// Named-property access check installed on Location wrappers.
// The decision is delegated entirely to V8BindingSecurity::canAccessFrame()
// for the frame that owns this Location; |key| and |type| are not consulted.
bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value> data)
{
    // Sanity check: the callback data must identify a Location wrapper.
    ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::LOCATION);

    // Only allow same origin access.
    Location* location = V8Location::toNative(host);
    // NOTE(review): the meaning of the trailing `false` is not visible here;
    // presumably it suppresses error reporting -- confirm against canAccessFrame().
    return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), location->frame(), false);
}
// Location.toString(): yields the href of the owning frame, or undefined when
// BindingSecurity::shouldAllowAccessToFrame() refuses access to that frame.
v8::Handle<v8::Value> V8Location::toStringCallback(const v8::Arguments& args)
{
    Location* location = V8Location::toNative(args.Holder());

    // The href is disclosed only after the frame access check has passed.
    if (BindingSecurity::shouldAllowAccessToFrame(BindingState::instance(), location->frame())) {
        String href = location->href();
        return v8String(href, args.GetIsolate());
    }

    return v8::Undefined();
}
// Location.toString(): yields the href of the owning frame, or undefined when
// V8BindingSecurity::canAccessFrame() refuses access to that frame.
v8::Handle<v8::Value> V8Location::toStringCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.Location.toString");
    Location* location = V8Location::toNative(args.Holder());

    // The href is disclosed only after the frame access check has passed.
    // NOTE(review): this call passes `true` as the third argument where the
    // other checks in this file pass `false`; presumably it asks for the
    // failure to be reported -- confirm.
    if (V8BindingSecurity::canAccessFrame(V8BindingState::Only(), location->frame(), true)) {
        String href = location->href();
        return v8String(href);
    }

    return v8::Undefined();
}
// Location.reload(): schedules a refresh of the owning frame. Nothing is
// scheduled when the frame is gone, when ScriptController::isSafeScript()
// rejects the frame, or when the frame's current URL is a javascript: URL.
// Always returns undefined.
v8::Handle<v8::Value> V8Location::reloadCallback(const v8::Arguments& args)
{
    // FIXME: we ignore the "forceget" parameter.
    INC_STATS("DOM.Location.reload");

    Location* location = V8Location::toNative(args.Holder());
    Frame* targetFrame = location->frame();

    // Short-circuit order matters: the null test guards both later calls, and
    // the script-safety check runs before the loader is touched.
    const bool mayReload = targetFrame
        && ScriptController::isSafeScript(targetFrame)
        && !protocolIsJavaScript(targetFrame->loader()->url());
    if (mayReload)
        targetFrame->redirectScheduler()->scheduleRefresh(processingUserGesture());

    return v8::Undefined();
}
// Setter for location.search: replaces the query of the frame's current URL
// with the assigned value and hands the result to navigateIfAllowed().
// Does nothing when the Location no longer has a frame.
void V8Location::searchAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.Location.search._set");
    Location* location = V8Location::toNative(info.Holder());

    // The value is converted before the frame is looked up, as in the original
    // ordering; the frame pointer is therefore read after the conversion.
    String newQuery = toWebCoreString(value);

    Frame* targetFrame = location->frame();
    if (targetFrame) {
        KURL destination = targetFrame->loader()->url();
        destination.setQuery(newQuery);
        // Whether the navigation actually happens is decided by navigateIfAllowed().
        navigateIfAllowed(targetFrame, destination, false, false);
    }
}
// Getter for location.replace. Returns a function built around
// V8Location::replaceCallback; which of two function templates backs it
// depends on whether the caller passes the frame access check.
v8::Handle<v8::Value> V8Location::replaceAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.Location.replace._get");
    // Template used when the access check passes and on the prototype path
    // below. Function-local static: created the first time this getter runs.
    static v8::Persistent<v8::FunctionTemplate> privateTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8Location::replaceCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
    // Find the Location wrapper the property was read through.
    v8::Handle<v8::Object> holder = V8DOMWrapper::lookupDOMWrapper(V8Location::GetTemplate(), info.This());
    if (holder.IsEmpty()) {
        // Can only reach here by 'object.__proto__.func', and it should have
        // passed the domain security check already.
        return privateTemplate->GetFunction();
    }
    Location* imp = V8Location::toNative(holder);
    if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), imp->frame(), false)) {
        // Callers that fail the access check are served from a second template
        // wrapping the same callback, not from privateTemplate.
        // NOTE(review): presumably this keeps the function object handed to
        // such callers separate from the one same-origin script sees, so state
        // attached to it cannot be shared across origins -- confirm.
        static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(v8::FunctionTemplate::New(V8Location::replaceCallback, v8::Handle<v8::Value>(), v8::Signature::New(V8Location::GetRawTemplate())));
        return sharedTemplate->GetFunction();
    }
    return privateTemplate->GetFunction();
}
// Getter for location.replace. Returns a function built around
// V8Location::replaceCallback; which of two function templates backs it
// depends on whether the caller passes the frame access check.
v8::Handle<v8::Value> V8Location::replaceAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
    v8::Isolate* isolate = info.GetIsolate();
    // Template used when the access check passes and on the prototype path
    // below. Function-local static: created the first time this getter runs,
    // with the isolate of that first call.
    static v8::Persistent<v8::FunctionTemplate> privateTemplate = v8::Persistent<v8::FunctionTemplate>::New(isolate, v8::FunctionTemplate::New(V8Location::replaceCallback, v8Undefined(), v8::Signature::New(V8Location::GetRawTemplate(isolate))));
    // Find the Location wrapper in the receiver's prototype chain.
    v8::Handle<v8::Object> holder = info.This()->FindInstanceInPrototypeChain(V8Location::GetTemplate(isolate));
    if (holder.IsEmpty()) {
        // Can only reach here by 'object.__proto__.func', and it should have
        // passed the domain security check already.
        return privateTemplate->GetFunction();
    }
    Location* imp = V8Location::toNative(holder);
    // DoNotReportSecurityError is passed, so a refusal here only selects the
    // other template.
    if (!BindingSecurity::shouldAllowAccessToFrame(BindingState::instance(), imp->frame(), DoNotReportSecurityError)) {
        // Callers that fail the access check are served from a second template
        // wrapping the same callback, not from privateTemplate.
        // NOTE(review): presumably this keeps the function object handed to
        // such callers separate from the one same-origin script sees, so state
        // attached to it cannot be shared across origins -- confirm.
        static v8::Persistent<v8::FunctionTemplate> sharedTemplate = v8::Persistent<v8::FunctionTemplate>::New(isolate, v8::FunctionTemplate::New(V8Location::replaceCallback, v8Undefined(), v8::Signature::New(V8Location::GetRawTemplate(isolate))));
        return sharedTemplate->GetFunction();
    }
    return privateTemplate->GetFunction();
}
// Setter for location.host: splits the assigned value at the first ":" into a
// host part and a port part, applies both to the frame's current URL and hands
// the result to navigateIfAllowed(). Does nothing when the frame is gone.
void V8Location::hostAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.Location.host._set");
    Location* location = V8Location::toNative(info.Holder());

    // The value is converted before the frame is looked up, as in the original ordering.
    String hostAndPort = toWebCoreString(value);

    Frame* targetFrame = location->frame();
    if (targetFrame) {
        KURL destination = targetFrame->loader()->url();

        // NOTE(review): when the value contains no ":", both expressions below
        // work from find()'s not-found result. What left()/substring() return
        // in that case is not visible here; verify that a port-less host does
        // not end up with an unintended port, and that toUInt()'s result fits
        // the parameter type of setPort().
        String hostPart = hostAndPort.left(hostAndPort.find(":"));
        String portPart = hostAndPort.substring(hostAndPort.find(":") + 1);

        destination.setHost(hostPart);
        destination.setPort(portPart.toUInt());
        // Whether the navigation actually happens is decided by navigateIfAllowed().
        navigateIfAllowed(targetFrame, destination, false, false);
    }
}
// Setter for location.href: resolves the assigned value with completeURL() and
// navigates the owning frame to it. The navigation is attempted only when the
// frame still exists, the URL is non-null and shouldAllowNavigation() accepts
// the frame; navigateIfAllowed() then makes the final decision.
void V8Location::hrefAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.Location.href._set");
    Location* location = V8Location::toNative(info.Holder());

    Frame* targetFrame = location->frame();
    if (!targetFrame)
        return;

    KURL destination = completeURL(toWebCoreString(value));
    // The URL test comes first so shouldAllowNavigation() is not consulted for
    // a value that could not be resolved.
    if (destination.isNull() || !shouldAllowNavigation(targetFrame))
        return;

    navigateIfAllowed(targetFrame, destination, false, false);
}
// Location.assign(url): resolves the first argument with completeURL() and
// navigates the owning frame to it, subject to the same gates as the href
// setter (frame present, URL non-null, shouldAllowNavigation(), then
// navigateIfAllowed()). Always returns undefined.
v8::Handle<v8::Value> V8Location::assignCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.Location.assign");
    Location* location = V8Location::toNative(args.Holder());
    Frame* targetFrame = location->frame();

    if (targetFrame) {
        KURL destination = completeURL(toWebCoreString(args[0]));
        // The URL test comes first so shouldAllowNavigation() is not consulted
        // for a value that could not be resolved.
        if (!destination.isNull() && shouldAllowNavigation(targetFrame))
            navigateIfAllowed(targetFrame, destination, false, false);
    }

    return v8::Undefined();
}
// Returns the owner frame pointer of a DOM wrapper object. It only works for // these DOM objects requiring cross-domain access check. static Frame* getTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data) { Frame* target = 0; WrapperTypeInfo* type = WrapperTypeInfo::unwrap(data); if (V8DOMWindow::info.equals(type)) { v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow::GetTemplate(), host); if (window.IsEmpty()) return target; DOMWindow* targetWindow = V8DOMWindow::toNative(window); target = targetWindow->frame(); } else if (V8History::info.equals(type)) { History* history = V8History::toNative(host); target = history->frame(); } else if (V8Location::info.equals(type)) { Location* location = V8Location::toNative(host); target = location->frame(); } return target; }
// Setter for location.hash: replaces the fragment of the frame's current URL
// with the assigned value (a single leading "#" is dropped) and hands the
// result to navigateIfAllowed(). Nothing happens when the frame is gone or the
// fragment would not change.
void V8Location::hashAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.Location.hash._set");
    Location* location = V8Location::toNative(info.Holder());

    // The value is converted before the frame is looked up, as in the original ordering.
    String fragment = toWebCoreString(value);

    Frame* targetFrame = location->frame();
    if (!targetFrame)
        return;

    KURL destination = targetFrame->loader()->url();
    String currentFragment = destination.fragmentIdentifier();

    if (fragment.startsWith("#"))
        fragment = fragment.substring(1);

    // A URL without a fragment and an empty new fragment count as "no change".
    const bool unchanged = currentFragment == fragment
        || (currentFragment.isNull() && fragment.isEmpty());
    if (!unchanged) {
        destination.setFragmentIdentifier(fragment);
        // Whether the navigation actually happens is decided by navigateIfAllowed().
        navigateIfAllowed(targetFrame, destination, false, false);
    }
}
// Setter glue for location.hash. In builds with JSC_TAINTED it first records a
// taint "sink" event when the assigned value carries a taint mark; in every
// build it then forwards the value to JSLocation::setHash().
void setJSLocationHash(ExecState* exec, JSObject* thisObject, JSValue value)
{
#ifdef JSC_TAINTED
    // Stays 0 unless one of the checks below finds a taint mark on the value.
    unsigned int tainted = 0;
    // Case 1: primitive string value.
    if (value.isString() && value.isTainted()) {
        tainted = value.isTainted();
    }
    // Case 2: String wrapper object.
    if (value.inherits(&StringObject::s_info) && asStringObject(value)->isTainted()) {
        tainted = asStringObject(value)->isTainted();
    }
    // Case 3: any object -- the taint mark of its string conversion is used.
    // NOTE(review): toString(exec) is called here, again when the trace value
    // is built below, and the value is presumably converted once more inside
    // setHash(). If the conversion can run script, the string that was
    // taint-checked need not be the string that reaches the sink -- confirm.
    if (value.isObject()) {
        UString s = value.toString(exec);
        if (s.isTainted()) {
            tainted = s.isTainted();
        }
    }
    if (tainted) {
        JSLocation* castedThis = static_cast<JSLocation*>(thisObject);
        Location* imp = static_cast<Location*>(castedThis->impl());
        // Propagate the taint mark to the document of the owning frame.
        // NOTE(review): frame() and document() are dereferenced without a null
        // check -- confirm both are guaranteed non-null on this path.
        imp->frame()->document()->setTainted(tainted);

        // Describe the event: tainted data reached the location.hash sink.
        TaintedStructure trace_struct;
        trace_struct.taintedno = tainted;
        trace_struct.internalfunc = "setJSLocationHash";
        trace_struct.jsfunc = "location.hash";
        trace_struct.action = "sink";

        // snprintf is bounded to 20 bytes including the terminator, so at most
        // the first 19 bytes of the UTF-8 value are kept for the trace.
        char msg[20];
        stringstream msgss;
        snprintf(msg, 20, "%s", value.toString(exec).utf8(true).data());
        msgss << msg;
        // NOTE(review): the type of trace_struct.value is not visible here. For
        // a string-like target operator>> stops at the first whitespace, so
        // only the first token would be recorded; if the target is a fixed
        // char buffer, confirm it is large enough for 19 characters plus the
        // terminator.
        msgss >> trace_struct.value;

        TaintedTrace* trace = TaintedTrace::getInstance();
        trace->addTaintedTrace(trace_struct);
    }
#endif
    // The assignment itself is performed whether or not a trace was recorded.
    static_cast<JSLocation*>(thisObject)->setHash(exec, value);
}
// Named-property access check installed on Location wrappers.
// The decision is delegated entirely to V8BindingSecurity::canAccessFrame()
// for the frame that owns this Location; |key|, |type| and the unnamed data
// argument are not consulted.
bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value>)
{
    // Only allow same origin access.
    Location* location = V8Location::toNative(host);
    // NOTE(review): the meaning of the trailing `false` is not visible here;
    // presumably it suppresses error reporting -- confirm against canAccessFrame().
    return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), location->frame(), false);
}
// Named-property access check installed on Location wrappers.
// The decision is delegated entirely to
// BindingSecurity::shouldAllowAccessToFrame() for the frame that owns this
// Location; |key|, |type| and the unnamed data argument are not consulted.
bool V8Location::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value>)
{
    // Only allow same origin access. DoNotReportSecurityError is passed, so a
    // refusal is returned to the caller without being reported from here.
    Location* location = V8Location::toNative(host);
    return BindingSecurity::shouldAllowAccessToFrame(BindingState::instance(), location->frame(), DoNotReportSecurityError);
}