Changeset 203935 in webkit

Timestamp:

Jul 29, 2016, 6:08:41 PM (9 years ago)

Author:

Chris Dumez

Message:

Window's named properties should be exposed on a WindowProperties object in its prototype
​https://bugs.webkit.org/show_bug.cgi?id=160354

Reviewed by Gavin Barraclough.

LayoutTests/imported/w3c:

Rebaseline W3C test now that one more check is passing.

• web-platform-tests/html/dom/interfaces-expected.txt:

Source/WebCore:

Window's named properties should be exposed on a WindowProperties object
in its prototype:

• ​http://heycam.github.io/webidl/#named-properties-object

Firefox and Chrome both comply with the specification. However, WebKit
had no "WindowProperties" object in the Window prototype chain and the
named properties are exposed on the Window object itself.

No new tests, rebaselined existing tests.

• CMakeLists.txt:
• WebCore.xcodeproj/project.pbxproj:
• bindings/js/JSBindingsAllInOne.cpp:
• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getOwnPropertySlot):
(WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): Deleted.
(WebCore::JSDOMWindow::put): Deleted.
(WebCore::JSDOMWindow::putByIndex): Deleted.
(WebCore::JSDOMWindow::getEnumerableLength): Deleted.

• bindings/js/JSDOMWindowProperties.cpp: Added.

(WebCore::jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter):
(WebCore::JSDOMWindowProperties::getOwnPropertySlot):
(WebCore::JSDOMWindowProperties::getOwnPropertySlotByIndex):

• bindings/js/JSDOMWindowProperties.h: Added.

(WebCore::JSDOMWindowProperties::create):
(WebCore::JSDOMWindowProperties::createStructure):
(WebCore::JSDOMWindowProperties::JSDOMWindowProperties):

• bindings/js/JSDOMWindowShell.cpp:

(WebCore::JSDOMWindowShell::setWindow):

LayoutTests:

• fast/dom/Window/es52-globals-expected.txt:

Update / Rebaseline test now that named properties are no longer reported as "own"
properties on the Window object. I have verified that the test gives the
same result in Firefox and Chrome.

• fast/loader/window-clearing-expected.txt:

Rebaseline test that prints one more line because there is one more
object in Window's prototype chain.

• http/tests/security/window-named-proto-expected.txt:
• http/tests/security/window-named-valueOf-expected.txt:

Rebaseline 2 security tests that give slightly different output. The new
output is identical to the one in Firefox and Chrome. The tests are not
failing since they are not alert'ing content from the other frame.
The reason those tests were logging a security error is because we would
previously prevent named property access if the frame name conflicts with
a property name in the Window prototype, and we now no longer
differentiate this case.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/es52-globals-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/es52-globals.html (modified) (1 diff)
• LayoutTests/fast/loader/window-clearing-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/window-named-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/window-named-valueOf-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/window-named-valueOf.html (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt (modified) (1 diff)
• Source/WebCore/CMakeLists.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (6 diffs)
• Source/WebCore/bindings/js/JSBindingsAllInOne.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (4 diffs)
• Source/WebCore/bindings/js/JSDOMWindowProperties.cpp (added)
• Source/WebCore/bindings/js/JSDOMWindowProperties.h (added)
• Source/WebCore/bindings/js/JSDOMWindowShell.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-07-29  Chris Dumez  <cdumez@apple.com>
+
+        Window's named properties should be exposed on a WindowProperties object in its prototype
+        https://bugs.webkit.org/show_bug.cgi?id=160354
+
+        Reviewed by Gavin Barraclough.
+
+        * fast/dom/Window/es52-globals-expected.txt:
+        Update / Rebaseline test now that named properties are no longer reported as "own"
+        properties on the Window object. I have verified that the test gives the
+        same result in Firefox and Chrome.
+
+        * fast/loader/window-clearing-expected.txt:
+        Rebaseline test that prints one more line because there is one more
+        object in Window's prototype chain.
+
+        * http/tests/security/window-named-proto-expected.txt:
+        * http/tests/security/window-named-valueOf-expected.txt:
+        Rebaseline 2 security tests that give slightly different output. The new
+        output is identical to the one in Firefox and Chrome. The tests are not
+        failing since they are not alert'ing content from the other frame.
+        The reason those tests were logging a security error is because we would
+        previously prevent named property access if the frame name conflicts with
+        a property name in the Window prototype, and we now no longer
+        differentiate this case.
+
 2016-07-29  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/fast/dom/Window/es52-globals-expected.txt

@@ -2 +2 @@
 PASS window.hasOwnProperty("x") is true
 PASS window.hasOwnProperty("y") is false
-PASS window.hasOwnProperty("f") is true
-PASS window.hasOwnProperty("div") is true
-FAIL window.hasOwnProperty("a") should be true. Was false.
+PASS window.hasOwnProperty("f") is false
+PASS window.__proto__.__proto__.hasOwnProperty("f") is true
+PASS window.hasOwnProperty("div") is false
+PASS window.__proto__.__proto__.hasOwnProperty("div") is true
+PASS window.hasOwnProperty("a") is false
 PASS Element is not undefined
 PASS x is 1

trunk/LayoutTests/fast/dom/Window/es52-globals.html

@@ -15 +15 @@
 shouldBeTrue('window.hasOwnProperty("x")');
 shouldBeFalse('window.hasOwnProperty("y")');
-shouldBeTrue('window.hasOwnProperty("f")');
-shouldBeTrue('window.hasOwnProperty("div")');
-shouldBeTrue('window.hasOwnProperty("a")');
+shouldBeFalse('window.hasOwnProperty("f")');
+shouldBeTrue('window.__proto__.__proto__.hasOwnProperty("f")');
+shouldBeFalse('window.hasOwnProperty("div")');
+shouldBeTrue('window.__proto__.__proto__.hasOwnProperty("div")');
+shouldBeFalse('window.hasOwnProperty("a")');
 
 </script>

trunk/LayoutTests/fast/loader/window-clearing-expected.txt

@@ -10 +10 @@
 
 PASS: element 3 in the window's prototype chain was cleared
+
+PASS: element 4 in the window's prototype chain was cleared

trunk/LayoutTests/http/tests/security/window-named-proto-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+CONSOLE MESSAGE: line 2: TypeError: null is not an object (evaluating 'document.body.innerHTML')
 
-CONSOLE MESSAGE: line 1: TypeError: undefined is not an object (evaluating 'parent.__proto__.alert')
-

trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
-
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
-
+CONSOLE MESSAGE: line 1: Threw exception: TypeError: Illegal constructor
 This passes if it doesn't alert the contents of innocent-victim.  

trunk/LayoutTests/http/tests/security/window-named-valueOf.html

@@ -24 +24 @@
                 alert(obj.valueOf.constructor("return document.body.innerHTML")());
             } catch(ex) {
+               console.log("Threw exception: " + ex)
             }
             if (window.testRunner)

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-07-29  Chris Dumez  <cdumez@apple.com>
+
+        Window's named properties should be exposed on a WindowProperties object in its prototype
+        https://bugs.webkit.org/show_bug.cgi?id=160354
+
+        Reviewed by Gavin Barraclough.
+
+        Rebaseline W3C test now that one more check is passing.
+
+        * web-platform-tests/html/dom/interfaces-expected.txt:
+
 2016-07-29  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt

@@ -5160 +5160 @@
 PASS Window interface object length 
 PASS Window interface object name 
-FAIL Window interface: existence and properties of interface prototype object assert_equals: Class name for prototype of Window.prototype is not "WindowProperties" expected "[object WindowProperties]" but got "[object EventTargetPrototype]"
+PASS Window interface: existence and properties of interface prototype object 
 PASS Window interface: existence and properties of interface prototype object's "constructor" property 
 PASS Window interface: attribute self 

trunk/Source/WebCore/CMakeLists.txt

@@ -1133 +1133 @@
     bindings/js/JSDOMWindowBase.cpp
     bindings/js/JSDOMWindowCustom.cpp
+    bindings/js/JSDOMWindowProperties.cpp
     bindings/js/JSDOMWindowShell.cpp
     bindings/js/JSDOMWrapper.cpp

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-07-29  Chris Dumez  <cdumez@apple.com>
+
+        Window's named properties should be exposed on a WindowProperties object in its prototype
+        https://bugs.webkit.org/show_bug.cgi?id=160354
+
+        Reviewed by Gavin Barraclough.
+
+        Window's named properties should be exposed on a WindowProperties object
+        in its prototype:
+        - http://heycam.github.io/webidl/#named-properties-object
+
+        Firefox and Chrome both comply with the specification. However, WebKit
+        had no "WindowProperties" object in the Window prototype chain and the
+        named properties are exposed on the Window object itself.
+
+        No new tests, rebaselined existing tests.
+
+        * CMakeLists.txt:
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/js/JSBindingsAllInOne.cpp:
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::getOwnPropertySlot):
+        (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
+        (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): Deleted.
+        (WebCore::JSDOMWindow::put): Deleted.
+        (WebCore::JSDOMWindow::putByIndex): Deleted.
+        (WebCore::JSDOMWindow::getEnumerableLength): Deleted.
+        * bindings/js/JSDOMWindowProperties.cpp: Added.
+        (WebCore::jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter):
+        (WebCore::JSDOMWindowProperties::getOwnPropertySlot):
+        (WebCore::JSDOMWindowProperties::getOwnPropertySlotByIndex):
+        * bindings/js/JSDOMWindowProperties.h: Added.
+        (WebCore::JSDOMWindowProperties::create):
+        (WebCore::JSDOMWindowProperties::createStructure):
+        (WebCore::JSDOMWindowProperties::JSDOMWindowProperties):
+        * bindings/js/JSDOMWindowShell.cpp:
+        (WebCore::JSDOMWindowShell::setWindow):
+
 2016-07-29  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -1793 +1793 @@
                 460BB6151D0A1BF000221812 /* Base64Utilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 460BB6131D0A1BEC00221812 /* Base64Utilities.cpp */; };
                 460BB6161D0A1BF000221812 /* Base64Utilities.h in Headers */ = {isa = PBXBuildFile; fileRef = 460BB6141D0A1BEC00221812 /* Base64Utilities.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                460CBF351D4BCD0E0092E88E /* JSDOMWindowProperties.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 460CBF331D4BCCFE0092E88E /* JSDOMWindowProperties.cpp */; };
+                460CBF361D4BCD0E0092E88E /* JSDOMWindowProperties.h in Headers */ = {isa = PBXBuildFile; fileRef = 460CBF341D4BCCFE0092E88E /* JSDOMWindowProperties.h */; };
                 4634592C1AC2271000ECB71C /* PowerObserverMac.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4634592B1AC2271000ECB71C /* PowerObserverMac.cpp */; };
                 463EB6221B8789E00096ED51 /* TagCollection.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 463EB6201B8789CB0096ED51 /* TagCollection.cpp */; };
@@ -9425 +9427 @@
                 460BB6131D0A1BEC00221812 /* Base64Utilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Base64Utilities.cpp; sourceTree = "<group>"; };
                 460BB6141D0A1BEC00221812 /* Base64Utilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Base64Utilities.h; sourceTree = "<group>"; };
+                460CBF331D4BCCFE0092E88E /* JSDOMWindowProperties.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSDOMWindowProperties.cpp; sourceTree = "<group>"; };
+                460CBF341D4BCCFE0092E88E /* JSDOMWindowProperties.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSDOMWindowProperties.h; sourceTree = "<group>"; };
                 4634592B1AC2271000ECB71C /* PowerObserverMac.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PowerObserverMac.cpp; sourceTree = "<group>"; };
                 463EB6201B8789CB0096ED51 /* TagCollection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TagCollection.cpp; sourceTree = "<group>"; };
@@ -17905 +17909 @@
                                 9767CE09145ABC12005E64DB /* ExceptionHeaders.h */,
                                 9767CE0A145ABC13005E64DB /* ExceptionInterfaces.h */,
-                                9908B0FD1BCAD07D00ED0F45 /* FetchInternalsBuiltins.cpp */,
                                 9B03D8061BB3110D00B764B9 /* FetchInternalsBuiltins.h */,
                                 A17C81200F2A5CF7005DAAEB /* HTMLElementFactory.cpp */,
@@ -22572 +22575 @@
                                 BC6932710D7E293900AE44D1 /* JSDOMWindowBase.cpp */,
                                 BC6932720D7E293900AE44D1 /* JSDOMWindowBase.h */,
+                                460CBF331D4BCCFE0092E88E /* JSDOMWindowProperties.cpp */,
+                                460CBF341D4BCCFE0092E88E /* JSDOMWindowProperties.h */,
                                 BCBFB53A0DCD29CF0019B3E5 /* JSDOMWindowShell.cpp */,
                                 BCBFB53B0DCD29CF0019B3E5 /* JSDOMWindowShell.h */,
@@ -27032 +27037 @@
                                 81BE20D311F4BC3200915DFA /* JSIDBCursor.h in Headers */,
                                 C585A68311D4FB08004C3E4B /* JSIDBDatabase.h in Headers */,
+                                460CBF361D4BCD0E0092E88E /* JSDOMWindowProperties.h in Headers */,
                                 C585A69711D4FB13004C3E4B /* JSIDBFactory.h in Headers */,
                                 C572EE1F1201C9BC007D8F82 /* JSIDBIndex.h in Headers */,
@@ -29842 +29848 @@
                                 A8C2280E11D4A59700D5A7D3 /* DocumentParser.cpp in Sources */,
                                 4A4F48A916B0DFC000EDBB29 /* DocumentRuleSets.cpp in Sources */,
+                                460CBF351D4BCD0E0092E88E /* JSDOMWindowProperties.cpp in Sources */,
                                 AD6E71AC1668899D00320C13 /* DocumentSharedObjectPool.cpp in Sources */,
                                 0B9056190F2578BE0095FF6A /* DocumentThreadableLoader.cpp in Sources */,

trunk/Source/WebCore/bindings/js/JSBindingsAllInOne.cpp

@@ -63 +63 @@
 #include "JSDOMWindowBase.cpp"
 #include "JSDOMWindowCustom.cpp"
+#include "JSDOMWindowProperties.cpp"
 #include "JSDOMWindowShell.cpp"
 #include "JSDOMWrapper.cpp"

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -147 +147 @@
     }
 
-    // Do prototype lookup early so that functions and attributes in the prototype can have
-    // precedence over the index and name getters.
-    // FIXME: This seems like a silly idea. It only serves to suppress named property access
-    // to frames that happen to have names corresponding to properties on the prototype.
-    // This seems to only serve to leak some information cross-origin.
-    JSValue proto = thisObject->getPrototypeDirect();
-    if (proto.isObject() && asObject(proto)->getPropertySlot(exec, propertyName, slot)) {
-        thisObject->printErrorMessage(errorMessage);
-        slot.setUndefined();
-        return true;
-    }
-
     // Check for child frames by name before built-in properties to match Mozilla. This does
     // not match IE, but some sites end up naming frames things that conflict with window
@@ -171 +159 @@
     slot.setUndefined();
     return true;
-}
-
-static bool jsDOMWindowGetOwnPropertySlotNamedItemGetter(JSDOMWindow* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
-{
-    JSValue proto = thisObject->getPrototypeDirect();
-    if (proto.isObject() && asObject(proto)->hasProperty(exec, propertyName))
-        return false;
-
-    // Check for child frames by name before built-in properties to match Mozilla. This does
-    // not match IE, but some sites end up naming frames things that conflict with window
-    // properties that are in Moz but not IE. Since we have some of these, we have to do it
-    // the Moz way.
-    if (auto* scopedChild = frame.tree().scopedChild(propertyNameToAtomicString(propertyName))) {
-        slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, toJS(exec, scopedChild->document()->domWindow()));
-        return true;
-    }
-
-    // FIXME: Search the whole frame hierarchy somewhere around here.
-    // We need to test the correct priority order.
-
-    // Allow shortcuts like 'Image1' instead of document.images.Image1
-    Document* document = frame.document();
-    if (is<HTMLDocument>(*document)) {
-        auto& htmlDocument = downcast<HTMLDocument>(*document);
-        auto* atomicPropertyName = propertyName.publicName();
-        if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
-            JSValue namedItem;
-            if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
-                Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);
-                ASSERT(collection->length() > 1);
-                namedItem = toJS(exec, thisObject->globalObject(), collection);
-            } else
-                namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));
-            slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);
-            return true;
-        }
-    }
-
-    return false;
 }
 
@@ -255 +204 @@
 #endif
 
-    // (3) Finally, named properties.
-    // Really, this should just be 'return false;' - these should all be on the NPO.
-    return jsDOMWindowGetOwnPropertySlotNamedItemGetter(thisObject, *frame, exec, propertyName, slot);
+    return false;
 }
 
@@ -285 +232 @@
 
     // (2) Regular own properties.
-    if (Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot))
-        return true;
-
-    // (3) Finally, named properties.
-    // Really, this should just be 'return false;' - these should all be on the NPO.
-    return jsDOMWindowGetOwnPropertySlotNamedItemGetter(thisObject, *frame, exec, Identifier::from(exec, index), slot);
+    return Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot);
 }
 

trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp

@@ -33 +33 @@
 #include "GCController.h"
 #include "JSDOMWindow.h"
+#include "JSDOMWindowProperties.h"
 #include "JSEventTarget.h"
 #include "ScriptController.h"
@@ -86 +87 @@
     JSDOMWindow* jsDOMWindow = JSDOMWindow::create(vm, structure, *domWindow, this);
     prototype->structure()->setGlobalObject(vm, jsDOMWindow);
-    prototype->structure()->setPrototypeWithoutTransition(vm, JSEventTarget::prototype(vm, jsDOMWindow));
+
+    Structure* windowPropertiesStructure = JSDOMWindowProperties::createStructure(vm, jsDOMWindow, JSEventTarget::prototype(vm, jsDOMWindow));
+    JSDOMWindowProperties* windowProperties = JSDOMWindowProperties::create(windowPropertiesStructure, *jsDOMWindow);
+
+    prototype->structure()->setPrototypeWithoutTransition(vm, windowProperties);
     setWindow(vm, jsDOMWindow);
     ASSERT(jsDOMWindow->globalObject() == jsDOMWindow);