Move stringify, form, navigation and scroll methods out of core.js.

ios/web/web_state/js/resources/common.js

Index: ios/web/web_state/js/resources/common.js
diff --git a/ios/web/web_state/js/resources/common.js b/ios/web/web_state/js/resources/common.js
index 56adb250ff7019be9cc1ec763fcc2b014c187381..d2f826e7bb0f943babf236878b27374cd8800cf1 100644
--- a/ios/web/web_state/js/resources/common.js
+++ b/ios/web/web_state/js/resources/common.js
@@ -26,6 +26,7 @@ __gCrWeb['common'] = __gCrWeb.common;
 
 /* Beginning of anonymous object. */
 (function() {
+
   /**
    * JSON safe object to protect against custom implementation of Object.toJSON
    * in host pages.
@@ -46,6 +47,31 @@ __gCrWeb['common'] = __gCrWeb.common;
   __gCrWeb.common.JSONStringify = JSON.stringify;
 
   /**
+   * Returns a string that is formatted according to the JSON syntax rules.
+   * This is equivalent to the built-in JSON.stringify() function, but is
+   * less likely to be overridden by the website itself.  This public function
+   * should not be used if spoofing it would create a security vulnerability.

[Eugene But (OOO till 7-30), 2017/04/10 21:42:07]

How about s/if spoofing it would create a security vulnerability./instead of
{@code JSON.stringify}. ?

[danyao, 2017/04/10 22:12:59]

Did you perhaps mean {@code JSONStringify}?

Changing to {@code JSON.stringify} seems a bit confusing to me because this is
right after we said this method provides an "improvement" over JSON.stringify.
It seems a bit weird to immediately recommend against using it instead of the
built-in function.

[Eugene But (OOO till 7-30), 2017/04/11 00:12:44]

{@code JSONStringify} lg. I just was not sure what "if spoofing it would create
a security vulnerability" actually means :)

[danyao, 2017/04/11 15:10:39]

Updated. There may be something weird going on with the Closure compiler
settings because private methods declared in the dot syntax (e.g.
gCrWeb.common.JSONStringify) are not minified, so they can be overriden by the
website as easily as the public methods, which defeats the recommendation here.
I made a note to investigate this for the gCrWeb API hiding work.

+   * The |__gCrWeb| object itself does not use it; it uses its private
+   * counterpart instead.
+   * Prevents websites from changing stringify's behavior by adding the
+   * method toJSON() by temporarily removing it.
+   */
+  __gCrWeb['stringify'] = function(value) {
+    if (value === null)
+      return 'null';
+    if (value === undefined)
+       return 'undefined';
+    if (typeof(value.toJSON) == 'function') {
+      var originalToJSON = value.toJSON;
+      value.toJSON = undefined;
+      var stringifiedValue = __gCrWeb.common.JSONStringify(value);
+      value.toJSON = originalToJSON;
+      return stringifiedValue;
+    }
+    return __gCrWeb.common.JSONStringify(value);
+  };
+
+  /**
    * Prefix used in references to form elements that have no 'id' or 'name'
    */
   __gCrWeb.common.kNamelessFormIDPrefix = 'gChrome~';
@@ -689,4 +715,5 @@ __gCrWeb['common'] = __gCrWeb.common;
     }
     return false;
   };
+
 }());  // End of anonymous object