third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp - Issue 2745313003: Move securityCheck out of V8WrapperInstantiationScope

Side by Side Diff: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp

Issue 2745313003: Move securityCheck out of V8WrapperInstantiationScope (Closed)

Patch Set: Add comments and DCHECKs Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2009 Google Inc. All rights reserved.	2 * Copyright (C) 2009 Google Inc. All rights reserved.

3 *	3 *

4 * Redistribution and use in source and binary forms, with or without	4 * Redistribution and use in source and binary forms, with or without

5 * modification, are permitted provided that the following conditions are	5 * modification, are permitted provided that the following conditions are

6 * met:	6 * met:

7 *	7 *

8 * * Redistributions of source code must retain the above copyright	8 * * Redistributions of source code must retain the above copyright

9 * notice, this list of conditions and the following disclaimer.	9 * notice, this list of conditions and the following disclaimer.

10 * * Redistributions in binary form must reproduce the above	10 * * Redistributions in binary form must reproduce the above

(...skipping 14 matching lines...) Expand all Loading...
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT	26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

29 */	29 */

30	30

31 #include "bindings/core/v8/BindingSecurity.h"	31 #include "bindings/core/v8/BindingSecurity.h"

32	32

33 #include "bindings/core/v8/ExceptionState.h"	33 #include "bindings/core/v8/ExceptionState.h"

34 #include "bindings/core/v8/V8Binding.h"	34 #include "bindings/core/v8/V8Binding.h"

	35 #include "bindings/core/v8/V8Location.h"

	36 #include "bindings/core/v8/WrapperCreationSecurityCheck.h"

35 #include "core/dom/Document.h"	37 #include "core/dom/Document.h"

36 #include "core/frame/LocalDOMWindow.h"	38 #include "core/frame/LocalDOMWindow.h"

37 #include "core/frame/LocalFrame.h"	39 #include "core/frame/LocalFrame.h"

38 #include "core/frame/Location.h"	40 #include "core/frame/Location.h"

39 #include "core/frame/Settings.h"	41 #include "core/frame/Settings.h"

40 #include "core/html/HTMLFrameElementBase.h"	42 #include "core/html/HTMLFrameElementBase.h"

41 #include "core/workers/MainThreadWorkletGlobalScope.h"	43 #include "core/workers/MainThreadWorkletGlobalScope.h"

42 #include "platform/weborigin/SecurityOrigin.h"	44 #include "platform/weborigin/SecurityOrigin.h"

43	45

44 namespace blink {	46 namespace blink {

(...skipping 200 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
245 return false;	247 return false;

246	248

247 // Note that there is no need to call back	249 // Note that there is no need to call back

248 // FrameLoader::didAccessInitialDocument() because \|targetWindow\| must be	250 // FrameLoader::didAccessInitialDocument() because \|targetWindow\| must be

249 // a child window inside iframe or frame and it doesn't have a URL bar,	251 // a child window inside iframe or frame and it doesn't have a URL bar,

250 // so there is no need to worry about URL spoofing.	252 // so there is no need to worry about URL spoofing.

251	253

252 return true;	254 return true;

253 }	255 }

254	256

	257 bool BindingSecurity::shouldAllowAccessToCreationContext(

	258 v8::Isolate* isolate,
	haraken 2017/04/09 15:28:59 You don't need to pass in an Isolate, since you c You don't need to pass in an Isolate, since you can get it by creationContext->GetIsolate(). adithyas 2017/04/10 18:02:00 Fixed, here and everywhere else. Show quoted text On 2017/04/09 at 15:28:59, haraken wrote: > You don't need to pass in an Isolate*, since you can get it by creationContext->GetIsolate(). Fixed, here and everywhere else.
	259 v8::Local<v8::Context> creationContext,

	260 const WrapperTypeInfo* type) {

	261 // According to

	262 // https://html.spec.whatwg.org/multipage/browsers.html#security-location,

	263 // cross-origin script access to a few properties of Location is allowed.

	264 // Location already implements the necessary security checks.

	265 if (type->equals(&V8Location::wrapperTypeInfo))

	266 return true;

	267

	268 LocalFrame* frame = toLocalFrameIfNotDetached(creationContext);

	269 ExceptionState exceptionState(isolate, ExceptionState::ConstructionContext,

	270 type->interfaceName);

	271 if (!frame) {

	272 // Sandbox detached frames - they can't create cross origin objects.

	273 LocalDOMWindow* callingWindow = currentDOMWindow(isolate);

	274 LocalDOMWindow* targetWindow = toLocalDOMWindow(creationContext);

	275

	276 return shouldAllowAccessToDetachedWindow(callingWindow, targetWindow,

	277 exceptionState);

	278 }

	279 const DOMWrapperWorld& currentWorld =

	280 DOMWrapperWorld::world(isolate->GetCurrentContext());

	281 CHECK_EQ(currentWorld.worldId(),

	282 DOMWrapperWorld::world(creationContext).worldId());

	283

	284 return !currentWorld.isMainWorld() \|\|
	haraken 2017/04/09 15:29:00 I'd like to understand what the isMainWorld check I'd like to understand what the isMainWorld check is for. Would you mind investigating a git blame history a bit? adithyas 2017/04/10 18:02:00 This is the CL that added the check in: https://co Show quoted text On 2017/04/09 at 15:29:00, haraken wrote: > I'd like to understand what the isMainWorld check is for. Would you mind investigating a git blame history a bit? This is the CL that added the check in: https://codereview.chromium.org/1323453005#msg15 jochen@'s comment explains it: "the security token of the isolated world is chrome-extension://abcd..., so the security check against the Frame's security origin will always fail. so for isolated worlds, all we check is that the access is within the same isolated world."
	285 shouldAllowAccessToFrame(currentDOMWindow(isolate), frame,

	286 exceptionState);

	287 }

	288

	289 void BindingSecurity::rethrowCrossContextException(

	290 v8::Isolate* isolate,
	haraken 2017/04/09 15:29:00 Ditto. Remove the Isolate* parameter. Ditto. Remove the Isolate* parameter.
	291 v8::Local<v8::Context> creationContext,

	292 const WrapperTypeInfo* type,

	293 v8::Local<v8::Value> crossContextException) {

	294 DCHECK(!crossContextException.IsEmpty());

	295 ExceptionState exceptionState(isolate, ExceptionState::ConstructionContext,

	296 type->interfaceName);
	haraken 2017/04/09 15:29:00 It looks redundant to create an ExceptionState. I It looks redundant to create an ExceptionState. I think you can just make BindingSecurity::rethrowCrossContextException a V8 exception. You can address it in a follow-up CL. Yuki 2017/04/10 04:13:30 Yes, it's somewhat redundant, but ExceptionState s Show quoted text On 2017/04/09 15:29:00, haraken wrote: > > It looks redundant to create an ExceptionState. I think you can just make > BindingSecurity::rethrowCrossContextException a V8 exception. You can address it > in a follow-up CL. Yes, it's somewhat redundant, but ExceptionState supports creating an exception message (in a somewhat unified format). I think that we want to take its advantage. In general, it's not on a performance-sensitive path if it's throwing an exception.
	297 if (type->equals(&V8Location::wrapperTypeInfo)) {

	298 // Convert cross-context exception to security error

	299 LocalDOMWindow* callingWindow = currentDOMWindow(isolate);

	300 LocalDOMWindow* targetWindow = toLocalDOMWindow(creationContext);

	301 exceptionState.throwSecurityError(

	302 targetWindow->sanitizedCrossDomainAccessErrorMessage(callingWindow),

	303 targetWindow->crossDomainAccessErrorMessage(callingWindow));

	304 return;

	305 }

	306 exceptionState.rethrowV8Exception(crossContextException);

	307 }

	308

	309 void BindingSecurity::initWrapperCreationSecurityCheck() {

	310 WrapperCreationSecurityCheck::setSecurityCheckFunction(

	311 shouldAllowAccessToCreationContext);

	312 WrapperCreationSecurityCheck::setRethrowExceptionFunction(

	313 rethrowCrossContextException);

	314 }

	315

255 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate,	316 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate,

256 const Frame* target) {	317 const Frame* target) {

257 // TODO(dcheng): See if this null check can be removed or hoisted to a	318 // TODO(dcheng): See if this null check can be removed or hoisted to a

258 // different location.	319 // different location.

259 if (!target)	320 if (!target)

260 return;	321 return;

261	322

262 DOMWindow* targetWindow = target->domWindow();	323 DOMWindow* targetWindow = target->domWindow();

263	324

264 // TODO(dcheng): Add ContextType, interface name, and property name as	325 // TODO(dcheng): Add ContextType, interface name, and property name as

265 // arguments, so the generated exception can be more descriptive.	326 // arguments, so the generated exception can be more descriptive.

266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext,	327 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext,

267 nullptr, nullptr);	328 nullptr, nullptr);

268 exceptionState.throwSecurityError(	329 exceptionState.throwSecurityError(

269 targetWindow->sanitizedCrossDomainAccessErrorMessage(	330 targetWindow->sanitizedCrossDomainAccessErrorMessage(

270 currentDOMWindow(isolate)),	331 currentDOMWindow(isolate)),

271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate)));	332 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate)));

272 }	333 }

273	334

274 } // namespace blink	335 } // namespace blink

OLD	NEW