Allow sites to enable 'window.onerror' handlers for cross-domain scripts.

Source/core/dom/ScriptExecutionContext.cpp

Index: Source/core/dom/ScriptExecutionContext.cpp
diff --git a/Source/core/dom/ScriptExecutionContext.cpp b/Source/core/dom/ScriptExecutionContext.cpp
index 6c0b2101c5dfe6e21e924cc2f016b092ca95ca7e..3094071d16b8382d0469a25747763ca721c83ed1 100644
--- a/Source/core/dom/ScriptExecutionContext.cpp
+++ b/Source/core/dom/ScriptExecutionContext.cpp
@@ -195,10 +195,9 @@ void ScriptExecutionContext::closeMessagePorts() {
     }
 }
 
-bool ScriptExecutionContext::sanitizeScriptError(String& errorMessage, int& lineNumber, int& columnNumber, String& sourceURL, CachedScript* cachedScript)
+bool ScriptExecutionContext::sanitizeScriptError(String& errorMessage, int& lineNumber, int& columnNumber, String& sourceURL)
 {
-    KURL targetURL = completeURL(sourceURL);
-    if (securityOrigin()->canRequest(targetURL) || (cachedScript && cachedScript->passesAccessControlCheck(securityOrigin())))
+    if (scriptPassedAccessControlCheck(completeURL(sourceURL)))
         return false;
     errorMessage = "Script error.";
     sourceURL = String();
@@ -207,7 +206,7 @@ bool ScriptExecutionContext::sanitizeScriptError(String& errorMessage, int& line
     return true;
 }
 
-void ScriptExecutionContext::reportException(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, PassRefPtr<ScriptCallStack> callStack, CachedScript* cachedScript)
+void ScriptExecutionContext::reportException(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, PassRefPtr<ScriptCallStack> callStack)
 {
     if (m_inDispatchErrorEvent) {
         if (!m_pendingExceptions)
@@ -217,7 +216,7 @@ void ScriptExecutionContext::reportException(const String& errorMessage, int lin
     }
 
     // First report the original exception and only then all the nested ones.
-    if (!dispatchErrorEvent(errorMessage, lineNumber, columnNumber, sourceURL, cachedScript))
+    if (!dispatchErrorEvent(errorMessage, lineNumber, columnNumber, sourceURL))
         logExceptionToConsole(errorMessage, sourceURL, lineNumber, columnNumber, callStack);
 
     if (!m_pendingExceptions)
@@ -235,7 +234,7 @@ void ScriptExecutionContext::addConsoleMessage(MessageSource source, MessageLeve
     addMessage(source, level, message, sourceURL, lineNumber, 0, state, requestIdentifier);
 }
 
-bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, CachedScript* cachedScript)
+bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL)
 {
     EventTarget* target = errorEventTarget();
     if (!target)
@@ -245,7 +244,7 @@ bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int
     int line = lineNumber;
     int column = columnNumber;
     String sourceName = sourceURL;
-    sanitizeScriptError(message, line, column, sourceName, cachedScript);
+    sanitizeScriptError(message, line, column, sourceName);
 
     ASSERT(!m_inDispatchErrorEvent);
     m_inDispatchErrorEvent = true;
@@ -329,4 +328,14 @@ void ScriptExecutionContext::setDatabaseContext(DatabaseContext* databaseContext
     m_databaseContext = databaseContext;
 }
 
+void ScriptExecutionContext::didLoadScriptThatPassedAccessControlCheck(const KURL& url)
+{
+    m_scriptsPassingAccessControlCheck.add(url.string().impl()->hash());
+}
+
+bool ScriptExecutionContext::scriptPassedAccessControlCheck(const KURL& url) const
+{
+    return securityOrigin()->canRequest(url) || m_scriptsPassingAccessControlCheck.contains(url.string().impl()->hash());

[abarth-chromium, 2013/07/25 18:19:16]

not lgtm

This is insecure.  String::hash isn't a secure hash.  That means the attacker
could arrange for two URLs to have the same hash: one that passes the access
control check and one that does not.  In doing so, the attacker could bypass
this security check.

+}
+
 } // namespace WebCore