Merge 67509

WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp

Index: WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
===================================================================
--- WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	(revision 67717)
+++ WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	(working copy)
@@ -605,10 +605,12 @@
 
     if (key->IsString()) {
         String name = toWebCoreString(key);
-
-        // Allow access of GET and HAS if index is a subframe.
-        if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree()->child(name))
+        // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
+        // because that would generate infinite recursion.
+        if (type == v8::ACCESS_HAS && target->tree()->child(name))
             return true;
+        if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()))
+            return true;
     }
 
     return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
@@ -628,9 +630,12 @@
     if (!target)
         return false;
 
-    // Allow access of GET and HAS if index is a subframe.
-    if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree()->child(index))
+    // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
+    // because that would generate infinite recursion.
+    if (type == v8::ACCESS_HAS && target->tree()->child(index))
         return true;
+    if (type == v8::ACCESS_GET && target->tree()->child(index) && !host->HasRealIndexedProperty(index))
+        return true;
 
     return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);
 }