third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp - Issue 2745313003: Move securityCheck out of V8WrapperInstantiationScope

Side by Side Diff: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp

Issue 2745313003: Move securityCheck out of V8WrapperInstantiationScope (Closed)

Patch Set: Address code review feedback Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2009 Google Inc. All rights reserved.	2 * Copyright (C) 2009 Google Inc. All rights reserved.

3 *	3 *

4 * Redistribution and use in source and binary forms, with or without	4 * Redistribution and use in source and binary forms, with or without

5 * modification, are permitted provided that the following conditions are	5 * modification, are permitted provided that the following conditions are

6 * met:	6 * met:

7 *	7 *

8 * * Redistributions of source code must retain the above copyright	8 * * Redistributions of source code must retain the above copyright

9 * notice, this list of conditions and the following disclaimer.	9 * notice, this list of conditions and the following disclaimer.

10 * * Redistributions in binary form must reproduce the above	10 * * Redistributions in binary form must reproduce the above

(...skipping 14 matching lines...) Expand all Loading...
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT	26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

29 */	29 */

30	30

31 #include "bindings/core/v8/BindingSecurity.h"	31 #include "bindings/core/v8/BindingSecurity.h"

32	32

33 #include "bindings/core/v8/ExceptionState.h"	33 #include "bindings/core/v8/ExceptionState.h"

34 #include "bindings/core/v8/V8Binding.h"	34 #include "bindings/core/v8/V8Binding.h"

	35 #include "bindings/core/v8/V8Location.h"

	36 #include "bindings/core/v8/WrapperCreationSecurityCheck.h"

35 #include "core/dom/Document.h"	37 #include "core/dom/Document.h"

36 #include "core/frame/LocalDOMWindow.h"	38 #include "core/frame/LocalDOMWindow.h"

37 #include "core/frame/LocalFrame.h"	39 #include "core/frame/LocalFrame.h"

38 #include "core/frame/Location.h"	40 #include "core/frame/Location.h"

39 #include "core/frame/Settings.h"	41 #include "core/frame/Settings.h"

40 #include "core/html/HTMLFrameElementBase.h"	42 #include "core/html/HTMLFrameElementBase.h"

41 #include "core/workers/MainThreadWorkletGlobalScope.h"	43 #include "core/workers/MainThreadWorkletGlobalScope.h"

42 #include "platform/weborigin/SecurityOrigin.h"	44 #include "platform/weborigin/SecurityOrigin.h"

43	45

44 namespace blink {	46 namespace blink {

(...skipping 200 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
245 return false;	247 return false;

246	248

247 // Note that there is no need to call back	249 // Note that there is no need to call back

248 // FrameLoader::didAccessInitialDocument() because \|targetWindow\| must be	250 // FrameLoader::didAccessInitialDocument() because \|targetWindow\| must be

249 // a child window inside iframe or frame and it doesn't have a URL bar,	251 // a child window inside iframe or frame and it doesn't have a URL bar,

250 // so there is no need to worry about URL spoofing.	252 // so there is no need to worry about URL spoofing.

251	253

252 return true;	254 return true;

253 }	255 }

254	256

	257 void BindingSecurity::wrapperCreationSecurityCheck(

	258 v8::Isolate* isolate,

	259 v8::Local<v8::Context> creationContext,

	260 const WrapperTypeInfo* type,

	261 v8::Local<v8::Value> crossContextException) {

	262 ExceptionState exceptionState(isolate, ExceptionState::ConstructionContext,

	263 type->interfaceName);

	264

	265 // According to

	266 // https://html.spec.whatwg.org/multipage/browsers.html#security-location,

	267 // cross-origin script access to a few properties of Location is allowed.

	268 // Location already implements the necessary security checks.

	269 if (type->equals(&V8Location::wrapperTypeInfo)) {

	270 if (crossContextException.IsEmpty())
	Yuki 2017/04/03 08:29:26 I meant that we can do an early-exit at the beginn I meant that we can do an early-exit at the beginning. void BindingSecurity::wrapperCreationSecurityCheck(...) { if (crossContextException.IsEmpty()) return; ExceptionState exceptionState(...); ... } However, now I think that it's better to do this early-exit on the call site. See my reply at: https://codereview.chromium.org/2745313003/diff/120001/third_party/WebKit/Sou... Given that we do the early-exit on the call site, we can write: void BindingSecurity::wrapperCreationSecurityCheck(...) { DCHECK(!crossContextException.IsEmpty()); ... } And then, I think that the expected behavior of this function will be "rethrow an exception", and I'd prefer "rethrowCrossContextException" or something. It's a bit strange that fooCheck() returns void. adithyas 2017/04/03 15:20:54 Based on my reply on your earlier comment, I was t Show quoted text On 2017/04/03 at 08:29:26, Yuki wrote: > I meant that we can do an early-exit at the beginning. > > void BindingSecurity::wrapperCreationSecurityCheck(...) { > if (crossContextException.IsEmpty()) > return; > > ExceptionState exceptionState(...); > ... > } > > However, now I think that it's better to do this early-exit on the call site. See my reply at: > https://codereview.chromium.org/2745313003/diff/120001/third_party/WebKit/Sou... > > Given that we do the early-exit on the call site, we can write: > > void BindingSecurity::wrapperCreationSecurityCheck(...) { > DCHECK(!crossContextException.IsEmpty()); > > ... > } > > And then, I think that the expected behavior of this function will be "rethrow an exception", and I'd prefer "rethrowCrossContextException" or something. It's a bit strange that fooCheck() returns void. Based on my reply on your earlier comment, I was thinking this could be 2 functions instead: bool BindingSecurity::checkCreationContextAccess(creationContext, type) { if (type == V8Location) return true; frame = toLocalFrameIfNotDetached(creationContext) if (!frame) { return shouldAllowAccessToDetachedWindow(...); // could throw security error } else { return shouldAllowAccessToFrame(...); // could throw security error } } void BindingSecurity::rethrowCrossContextException(crossContextException, type, creationContext) { if (type == V8Location) { // convert to security error and throw } else { // rethrow crossContextException }
	271 return;

	272 // Convert cross-context exception to security error

	273 LocalDOMWindow* callingWindow = currentDOMWindow(isolate);

	274 LocalDOMWindow* targetWindow = toLocalDOMWindow(creationContext);

	275 exceptionState.throwSecurityError(

	276 targetWindow->sanitizedCrossDomainAccessErrorMessage(callingWindow),

	277 targetWindow->crossDomainAccessErrorMessage(callingWindow));

	278 return;

	279 }

	280

	281 bool hasAccess = false;

	282 LocalFrame* frame = toLocalFrameIfNotDetached(creationContext);

	283

	284 if (!frame) {

	285 // Sandbox detached frames - they can't create cross origin objects.

	286 LocalDOMWindow* callingWindow = currentDOMWindow(isolate);

	287 LocalDOMWindow* targetWindow = toLocalDOMWindow(creationContext);

	288

	289 hasAccess = shouldAllowAccessToDetachedWindow(callingWindow, targetWindow,

	290 exceptionState);

	291 } else {

	292 const DOMWrapperWorld& currentWorld =

	293 DOMWrapperWorld::world(isolate->GetCurrentContext());

	294 CHECK_EQ(currentWorld.worldId(),

	295 DOMWrapperWorld::world(creationContext).worldId());

	296

	297 hasAccess = !currentWorld.isMainWorld() \|\|

	298 shouldAllowAccessToFrame(currentDOMWindow(isolate), frame,

	299 exceptionState);

	300 }

	301

	302 if (hasAccess && !crossContextException.IsEmpty()) {

	303 exceptionState.rethrowV8Exception(crossContextException);

	304 }
	Yuki 2017/04/03 08:29:26 You may want: DCHECK(exceptionState.hadException You may want: DCHECK(exceptionState.hadException());
	305 }

	306

255 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate,	307 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate,

256 const Frame* target) {	308 const Frame* target) {

257 // TODO(dcheng): See if this null check can be removed or hoisted to a	309 // TODO(dcheng): See if this null check can be removed or hoisted to a

258 // different location.	310 // different location.

259 if (!target)	311 if (!target)

260 return;	312 return;

261	313

262 DOMWindow* targetWindow = target->domWindow();	314 DOMWindow* targetWindow = target->domWindow();

263	315

264 // TODO(dcheng): Add ContextType, interface name, and property name as	316 // TODO(dcheng): Add ContextType, interface name, and property name as

265 // arguments, so the generated exception can be more descriptive.	317 // arguments, so the generated exception can be more descriptive.

266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext,	318 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext,

267 nullptr, nullptr);	319 nullptr, nullptr);

268 exceptionState.throwSecurityError(	320 exceptionState.throwSecurityError(

269 targetWindow->sanitizedCrossDomainAccessErrorMessage(	321 targetWindow->sanitizedCrossDomainAccessErrorMessage(

270 currentDOMWindow(isolate)),	322 currentDOMWindow(isolate)),

271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate)));	323 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate)));

272 }	324 }

273	325

274 } // namespace blink	326 } // namespace blink

OLD	NEW