Add security checks to scheduled actions

third_party/WebKit/Source/bindings/core/v8/ScheduledAction.cpp

 /*
  * Copyright (C) 2007-2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 12 matching lines @@
  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "bindings/core/v8/ScheduledAction.h"
 
+#include "bindings/core/v8/BindingSecurity.h"
 #include "bindings/core/v8/ScriptController.h"
 #include "bindings/core/v8/ScriptSourceCode.h"
 #include "bindings/core/v8/SourceLocation.h"
 #include "bindings/core/v8/V8Binding.h"
 #include "bindings/core/v8/V8GCController.h"
 #include "bindings/core/v8/V8ScriptRunner.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/frame/LocalFrame.h"
 #include "core/workers/WorkerGlobalScope.h"
 #include "core/workers/WorkerThread.h"
 #include "platform/instrumentation/tracing/TraceEvent.h"
 
 namespace blink {
 
 ScheduledAction* ScheduledAction::create(ScriptState* scriptState,
+                                         ExecutionContext* target,

[haraken, 2017/02/21 13:10:20]

Is the target execution context different from
scriptState->getExecutionContext()?

[jochen (gone - plz use gerrit), 2017/02/21 13:13:02]

possibly - you could invoke setTimeout on a same-origin window

[haraken, 2017/02/21 13:23:10]

Ah, right.

Maybe would it be nicer to move the CHECK to
ScheduledAction::execute(ExecutionContext* context)? Then you have the target
execution context already. Also we already have a branch for the main thread.

                                          const ScriptValue& handler,
                                          const Vector<ScriptValue>& arguments) {
   ASSERT(handler.isFunction());
+  if (!scriptState->world().isWorkerWorld()) {
+    CHECK(BindingSecurity::shouldAllowAccessToFrame(
+        enteredDOMWindow(scriptState->isolate()), toDocument(target)->frame(),
+        BindingSecurity::ErrorReportOption::DoNotReport));
+  }
   return new ScheduledAction(scriptState, handler, arguments);
 }
 
 ScheduledAction* ScheduledAction::create(ScriptState* scriptState,
+                                         ExecutionContext* target,
                                          const String& handler) {
+  if (!scriptState->world().isWorkerWorld()) {
+    CHECK(BindingSecurity::shouldAllowAccessToFrame(
+        enteredDOMWindow(scriptState->isolate()), toDocument(target)->frame(),
+        BindingSecurity::ErrorReportOption::DoNotReport));
+  }
   return new ScheduledAction(scriptState, handler);
 }
 
 DEFINE_TRACE(ScheduledAction) {
   visitor->trace(m_code);
 }
 
 ScheduledAction::~ScheduledAction() {
   // Verify that owning DOMTimer has eagerly disposed.
   DCHECK(m_info.IsEmpty());
@@ skipping 109 matching lines @@
 }
 
 void ScheduledAction::createLocalHandlesForArgs(
     Vector<v8::Local<v8::Value>>* handles) {
   handles->reserveCapacity(m_info.Size());
   for (size_t i = 0; i < m_info.Size(); ++i)
     handles->push_back(m_info.Get(i));
 }
 
 }  // namespace blink