set isolated world security origins

Source/bindings/v8/V8WindowShell.cpp

 /*
  * Copyright (C) 2008, 2009, 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 212 matching lines @@
 
     if (m_world->isMainWorld()) {
         updateDocument();
         if (m_frame->document()) {
             setSecurityToken(m_frame->document()->securityOrigin());
             ContentSecurityPolicy* csp = m_frame->document()->contentSecurityPolicy();
             context->AllowCodeGenerationFromStrings(csp->allowEval(0, ContentSecurityPolicy::SuppressReport));
             context->SetErrorMessageForCodeGenerationFromStrings(v8String(m_isolate, csp->evalDisabledErrorMessage()));
         }
     } else {
-        // Using the default security token means that the canAccess is always
-        // called, which is slow.
-        // FIXME: Use tokens where possible. This will mean keeping track of all
-        //        created contexts so that they can all be updated when the
-        //        document domain
-        //        changes.
-        context->UseDefaultSecurityToken();
-
         SecurityOrigin* origin = m_world->isolatedWorldSecurityOrigin();
+        setSecurityToken(origin);
         if (origin && InspectorInstrumentation::hasFrontends()) {
             InspectorInstrumentation::didCreateIsolatedContext(m_frame, ScriptState::current(m_isolate), origin);
         }
     }
     m_frame->loader().client()->didCreateScriptContext(context, m_world->extensionGroup(), m_world->worldId());
     return true;
 }
 
 void V8WindowShell::createContext()
 {
@@ skipping 117 matching lines @@
 {
     ASSERT(isContextInitialized());
     if (!m_world->isMainWorld())
         return;
     v8::HandleScope handleScope(m_isolate);
     m_scriptState->context()->Global()->ForceDelete(v8AtomicString(m_isolate, "document"));
 }
 
 void V8WindowShell::setSecurityToken(SecurityOrigin* origin)
 {
-    ASSERT(m_world->isMainWorld());
     // If two tokens are equal, then the SecurityOrigins canAccess each other.
     // If two tokens are not equal, then we have to call canAccess.
     // Note: we can't use the HTTPOrigin if it was set from the DOM.
     String token;
     // We stick with an empty token if document.domain was modified or if we
     // are in the initial empty document, so that we can do a full canAccess
     // check in those cases.
-    if (!origin->domainWasSetInDOM()
-        && !m_frame->loader().stateMachine()->isDisplayingInitialEmptyDocument())
+    bool delaySet = m_world->isMainWorld()
+        && (origin->domainWasSetInDOM()
+            || m_frame->loader().stateMachine()->isDisplayingInitialEmptyDocument());
+    if (origin && !delaySet)
         token = origin->toString();
 
     // An empty or "null" token means we always have to call
     // canAccess. The toString method on securityOrigins returns the
     // string "null" for empty security origins and for security
     // origins that should only allow access to themselves. In this
     // case, we use the global object as the security token to avoid
     // calling canAccess when a script accesses its own objects.
     v8::HandleScope handleScope(m_isolate);
     v8::Handle<v8::Context> context = m_scriptState->context();
@@ skipping 90 matching lines @@
 
 void V8WindowShell::updateSecurityOrigin(SecurityOrigin* origin)
 {
     ASSERT(m_world->isMainWorld());
     if (!isContextInitialized())
         return;
     setSecurityToken(origin);
 }
 
 } // WebCore