bindings: Makes the window object be the inner global object.

third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp

Index: third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp b/third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp
index 43079ab58290e3addff5e4aa65172b9316a6168e..129ff09aebbd7f1e401836b4f7270329ffad477a 100644
--- a/third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp
@@ -156,7 +156,19 @@ bool WorkerOrWorkletScriptController::initializeContextIfNeeded()
     if (isContextInitialized())
         return true;
 
-    v8::Local<v8::Context> context = v8::Context::New(m_isolate);
+    // Create a new v8::Context with the worker/worklet as the global object
+    // (aka the inner global).
+    ScriptWrappable* scriptWrappable = m_globalScope->getScriptWrappable();
+    const WrapperTypeInfo* wrapperTypeInfo = scriptWrappable->wrapperTypeInfo();
+    v8::Local<v8::FunctionTemplate> globalInterfaceTemplate = wrapperTypeInfo->domTemplate(m_isolate, *m_world);
+    if (globalInterfaceTemplate.IsEmpty())
+        return false;
+    v8::Local<v8::ObjectTemplate> globalTemplate = globalInterfaceTemplate->InstanceTemplate();
+    v8::Local<v8::Context> context;
+    {
+        V8PerIsolateData::UseCounterDisabledScope useCounterDisabled(V8PerIsolateData::from(m_isolate));
+        context = v8::Context::New(m_isolate, nullptr, globalTemplate);
+    }
     if (context.IsEmpty())
         return false;
 
@@ -172,24 +184,13 @@ bool WorkerOrWorkletScriptController::initializeContextIfNeeded()
             debugger->contextCreated(context);
     }
 
-    // Create a new JS object and use it as the prototype for the shadow global object.
-    const WrapperTypeInfo* wrapperTypeInfo = m_globalScope->getScriptWrappable()->wrapperTypeInfo();
-
-    v8::Local<v8::Function> globalScopeConstructor = m_scriptState->perContextData()->constructorForType(wrapperTypeInfo);
-    if (globalScopeConstructor.IsEmpty())
-        return false;
-
-    v8::Local<v8::Object> jsGlobalScope;
-    if (!V8ObjectConstructor::newInstance(m_isolate, globalScopeConstructor).ToLocal(&jsGlobalScope)) {
-        disposeContextIfNeeded();
-        return false;
-    }
-
-    jsGlobalScope = V8DOMWrapper::associateObjectWithWrapper(m_isolate, m_globalScope->getScriptWrappable(), wrapperTypeInfo, jsGlobalScope);
+    // The global proxy object.  Note this is not the global object.
+    v8::Local<v8::Object> globalProxy = context->Global();
+    // The global object, aka worker/worklet wrapper object.
+    v8::Local<v8::Object> globalObject = globalProxy->GetPrototype().As<v8::Object>();
+    globalObject = V8DOMWrapper::associateObjectWithWrapper(m_isolate, scriptWrappable, wrapperTypeInfo, globalObject);

[jochen (gone - plz use gerrit), 2017/01/04 14:24:27]

this exposes the global object (instead of the global proxy) to script, e.g.,
when you look at event.target for push events.. while this isn't a security
issue on workers (as there's only one context anyways), this shouldn't happen

 
-    // Insert the object instance as the prototype of the shadow object.
-    v8::Local<v8::Object> globalObject = v8::Local<v8::Object>::Cast(m_scriptState->context()->Global()->GetPrototype());
-    return v8CallBoolean(globalObject->SetPrototype(context, jsGlobalScope));
+    return true;
 }
 
 ScriptValue WorkerOrWorkletScriptController::evaluate(const CompressibleString& script, const String& fileName, const TextPosition& scriptStartPosition, CachedMetadataHandler* cacheHandler, V8CacheOptions v8CacheOptions)