// Property access sequence is:
// (1) indexed properties,
// (2) regular own properties,
// (3) named properties (in fact, these shouldn't be on the window, should be on the NPO).
bool JSDOMWindow::getOwnPropertySlotByIndex(JSObject* object, ExecState* state, unsigned index, PropertySlot& slot)
{
auto* thisObject = jsCast<JSDOMWindow*>(object);
auto* frame = thisObject->wrapped().frame();
// Indexed getters take precendence over regular properties, so caching would be invalid.
slot.disableCaching();
// (1) First, indexed properties.
// These are also allowed cross-orgin, so come before the access check.
if (frame && index < frame->tree().scopedChildCount()) {
slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, toJS(state, frame->tree().scopedChild(index)->document()->domWindow()));
return true;
}
// Hand off all cross-domain/frameless access to jsDOMWindowGetOwnPropertySlotRestrictedAccess.
String errorMessage;
if (!frame || !BindingSecurity::shouldAllowAccessToDOMWindow(*state, thisObject->wrapped(), errorMessage))
return jsDOMWindowGetOwnPropertySlotRestrictedAccess(thisObject, frame, state, Identifier::from(state, index), slot, errorMessage);
// (2) Regular own properties.
return Base::getOwnPropertySlotByIndex(thisObject, state, index, slot);
}
bool JSDOMWindow::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
// When accessing a Window cross-domain, functions are always the native built-in ones, and they
// are not affected by properties changed on the Window or anything in its prototype chain.
// This is consistent with the behavior of Firefox.
// We don't want any properties other than "close" and "closed" on a frameless window (i.e. one whose page got closed,
// or whose iframe got removed).
// FIXME: This doesn't fully match Firefox, which allows at least toString in addition to those.
if (!thisObject->impl().frame()) {
// The following code is safe for cross-domain and same domain use.
// It ignores any custom properties that might be set on the DOMWindow (including a custom prototype).
if (propertyName == exec->propertyNames().closed) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, jsDOMWindowClosed);
return true;
}
if (propertyName == exec->propertyNames().close) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
return true;
}
// FIXME: We should have a message here that explains why the property access/function call was
// not allowed.
slot.setUndefined();
return true;
} else
slot.setWatchpointSet(thisObject->m_windowCloseWatchpoints);
// We need to check for cross-domain access here without printing the generic warning message
// because we always allow access to some function, just different ones depending whether access
// is allowed.
String errorMessage;
bool allowsAccess = shouldAllowAccessToDOMWindow(exec, thisObject->impl(), errorMessage);
// Look for overrides before looking at any of our own properties, but ignore overrides completely
// if this is cross-domain access.
if (allowsAccess && JSGlobalObject::getOwnPropertySlot(thisObject, exec, propertyName, slot))
return true;
// We need this code here because otherwise JSDOMWindowBase will stop the search before we even get to the
// prototype due to the blanket same origin (shouldAllowAccessToDOMWindow) check at the end of getOwnPropertySlot.
// Also, it's important to get the implementation straight out of the DOMWindow prototype regardless of
// what prototype is actually set on this object.
if (propertyName == exec->propertyNames().blur) {
if (!allowsAccess) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionBlur, 0>);
return true;
}
} else if (propertyName == exec->propertyNames().close) {
if (!allowsAccess) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
return true;
}
} else if (propertyName == exec->propertyNames().focus) {
if (!allowsAccess) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionFocus, 0>);
return true;
}
} else if (propertyName == exec->propertyNames().postMessage) {
if (!allowsAccess) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionPostMessage, 2>);
return true;
}
} else if (propertyName == exec->propertyNames().showModalDialog) {
if (!DOMWindow::canShowModalDialog(thisObject->impl().frame())) {
slot.setUndefined();
return true;
}
} else if (propertyName == exec->propertyNames().toString) {
// Allow access to toString() cross-domain, but always Object.prototype.toString.
if (!allowsAccess) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, objectToStringFunctionGetter);
return true;
}
}
const HashTableValue* entry = JSDOMWindow::info()->propHashTable(exec)->entry(exec, propertyName);
if (entry) {
slot.setCacheableCustom(thisObject, allowsAccess ? entry->attributes() : ReadOnly | DontDelete | DontEnum, entry->propertyGetter());
return true;
}
#if ENABLE(USER_MESSAGE_HANDLERS)
if (propertyName == exec->propertyNames().webkit && thisObject->impl().shouldHaveWebKitNamespaceForWorld(thisObject->world())) {
slot.setCacheableCustom(thisObject, allowsAccess ? DontDelete | ReadOnly : ReadOnly | DontDelete | DontEnum, jsDOMWindowWebKit);
return true;
}
#endif
// Do prototype lookup early so that functions and attributes in the prototype can have
// precedence over the index and name getters.
JSValue proto = thisObject->prototype();
if (proto.isObject()) {
if (asObject(proto)->getPropertySlot(exec, propertyName, slot)) {
if (!allowsAccess) {
thisObject->printErrorMessage(errorMessage);
slot.setUndefined();
}
return true;
}
}
// After this point it is no longer valid to cache any results because of
// the impure nature of the property accesses which follow. We can move this
// statement further down when we add ways to mitigate these impurities with,
// for example, watchpoints.
slot.disableCaching();
// Check for child frames by name before built-in properties to
// match Mozilla. This does not match IE, but some sites end up
// naming frames things that conflict with window properties that
// are in Moz but not IE. Since we have some of these, we have to do
// it the Moz way.
if (thisObject->impl().frame()->tree().scopedChild(propertyNameToAtomicString(propertyName))) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, childFrameGetter);
return true;
}
// FIXME: Search the whole frame hierarchy somewhere around here.
// We need to test the correct priority order.
// allow window[1] or parent[1] etc. (#56983)
unsigned i = propertyName.asIndex();
if (i < thisObject->impl().frame()->tree().scopedChildCount()) {
ASSERT(i != PropertyName::NotAnIndex);
slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum,
toJS(exec, thisObject->impl().frame()->tree().scopedChild(i)->document()->domWindow()));
return true;
}
if (!allowsAccess) {
thisObject->printErrorMessage(errorMessage);
slot.setUndefined();
return true;
}
// Allow shortcuts like 'Image1' instead of document.images.Image1
Document* document = thisObject->impl().frame()->document();
if (document->isHTMLDocument()) {
AtomicStringImpl* atomicPropertyName = findAtomicString(propertyName);
if (atomicPropertyName && toHTMLDocument(document)->hasWindowNamedItem(*atomicPropertyName)) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, namedItemGetter);
return true;
}
}
return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
}