Make document.location unforgeable

Make document.location unforgeable

https://html.spec.whatwg.org/#document
https://heycam.github.io/webidl/#Unforgeable

In document-special-properties.html, an <iframe name="location"> would
previously shadow document.location but now does not. This brings us in
line with IE11. Firefox Nightly does the same, but seemingly only
because it doesn't fall back to named elements at all.

BUG=444015
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=189862

[philipj_slow, 2015-02-04 11:00:51]

DoNotCheckSecurity

[philipj_slow, 2015-02-05 16:47:29]

philipj@opera.com changed reviewers:
+ jochen@chromium.org

[philipj_slow, 2015-02-05 16:47:30]

Jochen, can you PTAL? I'm very uncertain about DoNotCheckSecurity and am not
sure if it should be there or not. Without it, the generated code uses
"v8::PROHIBITS_OVERWRITING" and with it it's "v8::ALL_CAN_READ |
v8::PROHIBITS_OVERWRITING". Before this CL it was simply "v8::DEFAULT".

Note that window.location uses DoNotCheckSecurity, but also Replaceable which
isn't per spec, so I'm not sure it's a good role model.

Advice on the kind of test that would show the difference appreciated.

[philipj_slow, 2015-02-09 13:55:05]

Ping jochen.

[jochen (gone - plz use gerrit), 2015-02-09 14:29:07]

https://codereview.chromium.org/884213006/diff/40001/Source/core/dom/Document...
File Source/core/dom/Document.idl (right):

https://codereview.chromium.org/884213006/diff/40001/Source/core/dom/Document...
Source/core/dom/Document.idl:131: [PutForwards=href, DoNotCheckSecurity,
Unforgeable] readonly attribute Location location;
why DoNotCheckSecurity?

[philipj_slow, 2015-02-09 14:37:01]

https://codereview.chromium.org/884213006/diff/40001/Source/core/dom/Document...
File Source/core/dom/Document.idl (right):

https://codereview.chromium.org/884213006/diff/40001/Source/core/dom/Document...
Source/core/dom/Document.idl:131: [PutForwards=href, DoNotCheckSecurity,
Unforgeable] readonly attribute Location location;
On 2015/02/09 14:29:07, jochen (slow) wrote:
> why DoNotCheckSecurity?

That is the question in an earlier comment. Window.location has it and I get
nervous, feedback appreciated.

[jochen (gone - plz use gerrit), 2015-02-09 14:38:17]

jochen@chromium.org changed reviewers:
+ dcarney@chromium.org

[jochen (gone - plz use gerrit), 2015-02-09 14:38:18]

+dcarney for the security check question in comment #3

[jochen (gone - plz use gerrit), 2015-02-09 16:07:18]

lgtm

[jochen (gone - plz use gerrit), 2015-02-09 16:07:38]

(Dan said it's fine)

[philipj_slow, 2015-02-09 16:56:21]

Thanks, Jochen!

Dan, can you explain the difference between having and not having
DoNotCheckSecurity to me? Is there a test case I could write to expose the
difference and maybe check what other browsers do?

[dcarney, 2015-02-09 20:03:03]

On 2015/02/09 16:56:21, philipj_UTC7 wrote:
> Thanks, Jochen!
> 
> Dan, can you explain the difference between having and not having
> DoNotCheckSecurity to me? Is there a test case I could write to expose the
> difference and maybe check what other browsers do?

DoNotCheckSecurity means a property will be exposed to all contexts, but when
it's accessed from another context than its own, that context will see a
different object.  Since document is not visible from other contexts, nor should
document.location be.  Therefore it should need no special cross-context
handling.

[philipj_slow, 2015-02-10 03:24:08]

On 2015/02/09 20:03:03, dcarney wrote:
> On 2015/02/09 16:56:21, philipj_UTC7 wrote:
> > Thanks, Jochen!
> > 
> > Dan, can you explain the difference between having and not having
> > DoNotCheckSecurity to me? Is there a test case I could write to expose the
> > difference and maybe check what other browsers do?
> 
> DoNotCheckSecurity means a property will be exposed to all contexts, but when
> it's accessed from another context than its own, that context will see a
> different object.  Since document is not visible from other contexts, nor
should
> document.location be.  Therefore it should need no special cross-context
> handling.

Ah, I see. All other instances of DoNotCheckSecurity are on Window and Location,
due to being reachable via window.location I would presume.

It sounds like there's no point in having DoNotCheckSecurity here on
Document.location, so I will remove it. Shout it if I misunderstood.

[philipj_slow, 2015-02-10 03:28:14]

New patchsets have been uploaded after l-g-t-m from jochen@chromium.org

[philipj_slow, 2015-02-10 03:28:15]

drop DoNotCheckSecurity

[philipj_slow, 2015-02-10 03:28:22]

The CQ bit was checked by philipj@opera.com

[commit-bot: I haz the power, 2015-02-10 03:29:07]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/884213006/60001

[commit-bot: I haz the power, 2015-02-10 04:41:47]

Committed patchset #4 (id:60001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=189862