Blink bindings: use v8 to enforce method call access checks

third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl

 {% from 'utilities.cpp.tmpl' import declare_enum_validation_variable, v8_value_to_local_cpp_value %}
 
 {##############################################################################}
 {% macro generate_method(method, world_suffix) %}
 static void {{method.name}}{{method.overload_index}}Method{{world_suffix}}(const v8::FunctionCallbackInfo<v8::Value>& info) {
   {% filter format_remove_duplicates([
       'ExceptionState exceptionState',
       'ScriptState* scriptState = ']) %}
   {% set define_exception_state -%}
   ExceptionState exceptionState(info.GetIsolate(), ExceptionState::ExecutionContext, "{{interface_name}}", "{{method.name}}");
@@ skipping 11 matching lines @@
 
   {% if not method.is_static %}
   {% if method.returns_promise %}
   // V8DOMConfiguration::DoNotCheckHolder
   // Make sure that info.Holder() really points to an instance of the type.
   if (!{{v8_class}}::hasInstance(info.Holder(), info.GetIsolate())) {
     {{throw_type_error(method, '"Illegal invocation"')}}
     return;
   }
   {% endif %}
-  {% set local_dom_window_only = interface_name == 'Window' and not method.is_cross_origin %}
-  {% if local_dom_window_only %}
-  {% if method.is_check_security_for_receiver %}
-  {{cpp_class}}* uncheckedImpl = {{v8_class}}::toImpl(info.Holder());
-  {% else %}
+  {% if interface_name == 'Window' and not method.is_cross_origin %}
   // Same-origin methods are never exposed via the cross-origin interceptors.
   // Since same-origin access requires a LocalDOMWindow, it is safe to downcast
   // here.
   LocalDOMWindow* impl = toLocalDOMWindow({{v8_class}}::toImpl(info.Holder()));
-  {% endif %}{# method.is_check_security_for_receiver #}
   {% else %}
   {{cpp_class}}* impl = {{v8_class}}::toImpl(info.Holder());
-  {% endif %}{# local_dom_window_only #}
+  {% endif %}{# interface_name == 'Window' and not method.is_cross_origin #}
   {% endif %}{# not method.is_static #}
 
   {# Security checks #}
-  {% if method.is_check_security_for_receiver %}
-  {{define_exception_state}}
-  {% if interface_name == 'EventTarget' %}
-  // Performance hack for EventTarget.  Checking whether it's a Window or not
-  // prior to the call to BindingSecurity::shouldAllowAccessTo increases 30%
-  // of speed performance on Android Nexus 7 as of Dec 2015.  ALWAYS_INLINE
-  // didn't work in this case.
-  if (const DOMWindow* window = impl->toDOMWindow()) {
-    if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), window, exceptionState)) {
-      return;
-    }
-  }
-  {% else %}{# interface_name == 'EventTarget' #}
-  {% if local_dom_window_only %}
-  if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), uncheckedImpl, exceptionState)) {
-  {% else %}
-  if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), impl, exceptionState)) {
-  {% endif %}{# local_dom_window_only #}
-    return;
-  }
-  {% if local_dom_window_only %}
-  LocalDOMWindow* impl = toLocalDOMWindow(uncheckedImpl);
-  {% endif %}{# local_dom_window_only #}
-  {% endif %}{# interface_name == 'EventTarget' #}
-  {% endif %}{# method.is_check_security_for_receiver #}
   {% if method.is_check_security_for_return_value %}
   {{define_exception_state}}
   if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), {{method.cpp_value}}, exceptionState)) {
     v8SetReturnValueNull(info);
     return;
   }
   {% endif %}
 
   {% if 'scriptState' in function_call %}
   {% if method.is_static %}
@@ skipping 539 matching lines @@
 {% set method_callback =
        '%s::%sMethodCallback' % (v8_class_or_partial, method.name) %}
 {% set method_callback_for_main_world =
        '%s::%sMethodCallbackForMainWorld' % (v8_class_or_partial, method.name)
        if method.is_per_world_bindings else 'nullptr' %}
 {% set property_attribute =
        'static_cast<v8::PropertyAttribute>(%s)' % ' | '.join(method.property_attributes)
        if method.property_attributes else 'v8::None' %}
 {% set holder_check = 'V8DOMConfiguration::DoNotCheckHolder'
        if method.returns_promise else 'V8DOMConfiguration::CheckHolder' %}
-{"{{method.name}}", {{method_callback}}, {{method_callback_for_main_world}}, {{method.length}}, {{property_attribute}}, {{property_location(method)}}, {{holder_check}}}
+{% set access_check = 'V8DOMConfiguration::CheckAccess'
+       if method.is_check_security_for_receiver else 'V8DOMConfiguration::DoNotCheckAccess' %}
+{"{{method.name}}", {{method_callback}}, {{method_callback_for_main_world}}, {{method.length}}, {{property_attribute}}, {{property_location(method)}}, {{holder_check}}, {{access_check}}}
 {%- endmacro %}
 
 
 {######################################}
 {% macro install_custom_signature(method, instance_template, prototype_template, interface_template, signature) %}
 const V8DOMConfiguration::MethodConfiguration {{method.name}}MethodConfiguration = {{method_configuration(method)}};
 V8DOMConfiguration::installMethod(isolate, world, {{instance_template}}, {{prototype_template}}, {{interface_template}}, {{signature}}, {{method.name}}MethodConfiguration);
 {%- endmacro %}
 
 
@@ skipping 11 matching lines @@
                           if method.overloads else
                           method.runtime_enabled_feature_name) %}
 const V8DOMConfiguration::MethodConfiguration {{method.name}}MethodConfiguration = {{method_configuration(method)}};
 V8DOMConfiguration::installMethod(isolate, world, v8::Local<v8::Object>(), prototypeObject, interfaceObject, signature, {{method.name}}MethodConfiguration);
 {% endfilter %}{# runtime_enabled() #}
 {% endfilter %}{# exposed() #}
 {% endfilter %}{# secure_context() #}
 {% endfor %}
 {% endif %}
 {%- endmacro %}