
Side by Side Diff: Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp

Issue 8036045: Merge 95488 - Named property confusion with __proto__ (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/835/
Patch Set: Created 9 years, 2 months ago
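--- a/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
+++ b/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2009 Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above
@@ -542,26 +542,31 @@
 
 DOMWindow* targetWindow = V8DOMWindow::toNative(window);
 
 ASSERT(targetWindow);
 
 Frame* target = targetWindow->frame();
 if (!target)
 return false;
 
 if (key->IsString()) {
+DEFINE_STATIC_LOCAL(AtomicString, nameOfProtoProperty, ("__proto__"));
+
 String name = toWebCoreString(key);
 // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
 // because that would generate infinite recursion.
 if (type == v8::ACCESS_HAS && target->tree()->child(name))
 return true;
-if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasR ealNamedProperty(key->ToString()))
+// We need to explicitly compare against nameOfProtoProperty because
+// V8's JSObject::LocalLookup finds __proto__ before
+// interceptors and even when __proto__ isn't a "real named property".
+if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasR ealNamedProperty(key->ToString()) && name != nameOfProtoProperty)
 return true;
 }
 
 return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, fal se);
 }
 
 bool V8DOMWindow::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t inde x, v8::AccessType type, v8::Local<v8::Value>)
 {
 v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8DOMWindow:: GetTemplate(), host);
 if (window.IsEmpty())
@@ -612,10 +617,10 @@
 v8::Handle<v8::Context> context = V8Proxy::context(frame);
 if (context.IsEmpty())
 return v8::Handle<v8::Object>();
 
 v8::Handle<v8::Object> global = context->Global();
 ASSERT(!global.IsEmpty());
 return global;
 }
 
 } // namespace WebCore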
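Review bot: The `__proto__` exclusion is applied only to the ACCESS_GET shortcut at new line 562; the ACCESS_HAS shortcut at new line 557 still returns true for any name that matches a child frame, including `__proto__`, without reaching `canAccessFrame`. If V8 resolves `__proto__` ahead of interceptors on that path as well (the new comment describes this for `JSObject::LocalLookup`), the has-check would be answered for the real prototype slot rather than for the frame, so it is worth either guarding it the same way, e.g. `if (type == v8::ACCESS_HAS && name != nameOfProtoProperty && target->tree()->child(name))`, or adding a comment stating why HAS is safe to leave open. Putting the cheap name comparison before `target->tree()->child(name)` in the GET condition would also make the security-relevant term the first thing a reader sees. The enclosing function begins in the skipped lines above this section, so its earlier checks are not visible here.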