Re-enable Object.observe and add enforcement for security invariants.

src/object-observe.js

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 "use strict";
 
 // Overview:
 //
 // This file contains all of the routing and accounting for Object.observe.
 // User code will interact with these mechanisms via the Object.observe APIs
@@ skipping 382 matching lines @@
 }
 
 function ObserverEnqueueIfActive(observer, objectInfo, changeRecord,
                                  needsAccessCheck) {
   if (!ObserverIsActive(observer, objectInfo) ||
       !TypeMapHasType(ObserverGetAcceptTypes(observer), changeRecord.type)) {
     return;
   }
 
   var callback = ObserverGetCallback(observer);
-  if (needsAccessCheck &&
-      // Drop all splice records on the floor for access-checked objects
-      (changeRecord.type == 'splice' ||
-       !%IsAccessAllowedForObserver(
-           callback, changeRecord.object, changeRecord.name))) {
+  if (needsAccessCheck && !%IsAccessAllowedForObserver(callback,
+                                                       changeRecord.object,
+                                                       changeRecord)) {
     return;
   }
 
   var callbackInfo = CallbackInfoNormalize(callback);
   if (IS_NULL(GetPendingObservers())) {
     SetPendingObservers(nullProtoObject())
     GetMicrotaskQueue().push(ObserveMicrotaskRunner);
     %SetMicrotaskPending(true);
   }
   GetPendingObservers()[callbackInfo.priority] = callback;
   callbackInfo.push(changeRecord);
 }
 
 function ObjectInfoEnqueueExternalChangeRecord(objectInfo, changeRecord, type) {
   if (!ObjectInfoHasActiveObservers(objectInfo))
     return;
 
   var hasType = !IS_UNDEFINED(type);
   var newRecord = hasType ?
       { object: ObjectInfoGetObject(objectInfo), type: type } :
       { object: ObjectInfoGetObject(objectInfo) };
 
   for (var prop in changeRecord) {
     if (prop === 'object' || (hasType && prop === 'type')) continue;
     %DefineOrRedefineDataProperty(newRecord, prop, changeRecord[prop],
         READ_ONLY + DONT_DELETE);
   }
   ObjectFreeze(newRecord);
 
-  ObjectInfoEnqueueInternalChangeRecord(objectInfo, newRecord,
-                                        true /* skip access check */);
+  ObjectInfoEnqueueInternalChangeRecord(objectInfo, newRecord);
 }
 
-function ObjectInfoEnqueueInternalChangeRecord(objectInfo, changeRecord,
-                                               skipAccessCheck) {
+function ObjectInfoEnqueueInternalChangeRecord(objectInfo, changeRecord) {
   // TODO(rossberg): adjust once there is a story for symbols vs proxies.
   if (IS_SYMBOL(changeRecord.name)) return;
 
-  var needsAccessCheck = !skipAccessCheck &&
-      %IsAccessCheckNeeded(changeRecord.object);
+  var needsAccessCheck = %IsAccessCheckNeeded(changeRecord.object);

[rossberg, 2014/04/30 11:28:32]

I believe you always need to do the same-origin check. As Dan suggests, this
runtime function should go.

[rafaelw, 2014/05/02 03:22:32]

Done.

 
   if (ChangeObserversIsOptimized(objectInfo.changeObservers)) {
     var observer = objectInfo.changeObservers;
     ObserverEnqueueIfActive(observer, objectInfo, changeRecord,
                             needsAccessCheck);
     return;
   }
 
   for (var priority in objectInfo.changeObservers) {
     var observer = objectInfo.changeObservers[priority];
@@ skipping 97 matching lines @@
   if (IS_SPEC_OBJECT(changeRecord))
     ObjectInfoEnqueueExternalChangeRecord(objectInfo, changeRecord, changeType);
 }
 
 function ObjectGetNotifier(object) {
   if (!IS_SPEC_OBJECT(object))
     throw MakeTypeError("observe_non_object", ["getNotifier"]);
 
   if (ObjectIsFrozen(object)) return null;
 
+  if (!%ObjectWasCreatedInCurrentOrigin(object)) return null;
+
   var objectInfo = ObjectInfoGetOrCreate(object);
   return ObjectInfoGetNotifier(objectInfo);
 }
 
 function CallbackDeliverPending(callback) {
   var callbackInfo = GetCallbackInfoMap().get(callback);
   if (IS_UNDEFINED(callbackInfo) || IS_NUMBER(callbackInfo))
     return false;
 
   // Clear the pending change records from callback and return it to its
@@ skipping 41 matching lines @@
   InstallFunctions($Array, DONT_ENUM, $Array(
     "observe", ArrayObserve,
     "unobserve", ArrayUnobserve
   ));
   InstallFunctions(notifierPrototype, DONT_ENUM, $Array(
     "notify", ObjectNotifierNotify,
     "performChange", ObjectNotifierPerformChange
   ));
 }
 
-// Disable Object.observe API for M35.
-// SetupObjectObserve();
+SetupObjectObserve();