Add access checks to V8WrapperInstationScope.

Source/bindings/core/v8/V8DOMWrapper.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 16 matching lines @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "bindings/core/v8/V8DOMWrapper.h"
 
 #include "bindings/core/v8/V8Binding.h"
 #include "bindings/core/v8/V8HTMLCollection.h"
 #include "bindings/core/v8/V8HTMLDocument.h"
+#include "bindings/core/v8/V8Location.h"
 #include "bindings/core/v8/V8ObjectConstructor.h"
 #include "bindings/core/v8/V8PerContextData.h"
 #include "bindings/core/v8/V8PerIsolateData.h"
 #include "bindings/core/v8/V8ScriptRunner.h"
 #include "bindings/core/v8/V8Window.h"
 
 namespace blink {
 
 static v8::Local<v8::Object> wrapInShadowTemplate(v8::Local<v8::Object> wrapper, ScriptWrappable* scriptWrappable, v8::Isolate* isolate)
 {
@@ skipping 18 matching lines @@
     if (!V8ScriptRunner::instantiateObject(isolate, shadowConstructor).ToLocal(&shadow))
         return v8::Local<v8::Object>();
     if (!v8CallBoolean(shadow->SetPrototype(isolate->GetCurrentContext(), wrapper)))
         return v8::Local<v8::Object>();
     V8DOMWrapper::setNativeInfo(wrapper, &V8HTMLDocument::wrapperTypeInfo, scriptWrappable);
     return shadow;
 }
 
 v8::Local<v8::Object> V8DOMWrapper::createWrapper(v8::Isolate* isolate, v8::Local<v8::Object> creationContext, const WrapperTypeInfo* type, ScriptWrappable* scriptWrappable)
 {
-    V8WrapperInstantiationScope scope(creationContext, isolate);
+    ASSERT(!type->equals(&V8Window::wrapperTypeInfo));
+    // According to https://html.spec.whatwg.org/multipage/browsers.html#security-location,
+    // cross-origin script access to a few properties of Location is allowed.
+    // Location already implements the necessary security checks.
+    bool withSecurityCheck = !type->equals(&V8Location::wrapperTypeInfo);
+    V8WrapperInstantiationScope scope(creationContext, isolate, withSecurityCheck);
 
     V8PerContextData* perContextData = V8PerContextData::from(scope.context());
     v8::Local<v8::Object> wrapper;
     if (perContextData) {
         wrapper = perContextData->createWrapperFromCache(type);
     } else {
         v8::Local<v8::Function> function;
         if (!type->domTemplate(isolate)->GetFunction(isolate->GetCurrentContext()).ToLocal(&function))
             return v8::Local<v8::Object>();
         if (!V8ObjectConstructor::newInstance(isolate, function).ToLocal(&wrapper))
@@ skipping 31 matching lines @@
     if (object->InternalFieldCount() < v8DefaultWrapperInternalFieldCount)
         return false;
 
     const ScriptWrappable* untrustedScriptWrappable = toScriptWrappable(object);
     const WrapperTypeInfo* untrustedWrapperTypeInfo = toWrapperTypeInfo(object);
     return untrustedScriptWrappable
         && untrustedWrapperTypeInfo
         && untrustedWrapperTypeInfo->ginEmbedder == gin::kEmbedderBlink;
 }
 
+void V8WrapperInstantiationScope::SecurityCheck(v8::Isolate* isolate, v8::Local<v8::Context> contextForWrapper)
+{
+    if (!m_context.IsEmpty()) {
+        // If the context is different, we need to make sure that the current
+        // context has access to the creation context.
+        Frame* frame = toFrameIfNotDetached(contextForWrapper);
+        RELEASE_ASSERT(!frame || BindingSecurity::shouldAllowAccessToFrame(isolate, frame, DoNotReportSecurityError));
+    }
+}
+
 } // namespace blink