Changeset 199087 in webkit

Timestamp:

Apr 5, 2016 6:18:05 PM (8 years ago)

Author:

Chris Dumez

Message:

MessageEvent.source window is incorrect once window has been reified
​https://bugs.webkit.org/show_bug.cgi?id=156227
<rdar://problem/25545831>

Reviewed by Mark Lam.

Source/WebCore:

MessageEvent.source window was incorrect once window had been reified.

If the Window had not been reified, we kept constructing new
postMessage() functions when calling window.postMessage(). We used to
pass activeDOMWindow(execState) as source Window to
DOMWindow::postMessage(). activeDOMWindow() uses
exec->lexicalGlobalObject() which did the right thing because we
used to construct a new postMessage() function in the caller's context.

However, after reification, due to the way JSDOMWindow::getOwnPropertySlot()
was implemented, we would stop constructing new postMessage() functions
when calling window.postMessage(). As a result, the source window would
become incorrect because exec->lexicalGlobalObject() would return the
target Window instead.

In this patch, the following is done:

1. Stop constructing a new function every time in the same origin case for postMessage, blur, focus and close. This was inefficient and lead to incorrect behavior:
   • The behavior would differ depending if the Window is reified or not
   • It would be impossible to delete those operations, which is incompatible with the specification and other browsers (tested Firefox and Chrome).
2. Use callerDOMWindow(execState) instead of activeDOMWindow(execState) as source Window in JSDOMWindow::handlePostMessage(). callerDOMWindow() is a new utility function that returns the caller's Window object.

Tests: fast/dom/Window/delete-operations.html

fast/dom/Window/messageevent-source-postmessage-reified.html
fast/dom/Window/messageevent-source-postmessage.html
fast/dom/Window/messageevent-source-postmessage2.html
fast/dom/Window/window-postmessage-clone-frames.html
fast/dom/Window/post-message-crash2.html

• bindings/js/JSDOMBinding.cpp:

(WebCore::GetCallerCodeBlockFunctor::operator()):
(WebCore::GetCallerCodeBlockFunctor::codeBlock):
(WebCore::callerDOMWindow):

• bindings/js/JSDOMBinding.h:
• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::handlePostMessage):

LayoutTests:

Add tests that cover using MessageEvent.source Window for messaging
using postMessage(). There are 2 versions of the test, one where the
main window is reified and one where it is not. The test that has a
reified main window was failing because this fix.

• fast/dom/Window/delete-operations-expected.txt: Added.
• fast/dom/Window/delete-operations.html: Added.

Make sure that operations on Window are indeed deletable. Previously,
it would be impossible to delete postMessage, blur, focus and close.

• fast/dom/Window/messageevent-source-postmessage-expected.txt: Added.
• fast/dom/Window/messageevent-source-postmessage-reified-expected.txt: Added.
• fast/dom/Window/messageevent-source-postmessage-reified.html: Added.
• fast/dom/Window/messageevent-source-postmessage.html: Added.
• fast/dom/Window/messageevent-source-postmessage2.html: Added.
• fast/dom/Window/resources/messageevent-source-postmessage-frame.html: Added.
• fast/dom/Window/post-message-crash2-expected.txt: Added.
• fast/dom/Window/post-message-crash2.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/delete-operations-expected.txt (added)
• LayoutTests/fast/dom/Window/delete-operations.html (added)
• LayoutTests/fast/dom/Window/messageevent-source-postmessage-expected.txt (added)
• LayoutTests/fast/dom/Window/messageevent-source-postmessage-reified-expected.txt (added)
• LayoutTests/fast/dom/Window/messageevent-source-postmessage-reified.html (added)
• LayoutTests/fast/dom/Window/messageevent-source-postmessage.html (added)
• LayoutTests/fast/dom/Window/messageevent-source-postmessage2-expected.txt (added)
• LayoutTests/fast/dom/Window/messageevent-source-postmessage2.html (added)
• LayoutTests/fast/dom/Window/post-message-crash2-expected.txt (added)
• LayoutTests/fast/dom/Window/post-message-crash2.html (added)
• LayoutTests/fast/dom/Window/resources/messageevent-source-postmessage-frame.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMBinding.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSDOMBinding.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-04-05  Chris Dumez  <cdumez@apple.com>
+
+        MessageEvent.source window is incorrect once window has been reified
+        https://bugs.webkit.org/show_bug.cgi?id=156227
+        <rdar://problem/25545831>
+
+        Reviewed by Mark Lam.
+
+        Add tests that cover using MessageEvent.source Window for messaging
+        using postMessage(). There are 2 versions of the test, one where the
+        main window is reified and one where it is not. The test that has a
+        reified main window was failing because this fix.
+
+        * fast/dom/Window/delete-operations-expected.txt: Added.
+        * fast/dom/Window/delete-operations.html: Added.
+        Make sure that operations on Window are indeed deletable. Previously,
+        it would be impossible to delete postMessage, blur, focus and close.
+
+        * fast/dom/Window/messageevent-source-postmessage-expected.txt: Added.
+        * fast/dom/Window/messageevent-source-postmessage-reified-expected.txt: Added.
+        * fast/dom/Window/messageevent-source-postmessage-reified.html: Added.
+        * fast/dom/Window/messageevent-source-postmessage.html: Added.
+        * fast/dom/Window/messageevent-source-postmessage2.html: Added.
+        * fast/dom/Window/resources/messageevent-source-postmessage-frame.html: Added.
+        * fast/dom/Window/post-message-crash2-expected.txt: Added.
+        * fast/dom/Window/post-message-crash2.html: Added.
+
 2016-04-05  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-04-05  Chris Dumez  <cdumez@apple.com>
+
+        MessageEvent.source window is incorrect once window has been reified
+        https://bugs.webkit.org/show_bug.cgi?id=156227
+        <rdar://problem/25545831>
+
+        Reviewed by Mark Lam.
+
+        MessageEvent.source window was incorrect once window had been reified.
+
+        If the Window had not been reified, we kept constructing new
+        postMessage() functions when calling window.postMessage(). We used to
+        pass activeDOMWindow(execState) as source Window to
+        DOMWindow::postMessage(). activeDOMWindow() uses
+        exec->lexicalGlobalObject() which did the right thing because we
+        used to construct a new postMessage() function in the caller's context.
+
+        However, after reification, due to the way JSDOMWindow::getOwnPropertySlot()
+        was implemented, we would stop constructing new postMessage() functions
+        when calling window.postMessage(). As a result, the source window would
+        become incorrect because exec->lexicalGlobalObject() would return the
+        target Window instead.
+
+        In this patch, the following is done:
+        1. Stop constructing a new function every time in the same origin case
+           for postMessage, blur, focus and close. This was inefficient and lead
+           to incorrect behavior:
+           - The behavior would differ depending if the Window is reified or not
+           - It would be impossible to delete those operations, which is
+             incompatible with the specification and other browsers (tested
+             Firefox and Chrome).
+        2. Use callerDOMWindow(execState) instead of activeDOMWindow(execState)
+           as source Window in JSDOMWindow::handlePostMessage(). callerDOMWindow()
+           is a new utility function that returns the caller's Window object.
+
+        Tests: fast/dom/Window/delete-operations.html
+               fast/dom/Window/messageevent-source-postmessage-reified.html
+               fast/dom/Window/messageevent-source-postmessage.html
+               fast/dom/Window/messageevent-source-postmessage2.html
+               fast/dom/Window/window-postmessage-clone-frames.html
+               fast/dom/Window/post-message-crash2.html
+
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::GetCallerCodeBlockFunctor::operator()):
+        (WebCore::GetCallerCodeBlockFunctor::codeBlock):
+        (WebCore::callerDOMWindow):
+        * bindings/js/JSDOMBinding.h:
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::handlePostMessage):
+
 2016-04-05  Beth Dakin  <bdakin@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp

@@ -36 +36 @@
 #include "JSExceptionBase.h"
 #include "SecurityOrigin.h"
+#include <bytecode/CodeBlock.h>
 #include <inspector/ScriptCallStack.h>
 #include <inspector/ScriptCallStackFactory.h>
@@ -556 +557 @@
     doubleToInteger(x, n);
     return n;
+}
+
+class GetCallerGlobalObjectFunctor {
+public:
+    GetCallerGlobalObjectFunctor() = default;
+
+    StackVisitor::Status operator()(StackVisitor& visitor) const
+    {
+        if (!m_hasSkippedFirstFrame) {
+            m_hasSkippedFirstFrame = true;
+            return StackVisitor::Continue;
+        }
+
+        if (auto* codeBlock = visitor->codeBlock())
+            m_globalObject = codeBlock->globalObject();
+        else {
+            ASSERT(visitor->callee());
+            m_globalObject = visitor->callee()->globalObject();
+        }
+        return StackVisitor::Done;
+    }
+
+    JSGlobalObject* globalObject() const { return m_globalObject; }
+
+private:
+    mutable bool m_hasSkippedFirstFrame { false };
+    mutable JSGlobalObject* m_globalObject { nullptr };
+};
+
+DOMWindow& callerDOMWindow(ExecState* exec)
+{
+    GetCallerGlobalObjectFunctor iter;
+    exec->iterate(iter);
+    return iter.globalObject() ? asJSDOMWindow(iter.globalObject())->wrapped() : firstDOMWindow(exec);
 }
 

trunk/Source/WebCore/bindings/js/JSDOMBinding.h

@@ -79 +79 @@
 typedef int ExceptionCode;
 
+DOMWindow& callerDOMWindow(JSC::ExecState*);
 DOMWindow& activeDOMWindow(JSC::ExecState*);
 DOMWindow& firstDOMWindow(JSC::ExecState*);

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -238 +238 @@
     slot.setWatchpointSet(thisObject->m_windowCloseWatchpoints);
 
-    // FIXME: These are all bogus. Keeping these here make some tests pass that check these properties
-    // are own properties of the window, but introduces other problems instead (e.g. if you overwrite
-    // & delete then the original value is restored!) Should be removed.
-    if (propertyName == exec->propertyNames().blur) {
-        if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
-            slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionBlur, 0>);
-        return true;
-    }
-    if (propertyName == exec->propertyNames().close) {
-        if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
-            slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionClose, 0>);
-        return true;
-    }
-    if (propertyName == exec->propertyNames().focus) {
-        if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
-            slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionFocus, 0>);
-        return true;
-    }
-    if (propertyName == exec->propertyNames().postMessage) {
-        if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
-            slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionPostMessage, 2>);
-        return true;
-    }
-
     if (propertyName == exec->propertyNames().showModalDialog) {
         if (Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
@@ -589 +565 @@
 
     ExceptionCode ec = 0;
-    impl.postMessage(message.release(), &messagePorts, targetOrigin, activeDOMWindow(&state), ec);
+    impl.postMessage(message.release(), &messagePorts, targetOrigin, callerDOMWindow(&state), ec);
     setDOMException(&state, ec);