// Custom setter for window.opener.
//
// The access check between the current window and the target window runs
// first; when it fails the setter returns without touching the holder (the
// check is handed |exceptionState|, presumably so it can report the failure).
// Assigning null additionally clears the frame's opener. In every allowed case
// the "opener" accessor is deleted from the holder and the new value is set on
// the holder as a property.
void V8Window::openerAttributeSetterCustom(
    v8::Local<v8::Value> value,
    const v8::PropertyCallbackInfo<void>& info) {
  v8::Isolate* isolate = info.GetIsolate();
  DOMWindow* targetWindow = V8Window::toImpl(info.Holder());
  ExceptionState exceptionState(ExceptionState::SetterContext, "opener",
                                "Window", info.Holder(), isolate);

  const bool accessAllowed = BindingSecurity::shouldAllowAccessTo(
      currentDOMWindow(isolate), targetWindow, exceptionState);
  if (!accessAllowed)
    return;

  // Opener can be shadowed if it is in the same domain.
  // Null gets special handling to behave like Firefox.
  // See bug http://b/1224887 & http://b/791706.
  if (value->IsNull()) {
    // targetWindow->frame() has to be a non-null LocalFrame here; otherwise
    // the same-origin check above would have failed.
    ASSERT(targetWindow->frame());
    toLocalFrame(targetWindow->frame())->loader().setOpener(0);
  }

  // Delete the accessor from the inner object.
  info.Holder()->Delete(isolate->GetCurrentContext(),
                        v8AtomicString(isolate, "opener"));

  // Put the property on the inner object.
  if (!info.Holder()->IsObject())
    return;
  v8::Local<v8::Object> innerObject =
      v8::Local<v8::Object>::Cast(info.Holder());
  v8::Maybe<bool> unused = innerObject->Set(
      isolate->GetCurrentContext(), v8AtomicString(isolate, "opener"), value);
  ALLOW_UNUSED_LOCAL(unused);
}
// V8 callback for window.removeEventListener(type, listener, useCapture).
//
// Always returns undefined. The listener is removed only when the caller may
// access the window's frame, the window has a document, a V8Proxy exists for
// the frame, and an existing listener wrapper is found for args[1].
//
// NOTE(review): args[0] and args[2] are converted before the frame access
// check runs; the statement order is kept exactly as in the original.
v8::Handle<v8::Value> V8DOMWindow::removeEventListenerCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.DOMWindow.removeEventListener()");

    String eventType = toWebCoreString(args[0]);
    bool useCapture = args[2]->BooleanValue();

    DOMWindow* targetWindow = V8DOMWindow::toNative(args.Holder());

    // Cross-frame gate: bail out quietly when the caller may not touch the frame.
    if (!V8BindingSecurity::canAccessFrame(V8BindingState::Only(), targetWindow->frame(), true))
        return v8::Undefined();

    Document* document = targetWindow->document();
    if (!document)
        return v8::Undefined();

    V8Proxy* proxy = V8Proxy::retrieve(targetWindow->frame());
    if (!proxy)
        return v8::Undefined();

    // ListenerFindOnly: look up an existing wrapper, never create one.
    RefPtr<EventListener> listener = V8DOMWrapper::getEventListener(args[1], false, ListenerFindOnly);
    if (!listener)
        return v8::Undefined();

    targetWindow->removeEventListener(eventType, listener.get(), useCapture);
    removeHiddenDependency(args.Holder(), args[1], eventListenerCacheIndex);
    return v8::Undefined();
}
// Custom setter for window.opener.
//
// The frame access check runs first; on failure the pending exception is
// thrown and nothing is modified. Assigning null also clears the frame's
// opener. Afterwards the "opener" accessor is deleted from the holder and the
// value is set on info.This().
void V8Window::openerAttributeSetterCustom(v8::Local<v8::Value> value, const v8::PropertyCallbackInfo<void>& info)
{
    DOMWindow* targetWindow = V8Window::toNative(info.Holder());
    ExceptionState exceptionState(ExceptionState::SetterContext, "opener", "Window", info.Holder(), info.GetIsolate());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(info.GetIsolate(), targetWindow->frame(), exceptionState);
    if (!accessAllowed) {
        exceptionState.throwIfNeeded();
        return;
    }

    // Opener can be shadowed if it is in the same domain.
    // Null gets special handling to behave like Firefox.
    // See bug http://b/1224887 & http://b/791706.
    if (value->IsNull()) {
        // targetWindow->frame() cannot be null here; otherwise the
        // same-origin check above would have failed.
        ASSERT(targetWindow->frame());
        targetWindow->frame()->loader().setOpener(0);
    }

    // Delete the accessor from this object.
    info.Holder()->Delete(v8AtomicString(info.GetIsolate(), "opener"));

    // Put the property on the front (this) object. Note that the delete above
    // targets Holder() while the set targets This().
    info.This()->Set(v8AtomicString(info.GetIsolate(), "opener"), value);
}
// Shared implementation behind clearTimeout/clearInterval-style callbacks:
// removes the DOM timer whose id is args[0] from the holder window's document.
// Does nothing when the caller may not access the window's frame.
void V8Custom::ClearTimeoutImpl(const v8::Arguments& args)
{
    v8::Handle<v8::Value> holder = args.Holder();
    DOMWindow* targetWindow = V8Proxy::ToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, holder);

    // Cross-frame gate. The frame is dereferenced right below, so this check
    // is also what the code relies on for a usable frame pointer.
    const bool accessAllowed = V8Proxy::CanAccessFrame(targetWindow->frame(), true);
    if (!accessAllowed)
        return;

    // NOTE(review): document() is not null-checked here, and the context
    // pointer is captured before args[0] is converted - confirm that neither
    // can leave |timerContext| null or stale when removeById() runs.
    ScriptExecutionContext* timerContext = static_cast<ScriptExecutionContext*>(targetWindow->frame()->document());
    int timerId = toInt32(args[0]);
    DOMTimer::removeById(timerContext, timerId);
}
// Custom binding for window.postMessage().
//
// Requires at least two arguments and an active calling window; otherwise a
// TypeError is thrown. Accepts the spec argument order and the legacy WebKit
// order (see below), extracts transferables, serializes the message and hands
// everything to DOMWindow::postMessage() together with the calling window as
// the message source.
void V8Window::postMessageMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& info)
{
    v8::Isolate* isolate = info.GetIsolate();
    ExceptionState exceptionState(ExceptionState::ExecutionContext, "postMessage", "Window", info.Holder(), isolate);
    if (UNLIKELY(info.Length() < 2)) {
        setMinimumArityTypeError(exceptionState, 2, info.Length());
        exceptionState.throwIfNeeded();
        return;
    }

    // None of these need to be RefPtr because info and context are guaranteed
    // to hold on to them.
    DOMWindow* window = V8Window::toImpl(info.Holder());
    LocalDOMWindow* source = callingDOMWindow(isolate);

    ASSERT(window);
    UseCounter::countIfNotPrivateScript(isolate, window->frame(), UseCounter::WindowPostMessage);

    // If called directly by WebCore we don't have a calling context.
    if (!source) {
        exceptionState.throwTypeError("No active calling context exists.");
        exceptionState.throwIfNeeded();
        return;
    }

    // This function has variable arguments and can be:
    // Per current spec:
    //   postMessage(message, targetOrigin)
    //   postMessage(message, targetOrigin, {sequence of transferrables})
    // Legacy non-standard implementations in webkit allowed:
    //   postMessage(message, {sequence of transferrables}, targetOrigin);
    OwnPtrWillBeRawPtr<MessagePortArray> portArray = adoptPtrWillBeNoop(new MessagePortArray);
    ArrayBufferArray arrayBufferArray;
    int targetOriginArgIndex = 1;
    if (info.Length() > 2) {
        int transferablesArgIndex = 2;
        const bool usesLegacyOrder = isLegacyTargetOriginDesignation(info[2]);
        if (usesLegacyOrder) {
            UseCounter::countIfNotPrivateScript(isolate, window->frame(), UseCounter::WindowPostMessageWithLegacyTargetOriginArgument);
            targetOriginArgIndex = 2;
            transferablesArgIndex = 1;
        }

        const bool extracted = SerializedScriptValue::extractTransferables(isolate, info[transferablesArgIndex], transferablesArgIndex, *portArray, arrayBufferArray, exceptionState);
        if (!extracted) {
            exceptionState.throwIfNeeded();
            return;
        }
    }

    // The target origin is the caller-supplied restriction on who may receive
    // the message; null and undefined both become the null string.
    TOSTRING_VOID(V8StringResource<TreatNullAndUndefinedAsNullString>, targetOrigin, info[targetOriginArgIndex]);

    RefPtr<SerializedScriptValue> message = SerializedScriptValueFactory::instance().create(isolate, info[0], portArray.get(), &arrayBufferArray, exceptionState);
    if (exceptionState.throwIfNeeded())
        return;

    window->postMessage(message.release(), portArray.get(), targetOrigin, source, exceptionState);
    exceptionState.throwIfNeeded();
}
// Check if the current execution context can access a target frame. // First it checks same domain policy using the lexical context // // This is equivalent to KJS::Window::allowsAccessFrom(ExecState*, String&). bool V8Proxy::canAccessPrivate(DOMWindow* targetWindow) { ASSERT(targetWindow); String message; DOMWindow* originWindow = retrieveWindow(currentContext()); if (originWindow == targetWindow) return true; if (!originWindow) return false; const SecurityOrigin* activeSecurityOrigin = originWindow->securityOrigin(); const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin(); // We have seen crashes were the security origin of the target has not been // initialized. Defend against that. if (!targetSecurityOrigin) return false; if (activeSecurityOrigin->canAccess(targetSecurityOrigin)) return true; // Allow access to a "about:blank" page if the dynamic context is a // detached context of the same frame as the blank page. if (targetSecurityOrigin->isEmpty() && originWindow->frame() == targetWindow->frame()) return true; return false; }
// Custom binding for window.open(url, name, features).
//
// The frame access check runs before anything else; on failure the pending
// exception is thrown and the call ends. A missing or null name defaults to
// "_blank". When a window is opened its wrapper becomes the return value.
void V8Window::openMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& info)
{
    DOMWindow* targetWindow = V8Window::toImpl(info.Holder());
    ExceptionState exceptionState(ExceptionState::ExecutionContext, "open", "Window", info.Holder(), info.GetIsolate());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(info.GetIsolate(), targetWindow->frame(), exceptionState);
    if (!accessAllowed) {
        exceptionState.throwIfNeeded();
        return;
    }

    TOSTRING_VOID(V8StringResource<TreatNullAndUndefinedAsNullString>, urlString, info[0]);

    AtomicString frameName;
    const bool nameOmitted = info[1]->IsUndefined() || info[1]->IsNull();
    if (nameOmitted) {
        frameName = "_blank";
    } else {
        TOSTRING_VOID(V8StringResource<>, frameNameResource, info[1]);
        frameName = frameNameResource;
    }

    TOSTRING_VOID(V8StringResource<TreatNullAndUndefinedAsNullString>, windowFeaturesString, info[2]);

    // |targetWindow| has to be a LocalDOMWindow, since RemoteDOMWindows
    // wouldn't have passed the BindingSecurity check above.
    // NOTE(review): three argument conversions run between that check and this
    // cast - confirm nothing they trigger can invalidate the check's result.
    RefPtrWillBeRawPtr<DOMWindow> openedWindow = toLocalDOMWindow(targetWindow)->open(urlString, frameName, windowFeaturesString, callingDOMWindow(info.GetIsolate()), enteredDOMWindow(info.GetIsolate()));
    if (!openedWindow)
        return;

    v8SetReturnValueFast(info, openedWindow.release(), targetWindow);
}
// Named-property access check for DOMWindow wrappers.
//
// Returns false when the wrapper or its frame is gone. For string keys that
// name a child frame, HAS access is always granted, and GET access is granted
// unless the host has a real property of that name or the key is __proto__.
// Everything else falls through to the regular frame access check (called
// with a trailing `false` argument).
bool V8DOMWindow::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value>)
{
    v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow::GetTemplate(), host);
    if (window.IsEmpty())
        return false; // the frame is gone.

    DOMWindow* targetWindow = V8DOMWindow::toNative(window);
    ASSERT(targetWindow);

    Frame* target = targetWindow->frame();
    if (!target)
        return false;

    if (key->IsString()) {
        DEFINE_STATIC_LOCAL(AtomicString, nameOfProtoProperty, ("__proto__"));

        String name = toWebCoreString(key);

        // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
        // because that would generate infinite recursion.
        if (type == v8::ACCESS_HAS) {
            if (target->tree()->child(name))
                return true;
        }

        // We need to explicitly compare against nameOfProtoProperty because
        // V8's JSObject::LocalLookup finds __proto__ before
        // interceptors and even when __proto__ isn't a "real named property".
        if (type == v8::ACCESS_GET) {
            if (target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()) && name != nameOfProtoProperty)
                return true;
        }
    }

    return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
}
// Custom binding for window.open(url, name, features).
//
// The frame access check runs before anything else; on failure the pending
// exception is thrown and the call ends. A missing or null name defaults to
// "_blank". When a window is opened its wrapper becomes the return value.
void V8Window::openMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& info)
{
    DOMWindow* targetWindow = V8Window::toNative(info.Holder());
    ExceptionState exceptionState(ExceptionState::ExecutionContext, "open", "Window", info.Holder(), info.GetIsolate());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(info.GetIsolate(), targetWindow->frame(), exceptionState);
    if (!accessAllowed) {
        exceptionState.throwIfNeeded();
        return;
    }

    TOSTRING_VOID(V8StringResource<WithUndefinedOrNullCheck>, urlString, info[0]);

    AtomicString frameName;
    const bool nameOmitted = info[1]->IsUndefined() || info[1]->IsNull();
    if (nameOmitted) {
        frameName = "_blank";
    } else {
        TOSTRING_VOID(V8StringResource<>, frameNameResource, info[1]);
        frameName = frameNameResource;
    }

    TOSTRING_VOID(V8StringResource<WithUndefinedOrNullCheck>, windowFeaturesString, info[2]);

    // The calling and entered windows are passed along to open().
    RefPtrWillBeRawPtr<DOMWindow> openedWindow = targetWindow->open(urlString, frameName, windowFeaturesString, callingDOMWindow(info.GetIsolate()), enteredDOMWindow(info.GetIsolate()));
    if (!openedWindow)
        return;

    v8SetReturnValueFast(info, openedWindow.release(), targetWindow);
}
// Indexed-property access check for Window wrappers.
//
// Returns false when no Window instance is found in the host's prototype
// chain or the window has no frame. When |index| names a scoped child frame,
// HAS access is always granted and GET access is granted unless the host or
// the window wrapper has a real indexed property at that index. Everything
// else falls through to the regular frame access check, which is asked not to
// report a security error.
bool V8Window::indexedSecurityCheckCustom(v8::Local<v8::Object> host, uint32_t index, v8::AccessType type, v8::Local<v8::Value>)
{
    v8::Isolate* isolate = v8::Isolate::GetCurrent();
    v8::Handle<v8::Object> window = host->FindInstanceInPrototypeChain(V8Window::GetTemplate(isolate, worldTypeInMainThread(isolate)));
    if (window.IsEmpty())
        return false;

    DOMWindow* targetWindow = V8Window::toNative(window);
    ASSERT(targetWindow);

    Frame* target = targetWindow->frame();
    if (!target)
        return false;

    // Notify the loader's client if the initial document has been accessed.
    if (target->loader()->stateMachine()->isDisplayingInitialEmptyDocument())
        target->loader()->didAccessInitialDocument();

    Frame* childFrame = target->tree()->scopedChild(index);
    if (childFrame) {
        // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
        // because that would generate infinite recursion.
        if (type == v8::ACCESS_HAS)
            return true;

        if (type == v8::ACCESS_GET) {
            const bool shadowed = host->HasRealIndexedProperty(index) || window->HasRealIndexedProperty(index);
            if (!shadowed)
                return true;
        }
    }

    return BindingSecurity::shouldAllowAccessToFrame(target, DoNotReportSecurityError);
}
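// Shared implementation of window.postMessage().
//
// Serializes args[0], reads the optional port list and the target origin, and
// forwards everything to DOMWindow::postMessage() with the calling context's
// window as the message source. Returns undefined when there is no calling
// context, when serialization or argument conversion throws, or when the port
// list is invalid; otherwise returns the result of throwError() for the
// exception code reported by postMessage().
static v8::Handle<v8::Value> handlePostMessageCallback(const v8::Arguments& args)
{
    DOMWindow* window = V8DOMWindow::toNative(args.Holder());

    // There may be no calling context (for example when the call does not
    // originate from script). Check before dereferencing instead of relying
    // on a debug-only assertion.
    Frame* callingFrame = V8Proxy::retrieveFrameForCallingContext();
    if (!callingFrame)
        return v8::Undefined();

    DOMWindow* source = callingFrame->domWindow();
    if (!source)
        return v8::Undefined();
    ASSERT(source->frame());

    bool didThrow = false;
    RefPtr<SerializedScriptValue> message = SerializedScriptValue::create(args[0], didThrow);
    if (didThrow)
        return v8::Undefined();

    MessagePortArray portArray;
    String targetOrigin;

    // This function has variable arguments and can either be:
    //   postMessage(message, port, targetOrigin);
    // or
    //   postMessage(message, targetOrigin);
    v8::TryCatch tryCatch;
    if (args.Length() > 2) {
        if (!getMessagePortArray(args[1], portArray))
            return v8::Undefined();
        targetOrigin = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
    } else {
        targetOrigin = toWebCoreStringWithNullOrUndefinedCheck(args[1]);
    }

    // Argument conversion above can throw; do not post in that case.
    if (tryCatch.HasCaught())
        return v8::Undefined();

    ExceptionCode ec = 0;
    window->postMessage(message.release(), &portArray, targetOrigin, source, ec);
    return throwError(ec);
}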
// Custom binding for window.postMessage(message, targetOrigin[, transfer]).
//
// Throws a TypeError when fewer than two arguments are given or when there is
// no current window to act as the message source. Otherwise it extracts the
// transferables, serializes the message and forwards it to
// DOMWindow::postMessage() with the current window as the source.
void V8Window::postMessageMethodCustom(
    const v8::FunctionCallbackInfo<v8::Value>& info) {
  v8::Isolate* isolate = info.GetIsolate();
  ExceptionState exceptionState(ExceptionState::ExecutionContext,
                                "postMessage", "Window", info.Holder(),
                                isolate);
  if (UNLIKELY(info.Length() < 2)) {
    exceptionState.throwTypeError(
        ExceptionMessages::notEnoughArguments(2, info.Length()));
    return;
  }

  // None of these need to be RefPtr because info and context are guaranteed
  // to hold on to them.
  DOMWindow* window = V8Window::toImpl(info.Holder());
  // TODO(yukishiino): The HTML spec specifies that we should use the
  // Incumbent Realm instead of the Current Realm, but currently we don't have
  // a way to retrieve the Incumbent Realm.  See also:
  // https://html.spec.whatwg.org/multipage/comms.html#dom-window-postmessage
  LocalDOMWindow* source = currentDOMWindow(isolate);

  ASSERT(window);
  UseCounter::countIfNotPrivateScript(isolate, window->frame(),
                                      UseCounter::WindowPostMessage);

  // If called directly by WebCore we don't have a calling context.
  if (!source) {
    exceptionState.throwTypeError("No active calling context exists.");
    return;
  }

  // This function has variable arguments and can be:
  //   postMessage(message, targetOrigin)
  //   postMessage(message, targetOrigin, {sequence of transferrables})
  // TODO(foolip): Type checking of the arguments should happen in order, so
  // that e.g. postMessage({}, { toString: () => { throw Error(); } }, 0)
  // throws the Error from toString, not the TypeError for argument 3.
  Transferables transferables;
  const int targetOriginArgIndex = 1;
  if (info.Length() > 2) {
    const int transferablesArgIndex = 2;
    const bool extracted = SerializedScriptValue::extractTransferables(
        isolate, info[transferablesArgIndex], transferablesArgIndex,
        transferables, exceptionState);
    if (!extracted)
      return;
  }

  // TODO(foolip): targetOrigin should be a USVString in IDL and treated as
  // such here, without TreatNullAndUndefinedAsNullString.
  TOSTRING_VOID(V8StringResource<TreatNullAndUndefinedAsNullString>,
                targetOrigin, info[targetOriginArgIndex]);

  RefPtr<SerializedScriptValue> message = SerializedScriptValue::serialize(
      isolate, info[0], &transferables, nullptr, exceptionState);
  if (exceptionState.hadException())
    return;

  window->postMessage(message.release(), transferables.messagePorts,
                      targetOrigin, source, exceptionState);
}
// Called once the dialog window exists: remembers the dialog's frame and, if
// the caller passed a second argument, stores it on the dialog's normal-world
// global object as "dialogArguments".
inline void DialogHandler::dialogCreated(DOMWindow& dialog)
{
    m_frame = dialog.frame();

    // FIXME: This looks like a leak between the normal world and an isolated
    // world if dialogArguments comes from an isolated world.
    JSDOMWindow* dialogGlobal = toJSDOMWindow(m_frame.get(), normalWorld(m_exec.vm()));

    JSValue dialogArguments = m_exec.argument(1);
    if (!dialogArguments)
        return;

    dialogGlobal->putDirect(m_exec.vm(), Identifier::fromString(&m_exec, "dialogArguments"), dialogArguments);
}
// Returns the Frame for |context|'s window, but only while that window is
// the one currently displayed in its frame; returns 0 otherwise.
Frame* toFrameIfNotDetached(v8::Handle<v8::Context> context)
{
    DOMWindow* contextWindow = toDOMWindow(context);

    // We return 0 here because |context| is detached from the Frame. If we
    // did return |frame| we could get in trouble because the frame could be
    // navigated to another security origin.
    if (!contextWindow->isCurrentlyDisplayedInFrame())
        return 0;

    return contextWindow->frame();
}
// Returns the page zoom factor of the frame behind |event|'s view, or 1 when
// the event has no view or the view has no frame.
static float pageZoomFactor(const UIEvent* event)
{
    if (DOMWindow* view = event->view()) {
        if (Frame* viewFrame = view->frame())
            return viewFrame->pageZoomFactor();
    }
    return 1;
}
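// Returns the Frame that |context|'s window is still attached to, or 0 when
// the context has no window or the window is detached from its frame.
Frame* V8Proxy::retrieveFrame(v8::Handle<v8::Context> context)
{
    DOMWindow* window = retrieveWindow(context);

    // Treat a missing window like a detached context rather than
    // dereferencing a null pointer below.
    if (!window)
        return 0;

    Frame* frame = window->frame();
    if (frame && frame->domWindow() == window)
        return frame;

    // We return 0 here because |context| is detached from the Frame. If we
    // did return |frame| we could get in trouble because the frame could be
    // navigated to another security origin.
    return 0;
}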
// Tells the frontend that a rendering context was created in the frame that
// owns |wrappedContext|, provided the page agent knows a non-empty id for that
// frame. Returns |wrappedContext| unchanged.
ScriptObject InspectorCanvasAgent::notifyRenderingContextWasWrapped(const ScriptObject& wrappedContext)
{
    ASSERT(m_frontend);

    // Walk script state -> window -> frame, tolerating a null at each step.
    ScriptState* scriptState = wrappedContext.scriptState();

    DOMWindow* domWindow = 0;
    if (scriptState)
        domWindow = domWindowFromScriptState(scriptState);

    Frame* frame = 0;
    if (domWindow)
        frame = domWindow->frame();

    String frameId = m_pageAgent->frameId(frame);
    if (!frameId.isEmpty())
        m_frontend->contextCreated(frameId);

    return wrappedContext;
}
// Custom setter for window.opener.
//
// Does nothing when the frame access check fails. Assigning null also clears
// the frame's opener. Afterwards the accessor named |name| is deleted from the
// holder and the value is set on info.This().
void V8Window::openerAttrSetterCustom(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::PropertyCallbackInfo<void>& info)
{
    DOMWindow* targetWindow = V8Window::toNative(info.Holder());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(targetWindow->frame());
    if (!accessAllowed)
        return;

    // Opener can be shadowed if it is in the same domain.
    // Null gets special handling to behave like Firefox.
    // See bug http://b/1224887 & http://b/791706.
    if (value->IsNull()) {
        // targetWindow->frame() cannot be null here; otherwise the
        // same-origin check above would have failed.
        ASSERT(targetWindow->frame());
        targetWindow->frame()->loader()->setOpener(0);
    }

    // Delete the accessor from this object.
    info.Holder()->Delete(name);

    // Put the property on the front (this) object. Note that the delete above
    // targets Holder() while the set targets This().
    info.This()->Set(name, value);
}
// Custom binding for window.showModalDialog(url, dialogArguments, features).
//
// Does nothing when the frame access check fails. Otherwise it shows the
// dialog, passing the active and first windows along, and returns whatever
// the DialogHandler collected as the return value.
void V8Window::showModalDialogMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& args)
{
    DOMWindow* targetWindow = V8Window::toNative(args.Holder());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(targetWindow->frame());
    if (!accessAllowed)
        return;

    // FIXME: Handle exceptions properly.
    String urlString = toWebCoreStringWithUndefinedOrNullCheck(args[0]);
    DialogHandler dialogHandler(args[1]);
    String dialogFeaturesString = toWebCoreStringWithUndefinedOrNullCheck(args[2]);

    targetWindow->showModalDialog(urlString, dialogFeaturesString, activeDOMWindow(), firstDOMWindow(), setUpDialog, &dialogHandler);

    v8SetReturnValue(args, dialogHandler.returnValue());
}
// Records the frame that owns |wrappedContext| in
// m_framesWithUninstrumentedCanvases (with value false, if it is not already
// present) and tells the frontend that a context was created there, provided
// the page agent knows a non-empty id for the frame. Returns |wrappedContext|
// unchanged.
ScriptObject InspectorCanvasAgent::notifyRenderingContextWasWrapped(const ScriptObject& wrappedContext)
{
    ASSERT(m_frontend);

    // Walk script state -> window -> frame, tolerating a null at each step.
    ScriptState* scriptState = wrappedContext.scriptState();
    DOMWindow* domWindow = scriptState ? scriptState->domWindow() : 0;

    Frame* frame = 0;
    if (domWindow)
        frame = domWindow->frame();

    if (frame) {
        // Only add the frame when it is not tracked yet, so an existing entry
        // keeps its value.
        if (!m_framesWithUninstrumentedCanvases.contains(frame))
            m_framesWithUninstrumentedCanvases.set(frame, false);
    }

    String frameId = m_pageAgent->frameId(frame);
    if (!frameId.isEmpty())
        m_frontend->contextCreated(frameId);

    return wrappedContext;
}
// Custom binding for window.showModalDialog(url, dialogArguments, features).
//
// The frame access check runs first; on failure the pending exception is
// thrown and the call ends. Otherwise it shows the dialog, passing the calling
// and entered windows along, and returns whatever the DialogHandler collected
// as the return value.
void V8Window::showModalDialogMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& info)
{
    DOMWindow* targetWindow = V8Window::toNative(info.Holder());
    ExceptionState exceptionState(ExceptionState::ExecutionContext, "showModalDialog", "Window", info.Holder(), info.GetIsolate());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(info.GetIsolate(), targetWindow->frame(), exceptionState);
    if (!accessAllowed) {
        exceptionState.throwIfNeeded();
        return;
    }

    TOSTRING_VOID(V8StringResource<WithUndefinedOrNullCheck>, urlString, info[0]);
    DialogHandler dialogHandler(info[1]);
    TOSTRING_VOID(V8StringResource<WithUndefinedOrNullCheck>, dialogFeaturesString, info[2]);

    targetWindow->showModalDialog(urlString, dialogFeaturesString, callingDOMWindow(info.GetIsolate()), enteredDOMWindow(info.GetIsolate()), setUpDialog, &dialogHandler);

    v8SetReturnValue(info, dialogHandler.returnValue(info.GetIsolate()));
}
// Custom binding for window.open(url, name, features).
//
// Does nothing when the frame access check fails. A missing or null name
// defaults to "_blank". When a window is opened its wrapper becomes the
// return value.
void V8Window::openMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& args)
{
    DOMWindow* targetWindow = V8Window::toNative(args.Holder());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(targetWindow->frame());
    if (!accessAllowed)
        return;

    // FIXME: Handle exceptions properly.
    String urlString = toWebCoreStringWithUndefinedOrNullCheck(args[0]);

    AtomicString frameName;
    if (args[1]->IsUndefined() || args[1]->IsNull())
        frameName = "_blank";
    else
        frameName = AtomicString(toWebCoreString(args[1]));

    String windowFeaturesString = toWebCoreStringWithUndefinedOrNullCheck(args[2]);

    // The active and first windows are passed along to open().
    RefPtr<DOMWindow> openedWindow = targetWindow->open(urlString, frameName, windowFeaturesString, activeDOMWindow(), firstDOMWindow());
    if (!openedWindow)
        return;

    v8SetReturnValue(args, toV8Fast(openedWindow.release(), args, targetWindow));
}
// Custom binding for window.showModalDialog(url, dialogArguments, features).
//
// The frame access check runs first; on failure the pending exception is
// thrown and the call ends. Otherwise it shows the dialog, passing the active
// and first windows along, and returns whatever the DialogHandler collected
// as the return value.
void V8Window::showModalDialogMethodCustom(const v8::FunctionCallbackInfo<v8::Value>& info)
{
    DOMWindow* targetWindow = V8Window::toNative(info.Holder());
    ExceptionState exceptionState(ExceptionState::ExecutionContext, "showModalDialog", "Window", info.Holder(), info.GetIsolate());

    const bool accessAllowed = BindingSecurity::shouldAllowAccessToFrame(targetWindow->frame(), exceptionState);
    if (!accessAllowed) {
        exceptionState.throwIfNeeded();
        return;
    }

    // FIXME: Handle exceptions properly.
    String urlString = toCoreStringWithUndefinedOrNullCheck(info[0]);
    DialogHandler dialogHandler(info[1]);
    String dialogFeaturesString = toCoreStringWithUndefinedOrNullCheck(info[2]);

    targetWindow->showModalDialog(urlString, dialogFeaturesString, activeDOMWindow(), firstDOMWindow(), setUpDialog, &dialogHandler);

    v8SetReturnValue(info, dialogHandler.returnValue(info.GetIsolate()));
}
// Indexed property interceptor for DOMWindow: window[index] resolves to the
// DOMWindow of the frame's child at |index|. Reports "not handled" when the
// window, its frame or the child is missing.
//
// NOTE(review): this getter performs no origin check of its own; presumably
// access is gated by a separate security-check callback - confirm.
v8::Handle<v8::Value> V8DOMWindow::indexedPropertyGetter(uint32_t index, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.DOMWindow.IndexedPropertyGetter");

    DOMWindow* window = V8DOMWindow::toNative(info.Holder());
    if (!window)
        return notHandledByInterceptor();

    Frame* frame = window->frame();
    if (!frame)
        return notHandledByInterceptor();

    Frame* childFrame = frame->tree()->child(index);
    if (!childFrame)
        return notHandledByInterceptor();

    return toV8(childFrame->domWindow());
}
// Named-property access check for Window wrappers.
//
// Returns false when no Window instance is found in the host's prototype
// chain or the window has no frame. For string keys that name a scoped child
// frame, HAS access is always granted, and GET access is granted unless the
// host or the window wrapper has a real property of that name or the key is
// __proto__. Everything else falls through to the regular frame access check,
// which is asked not to report a security error.
bool V8Window::namedSecurityCheckCustom(v8::Local<v8::Object> host, v8::Local<v8::Value> key, v8::AccessType type, v8::Local<v8::Value>)
{
    v8::Isolate* isolate = v8::Isolate::GetCurrent();
    v8::Handle<v8::Object> window = host->FindInstanceInPrototypeChain(V8Window::GetTemplate(isolate, worldTypeInMainThread(isolate)));
    if (window.IsEmpty())
        return false; // the frame is gone.

    DOMWindow* targetWindow = V8Window::toNative(window);
    ASSERT(targetWindow);

    Frame* target = targetWindow->frame();
    if (!target)
        return false;

    // Notify the loader's client if the initial document has been accessed.
    if (target->loader()->stateMachine()->isDisplayingInitialEmptyDocument())
        target->loader()->didAccessInitialDocument();

    if (key->IsString()) {
        DEFINE_STATIC_LOCAL(AtomicString, nameOfProtoProperty, ("__proto__", AtomicString::ConstructFromLiteral));

        String name = toWebCoreString(key);
        Frame* childFrame = target->tree()->scopedChild(name);

        // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
        // because that would generate infinite recursion.
        if (childFrame && type == v8::ACCESS_HAS)
            return true;

        // We need to explicitly compare against nameOfProtoProperty because
        // V8's JSObject::LocalLookup finds __proto__ before
        // interceptors and even when __proto__ isn't a "real named property".
        v8::Handle<v8::String> keyString = key->ToString();
        if (childFrame && type == v8::ACCESS_GET) {
            const bool shadowed = host->HasRealNamedProperty(keyString) || window->HasRealNamedProperty(keyString);
            if (!shadowed && name != nameOfProtoProperty)
                return true;
        }
    }

    return BindingSecurity::shouldAllowAccessToFrame(target, DoNotReportSecurityError);
}
// Returns the owner frame pointer of a DOM wrapper object. It only works for // these DOM objects requiring cross-domain access check. static Frame* getTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data) { Frame* target = 0; WrapperTypeInfo* type = WrapperTypeInfo::unwrap(data); if (V8DOMWindow::info.equals(type)) { v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow::GetTemplate(), host); if (window.IsEmpty()) return target; DOMWindow* targetWindow = V8DOMWindow::toNative(window); target = targetWindow->frame(); } else if (V8History::info.equals(type)) { History* history = V8History::toNative(host); target = history->frame(); } else if (V8Location::info.equals(type)) { Location* location = V8Location::toNative(host); target = location->frame(); } return target; }
// Named property interceptor for Window. Lookup order:
//   1. a scoped child frame called |name| -> that frame's DOMWindow;
//   2. a real named property on the holder -> leave the return value unset;
//   3. named items / elements with that id in an HTML document -> the single
//      item, or the whole collection when there are several.
// Leaves the return value unset when nothing matches or the window is
// detached from its frame.
//
// NOTE(review): this getter performs no origin check of its own; presumably
// access is gated by a separate security-check callback - confirm.
void V8Window::namedPropertyGetterCustom(v8::Local<v8::String> name, const v8::PropertyCallbackInfo<v8::Value>& info)
{
    DOMWindow* window = V8Window::toNative(info.Holder());
    if (!window)
        return;

    Frame* frame = window->frame();
    // window is detached from a frame.
    if (!frame)
        return;

    // Search sub-frames.
    AtomicString propName = toWebCoreAtomicString(name);
    if (Frame* childFrame = frame->tree()->scopedChild(propName)) {
        v8SetReturnValue(info, toV8Fast(childFrame->domWindow(), info, window));
        return;
    }

    // Search IDL functions defined in the prototype.
    if (!info.Holder()->GetRealNamedProperty(name).IsEmpty())
        return;

    // Search named items in the document.
    Document* document = frame->document();
    if (!document || !document->isHTMLDocument())
        return;

    if (!toHTMLDocument(document)->hasNamedItem(propName.impl()) && !document->hasElementWithId(propName.impl()))
        return;

    RefPtr<HTMLCollection> items = document->windowNamedItems(propName);
    if (items->isEmpty())
        return;

    if (items->hasExactlyOneItem())
        v8SetReturnValue(info, toV8Fast(items->item(0), info, window));
    else
        v8SetReturnValue(info, toV8Fast(items.release(), info, window));
}
// Named property interceptor for DOMWindow. Lookup order:
//   1. a child frame called |name| -> that frame's DOMWindow;
//   2. a real named property on the holder -> that property;
//   3. named items / elements with that id in an HTML document -> the single
//      item, or the whole collection when there are several.
// Reports "not handled" when nothing matches or the window is detached from
// its frame.
//
// NOTE(review): this getter performs no origin check of its own; presumably
// access is gated by a separate security-check callback - confirm.
v8::Handle<v8::Value> V8DOMWindow::namedPropertyGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
    INC_STATS("DOM.DOMWindow.NamedPropertyGetter");

    DOMWindow* window = V8DOMWindow::toNative(info.Holder());
    if (!window)
        return notHandledByInterceptor();

    Frame* frame = window->frame();
    // window is detached from a frame.
    if (!frame)
        return notHandledByInterceptor();

    // Search sub-frames.
    AtomicString propName = v8StringToAtomicWebCoreString(name);
    if (Frame* childFrame = frame->tree()->child(propName))
        return toV8(childFrame->domWindow());

    // Search IDL functions defined in the prototype.
    v8::Handle<v8::Value> realProperty = info.Holder()->GetRealNamedProperty(name);
    if (!realProperty.IsEmpty())
        return realProperty;

    // Search named items in the document.
    Document* document = frame->document();
    if (!document || !document->isHTMLDocument())
        return notHandledByInterceptor();

    if (!static_cast<HTMLDocument*>(document)->hasNamedItem(propName.impl()) && !document->hasElementWithId(propName.impl()))
        return notHandledByInterceptor();

    RefPtr<HTMLCollection> items = document->windowNamedItems(propName);
    if (items->length() < 1)
        return notHandledByInterceptor();

    if (items->length() == 1)
        return toV8(items->firstItem());
    return toV8(items.release());
}
// Indexed-property access check for DOMWindow wrappers.
//
// Returns false when the wrapper or its frame is gone. When |index| names a
// child frame, HAS access is always granted and GET access is granted unless
// the host has a real indexed property at that index. Everything else falls
// through to the regular frame access check (called with a trailing `false`
// argument).
bool V8DOMWindow::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t index, v8::AccessType type, v8::Local<v8::Value>)
{
    v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow::GetTemplate(), host);
    if (window.IsEmpty())
        return false;

    DOMWindow* targetWindow = V8DOMWindow::toNative(window);
    ASSERT(targetWindow);

    Frame* target = targetWindow->frame();
    if (!target)
        return false;

    // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
    // because that would generate infinite recursion.
    if (type == v8::ACCESS_HAS) {
        if (target->tree()->child(index))
            return true;
    }

    if (type == v8::ACCESS_GET) {
        if (target->tree()->child(index) && !host->HasRealIndexedProperty(index))
            return true;
    }

    return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
}
// Returns the V8Proxy for the frame of the current context's window.
// The window is only asserted to exist (debug builds); it is dereferenced
// unconditionally.
V8Proxy* V8Proxy::retrieve()
{
    DOMWindow* currentWindow = retrieveWindow(currentContext());
    ASSERT(currentWindow);

    Frame* currentFrame = currentWindow->frame();
    return retrieve(currentFrame);
}