Implement cross-origin attributes using access check interceptors.

third_party/WebKit/Source/bindings/templates/interface_base.cpp.tmpl

 {% filter format_blink_cpp_source_code %}
 
 {% include 'copyright_block.txt' %}
 #include "{{v8_class_or_partial}}.h"
 
 {% for filename in cpp_includes if filename != '%s.h' % cpp_class_or_partial %}
 #include "{{filename}}"
 {% endfor %}
 
 namespace blink {
@@ skipping 103 matching lines @@
 {% endif %}
 {% if attribute.has_setter %}
 {% if not attribute.has_custom_setter %}
 {{attribute_setter(attribute, world_suffix)}}
 {% endif %}
 {{attribute_setter_callback(attribute, world_suffix)}}
 {% endif %}
 {% endfor %}
 {% endfor %}
 {##############################################################################}
-{% block security_check_functions %}
-{% if has_access_check_callbacks and not is_partial %}
-bool securityCheck(v8::Local<v8::Context> accessingContext, v8::Local<v8::Object> accessedObject, v8::Local<v8::Value> data) {
-  {% if interface_name == 'Window' %}
-  v8::Isolate* isolate = v8::Isolate::GetCurrent();
-  v8::Local<v8::Object> window = V8Window::findInstanceInPrototypeChain(accessedObject, isolate);
-  if (window.IsEmpty())
-    return false; // the frame is gone.
-
-  const DOMWindow* targetWindow = V8Window::toImpl(window);
-  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), targetWindow, BindingSecurity::ErrorReportOption::DoNotReport);
-  {% else %}{# if interface_name == 'Window' #}
-  {# Not 'Window' means it\'s Location. #}
-  {{cpp_class}}* impl = {{v8_class}}::toImpl(accessedObject);
-  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), impl, BindingSecurity::ErrorReportOption::DoNotReport);
-  {% endif %}{# if interface_name == 'Window' #}
-}
-
-{% endif %}
-{% endblock %}
-{##############################################################################}
 {# Methods #}
 {% from 'methods.cpp.tmpl' import generate_method, overload_resolution_method,
        method_callback, origin_safe_method_getter, generate_constructor,
        method_implemented_in_private_script, generate_post_message_impl,
        runtime_determined_length_method, runtime_determined_maxarg_method
        with context %}
 {% for method in methods if method.should_be_exposed_to_script %}
 {% for world_suffix in method.world_suffixes %}
 {% if not method.is_custom and not method.is_post_message and method.visible %}
 {{generate_method(method, world_suffix)}}
@@ skipping 14 matching lines @@
 {# Document about the following condition: #}
 {# https://docs.google.com/document/d/1qBC7Therp437Jbt_QYAtNYMZs6zQ_7_tnMkNUG_ACqs/edit?usp=sharing #}
 {% if (method.overloads and method.overloads.visible and
        (not method.overloads.has_partial_overloads or not is_partial)) or
       (not method.overloads and method.visible) %}
 {# A single callback is generated for overloaded methods #}
 {# with considering partial overloads #}
 {{method_callback(method, world_suffix)}}
 {% endif %}
 {% endif %}
-{% if method.is_do_not_check_security and method.visible %}
+{% if method.is_cross_origin and method.visible %}
 {{origin_safe_method_getter(method, world_suffix)}}
 {% endif %}
 {% endfor %}
 {% endfor %}
 {% if iterator_method %}
 {{generate_method(iterator_method)}}
 {{method_callback(iterator_method)}}
 {% endif %}
 {% block origin_safe_method_setter %}{% endblock %}
 {# Constructors #}
@@ skipping 12 matching lines @@
 {% block named_property_query %}{% endblock %}
 {% block named_property_query_callback %}{% endblock %}
 {% block named_property_enumerator %}{% endblock %}
 {% block named_property_enumerator_callback %}{% endblock %}
 {% block indexed_property_getter %}{% endblock %}
 {% block indexed_property_getter_callback %}{% endblock %}
 {% block indexed_property_setter %}{% endblock %}
 {% block indexed_property_setter_callback %}{% endblock %}
 {% block indexed_property_deleter %}{% endblock %}
 {% block indexed_property_deleter_callback %}{% endblock %}
+{##############################################################################}
+{% block security_check_functions %}
+{% if has_access_check_callbacks and not is_partial %}
+bool securityCheck(v8::Local<v8::Context> accessingContext, v8::Local<v8::Object> accessedObject, v8::Local<v8::Value> data) {
+  {% if interface_name == 'Window' %}
+  v8::Isolate* isolate = v8::Isolate::GetCurrent();
+  v8::Local<v8::Object> window = V8Window::findInstanceInPrototypeChain(accessedObject, isolate);
+  if (window.IsEmpty())
+    return false; // the frame is gone.
+
+  const DOMWindow* targetWindow = V8Window::toImpl(window);
+  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), targetWindow, BindingSecurity::ErrorReportOption::DoNotReport);
+  {% else %}{# if interface_name == 'Window' #}
+  {# Not 'Window' means it\'s Location. #}
+  {{cpp_class}}* impl = {{v8_class}}::toImpl(accessedObject);
+  return BindingSecurity::shouldAllowAccessTo(toLocalDOMWindow(toDOMWindow(accessingContext)), impl, BindingSecurity::ErrorReportOption::DoNotReport);
+  {% endif %}{# if interface_name == 'Window' #}
+}
+
+{% if has_cross_origin_named_getter %}
+// TODO(dcheng): Can we / should we use AtomicString here? That means using DEFINE_STATIC_LOCAL here.
+static const struct {
+  const char* const name;
+  using GetterCallback = void(*)(const v8::PropertyCallbackInfo<v8::Value>&);
+  const GetterCallback getter;
+} kCrossOriginGetterAttributeInfoList[] = {
+  {##### Cross-origin attributes #####}
+  {% for attribute in attributes if attribute.has_cross_origin_getter %}
+  {"{{attribute.name}}", &{{cpp_class}}V8Internal::{{attribute.name}}AttributeGetter},
+  {% endfor %}
+  {##### Cross-origin methods #####}
+  {% for method in methods if method.is_cross_origin %}
+  {"{{method.name}}", &{{cpp_class}}V8Internal::{{method.name}}OriginSafeMethodGetter},
+  {% endfor %}
+};
+
+void crossOriginNamedGetter(v8::Local<v8::Name> name, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  if (!name->IsString())
+    return;
+  const AtomicString& propertyName = toCoreAtomicString(name.As<v8::String>());
+
+  for (const auto& attribute: kCrossOriginGetterAttributeInfoList) {
+    if (propertyName == attribute.name) {
+      attribute.getter(info);
+      return;
+    }
+  }
+
+  {% if named_property_getter and named_property_getter.is_cross_origin %}
+  {% if named_property_getter.is_custom %}
+  {{v8_class}}::namedPropertyGetterCustom(propertyName, info);
+  {% else %}
+  {{cpp_class}}V8Internal::namedPropertyGetter(propertyName, info);
+  {% endif %}
+  {% else %}
+  BindingSecurity::failedAccessCheckFor(
+      info.GetIsolate(),
+      {{v8_class}}::toImpl(info.Holder())->frame());
+  {% endif %}
+}
+{% endif %}
+
+{% if has_cross_origin_named_setter %}
+// TODO(dcheng): Can we / should we use AtomicString here? That means using DEFINE_STATIC_LOCAL here.
+static const struct {
+  const char* const name;
+  using SetterCallback = void(*)(v8::Local<v8::Value>, const V8CrossOriginSetterInfo&);
+  const SetterCallback setter;
+} kCrossOriginSetterAttributeInfoList[] = {
+  {##### Cross-origin attributes #####}
+  {% for attribute in attributes if attribute.has_cross_origin_setter %}
+  {"{{attribute.name}}", &{{cpp_class}}V8Internal::{{attribute.name}}AttributeSetter},
+  {% endfor %}
+};
+
+void crossOriginNamedSetter(v8::Local<v8::Name> name, v8::Local<v8::Value> value, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  if (!name->IsString())
+    return;
+  const AtomicString& propertyName = toCoreAtomicString(name.As<v8::String>());
+
+  for (const auto& attribute: kCrossOriginSetterAttributeInfoList) {
+    if (propertyName == attribute.name) {
+      attribute.setter(value, V8CrossOriginSetterInfo(info.GetIsolate(), info.Holder()));
+      return;
+    }
+  }
+
+  BindingSecurity::failedAccessCheckFor(
+      info.GetIsolate(),
+      {{v8_class}}::toImpl(info.Holder())->frame());
+}
+{% endif %}
+
+{% if has_cross_origin_named_getter %}
+void crossOriginNamedEnumerator(const v8::PropertyCallbackInfo<v8::Array>& info) {
+  HashSet<String> names;
+  for (const auto& attribute : kCrossOriginGetterAttributeInfoList)
+    names.add(attribute.name);
+  for (const auto& attribute : kCrossOriginSetterAttributeInfoList)
+    names.add(attribute.name);
+
+  v8SetReturnValue(
+      info,
+      toV8SequenceInternal(

[dcheng, 2016/12/07 08:19:08]

This isn't very nice, but there's no easy way to convert a hash set to an array
right now.

Currently, the HashSet is used, because there might be duplicates between the
getter / setter table. This is a hack though; my plan is to combine this into
one list.

[Yuki, 2016/12/07 12:03:40]

nit: I think the code generator can pre-computes everything and generates a list
of names.  We don't need much runtime code.

+          names, info.Holder(), info.GetIsolate()).As<v8::Array>());
+}
+{% endif %}
+
+{% if has_cross_origin_indexed_getter %}
+void crossOriginIndexedGetter(uint32_t index, const v8::PropertyCallbackInfo<v8::Value>& info) {
+  {% if indexed_property_getter.is_custom %}
+  {{v8_class}}::indexedPropertyGetterCustom(index, info);
+  {% else %}
+  {{cpp_class}}V8Internal::indexedPropertyGetter(index, info);
+  {% endif %}
+}
+{% endif %}
+
+{% endif %}
+{% endblock %}
+{##############################################################################}
 } // namespace {{cpp_class_or_partial}}V8Internal
 
 {% block visit_dom_wrapper %}{% endblock %}
 {##############################################################################}
 {% block install_attributes %}
 {% from 'attributes.cpp.tmpl' import attribute_configuration with context %}
 {% if attributes | has_attribute_configuration %}
 // Suppress warning: global constructors, because AttributeConfiguration is trivial
 // and does not depend on another global objects.
 #if defined(COMPONENT_BUILD) && defined(WIN32) && COMPILER(CLANG)
@@ skipping 121 matching lines @@
   {% endif %}
   {% if attributes | has_accessor_configuration %}
   V8DOMConfiguration::installAccessors(isolate, world, instanceTemplate, prototypeTemplate, interfaceTemplate, signature, {{'%sAccessors' % v8_class}}, {{'WTF_ARRAY_LENGTH(%sAccessors)' % v8_class}});
   {% endif %}
   {% if methods | has_method_configuration(is_partial) %}
   V8DOMConfiguration::installMethods(isolate, world, instanceTemplate, prototypeTemplate, interfaceTemplate, signature, {{'%sMethods' % v8_class}}, {{'WTF_ARRAY_LENGTH(%sMethods)' % v8_class}});
   {% endif %}
   {% endfilter %}
   {%- if has_access_check_callbacks and not is_partial %}{{newline}}
   // Cross-origin access check
-  instanceTemplate->SetAccessCheckCallback({{cpp_class}}V8Internal::securityCheck, v8::External::New(isolate, const_cast<WrapperTypeInfo*>(&{{v8_class}}::wrapperTypeInfo)));
+  {% set cross_origin_named_getter = '%sV8Internal::crossOriginNamedGetter' % cpp_class if has_cross_origin_named_getter else 'nullptr' %}
+  {% set cross_origin_named_setter = '%sV8Internal::crossOriginNamedSetter' % cpp_class if has_cross_origin_named_setter else 'nullptr' %}
+  {# TODO(dcheng): This seems a bit bogus. #}
+  {% set cross_origin_named_enumerator = '%sV8Internal::crossOriginNamedEnumerator' % cpp_class if has_cross_origin_named_getter else 'nullptr' %}
+  {% set cross_origin_indexed_getter = '%sV8Internal::crossOriginIndexedGetter' % cpp_class if has_cross_origin_indexed_getter else 'nullptr' %}
+  instanceTemplate->SetAccessCheckCallbackAndHandler({{cpp_class}}V8Internal::securityCheck, v8::NamedPropertyHandlerConfiguration({{cross_origin_named_getter}}, {{cross_origin_named_setter}}, nullptr, nullptr, {{cross_origin_named_enumerator}}), v8::IndexedPropertyHandlerConfiguration({{cross_origin_indexed_getter}}), v8::External::New(isolate, const_cast<WrapperTypeInfo*>(&{{v8_class}}::wrapperTypeInfo)));
   {% endif %}
 
   {%- for group in attributes | purely_runtime_enabled_attributes | groupby('runtime_feature_name') %}{{newline}}
   if ({{group.list[0].runtime_enabled_function}}()) {
     {% for attribute in group.list | unique_by('name') | sort %}
     {% if attribute.is_data_type_property %}
     const V8DOMConfiguration::AttributeConfiguration attribute{{attribute.name}}Configuration = {{attribute_configuration(attribute)}};
     V8DOMConfiguration::installAttribute(isolate, world, instanceTemplate, prototypeTemplate, attribute{{attribute.name}}Configuration);
     {% else %}
     const V8DOMConfiguration::AccessorConfiguration accessor{{attribute.name}}Configuration = {{attribute_configuration(attribute)}};
@@ skipping 38 matching lines @@
   instanceTemplate->MarkAsUndetectable();
   {% endif %}
 
   {%- if methods | custom_registration(is_partial) %}{{newline}}
   {% for method in methods | custom_registration(is_partial) %}
   {# install_custom_signature #}
   {% filter exposed(method.overloads.exposed_test_all
                     if method.overloads else method.exposed_test) %}
   {% filter runtime_enabled(method.overloads.runtime_enabled_function_all
                             if method.overloads else method.runtime_enabled_function) %}
-  {% if method.is_do_not_check_security %}
-  {{install_do_not_check_security_method(method, '', 'instanceTemplate', 'prototypeTemplate') | indent(2)}}
+  {% if method.is_cross_origin %}
+  {# TODO(dcheng): This shouldn't be necessary with cross-origin interceptors,
+     but v8 doesn't support querying the incumbent context. For now, always
+     incorrectly create per-realm representations. #}
+  {{install_origin_safe_method(method, '', 'instanceTemplate', 'prototypeTemplate') | indent(2)}}
   {% else %}
   {{install_custom_signature(method, 'instanceTemplate', 'prototypeTemplate', 'interfaceTemplate', 'signature') | indent(2)}}
   {% endif %}
   {% endfilter %}
   {% endfilter %}
   {% endfor %}
   {% endif %}
 }
 
 {% endif %}{# not is_array_buffer_or_view #}
@@ skipping 65 matching lines @@
 {% for attribute in attributes if attribute.is_implemented_in_private_script %}
 {{attribute_getter_implemented_in_private_script(attribute)}}
 {% if attribute.has_setter %}
 {{attribute_setter_implemented_in_private_script(attribute)}}
 {% endif %}
 {% endfor %}
 {% block partial_interface %}{% endblock %}
 }  // namespace blink
 
 {% endfilter %}{# format_blink_cpp_source_code #}