Rework security checks to be based on Window rather than Frame.

third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 23 matching lines @@
 #include "bindings/core/v8/ScriptValue.h"
 #include "bindings/core/v8/ScriptWrappableVisitor.h"
 #include "bindings/core/v8/SourceLocation.h"
 #include "bindings/core/v8/UseCounterCallback.h"
 #include "bindings/core/v8/V8Binding.h"
 #include "bindings/core/v8/V8DOMException.h"
 #include "bindings/core/v8/V8ErrorEvent.h"
 #include "bindings/core/v8/V8ErrorHandler.h"
 #include "bindings/core/v8/V8GCController.h"
 #include "bindings/core/v8/V8IdleTaskRunner.h"
-#include "bindings/core/v8/V8Location.h"
 #include "bindings/core/v8/V8PerContextData.h"
 #include "bindings/core/v8/V8PrivateProperty.h"
-#include "bindings/core/v8/V8Window.h"
 #include "bindings/core/v8/WorkerOrWorkletScriptController.h"
 #include "core/dom/Document.h"
 #include "core/frame/LocalDOMWindow.h"
-#include "core/frame/LocalFrame.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/inspector/MainThreadDebugger.h"
 #include "core/workers/WorkerGlobalScope.h"
 #include "platform/EventDispatchForbiddenScope.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/instrumentation/tracing/TraceEvent.h"
 #include "platform/loader/fetch/AccessControlStatus.h"
 #include "platform/weborigin/SecurityViolationReportingPolicy.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebScheduler.h"
 #include "public/platform/WebThread.h"
 #include "v8/include/v8-debug.h"
 #include "v8/include/v8-profiler.h"
 #include "wtf/AddressSanitizer.h"
 #include "wtf/Assertions.h"
 #include "wtf/PtrUtil.h"
 #include "wtf/RefPtr.h"
 #include "wtf/text/WTFString.h"
 #include "wtf/typed_arrays/ArrayBufferContents.h"
 
 namespace blink {
 
-static Frame* findFrame(v8::Isolate* isolate,
-                        v8::Local<v8::Object> host,
-                        v8::Local<v8::Value> data) {
-  const WrapperTypeInfo* type = WrapperTypeInfo::unwrap(data);
-
-  if (V8Window::wrapperTypeInfo.equals(type)) {
-    v8::Local<v8::Object> windowWrapper =
-        V8Window::findInstanceInPrototypeChain(host, isolate);
-    if (windowWrapper.IsEmpty())
-      return 0;
-    return V8Window::toImpl(windowWrapper)->frame();
-  }
-
-  if (V8Location::wrapperTypeInfo.equals(type))
-    return V8Location::toImpl(host)->frame();
-
-  // This function can handle only those types listed above.
-  ASSERT_NOT_REACHED();
-  return 0;
-}
-
 static void reportFatalErrorInMainThread(const char* location,
                                          const char* message) {
   int memoryUsageMB = Platform::current()->actualMemoryUsageMB();
   DVLOG(1) << "V8 error: " << message << " (" << location
            << ").  Current memory usage: " << memoryUsageMB << " MB";
   CRASH();
 }
 
 static void reportOOMErrorInMainThread(const char* location, bool isJsHeap) {
   int memoryUsageMB = Platform::current()->actualMemoryUsageMB();
@@ skipping 193 matching lines @@
       toWorkerGlobalScope(executionContext)->scriptController();
   ASSERT(scriptController);
 
   promiseRejectHandler(data, *scriptController->getRejectedPromises(),
                        scriptState);
 }
 
 static void failedAccessCheckCallbackInMainThread(v8::Local<v8::Object> host,
                                                   v8::AccessType type,
                                                   v8::Local<v8::Value> data) {
-  v8::Isolate* isolate = v8::Isolate::GetCurrent();
-  Frame* target = findFrame(isolate, host, data);
   // FIXME: We should modify V8 to pass in more contextual information (context,
   // property, and object).
-  BindingSecurity::failedAccessCheckFor(isolate, target);
+  BindingSecurity::failedAccessCheckFor(v8::Isolate::GetCurrent(),
+                                        WrapperTypeInfo::unwrap(data), host);

[haraken, 2017/03/07 08:53:57]

This host refers to a holder object, right? Maybe we should rename it to holder.

[dcheng, 2017/03/07 09:06:47]

Done.

 }
 
 static bool codeGenerationCheckCallbackInMainThread(
     v8::Local<v8::Context> context) {
   if (ExecutionContext* executionContext = toExecutionContext(context)) {
     if (ContentSecurityPolicy* policy =
             toDocument(executionContext)->contentSecurityPolicy())
       return policy->allowEval(ScriptState::from(context),
                                SecurityViolationReportingPolicy::Report,
                                ContentSecurityPolicy::WillThrowException);
@@ skipping 236 matching lines @@
           v8::Isolate::kMessageLog);
   isolate->SetFatalErrorHandler(reportFatalErrorInWorker);
 
   uint32_t here;
   isolate->SetStackLimit(reinterpret_cast<uintptr_t>(&here) -
                          kWorkerMaxStackSize);
   isolate->SetPromiseRejectCallback(promiseRejectHandlerInWorker);
 }
 
 }  // namespace blink