[Extensions] Finish freezing schema

extensions/renderer/v8_schema_registry.cc

Index: extensions/renderer/v8_schema_registry.cc
diff --git a/extensions/renderer/v8_schema_registry.cc b/extensions/renderer/v8_schema_registry.cc
index 851b01171413853e7bbac99df035d2884ab325dd..ac865aaf2ce7e26feae94446e9ec852b9a69e28b 100644
--- a/extensions/renderer/v8_schema_registry.cc
+++ b/extensions/renderer/v8_schema_registry.cc
@@ -21,6 +21,18 @@ namespace extensions {
 
 namespace {
 
+// Recursively freezes every v8 object on |object|.
+void DeepFreeze(const v8::Local<v8::Object>& object,
+                const v8::Local<v8::Context>& context) {

[robwu, 2016/04/21 14:07:50]

As explained at https://crbug.com/604901#c8, add something equivalent to the
following line:

object->SetPrototype(context, v8::Null(context->GetIsolate()));

[Devlin, 2016/04/21 22:07:36]

Done.

This also has the happy side-effect of making a bunch of places that should have
been using safe builtins fail.

+  v8::Local<v8::Array> property_names = object->GetOwnPropertyNames();
+  for (uint32_t i = 0; i < property_names->Length(); ++i) {
+    v8::Local<v8::Value> child = object->Get(property_names->Get(i));
+    if (child->IsObject())
+      DeepFreeze(v8::Local<v8::Object>::Cast(child), context);
+  }
+  object->SetIntegrityLevel(context, v8::IntegrityLevel::kFrozen);
+}
+
 class SchemaRegistryNativeHandler : public ObjectBackedNativeHandler {
  public:
   SchemaRegistryNativeHandler(V8SchemaRegistry* registry,
@@ -104,7 +116,7 @@ v8::Local<v8::Object> V8SchemaRegistry::GetSchema(const std::string& api) {
   CHECK(!value.IsEmpty());
 
   v8::Local<v8::Object> v8_schema(v8::Local<v8::Object>::Cast(value));
-  v8_schema->SetIntegrityLevel(context, v8::IntegrityLevel::kFrozen);
+  DeepFreeze(v8_schema, context);
   schema_cache_->Set(api, v8_schema);
 
   return handle_scope.Escape(v8_schema);