Index: third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
diff --git a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
index bc2246fb5e015b609bec62e12df43c6b1e88ae1f..3ead54016aee13408cf62831155c2c44f19eb846 100644 |
--- a/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
+++ b/third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp |
@@ -38,6 +38,7 @@ |
#include "core/frame/LocalFrame.h" |
#include "core/frame/Location.h" |
#include "core/frame/Settings.h" |
+#include "core/frame/UseCounter.h" |
#include "core/html/HTMLFrameElementBase.h" |
#include "core/workers/MainThreadWorkletGlobalScope.h" |
#include "platform/bindings/WrapperCreationSecurityCheck.h" |
@@ -114,9 +115,20 @@ bool BindingSecurity::ShouldAllowAccessTo( |
const Frame* frame = target->GetFrame(); |
if (!frame || !frame->GetSecurityContext()) |
return false; |
- return CanAccessFrame(accessing_window, |
- frame->GetSecurityContext()->GetSecurityOrigin(), |
- target, exception_state); |
+ bool can_access = CanAccessFrame( |
+ accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
+ target, exception_state); |
+ |
+ if (!can_access) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccess); |
+ if (target->opener() == accessing_window) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccessFromOpener); |
+ } |
+ } |
Mike West
2017/05/16 14:54:31
Does this do what I think it does?
jochen (gone - plz use gerrit)
2017/05/17 07:36:06
not sure, but kCrossOriginPropertyAccessFromOpener
|
+ |
+ return can_access; |
} |
bool BindingSecurity::ShouldAllowAccessTo( |
@@ -127,29 +139,20 @@ bool BindingSecurity::ShouldAllowAccessTo( |
const Frame* frame = target->GetFrame(); |
if (!frame || !frame->GetSecurityContext()) |
return false; |
- return CanAccessFrame(accessing_window, |
- frame->GetSecurityContext()->GetSecurityOrigin(), |
- target, reporting_option); |
-} |
- |
-bool BindingSecurity::ShouldAllowAccessTo( |
- const LocalDOMWindow* accessing_window, |
- const EventTarget* target, |
- ExceptionState& exception_state) { |
- DCHECK(target); |
- const DOMWindow* window = target->ToDOMWindow(); |
- if (!window) { |
- // We only need to check the access to Window objects which are |
- // cross-origin accessible. If it's not a Window, the object's |
- // origin must always be the same origin (or it already leaked). |
- return true; |
+ bool can_access = CanAccessFrame( |
+ accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
+ target, reporting_option); |
+ |
+ if (!can_access) { |
Yuki
2017/05/17 05:31:11
If we're going to put this into CanAccessFrame, th
|
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccess); |
+ if (target->opener() == accessing_window) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccessFromOpener); |
+ } |
} |
- const Frame* frame = window->GetFrame(); |
- if (!frame || !frame->GetSecurityContext()) |
- return false; |
- return CanAccessFrame(accessing_window, |
- frame->GetSecurityContext()->GetSecurityOrigin(), |
- window, exception_state); |
+ |
+ return can_access; |
} |
bool BindingSecurity::ShouldAllowAccessTo( |
@@ -160,9 +163,20 @@ bool BindingSecurity::ShouldAllowAccessTo( |
const Frame* frame = target->GetFrame(); |
if (!frame || !frame->GetSecurityContext()) |
return false; |
- return CanAccessFrame(accessing_window, |
- frame->GetSecurityContext()->GetSecurityOrigin(), |
- frame->DomWindow(), exception_state); |
+ bool can_access = CanAccessFrame( |
+ accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
+ frame->DomWindow(), exception_state); |
+ |
+ if (!can_access) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccess); |
+ if (target->DomWindow()->opener() == accessing_window) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccessFromOpener); |
+ } |
+ } |
+ |
+ return can_access; |
} |
bool BindingSecurity::ShouldAllowAccessTo( |
@@ -173,9 +187,20 @@ bool BindingSecurity::ShouldAllowAccessTo( |
const Frame* frame = target->GetFrame(); |
if (!frame || !frame->GetSecurityContext()) |
return false; |
- return CanAccessFrame(accessing_window, |
- frame->GetSecurityContext()->GetSecurityOrigin(), |
- frame->DomWindow(), reporting_option); |
+ bool can_access = CanAccessFrame( |
+ accessing_window, frame->GetSecurityContext()->GetSecurityOrigin(), |
+ frame->DomWindow(), reporting_option); |
+ |
+ if (!can_access) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccess); |
+ if (target->DomWindow()->opener() == accessing_window) { |
+ UseCounter::Count(accessing_window->GetFrame(), |
+ UseCounter::kCrossOriginPropertyAccessFromOpener); |
+ } |
+ } |
+ |
+ return can_access; |
} |
bool BindingSecurity::ShouldAllowAccessTo( |