Implement cross-origin attributes using access check interceptors.

third_party/WebKit/Source/bindings/templates/interface_base.cpp.tmpl

 {% filter format_blink_cpp_source_code %}
 
 {% include 'copyright_block.txt' %}
 #include "{{v8_class_or_partial}}.h"
 
 {% for filename in cpp_includes if filename != '%s.h' % cpp_class_or_partial %}
 #include "{{filename}}"
 {% endfor %}
 
 namespace blink {
@@ skipping 99 matching lines @@
 {% endif %}
 {% if attribute.has_setter %}
 {% if not attribute.has_custom_setter %}
 {{attribute_setter(attribute, world_suffix)}}
 {% endif %}
 {{attribute_setter_callback(attribute, world_suffix)}}
 {% endif %}
 {% endfor %}
 {% endfor %}
 {##############################################################################}
-{% block security_check_functions %}
-{% if has_access_check_callbacks and not is_partial %}
-bool securityCheck(v8::Local<v8::Context> accessingContext, v8::Local<v8::Object> accessedObject, v8::Local<v8::Value> data) {
-  {% if interface_name == 'Window' %}
-  v8::Isolate* isolate = v8::Isolate::GetCurrent();
-  v8::Local<v8::Object> window = V8Window::findInstanceInPrototypeChain(accessedObject, isolate);
-  if (window.IsEmpty())
-    return false; // the frame is gone.
-
-  const DOMWindow* targetWindow = V8Window::toImpl(window);
-  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), targetWindow, BindingSecurity::ErrorReportOption::DoNotReport);
-  {% else %}{# if interface_name == 'Window' #}
-  {# Not 'Window' means it\'s Location. #}
-  {{cpp_class}}* impl = {{v8_class}}::toImpl(accessedObject);
-  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), impl, BindingSecurity::ErrorReportOption::DoNotReport);
-  {% endif %}{# if interface_name == 'Window' #}
-}
-
-{% endif %}
-{% endblock %}
-{##############################################################################}
 {# Methods #}
 {% from 'methods.cpp.tmpl' import generate_method, overload_resolution_method,
-       method_callback, origin_safe_method_getter, generate_constructor,
+       method_callback, cross_origin_method_getter, generate_constructor,
        method_implemented_in_private_script, generate_post_message_impl,
        runtime_determined_length_method, runtime_determined_maxarg_method
        with context %}
 {% for method in methods if method.should_be_exposed_to_script %}
 {% for world_suffix in method.world_suffixes %}
 {% if not method.is_custom and not method.is_post_message and method.visible %}
 {{generate_method(method, world_suffix)}}
 {% endif %}
 {% if method.is_post_message and not is_partial %}
 {{generate_post_message_impl(method)}}
@@ skipping 11 matching lines @@
 {# Document about the following condition: #}
 {# https://docs.google.com/document/d/1qBC7Therp437Jbt_QYAtNYMZs6zQ_7_tnMkNUG_ACqs/edit?usp=sharing #}
 {% if (method.overloads and method.overloads.visible and
        (not method.overloads.has_partial_overloads or not is_partial)) or
       (not method.overloads and method.visible) %}
 {# A single callback is generated for overloaded methods #}
 {# with considering partial overloads #}
 {{method_callback(method, world_suffix)}}
 {% endif %}
 {% endif %}
-{% if method.is_do_not_check_security and method.visible %}
-{{origin_safe_method_getter(method, world_suffix)}}
+{% if method.is_cross_origin and method.visible %}
+{{cross_origin_method_getter(method, world_suffix)}}
 {% endif %}
 {% endfor %}
 {% endfor %}
 {% if iterator_method %}
 {{generate_method(iterator_method)}}
 {{method_callback(iterator_method)}}
 {% endif %}
-{% block origin_safe_method_setter %}{% endblock %}
 {# Constructors #}
 {% for constructor in constructors %}
 {{generate_constructor(constructor)}}
 {% endfor %}
 {% block overloaded_constructor %}{% endblock %}
 {% block event_constructor %}{% endblock %}
 {# Special operations (methods) #}
 {% block named_property_getter %}{% endblock %}
 {% block named_property_getter_callback %}{% endblock %}
 {% block named_property_setter %}{% endblock %}
 {% block named_property_setter_callback %}{% endblock %}
 {% block named_property_deleter %}{% endblock %}
 {% block named_property_deleter_callback %}{% endblock %}
 {% block named_property_query %}{% endblock %}
 {% block named_property_query_callback %}{% endblock %}
 {% block named_property_enumerator %}{% endblock %}
 {% block named_property_enumerator_callback %}{% endblock %}
 {% block indexed_property_getter %}{% endblock %}
 {% block indexed_property_getter_callback %}{% endblock %}
 {% block indexed_property_setter %}{% endblock %}
 {% block indexed_property_setter_callback %}{% endblock %}
 {% block indexed_property_deleter %}{% endblock %}
 {% block indexed_property_deleter_callback %}{% endblock %}
+{##############################################################################}
+{% block security_check_functions %}

[dcheng, 2016/11/02 01:46:42]

This block is moved so it can reference the generated helpers for attributes /
methods.

+{% if has_access_check_callbacks and not is_partial %}
+bool securityCheck(v8::Local<v8::Context> accessingContext, v8::Local<v8::Object> accessedObject, v8::Local<v8::Value> data) {
+  {% if interface_name == 'Window' %}
+  v8::Isolate* isolate = v8::Isolate::GetCurrent();
+  v8::Local<v8::Object> window = V8Window::findInstanceInPrototypeChain(accessedObject, isolate);
+  if (window.IsEmpty())
+    return false; // the frame is gone.
+
+  const DOMWindow* targetWindow = V8Window::toImpl(window);
+  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), targetWindow, BindingSecurity::ErrorReportOption::DoNotReport);
+  {% else %}{# if interface_name == 'Window' #}
+  {# Not 'Window' means it\'s Location. #}
+  {{cpp_class}}* impl = {{v8_class}}::toImpl(accessedObject);
+  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), impl, BindingSecurity::ErrorReportOption::DoNotReport);
+  {% endif %}{# if interface_name == 'Window' #}
+}
+
+{% if has_cross_origin_named_getter %}
+void crossOriginNamedGetter(v8::Local<v8::Name> name, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  if (!name->IsString())
+    return;
+  const AtomicString& propertyName = toCoreAtomicString(name.As<v8::String>());
+
+  // TODO(dcheng): Can we / should we use AtomicString here? That means using DEFINE_STATIC_LOCAL here.
+  static const struct AttributeInfo {
+    const char* const name;
+    using GetterCallback = void(*)(const v8::PropertyCallbackInfo<v8::Value>&);
+    const GetterCallback getter;
+  } kAttributeInfoList[] = {
+    {##### Cross-origin attributes #####}
+    {##### TODO(dcheng): Should another layer assert that should_be_exposed_to_script is true and  world_suffixes == ['']? #####}
+    {% for attribute in attributes if attribute.has_cross_origin_getter %}
+    {##### TODO(dcheng): error out on attribute.has_custom_getter and attribute.constructor_type? #####}

[dcheng, 2016/11/02 01:46:42]

For all these TODOs, I'm open to the best way to proceed.

The current attributes / methods that are exposed cross-origin don't need to use
the complexity of per-world bindings or custom getters or constructor types.
Should we enforce this by making v8_attributes.py raise an exception if there
are attributes we don't support? Or is it OK to just let it fail later on when
it tries to compile the generated code?

+    {"{{attribute.name}}", &{{cpp_class}}V8Internal::{{attribute.name}}AttributeGetter},
+    {% endfor %}
+    {##### Cross-origin methods #####}
+    {##### TODO(dcheng): Should another layer assert that method.visible is true? #####}
+    {% for method in methods if method.is_cross_origin %}
+    {"{{method.name}}", &{{cpp_class}}V8Internal::{{method.name}}CrossOriginMethodGetter},
+    {% endfor %}
+  };
+
+  for (const auto& attribute: kAttributeInfoList) {
+    if (propertyName == attribute.name) {
+      attribute.getter(info);
+      return;
+    }
+  }
+
+  {% if named_property_getter and named_property_getter.is_cross_origin %}
+  {% if named_property_getter.is_custom %}
+  {{v8_class}}::namedPropertyGetterCustom(propertyName, info);
+  {% else %}
+  {{cpp_class}}V8Internal::namedPropertyGetter(propertyName, info);
+  {% endif %}
+  {% endif %}
+}
+{% endif %}
+
+{% if has_cross_origin_named_setter %}
+void crossOriginNamedSetter(v8::Local<v8::Name> name, v8::Local<v8::Value> value, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  if (!name->IsString())
+    return;
+  const AtomicString& propertyName = toCoreAtomicString(name.As<v8::String>());
+
+  // TODO(dcheng): Can we / should we use AtomicString here? That means using DEFINE_STATIC_LOCAL here.
+  static const struct AttributeInfo {
+    const char* const name;
+    using SetterCallback = void(*)(v8::Local<v8::Value>, const V8CrossOriginSetterInfo&);
+    const SetterCallback setter;
+  } kAttributeInfoList[] = {
+    {##### Cross-origin attributes #####}
+    {##### TODO(dcheng): Should another layer assert that should_be_exposed_to_script is true and world_suffixes == ['']? #####}
+    {% for attribute in attributes if attribute.has_cross_origin_setter %}
+    {##### TODO(dcheng): error out on attribute.has_custom_setter? #####}
+    {"{{attribute.name}}", &{{cpp_class}}V8Internal::{{attribute.name}}AttributeSetter},
+    {% endfor %}
+  };
+
+  for (const auto& attribute: kAttributeInfoList) {
+    if (propertyName == attribute.name) {
+      attribute.setter(value, V8CrossOriginSetterInfo(info.GetIsolate(), info.Holder()));
+      return;
+    }
+  }
+}
+{% endif %}
+
+{% if has_cross_origin_indexed_getter %}
+void crossOriginIndexedGetter(uint32_t index, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  {% if indexed_property_getter.is_custom %}
+  {{v8_class}}::indexedPropertyGetterCustom(index, info);
+  {% else %}
+  {{cpp_class}}V8Internal::indexedPropertyGetter(index, info);
+  {% endif %}
+}
+{% endif %}
+
+{% endif %}
+{% endblock %}
+{##############################################################################}
 } // namespace {{cpp_class_or_partial}}V8Internal
 
 {% block visit_dom_wrapper %}{% endblock %}
 {##############################################################################}
 {% block install_attributes %}
 {% from 'attributes.cpp.tmpl' import attribute_configuration with context %}
 {% if attributes | has_attribute_configuration %}
 // Suppress warning: global constructors, because AttributeConfiguration is trivial
 // and does not depend on another global objects.
 #if defined(COMPONENT_BUILD) && defined(WIN32) && COMPILER(CLANG)
@@ skipping 89 matching lines @@
   {% endif %}
   {% if attributes | has_accessor_configuration %}
   V8DOMConfiguration::installAccessors(isolate, world, instanceTemplate, prototypeTemplate, interfaceTemplate, signature, {{'%sAccessors' % v8_class}}, {{'WTF_ARRAY_LENGTH(%sAccessors)' % v8_class}});
   {% endif %}
   {% if methods | has_method_configuration(is_partial) %}
   V8DOMConfiguration::installMethods(isolate, world, instanceTemplate, prototypeTemplate, interfaceTemplate, signature, {{'%sMethods' % v8_class}}, {{'WTF_ARRAY_LENGTH(%sMethods)' % v8_class}});
   {% endif %}
   {% endfilter %}
   {%- if has_access_check_callbacks and not is_partial %}{{newline}}
   // Cross-origin access check
-  instanceTemplate->SetAccessCheckCallback({{cpp_class}}V8Internal::securityCheck, v8::External::New(isolate, const_cast<WrapperTypeInfo*>(&{{v8_class}}::wrapperTypeInfo)));
+  {% set cross_origin_named_getter = '%sV8Internal::crossOriginNamedGetter' % cpp_class if has_cross_origin_named_getter else 'nullptr' %}
+  {% set cross_origin_named_setter = '%sV8Internal::crossOriginNamedSetter' % cpp_class if has_cross_origin_named_setter else 'nullptr' %}
+  {% set cross_origin_indexed_getter = '%sV8Internal::crossOriginIndexedGetter' % cpp_class if has_cross_origin_indexed_getter else 'nullptr' %}
+  instanceTemplate->SetAccessCheckCallbackAndHandler({{cpp_class}}V8Internal::securityCheck, v8::NamedPropertyHandlerConfiguration({{cross_origin_named_getter}}, {{cross_origin_named_setter}}), v8::IndexedPropertyHandlerConfiguration({{cross_origin_indexed_getter}}), v8::External::New(isolate, const_cast<WrapperTypeInfo*>(&{{v8_class}}::wrapperTypeInfo)));
   {% endif %}
 
   {%- for group in attributes | purely_runtime_enabled_attributes | groupby('runtime_feature_name') %}{{newline}}
   if ({{group.list[0].runtime_enabled_function}}()) {
     {% for attribute in group.list | unique_by('name') | sort %}
     {% if attribute.is_data_type_property %}
     const V8DOMConfiguration::AttributeConfiguration attribute{{attribute.name}}Configuration = {{attribute_configuration(attribute)}};
     V8DOMConfiguration::installAttribute(isolate, world, instanceTemplate, prototypeTemplate, attribute{{attribute.name}}Configuration);
     {% else %}
     const V8DOMConfiguration::AccessorConfiguration accessor{{attribute.name}}Configuration = {{attribute_configuration(attribute)}};
@@ skipping 36 matching lines @@
   instanceTemplate->MarkAsUndetectable();
   {% endif %}
 
   {%- if methods | custom_registration(is_partial) %}{{newline}}
   {% for method in methods | custom_registration(is_partial) %}
   {# install_custom_signature #}
   {% filter exposed(method.overloads.exposed_test_all
                     if method.overloads else method.exposed_test) %}
   {% filter runtime_enabled(method.overloads.runtime_enabled_function_all
                             if method.overloads else method.runtime_enabled_function) %}
-  {% if method.is_do_not_check_security %}
-  {{install_do_not_check_security_method(method, '', 'instanceTemplate', 'prototypeTemplate') | indent(2)}}
-  {% else %}
   {{install_custom_signature(method, 'instanceTemplate', 'prototypeTemplate', 'interfaceTemplate', 'signature') | indent(2)}}
-  {% endif %}
   {% endfilter %}
   {% endfilter %}
   {% endfor %}
   {% endif %}
 }
 
 {% endif %}{# not is_array_buffer_or_view #}
 {% endblock %}
 {##############################################################################}
 {% block origin_trials %}
@@ skipping 62 matching lines @@
 {% for attribute in attributes if attribute.is_implemented_in_private_script %}
 {{attribute_getter_implemented_in_private_script(attribute)}}
 {% if attribute.has_setter %}
 {{attribute_setter_implemented_in_private_script(attribute)}}
 {% endif %}
 {% endfor %}
 {% block partial_interface %}{% endblock %}
 }  // namespace blink
 
 {% endfilter %}{# format_blink_cpp_source_code #}