Diff
Modified: trunk/LayoutTests/ChangeLog (89781 => 89782)
--- trunk/LayoutTests/ChangeLog 2011-06-27 04:45:43 UTC (rev 89781)
+++ trunk/LayoutTests/ChangeLog 2011-06-27 04:49:46 UTC (rev 89782)
@@ -1,5 +1,16 @@
2011-06-26 Adam Barth <[email protected]>
+ Reviewed by Eric Seidel.
+
+ window.location should use the holder's prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=63411
+
+ * http/tests/security/location-prototype-expected.txt: Added.
+ * http/tests/security/location-prototype.html: Added.
+ * http/tests/security/resources/location-prototype-overwrite.html: Added.
+
+2011-06-26 Adam Barth <[email protected]>
+
Reviewed by Kent Tamura.
m_formElementsWithFormAttribute doesn't ref the objects it holds
Added: trunk/LayoutTests/http/tests/security/location-prototype-expected.txt (0 => 89782)
--- trunk/LayoutTests/http/tests/security/location-prototype-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-prototype-expected.txt 2011-06-27 04:49:46 UTC (rev 89782)
@@ -0,0 +1,2 @@
+ALERT: Yay! Calling a function that shouldn't exist threw an exception.
+This test passes if it doesn't alert the string "fail".
Added: trunk/LayoutTests/http/tests/security/location-prototype.html (0 => 89782)
--- trunk/LayoutTests/http/tests/security/location-prototype.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-prototype.html 2011-06-27 04:49:46 UTC (rev 89782)
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function loaded() {
+ try {
+ window.location.fail();
+ } catch(ex) {
+ alert("Yay! Calling a function that shouldn't exist threw an exception.");
+ }
+}
+
+</script>
+</head>
+<body _onload_="loaded()">
+This test passes if it doesn't alert the string "fail".
+<iframe src=""
+</body>
+</html>
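Review bot: the `<iframe src=""` line is truncated (empty `src`, no closing `>`), so as rendered the test never loads the frame that the ChangeLog lists (resources/location-prototype-overwrite.html) and `loaded()` passes vacuously because `window.location.fail` is simply undefined. The frame needs a real `src` pointing at that resource, presumably on a different host of the http test server given the http/tests/security location, for the check to exercise the cross-context case at all. `_onload_` also looks like a rendering artifact of `onload`. Worth adding a second check such as `"fail" in window.location` so a polluted prototype is reported even if the property is present but not callable.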
Added: trunk/LayoutTests/http/tests/security/resources/location-prototype-overwrite.html (0 => 89782)
--- trunk/LayoutTests/http/tests/security/resources/location-prototype-overwrite.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/location-prototype-overwrite.html 2011-06-27 04:49:46 UTC (rev 89782)
@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<script>
+// Make sure touch top window location first, get the hook to inject function.
+window.top.location;
+
+Object.prototype.fail = function() {
+ alert('FAIL!');
+};
+</script>
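Review bot: the comment above `window.top.location;` is ungrammatical and does not say what the "hook" is; suggest: "Touch top's Location first so its wrapper is created while this frame's context is current; then add Object.prototype.fail, which the wrapper will see only if its prototype chain was taken from this context instead of the top frame's." Also the string alerted here is `'FAIL!'` while the parent test says it passes if it "doesn't alert the string "fail""; the expectation file only checks for the absence of the alert, so it still works, but the two strings should match to avoid confusion.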
Modified: trunk/LayoutTests/platform/chromium/fast/dom/prototype-inheritance-expected.txt (89781 => 89782)
--- trunk/LayoutTests/platform/chromium/fast/dom/prototype-inheritance-expected.txt 2011-06-27 04:45:43 UTC (rev 89781)
+++ trunk/LayoutTests/platform/chromium/fast/dom/prototype-inheritance-expected.txt 2011-06-27 04:49:46 UTC (rev 89782)
@@ -717,16 +717,16 @@
PASS inner.getMatchedCSSRules.constructor.isInner is true
PASS inner.getSelection.isInner is true
PASS inner.getSelection.constructor.isInner is true
-FAIL inner.history.isInner should be true. Was false.
-FAIL inner.history.constructor.isInner should be true. Was false.
+PASS inner.history.isInner is true
+PASS inner.history.constructor.isInner is true
PASS inner.isFinite.isInner is true
PASS inner.isFinite.constructor.isInner is true
PASS inner.isNaN.isInner is true
PASS inner.isNaN.constructor.isInner is true
FAIL inner.localStorage.isInner should be true. Was false.
FAIL inner.localStorage.constructor.isInner should be true. Was false.
-FAIL inner.location.isInner should be true. Was false.
-FAIL inner.location.constructor.isInner should be true. Was false.
+PASS inner.location.isInner is true
+PASS inner.location.constructor.isInner is true
FAIL inner.locationbar.isInner should be true. Was false.
FAIL inner.locationbar.constructor.isInner should be true. Was false.
PASS inner.matchMedia.isInner is true
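Review bot: `inner.localStorage` and `inner.locationbar` still FAIL after this change, which is consistent with the patch only covering interfaces marked CheckDomainSecurity (history and location flip to PASS here); the FIXME in CodeGeneratorV8.pm should point at this expectations file so the remaining failures stay tracked rather than being re-discovered when the "complete cleanup" mentioned in the ChangeLog is attempted.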
Modified: trunk/Source/WebCore/ChangeLog (89781 => 89782)
--- trunk/Source/WebCore/ChangeLog 2011-06-27 04:45:43 UTC (rev 89781)
+++ trunk/Source/WebCore/ChangeLog 2011-06-27 04:49:46 UTC (rev 89782)
@@ -2,6 +2,21 @@
Reviewed by Eric Seidel.
+ window.location should use the holder's prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=63411
+
+ This patch corrects the prototype chain for Location, but we really
+ should do a complete cleanup of the prototype chain generation, like we
+ did for _javascript_Core.
+
+ Test: http/tests/security/location-prototype.html
+
+ * bindings/scripts/CodeGeneratorV8.pm:
+
+2011-06-26 Adam Barth <[email protected]>
+
+ Reviewed by Eric Seidel.
+
Add [Optional] attributes where appropriate for addEventListener and removeEventListener
https://bugs.webkit.org/show_bug.cgi?id=63417
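Review bot: the per-file entry `* bindings/scripts/CodeGeneratorV8.pm:` carries no description; WebKit ChangeLog convention is to annotate it, for example with the new `IsVisibleAcrossOrigins` helper and the toV8 change that enters the holder frame's context for CheckDomainSecurity interfaces. `_javascript_Core` reads as a rendering artifact of JavaScriptCore.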
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm (89781 => 89782)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm 2011-06-27 04:45:43 UTC (rev 89781)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm 2011-06-27 04:49:46 UTC (rev 89782)
@@ -634,6 +634,12 @@
return IsSubType($dataNode, "Node");
}
+sub IsVisibleAcrossOrigins
+{
+ my $dataNode = shift;
+ return $dataNode->extendedAttributes->{"CheckDomainSecurity"} && !($dataNode->name eq "DOMWindow");
+}
+
sub GenerateDomainSafeFunctionGetter
{
my $function = shift;
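Review bot: the name `IsVisibleAcrossOrigins` is misleading because DOMWindow, the most obviously cross-origin-visible interface, is precisely the one it excludes; add a comment stating why DOMWindow is carved out (presumably because the window wrapper is not created through this generated toV8 path) or rename the helper to describe what it selects, e.g. `NeedsHolderContextForWrapper`. Style nit: `!($dataNode->name eq "DOMWindow")` reads more naturally as `$dataNode->name ne "DOMWindow"`.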
@@ -2525,9 +2531,22 @@
END
}
- if (IsNodeSubType($dataNode)) {
+ # FIXME: We need a better way of recovering the correct prototype chain
+ # for every sort of object. For now, we special-case cross-origin visible
+ # objects (i.e., those with CheckDomainSecurity).
+ if (IsVisibleAcrossOrigins($dataNode)) {
push(@implContent, <<END);
+ if (impl->frame()) {
+ proxy = V8Proxy::retrieve(impl->frame());
+ if (proxy)
+ proxy->windowShell()->initContextIfNeeded();
+ }
+END
+ }
+ if (IsNodeSubType($dataNode) || IsVisibleAcrossOrigins($dataNode)) {
+ push(@implContent, <<END);
+
v8::Handle<v8::Context> context;
if (proxy)
context = proxy->context();
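Review bot: the generated `impl->frame()` call assumes every non-DOMWindow CheckDomainSecurity interface exposes a `frame()` accessor; that holds for Location and History, but any interface that later gains the attribute without one will fail to compile in generated code with no hint pointing back here, so either check for the accessor in the generator or document the requirement next to `IsVisibleAcrossOrigins`. Also, this branch unconditionally overwrites whatever `proxy` held before with `V8Proxy::retrieve(impl->frame())`, which yields a null proxy when `frame()` is 0 (a detached Location); the code then continues to `instantiateV8Object(proxy, &info, impl)` with that null proxy and an empty `context`, which is the pre-patch behaviour but deserves a one-line comment so the fallback is clearly intentional.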
@@ -2541,7 +2560,7 @@
push(@implContent, <<END);
wrapper = V8DOMWrapper::instantiateV8Object(proxy, &info, impl);
END
- if (IsNodeSubType($dataNode)) {
+ if (IsNodeSubType($dataNode) || IsVisibleAcrossOrigins($dataNode)) {
push(@implContent, <<END);
// Exit the node's context if it was entered.
if (!context.IsEmpty())
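Review bot: the unchanged comment `// Exit the node's context if it was entered.` now also covers Location and History wrappers; update it to say the holder's context (the document's for Node subtypes, the frame's for cross-origin-visible objects) so the next reader does not assume the exit is Node-only.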