Changeset 206221 in webkit

Timestamp:

Sep 21, 2016 11:23:33 AM (8 years ago)

Author:

Chris Dumez

Message:

Object.getOwnPropertyDescriptor() does not work correctly cross origin
​https://bugs.webkit.org/show_bug.cgi?id=162311

Reviewed by Gavin Barraclough.

LayoutTests/imported/w3c:

Rebaseline W3C test now that more checks are passing.

• web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:

Source/JavaScriptCore:

Add a CustomGetterSetter field to PropertySlot that gets populated
by getOwnPropertySlot() and use it in getOwnPropertyDescriptor()
to properly populate the descriptor. We used to rely on reifying
the properties and then call getDirect() in order to get the
CustomGetterSetter. However, this hack was insufficient to support
the cross-origin case because we need to control more precisely
the visibility of the getter and the setter. For example, Location's
href property has both a getter and a setter in the same origin
case but only has a setter in the cross-origin case.

In the future, we can extend the use of PropertySlot's
customGetterSetter field to the same origin case and get rid of the
reification + getDirect() hack in getOwnPropertyDescriptor().

• runtime/JSObject.cpp:

(JSC::JSObject::getOwnPropertyDescriptor):

• runtime/PropertySlot.cpp:

(JSC::PropertySlot::customAccessorGetter):

• runtime/PropertySlot.h:

Source/WebCore:

Object.getOwnPropertyDescriptor() does not work correctly cross origin. In particular:

• We return value descriptors for attributes instead of getter/setter descriptors
• attributes / operations are wrongly marked as non-configurable

Corresponding specification:

• ​https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
• ​https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)

Test: http/tests/security/cross-origin-descriptors.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::getOwnPropertySlotDelegate):

LayoutTests:

Add layout test coverage.

• http/tests/security/cross-origin-descriptors-expected.txt: Added.
• http/tests/security/cross-origin-descriptors.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-descriptors-expected.txt (added)
• LayoutTests/http/tests/security/cross-origin-descriptors.html (added)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.h (modified) (7 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-09-21  Chris Dumez  <cdumez@apple.com>
+
+        Object.getOwnPropertyDescriptor() does not work correctly cross origin
+        https://bugs.webkit.org/show_bug.cgi?id=162311
+
+        Reviewed by Gavin Barraclough.
+
+        Add layout test coverage.
+
+        * http/tests/security/cross-origin-descriptors-expected.txt: Added.
+        * http/tests/security/cross-origin-descriptors.html: Added.
+
 2016-09-21  Daniel Bates  <dabates@apple.com>
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-09-21  Chris Dumez  <cdumez@apple.com>
+
+        Object.getOwnPropertyDescriptor() does not work correctly cross origin
+        https://bugs.webkit.org/show_bug.cgi?id=162311
+
+        Reviewed by Gavin Barraclough.
+
+        Rebaseline W3C test now that more checks are passing.
+
+        * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
+
 2016-09-21  Jer Noble  <jer.noble@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt

@@ -8 +8 @@
 PASS [[IsExtensible]] should return true for cross-origin objects 
 PASS [[PreventExtensions]] should throw for cross-origin objects 
-FAIL [[GetOwnProperty]] - Properties on cross-origin objects should be reported |own| Blocked a frame with origin "http://localhost:8800" from accessing a frame with origin "http://127.0.0.1:8800". Protocols, domains, and ports must match.
-FAIL [[GetOwnProperty]] - Property descriptors for cross-origin properties should be set up correctly assert_equals: property descriptor for location should be configurable expected true but got false
+PASS [[GetOwnProperty]] - Properties on cross-origin objects should be reported |own| 
+PASS [[GetOwnProperty]] - Property descriptors for cross-origin properties should be set up correctly 
 PASS [[Delete]] Should throw on cross-origin objects 
 PASS [[DefineOwnProperty]] Should throw for cross-origin objects 
-FAIL [[Enumerate]] should return an empty iterator Blocked a frame with origin "http://localhost:8800" from accessing a frame with origin "http://127.0.0.1:8800". Protocols, domains, and ports must match.
+FAIL [[Enumerate]] should return an empty iterator assert_unreached: Shouldn't have been able to enumerate href on cross-origin Location Reached unreachable code
 PASS [[OwnPropertyKeys]] should return all properties from cross-origin objects 
 PASS A and B jointly observe the same identity for cross-origin Window and Location 
 PASS Cross-origin functions get local Function.prototype 
-FAIL Cross-origin Window accessors get local Function.prototype undefined is not an object (evaluating 'f.name')
+PASS Cross-origin Window accessors get local Function.prototype 
 PASS Same-origin observers get different functions for cross-origin objects 
-FAIL Same-origin obsevers get different accessors for cross-origin Window assert_true: different Window accessors per-incumbent script settings object expected true got false
-FAIL Same-origin observers get different accessors for cross-origin Location Blocked a frame with origin "http://localhost:8800" from accessing a frame with origin "http://127.0.0.1:8800". Protocols, domains, and ports must match.
+PASS Same-origin obsevers get different accessors for cross-origin Window 
+PASS Same-origin observers get different accessors for cross-origin Location 
  

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-09-21  Chris Dumez  <cdumez@apple.com>
+
+        Object.getOwnPropertyDescriptor() does not work correctly cross origin
+        https://bugs.webkit.org/show_bug.cgi?id=162311
+
+        Reviewed by Gavin Barraclough.
+
+        Add a CustomGetterSetter field to PropertySlot that gets populated
+        by getOwnPropertySlot() and use it in getOwnPropertyDescriptor()
+        to properly populate the descriptor. We used to rely on reifying
+        the properties and then call getDirect() in order to get the
+        CustomGetterSetter. However, this hack was insufficient to support
+        the cross-origin case because we need to control more precisely
+        the visibility of the getter and the setter. For example, Location's
+        href property has both a getter and a setter in the same origin
+        case but only has a setter in the cross-origin case.
+
+        In the future, we can extend the use of PropertySlot's
+        customGetterSetter field to the same origin case and get rid of the
+        reification + getDirect() hack in getOwnPropertyDescriptor().
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::getOwnPropertyDescriptor):
+        * runtime/PropertySlot.cpp:
+        (JSC::PropertySlot::customAccessorGetter):
+        * runtime/PropertySlot.h:
+
 2016-09-21  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2843 +2843 @@
             thisObject = proxy->target();
 
-        JSValue maybeGetterSetter = thisObject->getDirect(exec->vm(), propertyName);
-        if (!maybeGetterSetter) {
-            thisObject->reifyAllStaticProperties(exec);
-            maybeGetterSetter = thisObject->getDirect(exec->vm(), propertyName);
-        }
-
-        ASSERT(maybeGetterSetter);
-        auto* getterSetter = jsCast<CustomGetterSetter*>(maybeGetterSetter);
+        CustomGetterSetter* getterSetter;
+        if (slot.isCustomAccessor())
+            getterSetter = slot.customGetterSetter();
+        else {
+            JSValue maybeGetterSetter = thisObject->getDirect(exec->vm(), propertyName);
+            if (!maybeGetterSetter) {
+                thisObject->reifyAllStaticProperties(exec);
+                maybeGetterSetter = thisObject->getDirect(exec->vm(), propertyName);
+            }
+
+            ASSERT(maybeGetterSetter);
+            getterSetter = jsCast<CustomGetterSetter*>(maybeGetterSetter);
+        }
         if (getterSetter->getter())
             descriptor.setGetter(getCustomGetterSetterFunctionForGetterSetter(exec, propertyName, getterSetter, JSCustomGetterSetterFunction::Type::Getter));

trunk/Source/JavaScriptCore/runtime/PropertySlot.cpp

@@ -42 +42 @@
 }
 
+JSValue PropertySlot::customAccessorGetter(ExecState* exec, PropertyName propertyName) const
+{
+    if (!m_data.customAccessor.getterSetter->getter())
+        return jsUndefined();
+    return JSValue::decode(m_data.customAccessor.getterSetter->getter()(exec, JSValue::encode(m_thisValue), propertyName));
+}
+
 JSValue PropertySlot::getPureResult() const
 {

trunk/Source/JavaScriptCore/runtime/PropertySlot.h

@@ -72 +72 @@
         TypeValue,
         TypeGetter,
-        TypeCustom
+        TypeCustom,
+        TypeCustomAccessor,
     };
 
@@ -108 +109 @@
     bool isAccessor() const { return m_propertyType == TypeGetter; }
     bool isCustom() const { return m_propertyType == TypeCustom; }
+    bool isCustomAccessor() const { return m_propertyType == TypeCustomAccessor; }
     bool isCacheableValue() const { return isCacheable() && isValue(); }
     bool isCacheableGetter() const { return isCacheable() && isAccessor(); }
     bool isCacheableCustom() const { return isCacheable() && isCustom(); }
+    bool isCacheableCustomAccessor() const { return isCacheable() && isCustomAccessor(); }
     void setIsTaintedByOpaqueObject() { m_isTaintedByOpaqueObject = true; }
     bool isTaintedByOpaqueObject() const { return m_isTaintedByOpaqueObject; }
@@ -141 +144 @@
     }
 
+    CustomGetterSetter* customGetterSetter() const
+    {
+        ASSERT(isCustomAccessor());
+        return m_data.customAccessor.getterSetter;
+    }
+
     JSObject* slotBase() const
     {
@@ -216 +225 @@
         m_slotBase = slotBase;
         m_propertyType = TypeCustom;
+        m_offset = !invalidOffset;
+    }
+
+    void setCustomGetterSetter(JSObject* slotBase, unsigned attributes, CustomGetterSetter* getterSetter)
+    {
+        ASSERT(attributes == attributesForStructure(attributes));
+
+        ASSERT(getterSetter);
+        m_data.customAccessor.getterSetter = getterSetter;
+        m_attributes = attributes;
+
+        ASSERT(slotBase);
+        m_slotBase = slotBase;
+        m_propertyType = TypeCustomAccessor;
+        m_offset = invalidOffset;
+    }
+
+    void setCacheableCustomGetterSetter(JSObject* slotBase, unsigned attributes, CustomGetterSetter* getterSetter)
+    {
+        ASSERT(attributes == attributesForStructure(attributes));
+
+        ASSERT(getterSetter);
+        m_data.customAccessor.getterSetter = getterSetter;
+        m_attributes = attributes;
+
+        ASSERT(slotBase);
+        m_slotBase = slotBase;
+        m_propertyType = TypeCustomAccessor;
         m_offset = !invalidOffset;
     }
@@ -275 +312 @@
     JS_EXPORT_PRIVATE JSValue functionGetter(ExecState*) const;
     JS_EXPORT_PRIVATE JSValue customGetter(ExecState*, PropertyName) const;
+    JS_EXPORT_PRIVATE JSValue customAccessorGetter(ExecState*, PropertyName) const;
 
     unsigned m_attributes;
@@ -285 +323 @@
             GetValueFunc getValue;
         } custom;
+        struct {
+            CustomGetterSetter* getterSetter;
+        } customAccessor;
     } m_data;
 
@@ -303 +344 @@
     if (m_propertyType == TypeGetter)
         return functionGetter(exec);
+    if (m_propertyType == TypeCustomAccessor)
+        return customAccessorGetter(exec, propertyName);
     return customGetter(exec, propertyName);
 }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-21  Chris Dumez  <cdumez@apple.com>
+
+        Object.getOwnPropertyDescriptor() does not work correctly cross origin
+        https://bugs.webkit.org/show_bug.cgi?id=162311
+
+        Reviewed by Gavin Barraclough.
+
+        Object.getOwnPropertyDescriptor() does not work correctly cross origin. In particular:
+        - We return value descriptors for attributes instead of getter/setter descriptors
+        - attributes / operations are wrongly marked as non-configurable
+
+        Corresponding specification:
+        - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+        - https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)
+
+        Test: http/tests/security/cross-origin-descriptors.html
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::getOwnPropertySlotDelegate):
+
 2016-09-21  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -102 +102 @@
     // Always provide the original function, on a fresh uncached function object.
     if (propertyName == exec->propertyNames().blur) {
-        slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionBlur, 0>);
+        slot.setCustom(thisObject, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionBlur, 0>);
         return true;
     }
     if (propertyName == exec->propertyNames().close) {
-        slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionClose, 0>);
+        slot.setCustom(thisObject, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionClose, 0>);
         return true;
     }
     if (propertyName == exec->propertyNames().focus) {
-        slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionFocus, 0>);
+        slot.setCustom(thisObject, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionFocus, 0>);
         return true;
     }
     if (propertyName == exec->propertyNames().postMessage) {
-        slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionPostMessage, 2>);
+        slot.setCustom(thisObject, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionPostMessage, 2>);
         return true;
     }
@@ -132 +132 @@
             || propertyName == exec->propertyNames().parent
             || propertyName == exec->propertyNames().top) {
-            slot.setCacheableCustom(thisObject, ReadOnly | DontDelete | DontEnum, entry->propertyGetter());
+            bool shouldExposeSetter = propertyName == exec->propertyNames().location;
+            CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, entry->propertyGetter(), shouldExposeSetter ? entry->propertyPutter() : nullptr);
+            slot.setCacheableCustomGetterSetter(thisObject, DontEnum | CustomAccessor, customGetterSetter);
             return true;
         }

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -53 +53 @@
 
     // We only allow access to Location.replace() cross origin.
-    // Make it read-only / non-configurable to prevent writes via defineProperty.
     if (propertyName == exec->propertyNames().replace) {
-        slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionReplace, 1>);
+        slot.setCustom(this, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionReplace, 1>);
+        return true;
+    }
+
+    // Getting location.href cross origin needs to throw. However, getOwnPropertyDescriptor() needs to return
+    // a descriptor that has a setter but no getter.
+    if (slot.internalMethodType() == PropertySlot::InternalMethodType::GetOwnProperty && propertyName == exec->propertyNames().href) {
+        auto* entry = JSLocation::info()->staticPropHashTable->entry(propertyName);
+        CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, nullptr, entry->propertyPutter());
+        slot.setCacheableCustomGetterSetter(this, DontEnum | CustomAccessor, customGetterSetter);
         return true;
     }