Changeset 125146 in webkit

Timestamp:

Aug 8, 2012 8:52:41 PM (12 years ago)

Author:

abarth@webkit.org

Message:

Implement JSDOMWindow*::allowsAccessFrom* in terms of BindingSecurity
​https://bugs.webkit.org/show_bug.cgi?id=93407

Reviewed by Eric Seidel.

This patch removes allowsAccessFrom and implements the security checks
in terms of shouldAllowAccessToFrame directly. There shouldn't be any
change in behavior.

• bindings/js/JSDOMWindowBase.cpp:

(WebCore):
(WebCore::shouldAllowAccessFrom):

• bindings/js/JSDOMWindowBase.h:

(JSDOMWindowBase):

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::namedItemGetter):
(WebCore::JSDOMWindow::getOwnPropertySlot):
(WebCore::JSDOMWindow::getOwnPropertyDescriptor):
(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::deleteProperty):
(WebCore::JSDOMWindow::getPropertyNames):
(WebCore::JSDOMWindow::getOwnPropertyNames):
(WebCore::JSDOMWindow::defineOwnProperty):
(WebCore::JSDOMWindow::setLocation):

• bindings/js/JSDOMWindowCustom.h:
• bindings/js/JSInjectedScriptManager.cpp:

(WebCore::InjectedScriptManager::canAccessInspectedWindow):

• bindings/objc/WebScriptObject.mm:

(-[WebScriptObject _isSafeScript]):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateGetOwnPropertyDescriptorBody):
(GenerateImplementation):

• bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:

(WebCore::jsTestActiveDOMObjectExcitingAttr):
(WebCore::jsTestActiveDOMObjectConstructor):
(WebCore::jsTestActiveDOMObjectPrototypeFunctionExcitingFunction):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• bindings/js/JSDOMWindowBase.cpp (modified) (2 diffs)
• bindings/js/JSDOMWindowBase.h (modified) (2 diffs)
• bindings/js/JSDOMWindowCustom.cpp (modified) (11 diffs)
• bindings/js/JSDOMWindowCustom.h (modified) (1 diff)
• bindings/js/JSInjectedScriptManager.cpp (modified) (2 diffs)
• bindings/objc/WebScriptObject.mm (modified) (1 diff)
• bindings/scripts/CodeGeneratorJS.pm (modified) (6 diffs)
• bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (modified) (3 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-08-08  Adam Barth  <abarth@webkit.org>
+
+        Implement JSDOMWindow*::allowsAccessFrom* in terms of BindingSecurity
+        https://bugs.webkit.org/show_bug.cgi?id=93407
+
+        Reviewed by Eric Seidel.
+
+        This patch removes allowsAccessFrom and implements the security checks
+        in terms of shouldAllowAccessToFrame directly. There shouldn't be any
+        change in behavior.
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore):
+        (WebCore::shouldAllowAccessFrom):
+        * bindings/js/JSDOMWindowBase.h:
+        (JSDOMWindowBase):
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::namedItemGetter):
+        (WebCore::JSDOMWindow::getOwnPropertySlot):
+        (WebCore::JSDOMWindow::getOwnPropertyDescriptor):
+        (WebCore::JSDOMWindow::put):
+        (WebCore::JSDOMWindow::deleteProperty):
+        (WebCore::JSDOMWindow::getPropertyNames):
+        (WebCore::JSDOMWindow::getOwnPropertyNames):
+        (WebCore::JSDOMWindow::defineOwnProperty):
+        (WebCore::JSDOMWindow::setLocation):
+        * bindings/js/JSDOMWindowCustom.h:
+        * bindings/js/JSInjectedScriptManager.cpp:
+        (WebCore::InjectedScriptManager::canAccessInspectedWindow):
+        * bindings/objc/WebScriptObject.mm:
+        (-[WebScriptObject _isSafeScript]):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateGetOwnPropertyDescriptorBody):
+        (GenerateImplementation):
+        * bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
+        (WebCore::jsTestActiveDOMObjectExcitingAttr):
+        (WebCore::jsTestActiveDOMObjectConstructor):
+        (WebCore::jsTestActiveDOMObjectPrototypeFunctionExcitingFunction):
+
 2012-08-08  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -43 +43 @@
 namespace WebCore {
 
+// FIXME: This function should call shouldAllowAccessToDocument once there is a predictable
+// way to get a Document* from a DOMWindow*.
+static bool shouldAllowAccessFrom(const JSGlobalObject* thisObject, ExecState* exec)
+{
+    DOMWindow* active = activeDOMWindow(exec);
+    DOMWindow* target = asJSDOMWindow(thisObject)->impl();
+
+    if (active->securityOrigin()->canAccess(target->securityOrigin()))
+        return true;
+
+    printErrorMessageForFrame(target->frame(), target->crossDomainAccessErrorMessage(active));
+    return false;
+}
+
 const ClassInfo JSDOMWindowBase::s_info = { "Window", &JSDOMGlobalObject::s_info, 0, 0, CREATE_METHOD_TABLE(JSDOMWindowBase) };
 
-const GlobalObjectMethodTable JSDOMWindowBase::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsProfiling, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptExperimentsEnabled };
+const GlobalObjectMethodTable JSDOMWindowBase::s_globalObjectMethodTable = { &shouldAllowAccessFrom, &supportsProfiling, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptExperimentsEnabled };
 
 JSDOMWindowBase::JSDOMWindowBase(JSGlobalData& globalData, Structure* structure, PassRefPtr<DOMWindow> window, JSDOMWindowShell* shell)
@@ -84 +98 @@
 }
 
-String JSDOMWindowBase::crossDomainAccessErrorMessage(const JSGlobalObject* other) const
-{
-    return m_shell->window()->impl()->crossDomainAccessErrorMessage(asJSDOMWindow(other)->impl());
-}
-
 void JSDOMWindowBase::printErrorMessage(const String& message) const
 {
     printErrorMessageForFrame(impl()->frame(), message);
-}
-
-// This method checks whether accesss to *this* global object is permitted from
-// the given context; this differs from allowsAccessFromPrivate, since that
-// method checks whether the given context is permitted to access the current
-// window the shell is referencing (which may come from a different security
-// origin to this global object).
-bool JSDOMWindowBase::allowsAccessFrom(const JSGlobalObject* thisObject, ExecState* exec)
-{
-    JSGlobalObject* otherObject = exec->lexicalGlobalObject();
-
-    const JSDOMWindow* originWindow = asJSDOMWindow(otherObject);
-    const JSDOMWindow* targetWindow = asJSDOMWindow(thisObject);
-
-    if (originWindow == targetWindow)
-        return true;
-
-    const SecurityOrigin* originSecurityOrigin = originWindow->impl()->securityOrigin();
-    const SecurityOrigin* targetSecurityOrigin = targetWindow->impl()->securityOrigin();
-
-    if (originSecurityOrigin->canAccess(targetSecurityOrigin))
-        return true;
-
-    targetWindow->printErrorMessage(targetWindow->crossDomainAccessErrorMessage(otherObject));
-    return false;
 }
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h

@@ -65 +65 @@
         static bool shouldInterruptScript(const JSC::JSGlobalObject*);
         static bool javaScriptExperimentsEnabled(const JSC::JSGlobalObject*);
-        static bool allowsAccessFrom(const JSC::JSGlobalObject*, JSC::ExecState*);
-        
-        bool allowsAccessFrom(JSC::ExecState*) const;
-        bool allowsAccessFromNoErrorMessage(JSC::ExecState*) const;
-        bool allowsAccessFrom(JSC::ExecState*, String& message) const;
+
         void printErrorMessage(const String&) const;
-
-        // Don't call this version of allowsAccessFrom -- it's a slightly incorrect implementation used only by WebScriptObject
-        bool allowsAccessFrom(const JSC::JSGlobalObject*) const;
         
         static JSC::JSObject* toThisObject(JSC::JSCell*, JSC::ExecState*);
@@ -83 +76 @@
         RefPtr<DOMWindow> m_impl;
         JSDOMWindowShell* m_shell;
-
-        bool allowsAccessFromPrivate(const JSC::JSGlobalObject*) const;
-        String crossDomainAccessErrorMessage(const JSC::JSGlobalObject*) const;
     };
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -113 +113 @@
     Document* document = thisObj->impl()->frame()->document();
 
-    ASSERT(thisObj->allowsAccessFrom(exec));
+    ASSERT(shouldAllowAccessToFrame(exec, thisObj->impl()->frame()));
     ASSERT(document);
     ASSERT(document->isHTMLDocument());
@@ -159 +159 @@
     // is allowed.
     String errorMessage;
-    bool allowsAccess = thisObject->allowsAccessFrom(exec, errorMessage);
+    bool allowsAccess = shouldAllowAccessToFrame(exec, thisObject->impl()->frame(), errorMessage);
 
     // Look for overrides before looking at any of our own properties, but ignore overrides completely
@@ -167 +167 @@
 
     // We need this code here because otherwise JSDOMWindowBase will stop the search before we even get to the
-    // prototype due to the blanket same origin (allowsAccessFrom) check at the end of getOwnPropertySlot.
+    // prototype due to the blanket same origin check at the end of getOwnPropertySlot.
     // Also, it's important to get the implementation straight out of the DOMWindow prototype regardless of
     // what prototype is actually set on this object.
@@ -273 +273 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
     // Never allow cross-domain getOwnPropertyDescriptor
-    if (!thisObject->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
         return false;
 
@@ -350 +350 @@
     // Optimization: access JavaScript global variables directly before involving the DOM.
     if (thisObject->JSGlobalObject::hasOwnPropertyForWrite(exec, propertyName)) {
-        if (thisObject->allowsAccessFrom(exec))
+        if (shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
             JSGlobalObject::put(thisObject, exec, propertyName, value, slot);
         return;
@@ -358 +358 @@
         return;
 
-    if (thisObject->allowsAccessFrom(exec))
+    if (shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
         Base::put(thisObject, exec, propertyName, value, slot);
 }
@@ -366 +366 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
     // Only allow deleting properties by frames in the same origin.
-    if (!thisObject->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
         return false;
     return Base::deleteProperty(thisObject, exec, propertyName);
@@ -375 +375 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
     // Only allow the window to enumerated by frames in the same origin.
-    if (!thisObject->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
         return;
     Base::getPropertyNames(thisObject, exec, propertyNames, mode);
@@ -384 +384 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
     // Only allow the window to enumerated by frames in the same origin.
-    if (!thisObject->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
         return;
     Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
@@ -393 +393 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
     // Only allow defining properties in this way by frames in the same origin, as it allows setters to be introduced.
-    if (!thisObject->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))
         return false;
 
@@ -413 +413 @@
         if (Settings* settings = activeFrame->settings()) {
             if (settings->usesDashboardBackwardCompatibilityMode() && !activeFrame->tree()->parent()) {
-                if (allowsAccessFrom(exec))
+                if (shouldAllowAccessToFrame(exec, impl()->frame()))
                     putDirect(exec->globalData(), Identifier(exec, "location"), value);
                 return;

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.h

@@ -37 +37 @@
 }
 
-inline bool JSDOMWindowBase::allowsAccessFrom(const JSGlobalObject* other) const
-{
-    if (allowsAccessFromPrivate(other))
-        return true;
-    printErrorMessage(crossDomainAccessErrorMessage(other));
-    return false;
-}
-
-inline bool JSDOMWindowBase::allowsAccessFrom(JSC::ExecState* exec) const
-{
-    if (allowsAccessFromPrivate(exec->lexicalGlobalObject()))
-        return true;
-    printErrorMessage(crossDomainAccessErrorMessage(exec->lexicalGlobalObject()));
-    return false;
-}
-    
-inline bool JSDOMWindowBase::allowsAccessFromNoErrorMessage(JSC::ExecState* exec) const
-{
-    return allowsAccessFromPrivate(exec->lexicalGlobalObject());
-}
-    
-inline bool JSDOMWindowBase::allowsAccessFrom(JSC::ExecState* exec, String& message) const
-{
-    if (allowsAccessFromPrivate(exec->lexicalGlobalObject()))
-        return true;
-    message = crossDomainAccessErrorMessage(exec->lexicalGlobalObject());
-    return false;
-}
-    
-ALWAYS_INLINE bool JSDOMWindowBase::allowsAccessFromPrivate(const JSGlobalObject* other) const
-{
-    const JSDOMWindow* originWindow = asJSDOMWindow(other);
-    const JSDOMWindow* targetWindow = m_shell->window();
-
-    if (originWindow == targetWindow)
-        return true;
-
-    const SecurityOrigin* originSecurityOrigin = originWindow->impl()->securityOrigin();
-    const SecurityOrigin* targetSecurityOrigin = targetWindow->impl()->securityOrigin();
-
-    return originSecurityOrigin->canAccess(targetSecurityOrigin);
-}
-
 }
 

trunk/Source/WebCore/bindings/js/JSInjectedScriptManager.cpp

@@ -37 +37 @@
 #include "InjectedScriptManager.h"
 
+#include "BindingSecurity.h"
 #include "ExceptionCode.h"
 #include "JSDOMWindow.h"
@@ -86 +87 @@
     if (!inspectedWindow)
         return false;
-    return inspectedWindow->allowsAccessFromNoErrorMessage(scriptState);
+    return BindingSecurity::shouldAllowAccessToFrame(scriptState, inspectedWindow->impl()->frame(), DoNotReportSecurityError);
 }
 

trunk/Source/WebCore/bindings/objc/WebScriptObject.mm

@@ -242 +242 @@
         return false;
 
-    return jsCast<JSDOMWindowBase*>(root->globalObject())->allowsAccessFrom(_private->originRootObject->globalObject());
+    // It's not actually correct to call shouldAllowAccessToFrame in this way because
+    // JSDOMWindowBase* isn't the right object to represent the currently executing
+    // JavaScript. Instead, we should use ExecState, like we do elsewhere.
+    JSDOMWindowBase* target = jsCast<JSDOMWindowBase*>(root->globalObject());
+    return shouldAllowAccessToFrame(_private->originRootObject->globalObject()->globalExec(), target->impl()->frame());
 }
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -486 +486 @@
     my @getOwnPropertyDescriptorImpl = ();
     if ($dataNode->extendedAttributes->{"CheckSecurity"}) {
-        if ($interfaceName eq "DOMWindow") {
-            push(@implContent, "    if (!thisObject->allowsAccessFrom(exec))\n");
-        } else {
-            push(@implContent, "    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))\n");
-        }
+        push(@implContent, "    if (!shouldAllowAccessToFrame(exec, thisObject->impl()->frame()))\n");
         push(@implContent, "        return false;\n");
     }
@@ -1781 +1777 @@
                     !$attribute->signature->extendedAttributes->{"DoNotCheckSecurity"} &&
                     !$attribute->signature->extendedAttributes->{"DoNotCheckSecurityOnGetter"}) {
-                    push(@implContent, "    if (!castedThis->allowsAccessFrom(exec))\n");
+                    push(@implContent, "    if (!shouldAllowAccessToFrame(exec, castedThis->impl()->frame()))\n");
                     push(@implContent, "        return jsUndefined();\n");
                 }
@@ -1896 +1892 @@
 
                 if ($dataNode->extendedAttributes->{"CheckSecurity"}) {
-                    push(@implContent, "    if (!domObject->allowsAccessFrom(exec))\n");
+                    push(@implContent, "    if (!shouldAllowAccessToFrame(exec, domObject->impl()->frame()))\n");
                     push(@implContent, "        return jsUndefined();\n");
                 }
@@ -1970 +1966 @@
 
                             if ($dataNode->extendedAttributes->{"CheckSecurity"} && !$attribute->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
-                                if ($interfaceName eq "DOMWindow") {
-                                    push(@implContent, "    if (!jsCast<$className*>(thisObject)->allowsAccessFrom(exec))\n");
-                                } else {
-                                    push(@implContent, "    if (!shouldAllowAccessToFrame(exec, jsCast<$className*>(thisObject)->impl()->frame()))\n");
-                                }
+                                push(@implContent, "    if (!shouldAllowAccessToFrame(exec, jsCast<$className*>(thisObject)->impl()->frame()))\n");
                                 push(@implContent, "        return;\n");
                             }
@@ -2099 +2091 @@
                 push(@implContent, "{\n");
                 if ($dataNode->extendedAttributes->{"CheckSecurity"}) {
-                    if ($interfaceName eq "DOMWindow") {
-                        push(@implContent, "    if (!jsCast<$className*>(thisObject)->allowsAccessFrom(exec))\n");
-                    } else {
-                        push(@implContent, "    if (!shouldAllowAccessToFrame(exec, jsCast<$className*>(thisObject)->impl()->frame()))\n");
-                    }
+                    push(@implContent, "    if (!shouldAllowAccessToFrame(exec, jsCast<$className*>(thisObject)->impl()->frame()))\n");
                     push(@implContent, "        return;\n");
                 }
@@ -2207 +2195 @@
                 if ($dataNode->extendedAttributes->{"CheckSecurity"} and
                     !$function->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
-                    push(@implContent, "    if (!castedThis->allowsAccessFrom(exec))\n");
+                    push(@implContent, "    if (!shouldAllowAccessToFrame(exec, castedThis->impl()->frame()))\n");
                     push(@implContent, "        return JSValue::encode(jsUndefined());\n");
                 }

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp

@@ -154 +154 @@
 {
     JSTestActiveDOMObject* castedThis = jsCast<JSTestActiveDOMObject*>(asObject(slotBase));
-    if (!castedThis->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, castedThis->impl()->frame()))
         return jsUndefined();
     UNUSED_PARAM(exec);
@@ -166 +166 @@
 {
     JSTestActiveDOMObject* domObject = jsCast<JSTestActiveDOMObject*>(asObject(slotBase));
-    if (!domObject->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, domObject->impl()->frame()))
         return jsUndefined();
     return JSTestActiveDOMObject::getConstructor(exec, domObject->globalObject());
@@ -183 +183 @@
     JSTestActiveDOMObject* castedThis = jsCast<JSTestActiveDOMObject*>(asObject(thisValue));
     ASSERT_GC_OBJECT_INHERITS(castedThis, &JSTestActiveDOMObject::s_info);
-    if (!castedThis->allowsAccessFrom(exec))
+    if (!shouldAllowAccessToFrame(exec, castedThis->impl()->frame()))
         return JSValue::encode(jsUndefined());
     TestActiveDOMObject* impl = static_cast<TestActiveDOMObject*>(castedThis->impl());