecState.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSMainThreadExecState.cpp; sourceTree = "<group>"; };
9302B0BC0D79F82900C7EE83 /* PageGroup.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PageGroup.cpp; sourceTree = "<group>"; };
9302B0BE0D79F82C00C7EE83 /* PageGroup.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PageGroup.h; sourceTree = "<group>"; };
9305B24C098F1B6B00C28855 /* Timer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Timer.h; sourceTree = "<group>"; };
......@@ -15218,6 +15221,8 @@
BC60901D0E91B8EC000C68B5 /* JSEventTarget.h */,
3314ACE910892086000F0E56 /* JSExceptionBase.cpp */,
3314ACEA10892086000F0E56 /* JSExceptionBase.h */,
8F934D841189F1EE00508D5D /* JSMainThreadExecState.cpp */,
8F934D831189F1EE00508D5D /* JSMainThreadExecState.h */,
93B70D4F09EB0C7C009D8468 /* JSPluginElementFunctions.cpp */,
93B70D5009EB0C7C009D8468 /* JSPluginElementFunctions.h */,
415B7C550FF598E6006770F7 /* JSSharedWorkerConstructor.cpp */,
......@@ -21526,6 +21531,7 @@
B59DD6A211902A52007E9684 /* JSSQLTransactionErrorCallback.cpp in Sources */,
B59DD6A611902A62007E9684 /* JSSQLStatementCallback.cpp in Sources */,
B59DD6AA11902A71007E9684 /* JSSQLStatementErrorCallback.cpp in Sources */,
8FAC774D119872CB0015AE94 /* JSMainThreadExecState.cpp in Sources */,
B55D5AA5119131FC00BCC315 /* JSSQLTransactionSyncCallback.cpp in Sources */,
B55D5AA81191325000BCC315 /* JSDatabaseSyncCustom.cpp in Sources */,
B55D5AA91191325000BCC315 /* JSSQLTransactionSyncCustom.cpp in Sources */,
......@@ -85,6 +85,7 @@
#include "JSJavaScriptCallFrameCustom.cpp"
#include "JSLazyEventListener.cpp"
#include "JSLocationCustom.cpp"
#include "JSMainThreadExecState.cpp"
#include "JSMessageChannelConstructor.cpp"
#include "JSMessageChannelCustom.cpp"
#include "JSMessageEventCustom.cpp"
......@@ -31,6 +31,7 @@
#include "Document.h"
#include "JSDOMBinding.h"
#include "JSMainThreadExecState.h"
using namespace JSC;
......@@ -59,7 +60,9 @@ JSValue JSCallbackData::invokeCallback(MarkedArgumentBuffer& args, bool* raisedE
}
globalObject()->globalData()->timeoutChecker.start();
JSValue result = JSC::call(exec, function, callType, callData, callback(), args);
JSValue result = globalObject()->scriptExecutionContext()->isDocument()
? JSMainThreadExecState::call(exec, function, callType, callData, callback(), args)
: JSC::call(exec, function, callType, callData, callback(), args);
globalObject()->globalData()->timeoutChecker.stop();
Document::updateStyleForAllDocuments();
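Review bot: The new `isDocument()` ternary has no comment saying why worker callbacks must bypass `JSMainThreadExecState::call`, so a reader will assume the two calls are interchangeable. I would put `// JSMainThreadExecState asserts isMainThread() and records exec on the main-thread state stack; worker callbacks use plain JSC::call.` above it. Whether `scriptExecutionContext()` can be null at this point is not visible from the hunk; if it can, the dereference needs a guard. The same document/worker dispatch is repeated in JSEventListener::handleEvent and ScheduledAction::executeFunctionInContext, so a single helper would avoid three copies. invokeCallback starts before the hunk.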
......@@ -24,6 +24,7 @@
#include "Frame.h"
#include "JSEvent.h"
#include "JSEventTarget.h"
#include "JSMainThreadExecState.h"
#include <runtime/JSLock.h>
#include <wtf/RefCountedLeakCounter.h>
......@@ -111,9 +112,17 @@ void JSEventListener::handleEvent(ScriptExecutionContext* scriptExecutionContext
DynamicGlobalObjectScope globalObjectScope(exec, globalData->dynamicGlobalObject ? globalData->dynamicGlobalObject : globalObject);
globalData->timeoutChecker.start();
JSValue retval = handleEventFunction
? JSC::call(exec, handleEventFunction, callType, callData, jsFunction, args)
: JSC::call(exec, jsFunction, callType, callData, toJS(exec, globalObject, event->currentTarget()), args);
JSValue retval;
if (handleEventFunction) {
retval = scriptExecutionContext->isDocument()
? JSMainThreadExecState::call(exec, handleEventFunction, callType, callData, jsFunction, args)
: JSC::call(exec, handleEventFunction, callType, callData, jsFunction, args);
} else {
JSValue currentTarget = toJS(exec, globalObject, event->currentTarget());
retval = scriptExecutionContext->isDocument()
? JSMainThreadExecState::call(exec, jsFunction, callType, callData, currentTarget, args)
: JSC::call(exec, jsFunction, callType, callData, currentTarget, args);
}
globalData->timeoutChecker.stop();
globalObject->setCurrentEvent(savedEvent);
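Review bot: The two new branches in handleEvent spell the document/worker dispatch out four times (two callees times two call paths) when only the callee and the receiver differ between them. Choosing the callee and receiver first and dispatching once leaves a single place to change when the main-thread wrapper is touched; `toJS(...)` is still evaluated only when there is no handleEvent function, as before. handleEvent starts and ends outside the hunk.
```cpp
JSValue callee;
JSValue receiver;
if (handleEventFunction) {
    callee = handleEventFunction;
    receiver = jsFunction;
} else {
    callee = jsFunction;
    receiver = toJS(exec, globalObject, event->currentTarget());
}
// Document contexts record exec on the main-thread ExecState stack; workers must not.
JSValue retval = scriptExecutionContext->isDocument()
    ? JSMainThreadExecState::call(exec, callee, callType, callData, receiver, args)
    : JSC::call(exec, callee, callType, callData, receiver, args);
// … unchanged: timeoutChecker.stop(), setCurrentEvent(savedEvent) …
```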
......@@ -36,6 +36,7 @@
#if ENABLE(INSPECTOR)
#include "Console.h"
#include "JSMainThreadExecState.h"
#if ENABLE(DATABASE)
#include "Database.h"
#include "JSDatabase.h"
......@@ -82,7 +83,7 @@ ScriptObject InjectedScriptHost::createInjectedScript(const String& source, Scri
JSLock lock(SilenceAssertionsOnly);
JSDOMGlobalObject* globalObject = static_cast<JSDOMGlobalObject*>(scriptState->lexicalGlobalObject());
JSValue globalThisValue = scriptState->globalThisValue();
Completion comp = JSC::evaluate(scriptState, globalObject->globalScopeChain(), sourceCode, globalThisValue);
Completion comp = JSMainThreadExecState::evaluate(scriptState, globalObject->globalScopeChain(), sourceCode, globalThisValue);
if (comp.complType() != JSC::Normal && comp.complType() != JSC::ReturnValue)
return ScriptObject();
JSValue functionValue = comp.value();
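Review bot: `JSMainThreadExecState::evaluate` is used here unconditionally, while the other call sites in this change guard on `isDocument()`; its constructor asserts `WTF::isMainThread()` and writes a process-wide static, so if createInjectedScript can ever be reached with a worker's ScriptState this is wrong. I can't tell from the hunk whether that is possible; if it is not, say so: `// Inspector injected scripts run on the main thread; scriptState becomes the current ExecState for DOM origin checks.` That comment also records the security consequence of the change: DOM mutations made by the injected script are now attributed to scriptState's origin instead of running with no state on the stack. createInjectedScript starts before the hunk.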
/*
* Copyright (C) 2010 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "JSMainThreadExecState.h"
namespace WebCore {
JSC::ExecState* JSMainThreadExecState::s_mainThreadState = 0;
} // namespace WebCore
/*
* Copyright (C) 2010 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef JSMainThreadExecState_h
#define JSMainThreadExecState_h
#include <JSDOMBinding.h>
#ifndef NDEBUG
#include <wtf/MainThread.h>
#endif
#include <wtf/Noncopyable.h>
namespace WebCore {
class JSMainThreadExecState : public Noncopyable {
public:
static JSC::ExecState* currentState()
{
ASSERT(WTF::isMainThread());
return s_mainThreadState;
};
static JSC::JSValue call(JSC::ExecState* exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData& callData, JSC::JSValue thisValue, const JSC::ArgList& args)
{
JSMainThreadExecState currentState(exec);
return JSC::call(exec, functionObject, callType, callData, thisValue, args);
};
static JSC::Completion evaluate(JSC::ExecState* exec, JSC::ScopeChain& chain, const JSC::SourceCode& source, JSC::JSValue thisValue)
{
JSMainThreadExecState currentState(exec);
return JSC::evaluate(exec, chain, source, thisValue);
};
protected:
explicit JSMainThreadExecState(JSC::ExecState* exec)
: m_previousState(s_mainThreadState)
{
ASSERT(WTF::isMainThread());
s_mainThreadState = exec;
};
~JSMainThreadExecState()
{
ASSERT(WTF::isMainThread());
s_mainThreadState = m_previousState;
}
private:
static JSC::ExecState* s_mainThreadState;
JSC::ExecState* m_previousState;
};
// Null state prevents origin security checks.
class JSMainThreadNullState : private JSMainThreadExecState {
public:
explicit JSMainThreadNullState() : JSMainThreadExecState(0) {};
};
} // namespace WebCore
#endif // JSMainThreadExecState_h
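Review bot: The class header should spell out the fail-open contract that makes this stack security-relevant: `ScriptController::canAccessFromCurrentOrigin` returns true when `currentState()` is null, and the only comment here (`Null state prevents origin security checks`) reads as if that were incidental. I would add a comment above the class stating that a null state means "no script is running", that DOM code then skips the origin check, and that therefore every main-thread path that enters `JSC::call`/`JSC::evaluate` must go through these wrappers or use `JSMainThreadNullState` deliberately — an unwrapped entry (the ChangeLog itself notes the GObject bindings are not yet updated) attributes a script-driven frame.src write to no origin. The thread check is `ASSERT`-only, so release builds have no guard against a worker thread touching `s_mainThreadState`. Minor style: drop the stray `;` after the inline method bodies and the `explicit` on the no-argument `JSMainThreadNullState` constructor, and include the WebCore header as `"JSDOMBinding.h"` rather than `<JSDOMBinding.h>`.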
......@@ -30,6 +30,7 @@
#include "FrameLoader.h"
#include "JSDOMBinding.h"
#include "JSDOMWindow.h"
#include "JSMainThreadExecState.h"
#include "ScriptController.h"
#include "ScriptExecutionContext.h"
#include "ScriptSourceCode.h"
......@@ -84,7 +85,7 @@ void ScheduledAction::execute(ScriptExecutionContext* context)
#endif
}
void ScheduledAction::executeFunctionInContext(JSGlobalObject* globalObject, JSValue thisValue)
void ScheduledAction::executeFunctionInContext(JSGlobalObject* globalObject, JSValue thisValue, ScriptExecutionContext* context)
{
ASSERT(m_function);
JSLock lock(SilenceAssertionsOnly);
......@@ -102,7 +103,10 @@ void ScheduledAction::executeFunctionInContext(JSGlobalObject* globalObject, JSV
args.append(m_args[i]);
globalObject->globalData()->timeoutChecker.start();
JSC::call(exec, m_function, callType, callData, thisValue, args);
if (context->isDocument())
JSMainThreadExecState::call(exec, m_function, callType, callData, thisValue, args);
else
JSC::call(exec, m_function, callType, callData, thisValue, args);
globalObject->globalData()->timeoutChecker.stop();
if (exec->hadException())
......@@ -122,7 +126,7 @@ void ScheduledAction::execute(Document* document)
frame->script()->setProcessingTimerCallback(true);
if (m_function) {
executeFunctionInContext(window, window->shell());
executeFunctionInContext(window, window->shell(), document);
Document::updateStyleForAllDocuments();
} else
frame->script()->executeScriptInWorld(m_isolatedWorld.get(), m_code);
......@@ -140,7 +144,7 @@ void ScheduledAction::execute(WorkerContext* workerContext)
if (m_function) {
JSWorkerContext* contextWrapper = scriptController->workerContextWrapper();
executeFunctionInContext(contextWrapper, contextWrapper);
executeFunctionInContext(contextWrapper, contextWrapper, workerContext);
} else {
ScriptSourceCode code(m_code, workerContext->url());
scriptController->evaluate(code);
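Review bot: executeFunctionInContext now dereferences its new `context` parameter at `context->isDocument()` with no check, while the function's only precondition assertion covers `m_function`; add `ASSERT(context);` next to `ASSERT(m_function);` so a null caller fails at entry rather than inside the ternary. Both callers in this change pass a live Document or WorkerContext, so this guards future callers rather than fixing a current bug. The string-code path for documents is covered separately through `executeScriptInWorld`, which reaches `JSMainThreadExecState::evaluate` in ScriptController::evaluateInWorld.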
......@@ -55,7 +55,7 @@ namespace WebCore {
{
}
void executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue thisValue);
void executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue thisValue, ScriptExecutionContext*);
void execute(Document*);
#if ENABLE(WORKERS)
void execute(WorkerContext*);
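Review bot: The new third parameter of `executeFunctionInContext` is undocumented in the header, and its role is not obvious from the type alone. A one-line comment above the declaration would help: `// context must be non-null; a Document context runs the function through JSMainThreadExecState so DOM origin checks see the caller's ExecState, a worker context calls JSC directly.`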
......@@ -29,6 +29,7 @@
#include "HTMLPlugInElement.h"
#include "InspectorTimelineAgent.h"
#include "JSDocument.h"
#include "JSMainThreadExecState.h"
#include "NP_jsobject.h"
#include "Page.h"
#include "PageGroup.h"
......@@ -142,7 +143,7 @@ ScriptValue ScriptController::evaluateInWorld(const ScriptSourceCode& sourceCode
#endif
exec->globalData().timeoutChecker.start();
Completion comp = JSC::evaluate(exec, exec->dynamicGlobalObject()->globalScopeChain(), jsSourceCode, shell);
Completion comp = JSMainThreadExecState::evaluate(exec, exec->dynamicGlobalObject()->globalScopeChain(), jsSourceCode, shell);
exec->globalData().timeoutChecker.stop();
#if ENABLE(INSPECTOR)
......@@ -285,6 +286,16 @@ bool ScriptController::anyPageIsProcessingUserGesture() const
return false;
}
bool ScriptController::canAccessFromCurrentOrigin(Frame *frame)
{
ExecState* exec = JSMainThreadExecState::currentState();
if (exec)
return allowsAccessFromFrame(exec, frame);
// If the current state is 0 we're in a call path where the DOM security
// check doesn't apply (eg. parser).
return true;
}
void ScriptController::attachDebugger(JSC::Debugger* debugger)
{
for (ShellMap::iterator iter = m_windowShells.begin(); iter != m_windowShells.end(); ++iter)
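Review bot: `canAccessFromCurrentOrigin` fails open — when no ExecState is on the main-thread stack it returns true — so the frame.src check it now backs is only as strong as the coverage of JSMainThreadExecState wrappers across every main-thread entry into script, and the ChangeLog already names one binding (GObject) that is not covered. The comment should say this rather than only giving the parser as an example, e.g. `// No ExecState means no script is running on the main thread (parser, native callers), so the check is skipped. Every main-thread JS entry point must use JSMainThreadExecState for this to be sound.` Style: the signature should read `Frame* frame` per WebKit style.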
......@@ -118,6 +118,7 @@ public:
bool processingUserGesture(DOMWrapperWorld*) const;
bool anyPageIsProcessingUserGesture() const;
static bool canAccessFromCurrentOrigin(Frame*);
bool canExecuteScripts(ReasonForCallingCanExecuteScripts);
// Debugger can be 0 to detach any existing Debugger.
......@@ -32,6 +32,7 @@
#include "ScriptFunctionCall.h"
#include "JSDOMBinding.h"
#include "JSMainThreadExecState.h"
#include "ScriptString.h"
#include "ScriptValue.h"
......@@ -146,7 +147,7 @@ ScriptValue ScriptFunctionCall::call(bool& hadException, bool reportExceptions)
if (callType == CallTypeNone)
return ScriptValue();
JSValue result = JSC::call(m_exec, function, callType, callData, thisObject, m_arguments);
JSValue result = JSMainThreadExecState::call(m_exec, function, callType, callData, thisObject, m_arguments);
if (m_exec->hadException()) {
if (reportExceptions)
reportException(m_exec, m_exec->exception());
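Review bot: `ScriptFunctionCall::call` switches to `JSMainThreadExecState::call` unconditionally, unlike JSCallbackData, JSEventListener and ScheduledAction in this same change, which branch on `isDocument()`. JSMainThreadExecState's constructor asserts `WTF::isMainThread()` and writes a static, so if `m_exec` can ever belong to a worker context this asserts in debug and races in release; I can't see from the hunk whether ScriptFunctionCall is used off the main thread. Either guard it the same way the other call sites do or state the main-thread-only contract in a comment above the call. call starts before the hunk.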
......@@ -32,6 +32,7 @@
#import "DOMEventListener.h"
#import "Event.h"
#import "EventListener.h"
#import "JSMainThreadExecState.h"
#import <wtf/HashMap.h>
namespace WebCore {
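Review bot: The hunk adds `#import "JSMainThreadExecState.h"` but nothing in the visible change uses it, and the ChangeLog lists ObjCEventListener.mm with no function entries. If no later part of the file references JSMainThreadExecState, drop the import; if a wrapper around the listener's call into script was intended here, it is missing from this commit.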
......@@ -34,6 +34,7 @@
#import "JSDOMWindow.h"
#import "JSDOMWindowCustom.h"
#import "JSHTMLElement.h"
#import "JSMainThreadExecState.h"
#import "JSPluginElementFunctions.h"
#import "ObjCRuntimeObject.h"
#import "PlatformString.h"
......@@ -304,7 +305,7 @@ static void getListFromNSArray(ExecState *exec, NSArray *array, RootObject* root
return nil;
[self _rootObject]->globalObject()->globalData()->timeoutChecker.start();