
Side by Side Diff: WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp

Issue 3452011: Merge 67509 (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/517/
Patch Set: Created 10 years, 3 months ago
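--- a/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2009 Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above
@@ -598,45 +598,50 @@
 DOMWindow* targetWindow = V8DOMWindow::toNative(window);
 
 ASSERT(targetWindow);
 
 Frame* target = targetWindow->frame();
 if (!target)
 return false;
 
 if (key->IsString()) {
 String name = toWebCoreString(key);
-
-// Allow access of GET and HAS if index is a subframe.
-if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree() ->child(name))
+// Notice that we can't call HasRealNamedProperty for ACCESS_HAS
+// because that would generate infinite recursion.
+if (type == v8::ACCESS_HAS && target->tree()->child(name))
+return true;
+if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasR ealNamedProperty(key->ToString()))
 return true;
 }
 
 return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, fal se);
 }
 
 bool V8DOMWindow::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t inde x, v8::AccessType type, v8::Local<v8::Value>)
 {
 v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow:: GetTemplate(), host);
 if (window.IsEmpty())
 return false;
 
 DOMWindow* targetWindow = V8DOMWindow::toNative(window);
 
 ASSERT(targetWindow);
 
 Frame* target = targetWindow->frame();
 if (!target)
 return false;
 
-// Allow access of GET and HAS if index is a subframe.
-if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree()->ch ild(index))
+// Notice that we can't call HasRealNamedProperty for ACCESS_HAS
+// because that would generate infinite recursion.
+if (type == v8::ACCESS_HAS && target->tree()->child(index))
+return true;
+if (type == v8::ACCESS_GET && target->tree()->child(index) && !host->HasReal IndexedProperty(index))
 return true;
 
 return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, fal se);
 }
 
 v8::Handle<v8::Value> toV8(DOMWindow* window)
 {
 if (!window)
 return v8::Null();
 // Initializes environment of a frame, and return the global object
@@ -662,10 +667,10 @@
 v8::Handle<v8::Context> context = V8Proxy::context(frame);
 if (context.IsEmpty())
 return v8::Handle<v8::Object>();
 
 v8::Handle<v8::Object> global = context->Global();
 ASSERT(!global.IsEmpty());
 return global;
 }
 
 } // namespace WebCore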
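Review bot: The new comment in namedSecurityCheck and in indexedSecurityCheck explains only why ACCESS_HAS skips the real-property test, and it replaces the one sentence that stated the rule, so the security reason for the stricter ACCESS_GET branch is no longer written down. I would keep both, for example `// Allow cross-origin GET/HAS of a subframe by name or index, but never GET when that name shadows a real property of the window.` ahead of the recursion note. ACCESS_HAS still returns true for any name or index that matches a child frame even when a real property exists; that looks deliberate, but a line saying that only existence is disclosed on that path would help the next reader. The real-property test runs on `host`, while the DOMWindow is resolved from `window` (the lookupDOMWrapper result); if those two objects can differ, or if HasRealNamedProperty does not see properties on the prototype chain, a shadowed property could still pass, which is worth confirming. namedSecurityCheck begins above the visible lines.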