V8-binding: Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.
See also the changes in
http/tests/security/w3c/cross-origin-objects-actual.txt

BUG=582538, 501666
Committed: https://crrev.com/607c6e18aae50211a534f964ebfdac47cdbf21be
Cr-Commit-Position: refs/heads/master@{#381435}

[Yuki, 2016-02-03 10:04:19]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=
==========

[Yuki, 2016-02-08 13:29:30]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=501666
==========

[Yuki, 2016-02-09 11:35:02]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=582538,501666
==========

[Yuki, 2016-02-12 13:03:13]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

BUG=582538,501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

BUG=582538,501666
==========

[Yuki, 2016-03-01 08:04:25]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

BUG=582538,501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in one
window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on childWin,
which is not expected.

BUG=582538,501666
==========

[Yuki, 2016-03-01 08:05:27]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in one
window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on childWin,
which is not expected.

BUG=582538,501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.

BUG=582538,501666
==========

[Yuki, 2016-03-01 08:06:25]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.

BUG=582538,501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.
See also the changes in
http/tests/security/w3c/cross-origin-objects-actual.txt

BUG=582538,501666
==========

[Yuki, 2016-03-01 09:34:17]

yukishiino@chromium.org changed reviewers:
+ haraken@chromium.org, verwaest@chromium.org

[Yuki, 2016-03-01 09:34:18]

Could you guys review this CL?

This CL trades the following two issues.

a) existing issue, will be resolved
Object.defineProperty(window, 'console', {value: 0, writable: false})
causes an infinite loop and it makes the renderer crash.
See http://crbug.com/582538

b) new issue, will be introduced
<child window>
frames = 0
<parent window>
childWin.frames
=> throws a SecurityError
You can detect the change in childWin.

I'm on the fence if we should land this CL or not.
Any advice is welcome.

[Toon Verwaest, 2016-03-07 19:45:31]

I still think you should. LGTM from my side.

[haraken, 2016-03-07 23:33:34]

LGTM

[Yuki, 2016-03-16 11:24:53]

The CQ bit was checked by yukishiino@chromium.org

[Yuki, 2016-03-16 11:24:54]

The patchset sent to the CQ was uploaded after l-g-t-m from
haraken@chromium.org, verwaest@chromium.org
Link to the patchset: https://codereview.chromium.org/1667653002/#ps320001
(title: "Moved the [LenientThis] test to http/tests/.")

[commit-bot: I haz the power, 2016-03-16 11:25:09]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1667653002/320001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1667653002/320001

[commit-bot: I haz the power, 2016-03-16 11:35:06]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.
See also the changes in
http/tests/security/w3c/cross-origin-objects-actual.txt

BUG=582538,501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.
See also the changes in
http/tests/security/w3c/cross-origin-objects-actual.txt

BUG=582538,501666
==========

[commit-bot: I haz the power, 2016-03-16 11:35:08]

Committed patchset #17 (id:320001)

[commit-bot: I haz the power, 2016-03-16 11:36:06]

Description was changed from

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.
See also the changes in
http/tests/security/w3c/cross-origin-objects-actual.txt

BUG=582538,501666
==========

to

==========
Use v8::Template::SetNativeDataProperty without setter for [Replaceable].

We shouldn't use v8::Object::CreateDataProperty in a setter
function callback if the property is a data-type property.
Because CreateDataProperty for data-type property invokes
its setter, so it causes an infinite loop.

V8 already supports [Replaceable]'s behavior if we use
SetNativeDataProperty() without setter.  Thus, this CL uses
it.

This CL has an unintentional side effect that deletion / replacement in
one window is observable from another window.  Example is below.

  <parent window>
  childWin.frames
  // => Window object

  <child window>
  delete frames  // |frames = 0| has the same effect.
  // => true

  <parent window>
  childWin.frames
  // => throws a SecurityError

You cannot access to childWin.frames, but you can detect a change on
childWin, which is not expected.
See also the changes in
http/tests/security/w3c/cross-origin-objects-actual.txt

BUG=582538,501666

Committed: https://crrev.com/607c6e18aae50211a534f964ebfdac47cdbf21be
Cr-Commit-Position: refs/heads/master@{#381435}
==========

[commit-bot: I haz the power, 2016-03-16 11:36:08]

Patchset 17 (id:??) landed as
https://crrev.com/607c6e18aae50211a534f964ebfdac47cdbf21be
Cr-Commit-Position: refs/heads/master@{#381435}