Changeset 196690 in webkit

Timestamp:

Feb 17, 2016 12:38:27 AM (8 years ago)

Author:

Chris Dumez

Message:

Window should have its 'constructor' property on the prototype
​https://bugs.webkit.org/show_bug.cgi?id=154037
<rdar://problem/24689078>

Reviewed by Gavin Barraclough.

LayoutTests/imported/w3c:

Rebaseline W3C test now that one more check is passing.

• web-platform-tests/html/dom/interfaces-expected.txt:

Source/WebCore:

Window should have its 'constructor' property on the prototype as per
the Web IDL specification:
​http://heycam.github.io/webidl/#interface-prototype-object

Firefox and Chrome already match the specification.

No new tests, covered by:

• fast/dom/Window/window-constructor-settable.html
• fast/dom/Window/window-constructor.html
• http/tests/security/cross-origin-window-property-access.html
• imported/w3c/web-platform-tests/html/dom/interfaces.html

• bindings/scripts/CodeGeneratorJS.pm:

(ConstructorShouldBeOnInstance): Deleted.
Drop this routine as all constructors are now on the prototype.

(InstancePropertyCount):
Do not account for constructor properties as these can only be
on the prototype now.

(PrototypePropertyCount):
Increment the property count by 1 if the interface has a constructor
property (e.g. [NoInterfaceObject] interfaces do not have one).

(GeneratePropertiesHashTable):
Stop calling ConstructorShouldBeOnInstance() as it no longer exists.
Always generated the "constructor" property if:

1. We are generating the prototype hash table.

and

2. The interface needs a constructor (i.e. not marked as [NoInterfaceObject]).

(GenerateImplementation):

• Drop code handling the case where ConstructorShouldBeOnInstance() returns true as constructors are not always on the prototype and the ConstructorShouldBeOnInstance() routine has been dropped.
• Drop code handling [CustomProxyToJSObject]. Now that the constructor is always on the prototype, we never need to cast thisValue to a JSDOMWindow (by calling toJSDOMWindow). In the Window case, thisValue is now casted to a JSDOMWindowPrototype*, similarly to other interfaces so we don't need a special casting function anymore.
• Stop generating security checks. This only impacts Window as it is the only interface marked as [CheckSecurity]. The cross-origin checking code as it was would not work when "constructor" is on the prototype because thisValue is a JSDOMWindowPrototype, not a JSDOMWindow and we have no way of getting the wrapped window. Also, the security check is no longer needed because:
  1. Accessing crossOriginWindow.constructor will not work now that constructor is on the prototype because JSDOMWindow::getOwnPropertySlot() already prevents access to the prototype in the cross-origin case.
  2. "constructor" is a value property, not a getter/setter. Therefore, it is no possible to use the getter/setter from a same origin window instance and call it on a cross origin window.

LayoutTests:

• http/tests/security/cross-origin-window-property-access-expected.txt:
• http/tests/security/cross-origin-window-property-access.html:

Add checks to make sure it still is not possible to access
window.constructor cross-origin.

• js/getOwnPropertyDescriptor-window-attributes-expected.txt:
• js/getOwnPropertyDescriptor-window-attributes.html:

Update test now that window has it's "constructor" attribute
on the prototype.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-origin-window-property-access-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/cross-origin-window-property-access.html (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt (modified) (1 diff)
• LayoutTests/js/getOwnPropertyDescriptor-window-attributes-expected.txt (modified) (1 diff)
• LayoutTests/js/getOwnPropertyDescriptor-window-attributes.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (6 diffs)
• Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (modified) (5 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-02-17  Chris Dumez  <cdumez@apple.com>
+
+        Window should have its 'constructor' property on the prototype
+        https://bugs.webkit.org/show_bug.cgi?id=154037
+        <rdar://problem/24689078>
+
+        Reviewed by Gavin Barraclough.
+
+        * http/tests/security/cross-origin-window-property-access-expected.txt:
+        * http/tests/security/cross-origin-window-property-access.html:
+        Add checks to make sure it still is not possible to access
+        window.constructor cross-origin.
+
+        * js/getOwnPropertyDescriptor-window-attributes-expected.txt:
+        * js/getOwnPropertyDescriptor-window-attributes.html:
+        Update test now that window has it's "constructor" attribute
+        on the prototype.
+
 2016-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/LayoutTests/http/tests/security/cross-origin-window-property-access-expected.txt

@@ -4 +4 @@
 CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 15: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 15: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 Tests that using another window's property getter does not bypass cross-origin checks.
 
@@ -15 +17 @@
 PASS Object.getOwnPropertyDescriptor(window, "navigator").get.call(crossOriginWindow) returned undefined.
 PASS Object.getOwnPropertyDescriptor(window, "screenX").get.call(crossOriginWindow) returned undefined.
+PASS Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow) threw exception TypeError: undefined is not an object (evaluating 'Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call').
+PASS Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow.__proto__) threw exception TypeError: undefined is not an object (evaluating 'Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call').
+PASS crossOriginWindow.constructor returned undefined.
+PASS Object.getOwnPropertyDescriptor(crossOriginWindow.__proto__, "constructor").value threw exception TypeError: undefined is not an object (evaluating 'Object.getOwnPropertyDescriptor(crossOriginWindow.__proto__, "constructor")').
 PASS Object.getOwnPropertyDescriptor(window, "location").get.call(crossOriginWindow) === crossOriginWindow.location is true
 PASS successfullyParsed is true

trunk/LayoutTests/http/tests/security/cross-origin-window-property-access.html

@@ -33 +33 @@
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "navigator").get.call(crossOriginWindow)');
     shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window, "screenX").get.call(crossOriginWindow)');
+    shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow)');
+    shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(window.__proto__, "constructor").get.call(crossOriginWindow.__proto__)');
+    shouldThrowOrReturnUndefined('crossOriginWindow.constructor');
+    shouldThrowOrReturnUndefined('Object.getOwnPropertyDescriptor(crossOriginWindow.__proto__, "constructor").value');
     shouldBeTrue('Object.getOwnPropertyDescriptor(window, "location").get.call(crossOriginWindow) === crossOriginWindow.location');
     finishJSTest();

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-02-17  Chris Dumez  <cdumez@apple.com>
+
+        Window should have its 'constructor' property on the prototype
+        https://bugs.webkit.org/show_bug.cgi?id=154037
+        <rdar://problem/24689078>
+
+        Reviewed by Gavin Barraclough.
+
+        Rebaseline W3C test now that one more check is passing.
+
+        * web-platform-tests/html/dom/interfaces-expected.txt:
+
 2016-02-16  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt

@@ -3812 +3812 @@
 PASS Window interface object name 
 FAIL Window interface: existence and properties of interface prototype object assert_equals: Class name for prototype of Window.prototype is not "WindowProperties" expected "[object WindowProperties]" but got "[object EventTargetPrototype]"
-FAIL Window interface: existence and properties of interface prototype object's "constructor" property assert_own_property: Window.prototype does not have own property "constructor" expected property "constructor" missing
+PASS Window interface: existence and properties of interface prototype object's "constructor" property 
 PASS Window interface: attribute self 
 PASS Window interface: attribute name 

trunk/LayoutTests/js/getOwnPropertyDescriptor-window-attributes-expected.txt

@@ -55 +55 @@
 PASS descriptor.value is window.Node
 
-* window.constructor
+* window.__proto__.constructor
 PASS descriptor.enumerable is false
 PASS descriptor.writable is true

trunk/LayoutTests/js/getOwnPropertyDescriptor-window-attributes.html

@@ -63 +63 @@
 
 debug("");
-// FIXME: 'constructor' should be on the prototype.
-debug("* window.constructor");
-descriptor = Object.getOwnPropertyDescriptor(window, "constructor");
+debug("* window.__proto__.constructor");
+descriptor = Object.getOwnPropertyDescriptor(window.__proto__, "constructor");
 shouldBeFalse("descriptor.enumerable");
 shouldBeTrue("descriptor.writable");

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-17  Chris Dumez  <cdumez@apple.com>
+
+        Window should have its 'constructor' property on the prototype
+        https://bugs.webkit.org/show_bug.cgi?id=154037
+        <rdar://problem/24689078>
+
+        Reviewed by Gavin Barraclough.
+
+        Window should have its 'constructor' property on the prototype as per
+        the Web IDL specification:
+        http://heycam.github.io/webidl/#interface-prototype-object
+
+        Firefox and Chrome already match the specification.
+
+        No new tests, covered by:
+        - fast/dom/Window/window-constructor-settable.html
+        - fast/dom/Window/window-constructor.html
+        - http/tests/security/cross-origin-window-property-access.html
+        - imported/w3c/web-platform-tests/html/dom/interfaces.html
+
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (ConstructorShouldBeOnInstance): Deleted.
+        Drop this routine as all constructors are now on the prototype.
+
+        (InstancePropertyCount):
+        Do not account for constructor properties as these can only be
+        on the prototype now.
+
+        (PrototypePropertyCount):
+        Increment the property count by 1 if the interface has a constructor
+        property (e.g. [NoInterfaceObject] interfaces do not have one).
+
+        (GeneratePropertiesHashTable):
+        Stop calling ConstructorShouldBeOnInstance() as it no longer exists.
+        Always generated the "constructor" property if:
+        1. We are generating the prototype hash table.
+        and
+        2. The interface needs a constructor (i.e. not marked as
+           [NoInterfaceObject]).
+
+        (GenerateImplementation):
+        - Drop code handling the case where ConstructorShouldBeOnInstance()
+          returns true as constructors are not always on the prototype and
+          the ConstructorShouldBeOnInstance() routine has been dropped.
+        - Drop code handling [CustomProxyToJSObject]. Now that the constructor
+          is always on the prototype, we never need to cast thisValue to a
+          JSDOMWindow (by calling toJSDOMWindow). In the Window case, thisValue
+          is now casted to a JSDOMWindowPrototype*, similarly to other interfaces
+          so we don't need a special casting function anymore.
+        - Stop generating security checks. This only impacts Window as it is the
+          only interface marked as [CheckSecurity]. The cross-origin checking code
+          as it was would not work when "constructor" is on the prototype because
+          thisValue is a JSDOMWindowPrototype, not a JSDOMWindow and we have no
+          way of getting the wrapped window. Also, the security check is no longer
+          needed because:
+          1. Accessing crossOriginWindow.constructor will not work now that
+             constructor is on the prototype because
+             JSDOMWindow::getOwnPropertySlot() already prevents access to the
+             prototype in the cross-origin case.
+          2. "constructor" is a value property, not a getter/setter. Therefore,
+             it is no possible to use the getter/setter from a same origin window
+             instance and call it on a cross origin window.
+
 2016-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -682 +682 @@
 }
 
-sub ConstructorShouldBeOnInstance
-{
-    my $interface = shift;
-
-    # FIXME: constructor should always be on the prototype:
-    # http://www.w3.org/TR/WebIDL/#interface-prototype-object
-    return 1 if $interface->extendedAttributes->{"CheckSecurity"};
-    return 0;
-}
-
 sub AttributeShouldBeOnInstanceForCompatibility
 {
@@ -791 +781 @@
     }
     $count += InstanceFunctionCount($interface);
-    $count++ if ConstructorShouldBeOnInstance($interface);
     return $count;
 }
@@ -803 +792 @@
     }
     $count += PrototypeFunctionCount($interface);
-    $count++ if !ConstructorShouldBeOnInstance($interface);
+    $count++ if NeedsConstructorProperty($interface);
     return $count;
 }
@@ -1389 +1378 @@
     my $propertyCount = $isInstance ? InstancePropertyCount($interface) : PrototypePropertyCount($interface);
 
-    if (ConstructorShouldBeOnInstance($interface) == $isInstance) {
-
-        if (NeedsConstructorProperty($interface)) {
-            die if !$propertyCount;
-            push(@$hashKeys, "constructor");
-            my $getter = "js" . $interfaceName . "Constructor";
-            push(@$hashValue1, $getter);
-
-            my $setter = "setJS" . $interfaceName . "Constructor";
-            push(@$hashValue2, $setter);
-            push(@$hashSpecials, "DontEnum");
-        }
+    if (!$isInstance && NeedsConstructorProperty($interface)) {
+        die if !$propertyCount;
+        push(@$hashKeys, "constructor");
+        my $getter = "js" . $interfaceName . "Constructor";
+        push(@$hashValue1, $getter);
+
+        my $setter = "setJS" . $interfaceName . "Constructor";
+        push(@$hashValue2, $setter);
+        push(@$hashSpecials, "DontEnum");
     }
 
@@ -2524 +2510 @@
             my $constructorFunctionName = "js" . $interfaceName . "Constructor";
 
-            if ($interface->extendedAttributes->{"CustomProxyToJSObject"}) {
-                push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
-                push(@implContent, "{\n");
-                push(@implContent, "    ${className}* domObject = to${className}(JSValue::decode(thisValue));\n");
-            } elsif (ConstructorShouldBeOnInstance($interface)) {
-                push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
-                push(@implContent, "{\n");
-                push(@implContent, "    ${className}* domObject = " . GetCastingHelperForThisObject($interface) . "(JSValue::decode(thisValue));\n");
-            } else {
-                push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
-                push(@implContent, "{\n");
-                push(@implContent, "    ${className}Prototype* domObject = jsDynamicCast<${className}Prototype*>(JSValue::decode(thisValue));\n");
-            }
+            push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
+            push(@implContent, "{\n");
+            push(@implContent, "    ${className}Prototype* domObject = jsDynamicCast<${className}Prototype*>(JSValue::decode(thisValue));\n");
             push(@implContent, "    if (!domObject)\n");
             push(@implContent, "        return throwVMTypeError(state);\n");
-
-            if ($interface->extendedAttributes->{"CheckSecurity"}) {
-                die if !ConstructorShouldBeOnInstance($interface);
-                push(@implContent, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, domObject->wrapped()))\n");
-                push(@implContent, "        return JSValue::encode(jsUndefined());\n");
-            }
 
             if (!$interface->extendedAttributes->{"NoInterfaceObject"}) {
@@ -2562 +2532 @@
         push(@implContent, "{\n");
         push(@implContent, "    JSValue value = JSValue::decode(encodedValue);\n");
-        if ($interface->extendedAttributes->{"CustomProxyToJSObject"}) {
-            push(@implContent, "    ${className}* domObject = to${className}(JSValue::decode(thisValue));\n");
-        } elsif (ConstructorShouldBeOnInstance($interface)) {
-            push(@implContent, "    ${className}* domObject = " . GetCastingHelperForThisObject($interface) . "(JSValue::decode(thisValue));\n");
-        } else {
-            push(@implContent, "    ${className}Prototype* domObject = jsDynamicCast<${className}Prototype*>(JSValue::decode(thisValue));\n");
-        }
+        push(@implContent, "    ${className}Prototype* domObject = jsDynamicCast<${className}Prototype*>(JSValue::decode(thisValue));\n");
         push(@implContent, "    if (UNLIKELY(!domObject)) {\n");
         push(@implContent, "        throwVMTypeError(state);\n");
         push(@implContent, "        return;\n");
         push(@implContent, "    }\n");
-        if ($interface->extendedAttributes->{"CheckSecurity"}) {
-            if ($interfaceName eq "DOMWindow") {
-                push(@implContent, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, domObject->wrapped()))\n");
-            } else {
-                push(@implContent, "    if (!shouldAllowAccessToFrame(state, domObject->wrapped().frame()))\n");
-            }
-            push(@implContent, "        return;\n");
-        }
 
         push(@implContent, "    // Shadowing a built-in constructor\n");

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp

@@ -74 +74 @@
 /* Hash table */
 
-static const struct CompactHashIndex JSTestActiveDOMObjectTableIndex[4] = {
-    { 1, -1 },
+static const struct CompactHashIndex JSTestActiveDOMObjectTableIndex[2] = {
     { 0, -1 },
     { -1, -1 },
-    { -1, -1 },
 };
 
@@ -84 +82 @@
 static const HashTableValue JSTestActiveDOMObjectTableValues[] =
 {
-    { "constructor", DontEnum, NoIntrinsic, { (intptr_t)static_cast<PropertySlot::GetValueFunc>(jsTestActiveDOMObjectConstructor), (intptr_t) static_cast<PutPropertySlot::PutValueFunc>(setJSTestActiveDOMObjectConstructor) } },
     { "excitingAttr", ReadOnly | CustomAccessor, NoIntrinsic, { (intptr_t)static_cast<PropertySlot::GetValueFunc>(jsTestActiveDOMObjectExcitingAttr), (intptr_t) static_cast<PutPropertySlot::PutValueFunc>(0) } },
 };
 
-static const HashTable JSTestActiveDOMObjectTable = { 2, 3, true, JSTestActiveDOMObjectTableValues, JSTestActiveDOMObjectTableIndex };
+static const HashTable JSTestActiveDOMObjectTable = { 1, 1, true, JSTestActiveDOMObjectTableValues, JSTestActiveDOMObjectTableIndex };
 template<> JSValue JSTestActiveDOMObjectConstructor::prototypeForStructure(JSC::VM& vm, const JSDOMGlobalObject& globalObject)
 {
@@ -108 +105 @@
 static const HashTableValue JSTestActiveDOMObjectPrototypeTableValues[] =
 {
+    { "constructor", DontEnum, NoIntrinsic, { (intptr_t)static_cast<PropertySlot::GetValueFunc>(jsTestActiveDOMObjectConstructor), (intptr_t) static_cast<PutPropertySlot::PutValueFunc>(setJSTestActiveDOMObjectConstructor) } },
     { "excitingFunction", JSC::Function, NoIntrinsic, { (intptr_t)static_cast<NativeFunction>(jsTestActiveDOMObjectPrototypeFunctionExcitingFunction), (intptr_t) (1) } },
     { "postMessage", JSC::Function, NoIntrinsic, { (intptr_t)static_cast<NativeFunction>(jsTestActiveDOMObjectPrototypeFunctionPostMessage), (intptr_t) (1) } },
@@ -171 +169 @@
 EncodedJSValue jsTestActiveDOMObjectConstructor(ExecState* state, EncodedJSValue thisValue, PropertyName)
 {
-    JSTestActiveDOMObject* domObject = jsDynamicCast<JSTestActiveDOMObject*>(JSValue::decode(thisValue));
+    JSTestActiveDOMObjectPrototype* domObject = jsDynamicCast<JSTestActiveDOMObjectPrototype*>(JSValue::decode(thisValue));
     if (!domObject)
         return throwVMTypeError(state);
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, domObject->wrapped()))
-        return JSValue::encode(jsUndefined());
     return JSValue::encode(JSTestActiveDOMObject::getConstructor(state->vm(), domObject->globalObject()));
 }
@@ -182 +178 @@
 {
     JSValue value = JSValue::decode(encodedValue);
-    JSTestActiveDOMObject* domObject = jsDynamicCast<JSTestActiveDOMObject*>(JSValue::decode(thisValue));
+    JSTestActiveDOMObjectPrototype* domObject = jsDynamicCast<JSTestActiveDOMObjectPrototype*>(JSValue::decode(thisValue));
     if (UNLIKELY(!domObject)) {
         throwVMTypeError(state);
         return;
     }
-    if (!shouldAllowAccessToFrame(state, domObject->wrapped().frame()))
-        return;
     // Shadowing a built-in constructor
     domObject->putDirect(state->vm(), state->propertyNames().constructor, value);