Add access checks to V8WrapperInstationScope.

Source/bindings/core/v8/V8DOMWrapper.h

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 13 matching lines @@
  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef V8DOMWrapper_h
 #define V8DOMWrapper_h
 
+#include "bindings/core/v8/BindingSecurity.h"
 #include "bindings/core/v8/DOMDataStore.h"
 #include "bindings/core/v8/ScriptWrappable.h"
+#include "bindings/core/v8/V8Binding.h"
 #include "wtf/PassRefPtr.h"
 #include "wtf/RawPtr.h"
 #include "wtf/text/AtomicString.h"
 #include <v8.h>
 
 namespace blink {
 
 class Node;
 struct WrapperTypeInfo;
 
@@ skipping 55 matching lines @@
         setNativeInfo(wrapper, wrapperTypeInfo, ScriptWrappable::fromNode(node));
         ASSERT(hasInternalFieldsSet(wrapper));
     }
     RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(toScriptWrappable(wrapper) == ScriptWrappable::fromNode(node));
     return wrapper;
 }
 
 class V8WrapperInstantiationScope {
     STACK_ALLOCATED();
 public:
-    V8WrapperInstantiationScope(v8::Local<v8::Object> creationContext, v8::Isolate* isolate)
+    V8WrapperInstantiationScope(v8::Local<v8::Object> creationContext, v8::Isolate* isolate, bool withSecurityCheck = true)
         : m_didEnterContext(false)
         , m_context(isolate->GetCurrentContext())
     {
         // creationContext should not be empty. Because if we have an
         // empty creationContext, we will end up creating
         // a new object in the context currently entered. This is wrong.
         RELEASE_ASSERT(!creationContext.IsEmpty());
         v8::Local<v8::Context> contextForWrapper = creationContext->CreationContext();
         // For performance, we enter the context only if the currently running context
         // is different from the context that we are about to enter.
         if (contextForWrapper == m_context)

[haraken, 2015/12/22 07:17:51]

epertoso@ and jochen@: I'm getting a bit confused. In what scenario can
info.Holder()->CreationContext() be different from isolate->GetCurrentContext()?

Imagine that you have a main frame and an iframe. Imagine that you execute the
following code in the main frame.

- If you call iframe.contentDocument, in the binding callback for
contentDocument, which context do the isolate->GetCurrentContext and the
info.Holder()->CreationContext return?

(My guess is that both return the iframe's context.)

- If you call iframe.contentDocument.createElement(), in the binding callback
for createElement(), which context do the isolate->GetCurrentContext and the
info.Holder()->CreationContext return?

(My guess is that both return the iframe's context.)

- In what scenario, do the isolate->GetCurrentContext and the
info.Holder()->CreationContext return different contexts?

             return;
+        if (withSecurityCheck)
+            SecurityCheck(isolate, contextForWrapper);
         m_context = v8::Local<v8::Context>::New(isolate, contextForWrapper);
         m_didEnterContext = true;
         m_context->Enter();
     }
 
     ~V8WrapperInstantiationScope()
     {
         if (!m_didEnterContext)
             return;
         m_context->Exit();
     }
 
     v8::Local<v8::Context> context() const { return m_context; }
 
 private:
+    void SecurityCheck(v8::Isolate*, v8::Local<v8::Context> contextForWrapper);
+
     bool m_didEnterContext;
     v8::Local<v8::Context> m_context;
 };
 
 } // namespace blink
 
 #endif // V8DOMWrapper_h