Changeset 69553 in webkit


Ignore:
Timestamp:
Oct 11, 2010 7:12:51 PM (13 years ago)
Author:
msaboff@apple.com
Message:

2010-10-11 Michael Saboff <msaboff@apple.com>

Reviewed by Darin Adler.

Added and changed tests to verify that DOMWindow objects are
create with appropriate constructors and that those constructors
are not callable directly.
https://bugs.webkit.org/show_bug.cgi?id=47422

  • fast/dom/Window/window-constructor-expected.txt: Added.
  • fast/dom/Window/window-constructor.html: Added.
  • fast/dom/Window/window-properties-expected.txt:
  • fast/dom/Window/window-property-descriptors-expected.txt:
  • fast/dom/prototype-inheritance-2-expected.txt:
  • fast/dom/script-tests/constructors-cached.js:
  • fast/dom/wrapper-classes-expected.txt:
  • http/tests/security/cross-frame-access-get-expected.txt:
  • http/tests/security/cross-frame-access-get.html:
  • http/tests/security/cross-frame-access-put.html:
  • inspector/console-dir-global-expected.txt:
  • java/lc3/JSObject/ToJSObject-001-expected.txt:
  • java/lc3/JSObject/ToObject-001-expected.txt:

2010-10-11 Michael Saboff <msaboff@apple.com>

Reviewed by Darin Adler.

Changed DOMWindow to have a constructor. Updated the code generator
to add security checks to the constructors if CheckDomainSecurity is
set. Also changed the constructor generation code to use
globalObject->prototype() for DOMWindow object prototypes instead
of "self".
https://bugs.webkit.org/show_bug.cgi?id=47422

Test: fast/dom/Window/window-constructor.html

  • bindings/scripts/CodeGeneratorJS.pm:
  • page/DOMWindow.idl:
Location:
trunk
Files:
2 added
18 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r69550 r69553  
     12010-10-11  Michael Saboff  <msaboff@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        Added and changed tests to verify that DOMWindow objects are
     6        create with appropriate constructors and that those constructors
     7        are not callable directly.
     8        https://bugs.webkit.org/show_bug.cgi?id=47422
     9
     10        * fast/dom/Window/window-constructor-expected.txt: Added.
     11        * fast/dom/Window/window-constructor.html: Added.
     12        * fast/dom/Window/window-properties-expected.txt:
     13        * fast/dom/Window/window-property-descriptors-expected.txt:
     14        * fast/dom/prototype-inheritance-2-expected.txt:
     15        * fast/dom/script-tests/constructors-cached.js:
     16        * fast/dom/wrapper-classes-expected.txt:
     17        * http/tests/security/cross-frame-access-get-expected.txt:
     18        * http/tests/security/cross-frame-access-get.html:
     19        * http/tests/security/cross-frame-access-put.html:
     20        * inspector/console-dir-global-expected.txt:
     21        * java/lc3/JSObject/ToJSObject-001-expected.txt:
     22        * java/lc3/JSObject/ToObject-001-expected.txt:
     23
    1242010-10-11  Prasad Tammana  <prasadt@chromium.org>
    225
  • trunk/LayoutTests/fast/dom/Window/script-tests/window-property-descriptors.js

    r66462 r69553  
    88    // Don't log DumpRenderTree injected objects
    99    "layoutTestController" : 1, // Work around http://bugs.webkit.org/show_bug.cgi?id=11373
     10    "constructor" : 0,  // Workaround to include constructor in windowPropertyNames
    1011    "GCController" : 1,
    1112    "accessibilityController" : 1,
     
    6061    if (protoPropertyNames[i] == "createBlobURL" || protoPropertyNames[i] == "revokeBlobURL")
    6162        continue;
     63    if (protoPropertyNames[i] == "constructor")
     64        continue;
    6265    shouldBeUndefined("Object.getOwnPropertyDescriptor(window, '" + protoPropertyNames[i] + "')");
    6366}
  • trunk/LayoutTests/fast/dom/Window/window-properties-expected.txt

    r68440 r69553  
    21932193window.console.trace [function]
    21942194window.console.warn [function]
     2195window.constructor [object DOMWindowConstructor]
     2196window.constructor.prototype [object DOMWindowPrototype]
     2197window.constructor.prototype.addEventListener [function]
     2198window.constructor.prototype.alert [function]
     2199window.constructor.prototype.atob [function]
     2200window.constructor.prototype.blur [function]
     2201window.constructor.prototype.btoa [function]
     2202window.constructor.prototype.captureEvents [function]
     2203window.constructor.prototype.clearInterval [function]
     2204window.constructor.prototype.clearTimeout [function]
     2205window.constructor.prototype.close [function]
     2206window.constructor.prototype.confirm [function]
     2207window.constructor.prototype.createBlobURL [function]
     2208window.constructor.prototype.dispatchEvent [function]
     2209window.constructor.prototype.find [function]
     2210window.constructor.prototype.focus [function]
     2211window.constructor.prototype.getComputedStyle [function]
     2212window.constructor.prototype.getMatchedCSSRules [function]
     2213window.constructor.prototype.getSelection [function]
     2214window.constructor.prototype.moveBy [function]
     2215window.constructor.prototype.moveTo [function]
     2216window.constructor.prototype.open [function]
     2217window.constructor.prototype.openDatabase [function]
     2218window.constructor.prototype.postMessage [function]
     2219window.constructor.prototype.print [function]
     2220window.constructor.prototype.prompt [function]
     2221window.constructor.prototype.releaseEvents [function]
     2222window.constructor.prototype.removeEventListener [function]
     2223window.constructor.prototype.resizeBy [function]
     2224window.constructor.prototype.resizeTo [function]
     2225window.constructor.prototype.revokeBlobURL [function]
     2226window.constructor.prototype.scroll [function]
     2227window.constructor.prototype.scrollBy [function]
     2228window.constructor.prototype.scrollTo [function]
     2229window.constructor.prototype.setInterval [function]
     2230window.constructor.prototype.setTimeout [function]
     2231window.constructor.prototype.showModalDialog [function]
     2232window.constructor.prototype.stop [function]
     2233window.constructor.prototype.webkitConvertPointFromNodeToPage [function]
     2234window.constructor.prototype.webkitConvertPointFromPageToNode [function]
    21952235window.crypto [undefined]
    21962236window.decodeURI [function]
  • trunk/LayoutTests/fast/dom/Window/window-property-descriptors-expected.txt

    r68440 r69553  
    334334PASS typeof Object.getOwnPropertyDescriptor(window, 'closed') is 'object'
    335335PASS typeof Object.getOwnPropertyDescriptor(window, 'console') is 'object'
     336PASS typeof Object.getOwnPropertyDescriptor(window, 'constructor') is 'object'
    336337PASS typeof Object.getOwnPropertyDescriptor(window, 'crypto') is 'object'
    337338PASS typeof Object.getOwnPropertyDescriptor(window, 'debug') is 'object'
     
    498499PASS Object.getOwnPropertyDescriptor(window, 'close') is undefined.
    499500PASS Object.getOwnPropertyDescriptor(window, 'confirm') is undefined.
    500 PASS Object.getOwnPropertyDescriptor(window, 'constructor') is undefined.
    501501PASS Object.getOwnPropertyDescriptor(window, 'dispatchEvent') is undefined.
    502502PASS Object.getOwnPropertyDescriptor(window, 'find') is undefined.
  • trunk/LayoutTests/fast/dom/prototype-inheritance-2-expected.txt

    r68440 r69553  
    8282PASS DOMTokenListPrototype from inner.document.forms.testForm.0.0.classList.__proto__
    8383PASS DOMWindow from inner
     84PASS DOMWindowConstructor from inner.document.forms.testForm.0.ownerDocument.defaultView.constructor
    8485PASS DOMWindowPrototype from inner.document.forms.testForm.0.ownerDocument.defaultView.__proto__
    8586PASS DocumentPrototype from inner.document.forms.testForm.0.ownerDocument.__proto__.__proto__
  • trunk/LayoutTests/fast/dom/script-tests/constructors-cached.js

    r48551 r69553  
    11description("This test ensures that objects with security restrictions are cached correctly");
    22
    3 var constructors = ["Image", "Option", "XMLHttpRequest", "Audio"];
     3var ctors = ["Image", "Option", "XMLHttpRequest", "Audio"];
    44
    5 for (var i = 0; i < constructors.length; i++) {
    6     var constructor = constructors[i];
     5for (var i = 0; i < ctors.length; i++) {
     6    var ctor = ctors[i];
    77    try {
    88        // Test retrieving the object twice results in the same object
    9         shouldBe(constructor, constructor);
     9        shouldBe(ctor, ctor);
    1010
    1111        // Be paranoid -- make sure that setting a property results in that property
    1212        // stays
    13         this[constructor].testProperty = "property set successfully";
    14         shouldBe(constructor + ".testProperty", '"property set successfully"');
     13        this[ctor].testProperty = "property set successfully";
     14        shouldBe(ctor + ".testProperty", '"property set successfully"');
    1515    } catch (e) {
    16         testFailed("Testing " + constructor + " threw " + e);
     16        testFailed("Testing " + ctor + " threw " + e);
    1717    }
    1818}
  • trunk/LayoutTests/fast/dom/wrapper-classes-expected.txt

    r61322 r69553  
    131131PASS jsWrapperClass(window) is 'DOMWindow'
    132132PASS jsWrapperClass(window.__proto__) is 'DOMWindowPrototype'
    133 FAIL jsWrapperClass(window.constructor) should be DOMWindowConstructor. Was Function.
     133PASS jsWrapperClass(window.constructor) is 'DOMWindowConstructor'
    134134
    135135HTML DOM
  • trunk/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt

    r61599 r69553  
     1CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get.html. Domains, protocols and ports must match.
     2
    13CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get.html. Domains, protocols and ports must match.
    24
     
    516518PASS: canGet('targetWindow.clearTimeout') should be 'false' and is.
    517519PASS: canGet('targetWindow.confirm') should be 'false' and is.
     520PASS: canGet('targetWindow.constructor') should be 'false' and is.
    518521PASS: canGet('targetWindow.find') should be 'false' and is.
    519522PASS: canGet('targetWindow.getComputedStyle') should be 'false' and is.
  • trunk/LayoutTests/http/tests/security/cross-frame-access-get.html

    r61599 r69553  
    115115            "clearTimeout",
    116116            "confirm",
     117            "constructor",
    117118            "find",
    118119            "getComputedStyle",
  • trunk/LayoutTests/http/tests/security/cross-frame-access-put.html

    r44906 r69553  
    207207    setForbiddenProperty(targetWindow, "close");
    208208    setForbiddenProperty(targetWindow, "confirm");
     209    setForbiddenProperty(targetWindow, "constructor");
    209210    setForbiddenProperty(targetWindow, "eval");
    210211    setForbiddenProperty(targetWindow, "find");
  • trunk/LayoutTests/inspector/console-dir-global-expected.txt

    r61010 r69553  
    55    Array : 1
    66    console : 1
     7    constructor : 1
    78    document : 1
    89    doit : 1
  • trunk/LayoutTests/java/lc3/JSObject/ToJSObject-001-expected.txt

    r66156 r69553  
    1717FAIL jsoc.setJSObject( THIS ); jsoc.PUB_JSOBJECT should be [object DOMWindow]. Was [object DOMWindow].
    1818PASS jsoc.setJSObject( THIS ); jsoc.getJSObject() is this
    19 PASS jsoc.getJSObject().constructor is Object
     19PASS jsoc.getJSObject().constructor is this.constructor
    2020FAIL jsoc.setJSObject( Math ); jsoc.PUB_JSOBJECT should be [object Math]. Was [object Math].
    2121PASS jsoc.setJSObject( Math ); jsoc.getJSObject() is Math
  • trunk/LayoutTests/java/lc3/JSObject/ToJSObject-001.js

    r55469 r69553  
    174174  "jsoc.getJSObject().constructor",
    175175  'this',
    176   'Object');
     176  'this.constructor');
    177177
    178178a[i++] = new TestObject(
  • trunk/LayoutTests/java/lc3/JSObject/ToObject-001-expected.txt

    r66156 r69553  
    4444FAIL dt.setObject( THIS ); dt.PUB_OBJECT should be [object DOMWindow]. Was [object DOMWindow].
    4545PASS dt.setObject( THIS ); dt.getObject() is this
    46 PASS dt.getObject().constructor is Object
     46PASS dt.getObject().constructor is this.constructor
    4747FAIL dt.setObject( Math ); dt.PUB_OBJECT should be [object Math]. Was [object Math].
    4848PASS dt.setObject( Math ); dt.getObject() is Math
  • trunk/LayoutTests/java/lc3/JSObject/ToObject-001.js

    r55469 r69553  
    176176  "dt.getObject().constructor",
    177177  'this',
    178   'Object');
     178  'this.constructor');
    179179
    180180a[i++] = new TestObject(
  • trunk/WebCore/ChangeLog

    r69551 r69553  
     12010-10-11  Michael Saboff  <msaboff@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        Changed DOMWindow to have a constructor.  Updated the code generator
     6        to add security checks to the constructors if CheckDomainSecurity is
     7        set.  Also changed the constructor generation code to use
     8        globalObject->prototype() for DOMWindow object prototypes instead
     9        of "self".
     10        https://bugs.webkit.org/show_bug.cgi?id=47422
     11
     12        Test: fast/dom/Window/window-constructor.html
     13
     14        * bindings/scripts/CodeGeneratorJS.pm:
     15        * page/DOMWindow.idl:
     16
    1172010-10-11  Daniel Cheng  <dcheng@chromium.org>
    218
  • trunk/WebCore/bindings/scripts/CodeGeneratorJS.pm

    r68440 r69553  
    16331633                push(@implContent, "{\n");
    16341634                push(@implContent, "    ${className}* domObject = static_cast<$className*>(asObject(slotBase));\n");
     1635
     1636                if ($dataNode->extendedAttributes->{"CheckDomainSecurity"}) {
     1637                    push(@implContent, "    if (!domObject->allowsAccessFrom(exec))\n");
     1638                    push(@implContent, "        return jsUndefined();\n");
     1639                }
     1640
    16351641                push(@implContent, "    return ${className}::getConstructor(exec, domObject->globalObject());\n");
    16361642                push(@implContent, "}\n");
     
    28392845    push(@$outputArray, "    : DOMConstructorObject(${constructorClassName}::createStructure(globalObject->objectPrototype()), globalObject)\n");
    28402846    push(@$outputArray, "{\n");
    2841     push(@$outputArray, "    putDirect(exec->propertyNames().prototype, ${protoClassName}::self(exec, globalObject), DontDelete | ReadOnly);\n");
     2847    if ($interfaceName eq "DOMWindow") {
     2848        push(@$outputArray, "    putDirect(exec->propertyNames().prototype, globalObject->prototype(), DontDelete | ReadOnly);\n");
     2849    } else {
     2850        push(@$outputArray, "    putDirect(exec->propertyNames().prototype, ${protoClassName}::self(exec, globalObject), DontDelete | ReadOnly);\n");
     2851    }
    28422852    push(@$outputArray, "    putDirect(exec->propertyNames().length, jsNumber(exec, ${numberOfconstructParameters}), ReadOnly | DontDelete | DontEnum);\n") if $numberOfconstructParameters;
    28432853    push(@$outputArray, "}\n\n");
  • trunk/WebCore/page/DOMWindow.idl

    r69540 r69553  
    3939        CustomPutFunction,
    4040        EventTarget,
    41         OmitConstructor,
    4241        ExtendsDOMGlobalObject,
    4342        GenerateNativeConverter,
Note: See TracChangeset for help on using the changeset viewer.