Commit fc55cce7 authored by japhet@chromium.org's avatar japhet@chromium.org

2010-01-05 Nate Chapin <japhet@chromium.org>

        Reviewed by Dimitri Glazkov.

        Generate header declarations for V8 binding security checks
        and delete V8CustomBinding.cpp

        * Android.v8bindings.mk: Removed V8CustomBinding.cpp.
        * WebCore.gypi: Removed V8CustomBinding.cpp.
        * bindings/scripts/CodeGeneratorV8.pm: Generate security check declarations.
        * bindings/v8/V8DOMWindowShell.cpp:
        (WebCore::getTargetFrame): Moved from V8CustomBinding.cpp.
        (WebCore::reportUnsafeJavaScriptAccess):
        (WebCore::V8DOMWindowShell::createNewContext):
        (WebCore::V8DOMWindowShell::setLocation): Moved from V8CustomBinding.cpp.
        * bindings/v8/V8DOMWindowShell.h:
        * bindings/v8/V8DOMWrapper.cpp:
        (WebCore::downcastSVGPathSeg): Moved from V8CustomBinding.cpp.
        (WebCore::V8DOMWrapper::convertSVGObjectWithContextToV8Object):
        (WebCore::V8DOMWrapper::getTemplate):
        * bindings/v8/custom/V8CustomBinding.cpp: Removed.
        * bindings/v8/custom/V8CustomBinding.h:
        * bindings/v8/custom/V8DOMWindowCustom.cpp:
        (WebCore::V8DOMWindow::locationAccessorSetter):
        (WebCore::V8DOMWindow::namedSecurityCheck):
        (WebCore::V8DOMWindow::indexedSecurityCheck):
        * bindings/v8/custom/V8DocumentLocationCustom.cpp:
        (WebCore::V8Document::locationAccessorSetter):
        * bindings/v8/custom/V8HistoryCustom.cpp:
        (WebCore::V8History::indexedSecurityCheck):
        (WebCore::V8History::namedSecurityCheck):
        * bindings/v8/custom/V8LocationCustom.cpp:
        (WebCore::V8Location::indexedSecurityCheck):
        (WebCore::V8Location::namedSecurityCheck):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@52867 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent f7fb346c
......@@ -92,7 +92,6 @@ LOCAL_SRC_FILES += \
bindings/v8/custom/V8ClientRectListCustom.cpp \
bindings/v8/custom/V8ClipboardCustom.cpp \
bindings/v8/custom/V8CoordinatesCustom.cpp \
bindings/v8/custom/V8CustomBinding.cpp \
bindings/v8/custom/V8CustomEventListener.cpp \
bindings/v8/custom/V8CustomPositionCallback.cpp \
bindings/v8/custom/V8CustomPositionErrorCallback.cpp \
......
2010-01-05 Nate Chapin <japhet@chromium.org>
Reviewed by Dimitri Glazkov.
Generate header declarations for V8 binding security checks
and delete V8CustomBinding.cpp
* Android.v8bindings.mk: Removed V8CustomBinding.cpp.
* WebCore.gypi: Removed V8CustomBinding.cpp.
* bindings/scripts/CodeGeneratorV8.pm: Generate security check declarations.
* bindings/v8/V8DOMWindowShell.cpp:
(WebCore::getTargetFrame): Moved from V8CustomBinding.cpp.
(WebCore::reportUnsafeJavaScriptAccess):
(WebCore::V8DOMWindowShell::createNewContext):
(WebCore::V8DOMWindowShell::setLocation): Moved from V8CustomBinding.cpp.
* bindings/v8/V8DOMWindowShell.h:
* bindings/v8/V8DOMWrapper.cpp:
(WebCore::downcastSVGPathSeg): Moved from V8CustomBinding.cpp.
(WebCore::V8DOMWrapper::convertSVGObjectWithContextToV8Object):
(WebCore::V8DOMWrapper::getTemplate):
* bindings/v8/custom/V8CustomBinding.cpp: Removed.
* bindings/v8/custom/V8CustomBinding.h:
* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::V8DOMWindow::locationAccessorSetter):
(WebCore::V8DOMWindow::namedSecurityCheck):
(WebCore::V8DOMWindow::indexedSecurityCheck):
* bindings/v8/custom/V8DocumentLocationCustom.cpp:
(WebCore::V8Document::locationAccessorSetter):
* bindings/v8/custom/V8HistoryCustom.cpp:
(WebCore::V8History::indexedSecurityCheck):
(WebCore::V8History::namedSecurityCheck):
* bindings/v8/custom/V8LocationCustom.cpp:
(WebCore::V8Location::indexedSecurityCheck):
(WebCore::V8Location::namedSecurityCheck):
2010-01-06 Nikolas Zimmermann <nzimmermann@rim.com>
 
Reviewed by Dirk Schulze.
......@@ -659,7 +659,6 @@
'bindings/v8/custom/V8CoordinatesCustom.cpp',
'bindings/v8/custom/V8CSSStyleDeclarationCustom.cpp',
'bindings/v8/custom/V8ConsoleCustom.cpp',
'bindings/v8/custom/V8CustomBinding.cpp',
'bindings/v8/custom/V8CustomBinding.h',
'bindings/v8/custom/V8CustomEventListener.cpp',
'bindings/v8/custom/V8CustomEventListener.h',
......
......@@ -317,6 +317,13 @@ END
GenerateHeaderRuntimeEnablerDeclarations(@enabledAtRuntime);
GenerateHeaderCustomCall($dataNode);
if ($dataNode->extendedAttributes->{"CheckDomainSecurity"}) {
push(@headerContent, <<END);
static bool namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType, v8::Local<v8::Value> data);
static bool indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t index, v8::AccessType, v8::Local<v8::Value> data);
END
}
push(@headerContent, <<END);
......@@ -1567,7 +1574,7 @@ END
my $access_check = "";
if ($dataNode->extendedAttributes->{"CheckDomainSecurity"} && !($interfaceName eq "DOMWindow")) {
$access_check = "instance->SetAccessCheckCallbacks(V8Custom::v8${interfaceName}NamedSecurityCheck, V8Custom::v8${interfaceName}IndexedSecurityCheck, v8::Integer::New(V8ClassIndex::ToInt(V8ClassIndex::${classIndex})));";
$access_check = "instance->SetAccessCheckCallbacks(V8${interfaceName}::namedSecurityCheck, V8${interfaceName}::indexedSecurityCheck, v8::Integer::New(V8ClassIndex::ToInt(V8ClassIndex::${classIndex})));";
}
# For the DOMWindow interface, generate the shadow object template
......
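Review bot: The two declarations pushed under `CheckDomainSecurity` (lines 99–100) are emitted with no comment saying where their definitions come from, so a reader of the generated header has to grep the custom bindings to find `V8History::namedSecurityCheck` and friends. A one-line comment inside the heredoc above the declarations, `// Defined by hand in V8<Interface>Custom.cpp and installed via SetAccessCheckCallbacks in the template below.`, would make the contract visible at the point of declaration. The same generated declarations are what the rewritten `$access_check` string at line 108 now references, so the comment also documents why the DOMWindow exclusion on line 106 is safe (its callbacks are installed elsewhere). The surrounding generator subroutine begins and ends outside this hunk.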
......@@ -36,6 +36,7 @@
#include "DateExtension.h"
#include "DocumentLoader.h"
#include "DOMObjectsInclude.h"
#include "Frame.h"
#include "FrameLoaderClient.h"
#include "InspectorTimelineAgent.h"
#include "Page.h"
......@@ -83,9 +84,40 @@ static void reportFatalErrorInV8(const char* location, const char* message)
handleFatalErrorInV8();
}
// Returns the owner frame pointer of a DOM wrapper object. It only works for
// these DOM objects requiring cross-domain access check.
static Frame* getTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data)
{
Frame* target = 0;
switch (V8ClassIndex::FromInt(data->Int32Value())) {
case V8ClassIndex::DOMWINDOW: {
v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, host);
if (window.IsEmpty())
return target;
DOMWindow* targetWindow = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, window);
target = targetWindow->frame();
break;
}
case V8ClassIndex::LOCATION: {
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
target = history->frame();
break;
}
case V8ClassIndex::HISTORY: {
Location* location = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, host);
target = location->frame();
break;
}
default:
break;
}
return target;
}
static void reportUnsafeJavaScriptAccess(v8::Local<v8::Object> host, v8::AccessType type, v8::Local<v8::Value> data)
{
Frame* target = V8Custom::GetTargetFrame(host, data);
Frame* target = getTargetFrame(host, data);
if (target)
V8Proxy::reportUnsafeAccessTo(target, V8Proxy::ReportLater);
}
......@@ -301,7 +333,7 @@ v8::Persistent<v8::Context> V8DOMWindowShell::createNewContext(v8::Handle<v8::Ob
return result;
// Install a security handler with V8.
globalTemplate->SetAccessCheckCallbacks(V8Custom::v8DOMWindowNamedSecurityCheck, V8Custom::v8DOMWindowIndexedSecurityCheck, v8::Integer::New(V8ClassIndex::DOMWINDOW));
globalTemplate->SetAccessCheckCallbacks(V8DOMWindow::namedSecurityCheck, V8DOMWindow::indexedSecurityCheck, v8::Integer::New(V8ClassIndex::DOMWINDOW));
globalTemplate->SetInternalFieldCount(V8Custom::kDOMWindowInternalFieldCount);
// Used to avoid sleep calls in unload handlers.
......@@ -514,6 +546,20 @@ v8::Local<v8::Object> V8DOMWindowShell::createWrapperFromCacheSlowCase(V8ClassIn
return notHandledByInterceptor();
}
void V8DOMWindowShell::setLocation(DOMWindow* window, const String& relativeURL)
{
Frame* frame = window->frame();
if (!frame)
return;
KURL url = completeURL(relativeURL);
if (url.isNull())
return;
if (!shouldAllowNavigation(frame))
return;
navigateIfAllowed(frame, url, false, false);
}
} // WebCore
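Review bot: In `getTargetFrame` (lines 137–146) the `LOCATION` and `HISTORY` cases have their conversions crossed: under `case V8ClassIndex::LOCATION:` the host is converted with `convertToNativeObject<History>(V8ClassIndex::HISTORY, host)`, and under `case V8ClassIndex::HISTORY:` with `convertToNativeObject<Location>(V8ClassIndex::LOCATION, host)`. If `data` carries the class index of `host` — which is exactly what the ASSERTs in the `namedSecurityCheck`/`indexedSecurityCheck` bodies elsewhere in this commit require — each branch would read `->frame()` through a pointer of the wrong type before `reportUnsafeJavaScriptAccess` reports it. The function is moved verbatim from the deleted V8CustomBinding.cpp, so the defect predates this commit, but moving it is the right moment to correct it. Swap the two bodies so that the `LOCATION` case holds `Location* location = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, host); target = location->frame();` and the `HISTORY` case holds the corresponding `History` pair.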
......@@ -86,6 +86,8 @@ public:
return clone.IsEmpty() ? createWrapperFromCacheSlowCase(type) : clone;
}
static void setLocation(DOMWindow*, const String& relativeURL);
private:
V8DOMWindowShell(Frame*);
......
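Review bot: The new public `setLocation` declaration at line 185 carries no comment, although the behaviour that matters to callers — that it returns silently when the window has no frame, when the completed URL is null, or when `shouldAllowNavigation(frame)` fails — is only visible in the .cpp. Since callers such as V8Document::locationAccessorSetter are relying on it for their navigation check, document that at the declaration: `// Navigates window's frame to relativeURL, resolved against the calling context; no-op unless shouldAllowNavigation(frame) permits it.` The enclosing class body continues outside this hunk.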
......@@ -57,6 +57,10 @@
#include "WebGLUniformLocation.h"
#include "WorkerContextExecutionProxy.h"
#if ENABLE(SVG)
#include "SVGPathSeg.h"
#endif
#include <algorithm>
#include <utility>
#include <v8.h>
......@@ -97,6 +101,35 @@ static v8::Handle<v8::Value> ConstructorToString(const v8::Arguments& args)
}
#if ENABLE(SVG)
static V8ClassIndex::V8WrapperType downcastSVGPathSeg(void* pathSeg)
{
SVGPathSeg* realPathSeg = reinterpret_cast<SVGPathSeg*>(pathSeg);
switch (realPathSeg->pathSegType()) {
case SVGPathSeg::PATHSEG_CLOSEPATH: return V8ClassIndex::SVGPATHSEGCLOSEPATH;
case SVGPathSeg::PATHSEG_MOVETO_ABS: return V8ClassIndex::SVGPATHSEGMOVETOABS;
case SVGPathSeg::PATHSEG_MOVETO_REL: return V8ClassIndex::SVGPATHSEGMOVETOREL;
case SVGPathSeg::PATHSEG_LINETO_ABS: return V8ClassIndex::SVGPATHSEGLINETOABS;
case SVGPathSeg::PATHSEG_LINETO_REL: return V8ClassIndex::SVGPATHSEGLINETOREL;
case SVGPathSeg::PATHSEG_CURVETO_CUBIC_ABS: return V8ClassIndex::SVGPATHSEGCURVETOCUBICABS;
case SVGPathSeg::PATHSEG_CURVETO_CUBIC_REL: return V8ClassIndex::SVGPATHSEGCURVETOCUBICREL;
case SVGPathSeg::PATHSEG_CURVETO_QUADRATIC_ABS: return V8ClassIndex::SVGPATHSEGCURVETOQUADRATICABS;
case SVGPathSeg::PATHSEG_CURVETO_QUADRATIC_REL: return V8ClassIndex::SVGPATHSEGCURVETOQUADRATICREL;
case SVGPathSeg::PATHSEG_ARC_ABS: return V8ClassIndex::SVGPATHSEGARCABS;
case SVGPathSeg::PATHSEG_ARC_REL: return V8ClassIndex::SVGPATHSEGARCREL;
case SVGPathSeg::PATHSEG_LINETO_HORIZONTAL_ABS: return V8ClassIndex::SVGPATHSEGLINETOHORIZONTALABS;
case SVGPathSeg::PATHSEG_LINETO_HORIZONTAL_REL: return V8ClassIndex::SVGPATHSEGLINETOHORIZONTALREL;
case SVGPathSeg::PATHSEG_LINETO_VERTICAL_ABS: return V8ClassIndex::SVGPATHSEGLINETOVERTICALABS;
case SVGPathSeg::PATHSEG_LINETO_VERTICAL_REL: return V8ClassIndex::SVGPATHSEGLINETOVERTICALREL;
case SVGPathSeg::PATHSEG_CURVETO_CUBIC_SMOOTH_ABS: return V8ClassIndex::SVGPATHSEGCURVETOCUBICSMOOTHABS;
case SVGPathSeg::PATHSEG_CURVETO_CUBIC_SMOOTH_REL: return V8ClassIndex::SVGPATHSEGCURVETOCUBICSMOOTHREL;
case SVGPathSeg::PATHSEG_CURVETO_QUADRATIC_SMOOTH_ABS: return V8ClassIndex::SVGPATHSEGCURVETOQUADRATICSMOOTHABS;
case SVGPathSeg::PATHSEG_CURVETO_QUADRATIC_SMOOTH_REL: return V8ClassIndex::SVGPATHSEGCURVETOQUADRATICSMOOTHREL;
default: return V8ClassIndex::INVALID_CLASS_INDEX;
}
}
v8::Handle<v8::Value> V8DOMWrapper::convertSVGElementInstanceToV8Object(SVGElementInstance* instance)
{
if (!instance)
......@@ -128,7 +161,7 @@ v8::Handle<v8::Value> V8DOMWrapper::convertSVGObjectWithContextToV8Object(V8Clas
// Special case: SVGPathSegs need to be downcast to their real type
if (type == V8ClassIndex::SVGPATHSEG)
type = V8Custom::DowncastSVGPathSeg(object);
type = downcastSVGPathSeg(object);
v8::Local<v8::Object> v8Object = instantiateV8Object(type, type, object);
if (!v8Object.IsEmpty()) {
......@@ -152,7 +185,7 @@ v8::Handle<v8::Value> V8DOMWrapper::convertSVGObjectWithContextToV8Object(V8Clas
return result;
}
#endif
#endif // ENABLE(SVG)
#if ENABLE(3D_CANVAS)
void V8DOMWrapper::setIndexedPropertiesToExternalArray(v8::Handle<v8::Object> wrapper,
......@@ -309,7 +342,7 @@ v8::Persistent<v8::FunctionTemplate> V8DOMWrapper::getTemplate(V8ClassIndex::V8W
// Set access check callbacks, but turned off initially.
// When a context is detached from a frame, turn on the access check.
// Turning on checks also invalidates inline caches of the object.
instanceTemplate->SetAccessCheckCallbacks(V8Custom::v8DOMWindowNamedSecurityCheck, V8Custom::v8DOMWindowIndexedSecurityCheck, v8::Integer::New(V8ClassIndex::DOMWINDOW), false);
instanceTemplate->SetAccessCheckCallbacks(V8DOMWindow::namedSecurityCheck, V8DOMWindow::indexedSecurityCheck, v8::Integer::New(V8ClassIndex::DOMWINDOW), false);
break;
}
case V8ClassIndex::LOCATION: {
......
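Review bot: `downcastSVGPathSeg` (line 203) uses `reinterpret_cast<SVGPathSeg*>(pathSeg)` on a `void*`; the conversion from `void*` to an object pointer is the one `static_cast` is defined for, and using `reinterpret_cast` here makes the cast look more exotic than it is and hides that its safety rests entirely on the caller's `type == V8ClassIndex::SVGPATHSEG` tag (line 232). Change it to `SVGPathSeg* realPathSeg = static_cast<SVGPathSeg*>(pathSeg);`. A short comment above the function, `// pathSeg must be the object tagged SVGPATHSEG by the caller; any other object yields INVALID_CLASS_INDEX only if its pathSegType() happens to be unknown.`, would make the precondition explicit, since the `default` branch cannot detect a mistyped pointer.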
/*
* Copyright (C) 2007-2009 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "V8CustomBinding.h"
#include "CSSHelper.h"
#include "Element.h"
#include "Document.h"
#include "DOMWindow.h"
#include "History.h"
#include "HTMLNames.h"
#include "HTMLFrameElementBase.h"
#include "Location.h"
#include "V8Binding.h"
#include "V8BindingState.h"
#include "V8Proxy.h"
#if ENABLE(SVG)
#include "SVGPathSeg.h"
#endif
namespace WebCore {
// --------------- Security Checks -------------------------
INDEXED_ACCESS_CHECK(History)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
// Only allow same origin access.
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}
NAMED_ACCESS_CHECK(History)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
// Only allow same origin access.
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}
#undef INDEXED_ACCESS_CHECK
#undef NAMED_ACCESS_CHECK
#undef NAMED_PROPERTY_GETTER
#undef NAMED_PROPERTY_SETTER
Frame* V8Custom::GetTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data)
{
Frame* target = 0;
switch (V8ClassIndex::FromInt(data->Int32Value())) {
case V8ClassIndex::DOMWINDOW: {
v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, host);
if (window.IsEmpty())
return target;
DOMWindow* targetWindow = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, window);
target = targetWindow->frame();
break;
}
case V8ClassIndex::LOCATION: {
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
target = history->frame();
break;
}
case V8ClassIndex::HISTORY: {
Location* location = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, host);
target = location->frame();
break;
}
default:
break;
}
return target;
}
#if ENABLE(SVG)
V8ClassIndex::V8WrapperType V8Custom::DowncastSVGPathSeg(void* pathSeg)
{
WebCore::SVGPathSeg* realPathSeg = reinterpret_cast<WebCore::SVGPathSeg*>(pathSeg);
switch (realPathSeg->pathSegType()) {
#define MAKE_CASE(svgValue, v8Value) case WebCore::SVGPathSeg::svgValue: return V8ClassIndex::v8Value
MAKE_CASE(PATHSEG_CLOSEPATH, SVGPATHSEGCLOSEPATH);
MAKE_CASE(PATHSEG_MOVETO_ABS, SVGPATHSEGMOVETOABS);
MAKE_CASE(PATHSEG_MOVETO_REL, SVGPATHSEGMOVETOREL);
MAKE_CASE(PATHSEG_LINETO_ABS, SVGPATHSEGLINETOABS);
MAKE_CASE(PATHSEG_LINETO_REL, SVGPATHSEGLINETOREL);
MAKE_CASE(PATHSEG_CURVETO_CUBIC_ABS, SVGPATHSEGCURVETOCUBICABS);
MAKE_CASE(PATHSEG_CURVETO_CUBIC_REL, SVGPATHSEGCURVETOCUBICREL);
MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_ABS, SVGPATHSEGCURVETOQUADRATICABS);
MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_REL, SVGPATHSEGCURVETOQUADRATICREL);
MAKE_CASE(PATHSEG_ARC_ABS, SVGPATHSEGARCABS);
MAKE_CASE(PATHSEG_ARC_REL, SVGPATHSEGARCREL);
MAKE_CASE(PATHSEG_LINETO_HORIZONTAL_ABS, SVGPATHSEGLINETOHORIZONTALABS);
MAKE_CASE(PATHSEG_LINETO_HORIZONTAL_REL, SVGPATHSEGLINETOHORIZONTALREL);
MAKE_CASE(PATHSEG_LINETO_VERTICAL_ABS, SVGPATHSEGLINETOVERTICALABS);
MAKE_CASE(PATHSEG_LINETO_VERTICAL_REL, SVGPATHSEGLINETOVERTICALREL);
MAKE_CASE(PATHSEG_CURVETO_CUBIC_SMOOTH_ABS, SVGPATHSEGCURVETOCUBICSMOOTHABS);
MAKE_CASE(PATHSEG_CURVETO_CUBIC_SMOOTH_REL, SVGPATHSEGCURVETOCUBICSMOOTHREL);
MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_SMOOTH_ABS, SVGPATHSEGCURVETOQUADRATICSMOOTHABS);
MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_SMOOTH_REL, SVGPATHSEGCURVETOQUADRATICSMOOTHREL);
#undef MAKE_CASE
default:
return V8ClassIndex::INVALID_CLASS_INDEX;
}
}
#endif // ENABLE(SVG)
} // namespace WebCore
......@@ -34,8 +34,6 @@
#include "V8Index.h"
#include <v8.h>
struct NPObject;
#define INDEXED_PROPERTY_GETTER(NAME) \
v8::Handle<v8::Value> V8Custom::v8##NAME##IndexedPropertyGetter( \
uint32_t index, const v8::AccessorInfo& info)
......@@ -60,24 +58,7 @@ struct NPObject;
v8::Handle<v8::Boolean> V8Custom::v8##NAME##NamedPropertyDeleter( \
v8::Local<v8::String> name, const v8::AccessorInfo& info)
#define NAMED_ACCESS_CHECK(NAME) \
bool V8Custom::v8##NAME##NamedSecurityCheck(v8::Local<v8::Object> host, \
v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
#define INDEXED_ACCESS_CHECK(NAME) \
bool V8Custom::v8##NAME##IndexedSecurityCheck(v8::Local<v8::Object> host, \
uint32_t index, v8::AccessType type, v8::Local<v8::Value> data)
namespace WebCore {
class DOMWindow;
class Element;
class Frame;
class HTMLCollection;
class HTMLFrameElementBase;
class String;
class V8Proxy;
class V8Custom {
public:
// Constants.
......@@ -211,20 +192,6 @@ namespace WebCore {
#define USE_CALLBACK(NAME) V8Custom::v8##NAME##Callback
#define DECLARE_NAMED_ACCESS_CHECK(NAME) \
static bool v8##NAME##NamedSecurityCheck(v8::Local<v8::Object> host, \
v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
#define DECLARE_INDEXED_ACCESS_CHECK(NAME) \
static bool v8##NAME##IndexedSecurityCheck(v8::Local<v8::Object> host, \
uint32_t index, v8::AccessType type, v8::Local<v8::Value> data)
DECLARE_NAMED_ACCESS_CHECK(Location);
DECLARE_INDEXED_ACCESS_CHECK(History);
DECLARE_NAMED_ACCESS_CHECK(History);
DECLARE_INDEXED_ACCESS_CHECK(Location);
DECLARE_NAMED_PROPERTY_GETTER(HTMLDocument);
DECLARE_NAMED_PROPERTY_DELETER(HTMLDocument);
......@@ -253,8 +220,6 @@ namespace WebCore {
DECLARE_NAMED_PROPERTY_GETTER(DOMWindow);
DECLARE_INDEXED_PROPERTY_GETTER(DOMWindow);
DECLARE_NAMED_ACCESS_CHECK(DOMWindow);
DECLARE_INDEXED_ACCESS_CHECK(DOMWindow);
DECLARE_NAMED_PROPERTY_GETTER(HTMLFrameSetElement);
DECLARE_NAMED_PROPERTY_GETTER(HTMLFormElement);
......@@ -335,9 +300,6 @@ namespace WebCore {
DECLARE_CALLBACK(WebSocketConstructor);
#endif
#undef DECLARE_INDEXED_ACCESS_CHECK
#undef DECLARE_NAMED_ACCESS_CHECK
#undef DECLARE_NAMED_PROPERTY_GETTER
#undef DECLARE_NAMED_PROPERTY_SETTER
#undef DECLARE_NAMED_PROPERTY_DELETER
......@@ -347,19 +309,6 @@ namespace WebCore {
#undef DECLARE_INDEXED_PROPERTY_DELETER
#undef DECLARE_CALLBACK
// Returns the NPObject corresponding to an HTMLElement object.
static NPObject* GetHTMLPlugInElementNPObject(v8::Handle<v8::Object>);
// Returns the owner frame pointer of a DOM wrapper object. It only works for
// these DOM objects requiring cross-domain access check.
static Frame* GetTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data);
// Special case for downcasting SVG path segments.
#if ENABLE(SVG)
static V8ClassIndex::V8WrapperType DowncastSVGPathSeg(void* pathSeg);
#endif
static void WindowSetLocation(DOMWindow*, const String&);
};
} // namespace WebCore
......
......@@ -215,7 +215,7 @@ v8::Handle<v8::Value> V8DOMWindow::cryptoAccessorGetter(v8::Local<v8::String> na
void V8DOMWindow::locationAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, info.Holder());
V8Custom::WindowSetLocation(imp, toWebCoreString(value));
V8DOMWindowShell::setLocation(imp, toWebCoreString(value));
}
......@@ -826,23 +826,6 @@ NAMED_PROPERTY_GETTER(DOMWindow)
}
void V8Custom::WindowSetLocation(DOMWindow* window, const String& relativeURL)
{
Frame* frame = window->frame();
if (!frame)
return;
KURL url = completeURL(relativeURL);
if (url.isNull())
return;
if (!shouldAllowNavigation(frame))
return;
navigateIfAllowed(frame, url, false, false);
}
v8::Handle<v8::Value> V8DOMWindow::setTimeoutCallback(const v8::Arguments& args)
{
INC_STATS("DOM.DOMWindow.setTimeout()");
......@@ -886,7 +869,7 @@ v8::Handle<v8::Value> V8DOMWindow::clearIntervalCallback(const v8::Arguments& ar
return v8::Undefined();
}
NAMED_ACCESS_CHECK(DOMWindow)
bool V8DOMWindow::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::DOMWINDOW);
v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, host);
......@@ -912,7 +895,7 @@ NAMED_ACCESS_CHECK(DOMWindow)
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
}
INDEXED_ACCESS_CHECK(DOMWindow)
bool V8DOMWindow::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t index, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::DOMWINDOW);
v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, host);
......
......@@ -50,8 +50,8 @@ void V8Document::locationAccessorSetter(v8::Local<v8::String> name, v8::Local<v8
return;
DOMWindow* window = document->frame()->domWindow();
// WindowSetLocation does security checks. // XXXMB- verify!
V8Custom::WindowSetLocation(window, toWebCoreString(value));
// setLocation does security checks. // XXXMB- verify!
V8DOMWindowShell::setLocation(window, toWebCoreString(value));
}
} // namespace WebCore
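Review bot: The updated comment on line 496 still carries the `// XXXMB- verify!` marker, but what it asks to verify is now answerable from this same commit: `V8DOMWindowShell::setLocation` (V8DOMWindowShell.cpp in this change) returns early unless `shouldAllowNavigation(frame)` passes before it calls `navigateIfAllowed`. Replace the line with `// V8DOMWindowShell::setLocation performs the shouldAllowNavigation() check before navigating.` so the open question is closed rather than carried forward under a new function name. `V8Document::locationAccessorSetter` starts outside this hunk.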
......@@ -35,6 +35,7 @@
#include "History.h"
#include "SerializedScriptValue.h"
#include "V8Binding.h"
#include "V8BindingState.h"
#include "V8CustomBinding.h"
#include "V8Proxy.h"
......@@ -82,4 +83,20 @@ v8::Handle<v8::Value> V8History::replaceStateCallback(const v8::Arguments& args)
return throwError(ec);
}
bool V8History::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t index, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
// Only allow same origin access.
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}
bool V8History::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
// Only allow same origin access.
History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}
} // namespace WebCore
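Review bot: The new `V8History::indexedSecurityCheck` and `V8History::namedSecurityCheck` (lines 510–523) name the parameters `index`, `key` and `type` but never use them, which WebKit style avoids by leaving unused parameters unnamed; the same applies to the rewritten signatures of `V8Location::indexedSecurityCheck` and `V8Location::namedSecurityCheck` at lines 529 and 537, whose bodies run outside their hunks. The two History bodies are also byte-identical apart from the signature, so the same-origin rule is stated twice and a future tightening of one would have to be mirrored by hand in the other. Pull the shared check into a file-static helper and keep the `ASSERT` on `data` in each callback, as below.
```cpp
// Both access-check callbacks apply the same rule: only same-origin script may touch History.
static bool canAccessHistoryHost(v8::Local<v8::Object> host)
{
    History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
    return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), history->frame(), false);
}

bool V8History::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t, v8::AccessType, v8::Local<v8::Value> data)
{
    ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
    return canAccessHistoryHost(host);
}

bool V8History::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value>, v8::AccessType, v8::Local<v8::Value> data)
{
    ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
    return canAccessHistoryHost(host);
}
```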
......@@ -342,7 +342,7 @@ v8::Handle<v8::Value> V8Location::toStringCallback(const v8::Arguments& args)
return v8String(result);
}
INDEXED_ACCESS_CHECK(Location)
bool V8Location::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t index, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::LOCATION);
// Only allow same origin access
......@@ -350,7 +350,7 @@ INDEXED_ACCESS_CHECK(Location)
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false);
}
NAMED_ACCESS_CHECK(Location)
bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::LOCATION);
// Only allow same origin access
......