bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
{
ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::LOCATION);
// Only allow same origin access
Location* imp = V8Location::toNative(host);
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false);
}
v8::Handle<v8::Value> V8Location::toStringCallback(const v8::Arguments& args)
{
v8::Handle<v8::Object> holder = args.Holder();
Location* imp = V8Location::toNative(holder);
if (!BindingSecurity::shouldAllowAccessToFrame(BindingState::instance(), imp->frame()))
return v8::Undefined();
String result = imp->href();
return v8String(result, args.GetIsolate());
}
v8::Handle<v8::Value> V8Location::toStringCallback(const v8::Arguments& args)
{
INC_STATS("DOM.Location.toString");
v8::Handle<v8::Object> holder = args.Holder();
Location* imp = V8Location::toNative(holder);
if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), true))
return v8::Undefined();
String result = imp->href();
return v8String(result);
}
v8::Handle<v8::Value> V8Location::reloadCallback(const v8::Arguments& args)
{
// FIXME: we ignore the "forceget" parameter.
INC_STATS("DOM.Location.reload");
v8::Handle<v8::Object> holder = args.Holder();
Location* imp = V8Location::toNative(holder);
Frame* frame = imp->frame();
if (!frame || !ScriptController::isSafeScript(frame))
return v8::Undefined();
if (!protocolIsJavaScript(frame->loader()->url()))
frame->redirectScheduler()->scheduleRefresh(processingUserGesture());
return v8::Undefined();
}
void V8Location::searchAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
INC_STATS("DOM.Location.search._set");
v8::Handle<v8::Object> holder = info.Holder();
Location* imp = V8Location::toNative(holder);
String query = toWebCoreString(value);
Frame* frame = imp->frame();
if (!frame)
return;
KURL url = frame->loader()->url();
url.setQuery(query);
navigateIfAllowed(frame, url, false, false);
}
v8::Handle<v8::Value> V8Location::replaceAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
INC_STATS("DOM.Location.replace._get");
static v8::Persistent<v8::FunctionTemplate> privateTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8Location::replaceCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
v8::Handle<v8::Object> holder = V8DOMWrapper::lookupDOMWrapper(V8Location::GetTemplate(), info.This());
if (holder.IsEmpty()) {
// can only reach here by 'object.__proto__.func', and it should passed
// domain security check already
return privateTemplate->GetFunction();
}
Location* imp = V8Location::toNative(holder);
if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false)) {
static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8Location::replaceCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
return sharedTemplate->GetFunction();
}
return privateTemplate->GetFunction();
}
v8::Handle<v8::Value> V8Location::replaceAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
v8::Isolate* isolate = info.GetIsolate();
static v8::Persistent<v8::FunctionTemplate> privateTemplate = v8::Persistent<v8::FunctionTemplate>::New(isolate, v8::FunctionTemplate::New(V8Location::replaceCallback, v8Undefined(), v8::Signature::New(V8Location::GetRawTemplate(isolate))));
v8::Handle<v8::Object> holder = info.This()->FindInstanceInPrototypeChain(V8Location::GetTemplate(isolate));
if (holder.IsEmpty()) {
// can only reach here by 'object.__proto__.func', and it should passed
// domain security check already
return privateTemplate->GetFunction();
}
Location* imp = V8Location::toNative(holder);
if (!BindingSecurity::shouldAllowAccessToFrame(BindingState::instance(), imp->frame(), DoNotReportSecurityError)) {
static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(isolate, v8::FunctionTemplate::New(V8Location::replaceCallback, v8Undefined(), v8::Signature::New(V8Location::GetRawTemplate(isolate))));
return sharedTemplate->GetFunction();
}
return privateTemplate->GetFunction();
}
void V8Location::hostAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
INC_STATS("DOM.Location.host._set");
v8::Handle<v8::Object> holder = info.Holder();
Location* imp = V8Location::toNative(holder);
String host = toWebCoreString(value);
Frame* frame = imp->frame();
if (!frame)
return;
KURL url = frame->loader()->url();
String newHost = host.left(host.find(":"));
String newPort = host.substring(host.find(":") + 1);
url.setHost(newHost);
url.setPort(newPort.toUInt());
navigateIfAllowed(frame, url, false, false);
}
void V8Location::hrefAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
INC_STATS("DOM.Location.href._set");
v8::Handle<v8::Object> holder = info.Holder();
Location* imp = V8Location::toNative(holder);
Frame* frame = imp->frame();
if (!frame)
return;
KURL url = completeURL(toWebCoreString(value));
if (url.isNull())
return;
if (!shouldAllowNavigation(frame))
return;
navigateIfAllowed(frame, url, false, false);
}
v8::Handle<v8::Value> V8Location::assignCallback(const v8::Arguments& args)
{
INC_STATS("DOM.Location.assign");
v8::Handle<v8::Object> holder = args.Holder();
Location* imp = V8Location::toNative(holder);
Frame* frame = imp->frame();
if (!frame)
return v8::Undefined();
KURL url = completeURL(toWebCoreString(args[0]));
if (url.isNull())
return v8::Undefined();
if (!shouldAllowNavigation(frame))
return v8::Undefined();
navigateIfAllowed(frame, url, false, false);
return v8::Undefined();
}
// Returns the owner frame pointer of a DOM wrapper object. It only works for
// these DOM objects requiring cross-domain access check.
static Frame* getTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data)
{
Frame* target = 0;
WrapperTypeInfo* type = WrapperTypeInfo::unwrap(data);
if (V8DOMWindow::info.equals(type)) {
v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow::GetTemplate(), host);
if (window.IsEmpty())
return target;
DOMWindow* targetWindow = V8DOMWindow::toNative(window);
target = targetWindow->frame();
} else if (V8History::info.equals(type)) {
History* history = V8History::toNative(host);
target = history->frame();
} else if (V8Location::info.equals(type)) {
Location* location = V8Location::toNative(host);
target = location->frame();
}
return target;
}
void V8Location::hashAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
INC_STATS("DOM.Location.hash._set");
v8::Handle<v8::Object> holder = info.Holder();
Location* imp = V8Location::toNative(holder);
String hash = toWebCoreString(value);
Frame* frame = imp->frame();
if (!frame)
return;
KURL url = frame->loader()->url();
String oldRef = url.fragmentIdentifier();
if (hash.startsWith("#"))
hash = hash.substring(1);
if (oldRef == hash || (oldRef.isNull() && hash.isEmpty()))
return;
url.setFragmentIdentifier(hash);
navigateIfAllowed(frame, url, false, false);
}
void setJSLocationHash(ExecState* exec, JSObject* thisObject, JSValue value)
{
#ifdef JSC_TAINTED
unsigned int tainted = 0;
if (value.isString() && value.isTainted()) {
tainted = value.isTainted();
}
if (value.inherits(&StringObject::s_info) && asStringObject(value)->isTainted()) {
tainted = asStringObject(value)->isTainted();
}
if (value.isObject()) {
UString s = value.toString(exec);
if (s.isTainted()) {
tainted = s.isTainted();
}
}
if (tainted) {
JSLocation* castedThis = static_cast<JSLocation*>(thisObject);
Location* imp = static_cast<Location*>(castedThis->impl());
imp->frame()->document()->setTainted(tainted);
TaintedStructure trace_struct;
trace_struct.taintedno = tainted;
trace_struct.internalfunc = "setJSLocationHash";
trace_struct.jsfunc = "location.hash";
trace_struct.action = "sink";
char msg[20];
stringstream msgss;
snprintf(msg, 20, "%s", value.toString(exec).utf8(true).data());
msgss << msg;
msgss >> trace_struct.value;
TaintedTrace* trace = TaintedTrace::getInstance();
trace->addTaintedTrace(trace_struct);
}
#endif
static_cast<JSLocation*>(thisObject)->setHash(exec, value);
}
bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value>)
{
// Only allow same origin access
Location* imp = V8Location::toNative(host);
return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false);
}
bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value>)
{
// Only allow same origin access
Location* imp = V8Location::toNative(host);
return BindingSecurity::shouldAllowAccessToFrame(BindingState::instance(), imp->frame(), DoNotReportSecurityError);
}
