Merge webkit.org at r54127 : Initial merge by git

Change-Id: Ib661abb595522f50ea406f72d3a0ce17f7193c82

5 files changed, 467 insertions, 0 deletions

diff --git a/WebCore/bindings/generic/BindingDOMWindow.h b/WebCore/bindings/generic/BindingDOMWindow.h
new file mode 100644
index 0000000..b968e2c
--- /dev/null
+++ b/WebCore/bindings/generic/BindingDOMWindow.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2010 Google Inc. All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BindingDOMWindow_h
+#define BindingDOMWindow_h
+
+#include "Frame.h"
+#include "FrameLoadRequest.h"
+#include "GenericBinding.h"
+#include "Page.h"
+
+namespace WebCore {
+
+template <class Binding>
+class BindingDOMWindow {
+public:
+    typedef typename Binding::Value BindingValue;
+
+    static Frame* createWindow(State<Binding>*,
+                               Frame* callingFrame,
+                               Frame* enteredFrame,
+                               Frame* openerFrame,
+                               const String& url,
+                               const String& frameName,
+                               const WindowFeatures& windowFeatures,
+                               BindingValue dialogArgs);
+};
+
+// Implementations of templated methods must be in this file.
+
+template <class Binding>
+Frame* BindingDOMWindow<Binding>::createWindow(State<Binding>* state,
+                                               Frame* callingFrame,
+                                               Frame* enteredFrame,
+                                               Frame* openerFrame,
+                                               const String& url,
+                                               const String& frameName,
+                                               const WindowFeatures& windowFeatures,
+                                               BindingValue dialogArgs)
+{
+    ASSERT(callingFrame);
+    ASSERT(enteredFrame);
+
+    // Sandboxed iframes cannot open new auxiliary browsing contexts.
+    if (callingFrame && callingFrame->loader()->isSandboxed(SandboxNavigation))
+        return 0;
+
+    ResourceRequest request;
+
+    // For whatever reason, Firefox uses the entered frame to determine
+    // the outgoingReferrer.  We replicate that behavior here.
+    String referrer = enteredFrame->loader()->outgoingReferrer();
+    request.setHTTPReferrer(referrer);
+    FrameLoader::addHTTPOriginIfNeeded(request, enteredFrame->loader()->outgoingOrigin());
+    FrameLoadRequest frameRequest(request, frameName);
+
+    // FIXME: It's much better for client API if a new window starts with a URL,
+    // here where we know what URL we are going to open. Unfortunately, this
+    // code passes the empty string for the URL, but there's a reason for that.
+    // Before loading we have to set up the opener, openedByDOM,
+    // and dialogArguments values. Also, to decide whether to use the URL
+    // we currently do an allowsAccessFrom call using the window we create,
+    // which can't be done before creating it. We'd have to resolve all those
+    // issues to pass the URL instead of "".
+
+    bool created;
+    // We pass in the opener frame here so it can be used for looking up the
+    // frame name, in case the active frame is different from the opener frame,
+    // and the name references a frame relative to the opener frame, for example
+    // "_self" or "_parent".
+    Frame* newFrame = callingFrame->loader()->createWindow(openerFrame->loader(), frameRequest, windowFeatures, created);
+    if (!newFrame)
+        return 0;
+
+    newFrame->loader()->setOpener(openerFrame);
+    newFrame->page()->setOpenedByDOM();
+
+    Binding::DOMWindow::storeDialogArgs(state, newFrame, dialogArgs);
+
+    if (!protocolIsJavaScript(url) || BindingSecurity<Binding>::canAccessFrame(state, newFrame, true)) {
+        KURL completedUrl =
+            url.isEmpty() ? KURL(ParsedURLString, "") : completeURL(url);
+        bool userGesture = processingUserGesture();
+
+        if (created)
+            newFrame->loader()->changeLocation(completedUrl, referrer, false, false, userGesture);
+        else if (!url.isEmpty())
+            newFrame->redirectScheduler()->scheduleLocationChange(completedUrl.string(), referrer, false, userGesture);
+    }
+
+    return newFrame;
+}
+
+} // namespace WebCore
+
+#endif // BindingDOMWindow_h
diff --git a/WebCore/bindings/generic/BindingSecurity.h b/WebCore/bindings/generic/BindingSecurity.h
new file mode 100644
index 0000000..929b8f4
--- /dev/null
+++ b/WebCore/bindings/generic/BindingSecurity.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BindingSecurity_h
+#define BindingSecurity_h
+
+#include "BindingSecurityBase.h"
+#include "CSSHelper.h"
+#include "Element.h"
+#include "GenericBinding.h"
+#include "HTMLFrameElementBase.h"
+
+namespace WebCore {
+
+class DOMWindow;
+class Frame;
+class Node;
+
+// Security functions shared by various language bindings.
+template <class Binding>
+class BindingSecurity : public BindingSecurityBase {
+public:
+    // Check if the active execution context can access the target frame.
+    static bool canAccessFrame(State<Binding>*, Frame*, bool reportError);
+
+    // Check if it is safe to access the given node from the
+    // current security context.
+    static bool checkNodeSecurity(State<Binding>*, Node* target);
+
+    static bool allowSettingFrameSrcToJavascriptUrl(State<Binding>*, HTMLFrameElementBase*, String value);
+    static bool allowSettingSrcToJavascriptURL(State<Binding>*, Element*, String name, String value);
+
+private:
+    explicit BindingSecurity() {}
+    ~BindingSecurity();
+
+    // Check if the current DOMWindow's security context can access the target
+    // DOMWindow.  This function does not report errors, so most callers should
+    // use canAccessFrame instead.
+    static bool canAccessWindow(State<Binding>*, DOMWindow* target);
+};
+
+// Implementations of templated methods must be in this file.
+
+template <class Binding>
+bool BindingSecurity<Binding>::canAccessWindow(State<Binding>* state,
+                                               DOMWindow* targetWindow)
+{
+    DOMWindow* activeWindow = state->getActiveWindow();
+    return canAccess(activeWindow, targetWindow);
+}
+
+template <class Binding>
+bool BindingSecurity<Binding>::canAccessFrame(State<Binding>* state,
+                                              Frame* target,
+                                              bool reportError)
+{
+    // The subject is detached from a frame, deny accesses.
+    if (!target)
+        return false;
+
+    if (!canAccessWindow(state, getDOMWindow(target))) {
+        if (reportError)
+            state->immediatelyReportUnsafeAccessTo(target);
+        return false;
+    }
+    return true;
+}
+
+template <class Binding>
+bool BindingSecurity<Binding>::checkNodeSecurity(State<Binding>* state, Node* node)
+{
+    if (!node)
+        return false;
+
+    Frame* target = getFrame(node);
+
+    if (!target)
+        return false;
+
+    return canAccessFrame(state, target, true);
+}
+
+template <class Binding>
+bool BindingSecurity<Binding>::allowSettingFrameSrcToJavascriptUrl(State<Binding>* state, HTMLFrameElementBase* frame, String value)
+{
+    if (protocolIsJavaScript(deprecatedParseURL(value))) {
+        Node* contentDoc = frame->contentDocument();
+        if (contentDoc && !checkNodeSecurity(state, contentDoc))
+            return false;
+    }
+    return true;
+}
+
+template <class Binding>
+bool BindingSecurity<Binding>::allowSettingSrcToJavascriptURL(State<Binding>* state, Element* element, String name, String value)
+{
+    if ((element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src"))
+        return allowSettingFrameSrcToJavascriptUrl(state, static_cast<HTMLFrameElementBase*>(element), value);
+    return true;
+}
+
+}
+
+#endif // BindingSecurity_h
diff --git a/WebCore/bindings/generic/BindingSecurityBase.cpp b/WebCore/bindings/generic/BindingSecurityBase.cpp
new file mode 100644
index 0000000..1598781
--- /dev/null
+++ b/WebCore/bindings/generic/BindingSecurityBase.cpp
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "BindingSecurityBase.h"
+
+#include "DOMWindow.h"
+#include "Frame.h"
+#include "SecurityOrigin.h"
+
+namespace WebCore {
+
+DOMWindow* BindingSecurityBase::getDOMWindow(Frame* frame)
+{
+    return frame->domWindow();
+}
+
+Frame* BindingSecurityBase::getFrame(Node* node)
+{
+    return node->document()->frame();
+}
+
+// Same origin policy implementation:
+//
+// Same origin policy prevents JS code from domain A from accessing JS & DOM
+// objects in a different domain B. There are exceptions and several objects
+// are accessible by cross-domain code. For example, the window.frames object
+// is accessible by code from a different domain, but window.document is not.
+//
+// The JS binding code sets security check callbacks on a function template,
+// and accessing instances of the template calls the callback function.
+// The callback function enforces the same origin policy.
+//
+// Callback functions are expensive. Binding code should use a security token
+// string to do fast access checks for the common case where source and target
+// are in the same domain. A security token is a string object that represents
+// the protocol/url/port of a domain.
+//
+// There are special cases where security token matching is not enough.
+// For example, JS can set its domain to a super domain by calling
+// document.setDomain(...). In these cases, the binding code can reset
+// a context's security token to its global object so that the fast access
+// check will always fail.
+
+// Helper to check if the current execution context can access a target frame.
+// First it checks same domain policy using the lexical context.
+//
+// This is equivalent to KJS::Window::allowsAccessFrom(ExecState*).
+bool BindingSecurityBase::canAccess(DOMWindow* activeWindow,
+                                    DOMWindow* targetWindow)
+{
+    ASSERT(targetWindow);
+
+    String message;
+
+    if (activeWindow == targetWindow)
+        return true;
+
+    if (!activeWindow)
+        return false;
+
+    const SecurityOrigin* activeSecurityOrigin = activeWindow->securityOrigin();
+    const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin();
+
+    // We have seen crashes were the security origin of the target has not been
+    // initialized. Defend against that.
+    if (!targetSecurityOrigin)
+        return false;
+
+    if (activeSecurityOrigin->canAccess(targetSecurityOrigin))
+        return true;
+
+    // Allow access to a "about:blank" page if the dynamic context is a
+    // detached context of the same frame as the blank page.
+    if (targetSecurityOrigin->isEmpty() && activeWindow->frame() == targetWindow->frame())
+        return true;
+
+    return false;
+}
+
+} // namespace WebCore
diff --git a/WebCore/bindings/generic/BindingSecurityBase.h b/WebCore/bindings/generic/BindingSecurityBase.h
new file mode 100644
index 0000000..cfa2e99
--- /dev/null
+++ b/WebCore/bindings/generic/BindingSecurityBase.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BindingSecurityBase_h
+#define BindingSecurityBase_h
+
+namespace WebCore {
+
+class DOMWindow;
+class Frame;
+class Node;
+
+// Helper functions for BindingSecurity that depend on WebCore classes, and
+// thus should not be implemented in BindingSecurity.h, which contains template
+// method definitions.
+class BindingSecurityBase {
+protected:
+    static DOMWindow* getDOMWindow(Frame*);
+    static Frame* getFrame(Node*);
+    static bool canAccess(DOMWindow* active, DOMWindow* target);
+};
+
+}
+
+#endif // BindingSecurityBase_h
diff --git a/WebCore/bindings/generic/GenericBinding.h b/WebCore/bindings/generic/GenericBinding.h
new file mode 100644
index 0000000..d030b45
--- /dev/null
+++ b/WebCore/bindings/generic/GenericBinding.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef GenericBinding_h
+#define GenericBinding_h
+
+namespace WebCore {
+
+// Used to instantiate binding templates for any methods shared among all
+// language bindings.
+class GenericBinding {};
+
+// Class to represent execution state for each language binding.
+template <class T>
+class State {};
+
+// Common notion of execution state for language bindings.
+template <>
+class State<GenericBinding> {
+    // Any methods shared across bindings can go here.
+};
+
+}
+
+#endif // GenericBinding_h