Bindings: perform security check before downcasting to LocalDOMWindow.

third_party/WebKit/Source/web/tests/WebFrameTest.cpp

 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 8452 matching lines @@
     registerMockedHttpURLLoad("subframe-a.html");
     registerMockedHttpURLLoad("subframe-b.html");
     registerMockedHttpURLLoad("subframe-c.html");
     registerMockedHttpURLLoad("subframe-hello.html");
 
     m_webViewHelper.initializeAndLoad(m_baseURL + "frame-a-b-c.html", true);
   }
 
   void reset() { m_webViewHelper.reset(); }
   WebFrame* mainFrame() const { return m_webViewHelper.webView()->mainFrame(); }
-  WebView* webView() const { return m_webViewHelper.webView(); }
+  WebViewImpl* webView() const { return m_webViewHelper.webView(); }
 
  private:
   FrameTestHelpers::WebViewHelper m_webViewHelper;
 };
 
 TEST_F(WebFrameSwapTest, SwapMainFrame) {
   WebRemoteFrame* remoteFrame =
       WebRemoteFrame::create(WebTreeScopeType::Document, nullptr);
   mainFrame()->swap(remoteFrame);
 
@@ skipping 325 matching lines @@
   v8::Local<v8::Value> localWindowTop =
       mainFrame()->executeScriptAndReturnValue(WebScriptSource(
           "document.querySelector('#frame2').contentWindow.top;"));
   EXPECT_TRUE(windowTop->StrictEquals(localWindowTop));
 
   // Manually reset to break WebViewHelper's dependency on the stack allocated
   // TestWebFrameClient.
   reset();
 }
 
+TEST_F(WebFrameSwapTest, SetTimeoutAfterSwap) {
+  v8::Isolate* isolate = v8::Isolate::GetCurrent();
+  v8::HandleScope scope(isolate);
+  mainFrame()->executeScript(
+      WebScriptSource("savedSetTimeout = window[0].setTimeout"));
+
+  // Swap the frame to a remote frame.
+  FrameTestHelpers::TestWebRemoteFrameClient remoteClient;
+  WebRemoteFrame* remoteFrame = remoteClient.frame();
+  WebFrame* targetFrame = mainFrame()->firstChild();
+  targetFrame->swap(remoteFrame);
+  remoteFrame->setReplicatedOrigin(SecurityOrigin::createUnique());
+
+  // Invoking setTimeout should throw a security error.
+  {
+    v8::Local<v8::Value> exception = mainFrame()->executeScriptAndReturnValue(
+        WebScriptSource("try {\n"
+                        "  savedSetTimeout.call(window[0], () => {}, 0);\n"
+                        "} catch (e) { e; }"));
+    ASSERT_TRUE(!exception.IsEmpty());
+    EXPECT_EQ(
+        "SecurityError: Failed to execute 'setTimeout' on 'Window': Blocked a "
+        "frame with origin \"http://internal.test\" from accessing a "
+        "cross-origin frame.",
+        toCoreString(exception
+                         ->ToString(ScriptState::forMainWorld(
+                                        webView()->mainFrameImpl()->frame())
+                                        ->context())
+                         .ToLocalChecked()));
+  }
+
+  reset();
+}
+
 TEST_F(WebFrameSwapTest, SwapInitializesGlobal) {
   v8::HandleScope scope(v8::Isolate::GetCurrent());
 
   v8::Local<v8::Value> windowTop =
       mainFrame()->executeScriptAndReturnValue(WebScriptSource("window"));
   ASSERT_TRUE(windowTop->IsObject());
 
   v8::Local<v8::Value> lastChild = mainFrame()->executeScriptAndReturnValue(
       WebScriptSource("saved = window[2]"));
   ASSERT_TRUE(lastChild->IsObject());
@@ skipping 2508 matching lines @@
 
   EXPECT_TRUE(mainFrameClient.childClient().didCallFrameDetached());
   EXPECT_TRUE(mainFrameClient.childClient().didCallDidStopLoading());
   EXPECT_TRUE(mainFrameClient.childClient().didCallDidFinishDocumentLoad());
   EXPECT_TRUE(mainFrameClient.childClient().didCallDidHandleOnloadEvents());
 
   webViewHelper.reset();
 }
 
 }  // namespace blink