Changeset 79223 in webkit

Timestamp:

Feb 21, 2011 8:01:41 AM (13 years ago)

Author:

antonm@chromium.org

Message:

2011-02-08 Anton Muhin <​antonm@chromium.org>

Reviewed by Adam Barth and Alexey Proskuryakov.

Propagate security origin of parent document into HTML documents created with DOMImplementation
​https://bugs.webkit.org/show_bug.cgi?id=53611

This restores invariant that JS wrappers residing in the same JS context should come
from the same security origin.

Absence of regressions is covered by the current tests. Different security origin of
DOMImplementation is difficult to check with layout tests as DOMImplementation
resides in the same JS context as parent document and therefore there are no security origin checks.
This is observable however in C++.

• Android.jscbindings.mk:
• CMakeLists.txt:
• WebCore.gypi:
• WebCore.pro:
• WebCore.vcproj/WebCore.vcproj:
• WebCore.xcodeproj/project.pbxproj:
• bindings/v8/V8GCController.cpp: (WebCore::NodeGrouperVisitor::visitDOMWrapper):
• dom/DOMImplementation.cpp: (WebCore::DOMImplementation::DOMImplementation): (WebCore::DOMImplementation::createDocument):
• dom/DOMImplementation.h: (WebCore::DOMImplementation::create): (WebCore::DOMImplementation::documentDestroyed): (WebCore::DOMImplementation::parentDocument):
• dom/DOMImplementation.idl:
• dom/Document.cpp: (WebCore::Document::~Document): (WebCore::Document::implementation):
• dom/Document.h:

2011-02-21 Anton Muhin <​antonm@chromium.org>

Reviewed by Adam Barth and Alexey Proskuryakov.

Propagate security origin of parent document into HTML documents created with DOMImplementation
​https://bugs.webkit.org/show_bug.cgi?id=53611

Additional test which checks case when parent document can be collected while
its implementation is alive.

• fast/dom/gc-9.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/gc-9.html (modified) (2 diffs)
• Source/WebCore/Android.jscbindings.mk (modified) (1 diff)
• Source/WebCore/CMakeLists.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.gypi (modified) (1 diff)
• Source/WebCore/WebCore.pro (modified) (1 diff)
• Source/WebCore/WebCore.vcproj/WebCore.vcproj (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• Source/WebCore/bindings/js/JSBindingsAllInOne.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorV8.pm (modified) (3 diffs)
• Source/WebCore/bindings/v8/V8GCController.cpp (modified) (1 diff)
• Source/WebCore/dom/DOMImplementation.cpp (modified) (3 diffs)
• Source/WebCore/dom/DOMImplementation.h (modified) (3 diffs)
• Source/WebCore/dom/DOMImplementation.idl (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (2 diffs)
• Source/WebCore/dom/Document.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-02-21  Anton Muhin  <antonm@chromium.org>
+
+       Reviewed by Adam Barth and Alexey Proskuryakov.
+
+       Propagate security origin of parent document into HTML documents created with DOMImplementation
+       https://bugs.webkit.org/show_bug.cgi?id=53611
+
+       Additional test which checks case when parent document can be collected while
+       its implementation is alive.
+
+       * fast/dom/gc-9.html:
+
 2011-02-21  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/LayoutTests/fast/dom/gc-9.html

@@ -84 +84 @@
 }
 
+function testDOMImplementation()
+{
+  var impl = document.implementation.createHTMLDocument('').implementation;
+  gc();
+  impl.createHTMLDocument('');  // May crash or throw an exception if we collect parent document of impl.
+}
+
 function test() 
 {
@@ -98 +105 @@
 
     testEvents();
+    testDOMImplementation();
 }
 

trunk/Source/WebCore/Android.jscbindings.mk

@@ -88 +88 @@
         bindings/js/JSDOMFormDataCustom.cpp \
         bindings/js/JSDOMGlobalObject.cpp \
+        bindings/js/JSDOMImplementationCustom.cpp \
         bindings/js/JSDOMSettableTokenList.cpp \
         bindings/js/JSDOMTokenList.cpp \

trunk/Source/WebCore/CMakeLists.txt

@@ -486 +486 @@
     bindings/js/JSDOMFormDataCustom.cpp
     bindings/js/JSDOMGlobalObject.cpp
+    bindings/js/JSDOMImplementationCustom.cpp
     bindings/js/JSDOMMimeTypeArrayCustom.cpp
     bindings/js/JSDOMPluginArrayCustom.cpp

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-02-08  Anton Muhin  <antonm@chromium.org>
+
+       Reviewed by Adam Barth and Alexey Proskuryakov.
+
+       Propagate security origin of parent document into HTML documents created with DOMImplementation
+       https://bugs.webkit.org/show_bug.cgi?id=53611
+
+       This restores invariant that JS wrappers residing in the same JS context should come
+       from the same security origin.
+
+       Absence of regressions is covered by the current tests.  Different security origin of
+       DOMImplementation is difficult to check with layout tests as DOMImplementation
+       resides in the same JS context as parent document and therefore there are no security origin checks.
+       This is observable however in C++.
+
+       * Android.jscbindings.mk:
+       * CMakeLists.txt:
+       * WebCore.gypi:
+       * WebCore.pro:
+       * WebCore.vcproj/WebCore.vcproj:
+       * WebCore.xcodeproj/project.pbxproj:
+       * bindings/v8/V8GCController.cpp:
+       (WebCore::NodeGrouperVisitor::visitDOMWrapper):
+       * dom/DOMImplementation.cpp:
+       (WebCore::DOMImplementation::DOMImplementation):
+       (WebCore::DOMImplementation::createDocument):
+       * dom/DOMImplementation.h:
+       (WebCore::DOMImplementation::create):
+       (WebCore::DOMImplementation::documentDestroyed):
+       (WebCore::DOMImplementation::parentDocument):
+       * dom/DOMImplementation.idl:
+       * dom/Document.cpp:
+       (WebCore::Document::~Document):
+       (WebCore::Document::implementation):
+       * dom/Document.h:
+
 2011-02-21  Andrey Adaikin  <aandrey@google.com>
 

trunk/Source/WebCore/WebCore.gypi

@@ -618 +618 @@
             'bindings/js/JSDOMGlobalObject.cpp',
             'bindings/js/JSDOMGlobalObject.h',
+            'bindings/js/JSDOMImplementationCustom.cpp',
             'bindings/js/JSDOMStringMapCustom.cpp',
             'bindings/js/JSDOMStringMapCustom.h',

trunk/Source/WebCore/WebCore.pro

@@ -1397 +1397 @@
         bindings/js/JSDOMBinding.h \
         bindings/js/JSDOMGlobalObject.h \
+        bindings/js/JSDOMImplementationCustom.h \
         bindings/js/JSDOMStringMapCustom.h \
         bindings/js/JSDOMWindowBase.h \

trunk/Source/WebCore/WebCore.vcproj/WebCore.vcproj

@@ -58018 +58018 @@
                                 </File>
                                 <File
+                                        RelativePath="..\bindings\js\JSDOMImplementationCustom.cpp"
+                                        >
+                                        <FileConfiguration
+                                                Name="Debug|Win32"
+                                        ExcludedFromBuild="true"
+                                                >
+                                                <Tool
+                                                        Name="VCCLCompilerTool"
+                                                />
+                                        </FileConfiguration>
+                                        <FileConfiguration
+                                                Name="Release|Win32"
+                                                ExcludedFromBuild="true"
+                                                >
+                                                <Tool
+                                                        Name="VCCLCompilerTool"
+                                                />
+                                        </FileConfiguration>
+                                        <FileConfiguration
+                                                Name="Debug_Cairo_CFLite|Win32"
+                                                ExcludedFromBuild="true"
+                                                >
+                                                <Tool
+                                                        Name="VCCLCompilerTool"
+                                                />
+                                        </FileConfiguration>
+                                        <FileConfiguration
+                                                Name="Release_Cairo_CFLite|Win32"
+                                                ExcludedFromBuild="true"
+                                                >
+                                                <Tool
+                                                        Name="VCCLCompilerTool"
+                                                />
+                                        </FileConfiguration>
+                                        <FileConfiguration
+                                                Name="Debug_All|Win32"
+                                                ExcludedFromBuild="true"
+                                                >
+                                                <Tool
+                                                        Name="VCCLCompilerTool"
+                                                />
+                                        </FileConfiguration>
+                                        <FileConfiguration
+                                                Name="Release_LTCG|Win32"
+                                                ExcludedFromBuild="true"
+                                                >
+                                                <Tool
+                                                        Name="VCCLCompilerTool"
+                                                />
+                                        </FileConfiguration>
+                                </File>
+                                <File
                                         RelativePath="..\bindings\js\JSDOMMimeTypeArrayCustom.cpp"
                                         >

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -653 +653 @@
                 20D629261253690B00081543 /* InspectorInstrumentation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 20D629241253690B00081543 /* InspectorInstrumentation.cpp */; };
                 20D629271253690B00081543 /* InspectorInstrumentation.h in Headers */ = {isa = PBXBuildFile; fileRef = 20D629251253690B00081543 /* InspectorInstrumentation.h */; };
+                22885E641301AE4C00526E68 /* JSDOMImplementationCustom.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 22885E631301AE4C00526E68 /* JSDOMImplementationCustom.cpp */; };
                 228C284510D82500009D0D0E /* ScriptWrappable.h in Headers */ = {isa = PBXBuildFile; fileRef = 228C284410D82500009D0D0E /* ScriptWrappable.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 24F54EAC101FE914000AE741 /* ApplicationCacheHost.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 24F54EAA101FE914000AE741 /* ApplicationCacheHost.cpp */; };
@@ -7007 +7008 @@
                 20D629241253690B00081543 /* InspectorInstrumentation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InspectorInstrumentation.cpp; sourceTree = "<group>"; };
                 20D629251253690B00081543 /* InspectorInstrumentation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InspectorInstrumentation.h; sourceTree = "<group>"; };
+                22885E631301AE4C00526E68 /* JSDOMImplementationCustom.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSDOMImplementationCustom.cpp; path = bindings/js/JSDOMImplementationCustom.cpp; sourceTree = "<group>"; };
                 228C284410D82500009D0D0E /* ScriptWrappable.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScriptWrappable.h; sourceTree = "<group>"; };
                 2442BBF81194C9D300D49469 /* HashChangeEvent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HashChangeEvent.h; sourceTree = "<group>"; };
@@ -12422 +12424 @@
                         isa = PBXGroup;
                         children = (
+                                22885E631301AE4C00526E68 /* JSDOMImplementationCustom.cpp */,
                                 65C97AF208EA908800ACD273 /* config.h */,
                                 EDEC98020AED7E170059137F /* WebCorePrefix.h */,
@@ -22541 +22544 @@
                         buildConfigurationList = 149C284308902B11008A9EFC /* Build configuration list for PBXProject "WebCore" */;
                         compatibilityVersion = "Xcode 2.4";
-                        developmentRegion = English;
                         hasScannedForEncodings = 1;
                         knownRegions = (
@@ -25168 +25170 @@
                                 A1E1154613015C4E0054AC8C /* PointLightSource.cpp in Sources */,
                                 A1E1154813015C5D0054AC8C /* SpotLightSource.cpp in Sources */,
+                                22885E641301AE4C00526E68 /* JSDOMImplementationCustom.cpp in Sources */,
                                 B8DBDB4B130B0F8A00F5CDB1 /* SetSelectionCommand.cpp in Sources */,
                                 B8DBDB4D130B0F8A00F5CDB1 /* SpellingCorrectionCommand.cpp in Sources */,

trunk/Source/WebCore/bindings/js/JSBindingsAllInOne.cpp

@@ -57 +57 @@
 #include "JSDOMFormDataCustom.cpp"
 #include "JSDOMGlobalObject.cpp"
+#include "JSDOMImplementationCustom.cpp"
 #include "JSDOMMimeTypeArrayCustom.cpp"
 #include "JSDOMPluginArrayCustom.cpp"

trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm

@@ -368 +368 @@
 {
 END
-    if ($domMapFunction) {
-        push(@headerContent, "    if (!forceNewObject) {\n") if IsDOMNodeType($interfaceName);
-        my $getWrapper = IsNodeSubType($dataNode) ? "V8DOMWrapper::getWrapper(impl)" : "${domMapFunction}.get(impl)";
-        push(@headerContent, <<END);
+    push(@headerContent, "    if (!forceNewObject) {\n") if IsDOMNodeType($interfaceName);
+    my $getWrapper = IsNodeSubType($dataNode) ? "V8DOMWrapper::getWrapper(impl)" : "${domMapFunction}.get(impl)";
+    push(@headerContent, <<END);
         v8::Handle<v8::Object> wrapper = ${getWrapper};
         if (!wrapper.IsEmpty())
             return wrapper;
 END
-        push(@headerContent, "    }\n") if IsDOMNodeType($interfaceName);
-    }
+    push(@headerContent, "    }\n") if IsDOMNodeType($interfaceName);
     push(@headerContent, <<END);
     return ${className}::wrapSlow(impl);
@@ -2502 +2500 @@
     }
 
-    if ($domMapFunction) {
-        push(@implContent, <<END);
+    push(@implContent, <<END);
     ${domMapFunction}.set(impl, v8::Persistent<v8::Object>::New(wrapper));
 END
-    }
 
     push(@implContent, <<END);
@@ -2550 +2546 @@
     return "getDOMSVGElementInstanceMap()" if $type eq "SVGElementInstance";
     return "getDOMNodeMap()" if ($dataNode && IsNodeSubType($dataNode));
-    return "" if $type eq "DOMImplementation";
     return "getActiveDOMObjectMap()" if IsActiveDomType($type);
     return "getDOMObjectMap()";

trunk/Source/WebCore/bindings/v8/V8GCController.cpp

@@ -291 +291 @@
             Document* document = reinterpret_cast<Document*>(node);
             addDOMObjectToGroup(store, groupId, document->styleSheets());
+            addDOMObjectToGroup(store, groupId, document->implementation());
         }
 

trunk/Source/WebCore/dom/DOMImplementation.cpp

@@ -172 +172 @@
 #endif
 
+DOMImplementation::DOMImplementation(Document* ownerDocument)
+    : m_ownerDocument(ownerDocument)
+{
+    ASSERT(m_ownerDocument);
+}
+
 bool DOMImplementation::hasFeature(const String& feature, const String& version)
 {
@@ -241 +247 @@
         doc = Document::create(0, KURL());
 
+    if (!m_ownerDocument) {
+        ec = INVALID_STATE_ERR;
+        return 0;
+    }
+    doc->setSecurityOrigin(m_ownerDocument->securityOrigin());
+
     RefPtr<Node> documentElement;
     if (!qualifiedName.isEmpty()) {
@@ -301 +313 @@
     d->write("<!doctype html><html><body></body></html>");
     d->setTitle(title);
+    ASSERT(m_ownerDocument);
+    if (m_ownerDocument)
+        d->setSecurityOrigin(m_ownerDocument->securityOrigin());
     return d.release();
 }

trunk/Source/WebCore/dom/DOMImplementation.h

@@ -42 +42 @@
 class DOMImplementation : public RefCounted<DOMImplementation> {
 public:
-    static PassRefPtr<DOMImplementation> create() { return adoptRef(new DOMImplementation); }
+    static PassRefPtr<DOMImplementation> create(Document* ownerDocument) { return adoptRef(new DOMImplementation(ownerDocument)); }
 
     // DOM methods & attributes for DOMImplementation
     static bool hasFeature(const String& feature, const String& version);
-    static PassRefPtr<DocumentType> createDocumentType(const String& qualifiedName, const String& publicId, const String &systemId, ExceptionCode&);
-    static PassRefPtr<Document> createDocument(const String& namespaceURI, const String& qualifiedName, DocumentType*, ExceptionCode&);
+    PassRefPtr<DocumentType> createDocumentType(const String& qualifiedName, const String& publicId, const String& systemId, ExceptionCode&);
+    PassRefPtr<Document> createDocument(const String& namespaceURI, const String& qualifiedName, DocumentType*, ExceptionCode&);
 
     DOMImplementation* getInterface(const String& feature);
@@ -55 +55 @@
 
     // From the HTMLDOMImplementation interface
-    static PassRefPtr<HTMLDocument> createHTMLDocument(const String& title);
+    PassRefPtr<HTMLDocument> createHTMLDocument(const String& title);
 
     // Other methods (not part of DOM)
@@ -63 +63 @@
     static bool isTextMIMEType(const String& MIMEType);
 
+    Document* ownerDocument() { return m_ownerDocument; }
+    void ownerDocumentDestroyed() { m_ownerDocument = 0; }
+
 private:
-    DOMImplementation() { }
+    DOMImplementation(Document* ownerDocument);
+
+    Document* m_ownerDocument;
 };
 

trunk/Source/WebCore/dom/DOMImplementation.idl

@@ -21 +21 @@
 module core {
 
-    interface DOMImplementation {
+    interface [
+        CustomMarkFunction
+    ] DOMImplementation {
 
         // DOM Level 1

trunk/Source/WebCore/dom/Document.cpp

@@ -603 +603 @@
     if (m_mediaQueryMatcher)
         m_mediaQueryMatcher->documentDestroyed();
+
+    if (m_implementation)
+        m_implementation->ownerDocumentDestroyed();
 }
 
@@ -684 +687 @@
 }
 
-DOMImplementation* Document::implementation() const
+DOMImplementation* Document::implementation()
 {
     if (!m_implementation)
-        m_implementation = DOMImplementation::create();
+        m_implementation = DOMImplementation::create(this);
     return m_implementation.get();
 }

trunk/Source/WebCore/dom/Document.h

@@ -307 +307 @@
     DocumentType* doctype() const { return m_docType.get(); }
 
-    DOMImplementation* implementation() const;
+    DOMImplementation* implementation();
     
     Element* documentElement() const