OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
6 * met: | 6 * met: |
7 * | 7 * |
8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
(...skipping 20 matching lines...) | |
31 #include "bindings/core/v8/BindingSecurity.h" | 31 #include "bindings/core/v8/BindingSecurity.h" |
32 | 32 |
33 #include "bindings/core/v8/ExceptionState.h" | 33 #include "bindings/core/v8/ExceptionState.h" |
34 #include "bindings/core/v8/V8BindingForCore.h" | 34 #include "bindings/core/v8/V8BindingForCore.h" |
35 #include "bindings/core/v8/V8Location.h" | 35 #include "bindings/core/v8/V8Location.h" |
36 #include "core/dom/Document.h" | 36 #include "core/dom/Document.h" |
37 #include "core/frame/LocalDOMWindow.h" | 37 #include "core/frame/LocalDOMWindow.h" |
38 #include "core/frame/LocalFrame.h" | 38 #include "core/frame/LocalFrame.h" |
39 #include "core/frame/Location.h" | 39 #include "core/frame/Location.h" |
40 #include "core/frame/Settings.h" | 40 #include "core/frame/Settings.h" |
41 #include "core/frame/UseCounter.h" | |
41 #include "core/html/HTMLFrameElementBase.h" | 42 #include "core/html/HTMLFrameElementBase.h" |
42 #include "core/workers/MainThreadWorkletGlobalScope.h" | 43 #include "core/workers/MainThreadWorkletGlobalScope.h" |
43 #include "platform/bindings/WrapperCreationSecurityCheck.h" | 44 #include "platform/bindings/WrapperCreationSecurityCheck.h" |
44 #include "platform/weborigin/SecurityOrigin.h" | 45 #include "platform/weborigin/SecurityOrigin.h" |
45 | 46 |
46 namespace blink { | 47 namespace blink { |
47 | 48 |
48 namespace { | 49 namespace { |
49 | 50 |
50 bool CanAccessFrameInternal(const LocalDOMWindow* accessing_window, | 51 bool CanAccessFrameInternal(const LocalDOMWindow* accessing_window, |
(...skipping 56 matching lines...) | |
107 } // namespace | 108 } // namespace |
108 | 109 |
109 bool BindingSecurity::ShouldAllowAccessTo( | 110 bool BindingSecurity::ShouldAllowAccessTo( |
110 const LocalDOMWindow* accessing_window, | 111 const LocalDOMWindow* accessing_window, |
111 const DOMWindow* target, | 112 const DOMWindow* target, |
112 ExceptionState& exception_state) { | 113 ExceptionState& exception_state) { |
113 DCHECK(target); | 114 DCHECK(target); |
114 const Frame* frame = target->GetFrame(); | 115 const Frame* frame = target->GetFrame(); |
115 if (!frame || !frame->GetSecurityContext()) | 116 if (!frame || !frame->GetSecurityContext()) |
116 return false; | 117 return false; |
117 return CanAccessFrame(accessing_window, | 118 bool can_access = CanAccessFrame( |
118 frame->GetSecurityContext()->GetSecurityOrigin(), | 119 accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
119 target, exception_state); | 120 target, exception_state); |
121 | |
122 if (!can_access) { | |
123 UseCounter::Count(accessing_window->GetFrame(), | |
124 UseCounter::kCrossOriginPropertyAccess); | |
125 if (target->opener() == accessing_window) { | |
126 UseCounter::Count(accessing_window->GetFrame(), | |
127 UseCounter::kCrossOriginPropertyAccessFromOpener); | |
128 } | |
129 } | |
Mike West
2017/05/16 14:54:31
Does this do what I think it does?
jochen (gone - plz use gerrit)
2017/05/17 07:36:06
not sure, but kCrossOriginPropertyAccessFromOpener
| |
130 | |
131 return can_access; | |
120 } | 132 } |
121 | 133 |
122 bool BindingSecurity::ShouldAllowAccessTo( | 134 bool BindingSecurity::ShouldAllowAccessTo( |
123 const LocalDOMWindow* accessing_window, | 135 const LocalDOMWindow* accessing_window, |
124 const DOMWindow* target, | 136 const DOMWindow* target, |
125 ErrorReportOption reporting_option) { | 137 ErrorReportOption reporting_option) { |
126 DCHECK(target); | 138 DCHECK(target); |
127 const Frame* frame = target->GetFrame(); | 139 const Frame* frame = target->GetFrame(); |
128 if (!frame || !frame->GetSecurityContext()) | 140 if (!frame || !frame->GetSecurityContext()) |
129 return false; | 141 return false; |
130 return CanAccessFrame(accessing_window, | 142 bool can_access = CanAccessFrame( |
131 frame->GetSecurityContext()->GetSecurityOrigin(), | 143 accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
132 target, reporting_option); | 144 target, reporting_option); |
145 | |
146 if (!can_access) { | |
Yuki
2017/05/17 05:31:11
If we're going to put this into CanAccessFrame, th
| |
147 UseCounter::Count(accessing_window->GetFrame(), | |
148 UseCounter::kCrossOriginPropertyAccess); | |
149 if (target->opener() == accessing_window) { | |
150 UseCounter::Count(accessing_window->GetFrame(), | |
151 UseCounter::kCrossOriginPropertyAccessFromOpener); | |
152 } | |
153 } | |
154 | |
155 return can_access; | |
133 } | 156 } |
134 | 157 |
135 bool BindingSecurity::ShouldAllowAccessTo( | 158 bool BindingSecurity::ShouldAllowAccessTo( |
136 const LocalDOMWindow* accessing_window, | |
137 const EventTarget* target, | |
138 ExceptionState& exception_state) { | |
139 DCHECK(target); | |
140 const DOMWindow* window = target->ToDOMWindow(); | |
141 if (!window) { | |
142 // We only need to check the access to Window objects which are | |
143 // cross-origin accessible. If it's not a Window, the object's | |
144 // origin must always be the same origin (or it already leaked). | |
145 return true; | |
146 } | |
147 const Frame* frame = window->GetFrame(); | |
148 if (!frame || !frame->GetSecurityContext()) | |
149 return false; | |
150 return CanAccessFrame(accessing_window, | |
151 frame->GetSecurityContext()->GetSecurityOrigin(), | |
152 window, exception_state); | |
153 } | |
154 | |
155 bool BindingSecurity::ShouldAllowAccessTo( | |
156 const LocalDOMWindow* accessing_window, | 159 const LocalDOMWindow* accessing_window, |
157 const Location* target, | 160 const Location* target, |
158 ExceptionState& exception_state) { | 161 ExceptionState& exception_state) { |
159 DCHECK(target); | 162 DCHECK(target); |
160 const Frame* frame = target->GetFrame(); | 163 const Frame* frame = target->GetFrame(); |
161 if (!frame || !frame->GetSecurityContext()) | 164 if (!frame || !frame->GetSecurityContext()) |
162 return false; | 165 return false; |
163 return CanAccessFrame(accessing_window, | 166 bool can_access = CanAccessFrame( |
164 frame->GetSecurityContext()->GetSecurityOrigin(), | 167 accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
165 frame->DomWindow(), exception_state); | 168 frame->DomWindow(), exception_state); |
169 | |
170 if (!can_access) { | |
171 UseCounter::Count(accessing_window->GetFrame(), | |
172 UseCounter::kCrossOriginPropertyAccess); | |
173 if (target->DomWindow()->opener() == accessing_window) { | |
174 UseCounter::Count(accessing_window->GetFrame(), | |
175 UseCounter::kCrossOriginPropertyAccessFromOpener); | |
176 } | |
177 } | |
178 | |
179 return can_access; | |
166 } | 180 } |
167 | 181 |
168 bool BindingSecurity::ShouldAllowAccessTo( | 182 bool BindingSecurity::ShouldAllowAccessTo( |
169 const LocalDOMWindow* accessing_window, | 183 const LocalDOMWindow* accessing_window, |
170 const Location* target, | 184 const Location* target, |
171 ErrorReportOption reporting_option) { | 185 ErrorReportOption reporting_option) { |
172 DCHECK(target); | 186 DCHECK(target); |
173 const Frame* frame = target->GetFrame(); | 187 const Frame* frame = target->GetFrame(); |
174 if (!frame || !frame->GetSecurityContext()) | 188 if (!frame || !frame->GetSecurityContext()) |
175 return false; | 189 return false; |
176 return CanAccessFrame(accessing_window, | 190 bool can_access = CanAccessFrame( |
177 frame->GetSecurityContext()->GetSecurityOrigin(), | 191 accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
178 frame->DomWindow(), reporting_option); | 192 frame->DomWindow(), reporting_option); |
193 | |
194 if (!can_access) { | |
195 UseCounter::Count(accessing_window->GetFrame(), | |
196 UseCounter::kCrossOriginPropertyAccess); | |
197 if (target->DomWindow()->opener() == accessing_window) { | |
198 UseCounter::Count(accessing_window->GetFrame(), | |
199 UseCounter::kCrossOriginPropertyAccessFromOpener); | |
200 } | |
201 } | |
202 | |
203 return can_access; | |
179 } | 204 } |
180 | 205 |
181 bool BindingSecurity::ShouldAllowAccessTo( | 206 bool BindingSecurity::ShouldAllowAccessTo( |
182 const LocalDOMWindow* accessing_window, | 207 const LocalDOMWindow* accessing_window, |
183 const Node* target, | 208 const Node* target, |
184 ExceptionState& exception_state) { | 209 ExceptionState& exception_state) { |
185 if (!target) | 210 if (!target) |
186 return false; | 211 return false; |
187 return CanAccessFrame(accessing_window, | 212 return CanAccessFrame(accessing_window, |
188 target->GetDocument().GetSecurityOrigin(), | 213 target->GetDocument().GetSecurityOrigin(), |
(...skipping 149 matching lines...) | |
338 // arguments, so the generated exception can be more descriptive. | 363 // arguments, so the generated exception can be more descriptive. |
339 ExceptionState exception_state(isolate, ExceptionState::kUnknownContext, | 364 ExceptionState exception_state(isolate, ExceptionState::kUnknownContext, |
340 nullptr, nullptr); | 365 nullptr, nullptr); |
341 exception_state.ThrowSecurityError( | 366 exception_state.ThrowSecurityError( |
342 target_window->SanitizedCrossDomainAccessErrorMessage( | 367 target_window->SanitizedCrossDomainAccessErrorMessage( |
343 CurrentDOMWindow(isolate)), | 368 CurrentDOMWindow(isolate)), |
344 target_window->CrossDomainAccessErrorMessage(CurrentDOMWindow(isolate))); | 369 target_window->CrossDomainAccessErrorMessage(CurrentDOMWindow(isolate))); |
345 } | 370 } |
346 | 371 |
347 } // namespace blink | 372 } // namespace blink |
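Review bot: On the denied path, each new `UseCounter::Count(accessing_window->GetFrame(), ...)` call dereferences `accessing_window` without a null check, in all four changed `ShouldAllowAccessTo` overloads (new lines 122-129, 146-153, 170-177 and 194-201). The body of `CanAccessFrameInternal` is collapsed on this page, so it is not visible whether a null accessing window is one of the cases it rejects by returning false; if it is, that denial would now crash inside the security check instead of failing closed. The two `Location` overloads also read `target->DomWindow()->opener()` although the access decision was made on `frame->DomWindow()`, and nothing visible guarantees the former is non-null. Guarding the block with `if (!can_access && accessing_window) {` and taking the opener from the same window that was passed to `CanAccessFrame` would keep the metrics code from altering the outcome of the check.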
OLD | NEW |