| field | value | date |
|---|---|---|
| author | Cary Clark <cary@android.com> | 2009-06-08 14:29:40 -0400 |
| committer | Cary Clark <cary@android.com> | 2009-06-11 08:34:20 -0400 |
| commit | 3a3100a35baa885399196fc0256500464307e9cc (patch) | |
| tree | 24b8fe8f65e63f22ad4211aae3f7bae8762a6f2c /WebCore/bindings/js/JSDocumentCustom.cpp | |
| parent | ecc88dcc9bcc917892396ed149e0c254b4b177a3 (diff) | |
| download | external_webkit-3a3100a35baa885399196fc0256500464307e9cc.zip external_webkit-3a3100a35baa885399196fc0256500464307e9cc.tar.gz external_webkit-3a3100a35baa885399196fc0256500464307e9cc.tar.bz2 | |
add security fix to webkit
do not merge
bug is described by http://b/issue?id=1892983 (23148)
originally fixed by http://trac.webkit.org/changeset/42216
with this fix in place, these exploits fail:
http://evil.webblaze.org/jww/tests/location-exploit.html
generates:
D/WebCore ( 788): Console: Unsafe JavaScript attempt to access frame with URL http://evil.webblaze.org/jww/tests/location-exploit.html from frame with URL http://good.webblaze.org/jww/tests/location-exploit-iframe.html. Domains, protocols and ports must match.
D/WebCore ( 788): line: 1 source:
D/WebCore ( 788): Console: TypeError: Result of expression 'location.__defineGetter__.argumentNames' [undefined] is not a function. line: 3 source: http://evil.webblaze.org/jww/tests/location-exploit.html
http://evil.webblaze.org/jww/tests/location-test.html
puts up an alert that says "undefined"
http://evil.webblaze.org/jww/tests/history-test.html
puts up an alert that says "undefined"
Diffstat (limited to 'WebCore/bindings/js/JSDocumentCustom.cpp')
-rw-r--r-- | WebCore/bindings/js/JSDocumentCustom.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/WebCore/bindings/js/JSDocumentCustom.cpp b/WebCore/bindings/js/JSDocumentCustom.cpp index fff0ea5..596b78f 100644 --- a/WebCore/bindings/js/JSDocumentCustom.cpp +++ b/WebCore/bindings/js/JSDocumentCustom.cpp @@ -55,7 +55,14 @@ JSValuePtr JSDocument::location(ExecState* exec) const if (!frame) return jsNull(); - return toJS(exec, frame->domWindow()->location()); + Location* location = frame->domWindow()->location(); + if (DOMObject* wrapper = getCachedDOMObjectWrapper(exec->globalData(), location)) + return wrapper; + + JSDOMWindow* window = static_cast<JSDOMWindow*>(exec->lexicalGlobalObject()); + JSLocation* jsLocation = new (exec) JSLocation(getDOMStructure<JSLocation>(exec, window), location); + cacheDOMObjectWrapper(exec->globalData(), location, jsLocation); + return jsLocation; } void JSDocument::setLocation(ExecState* exec, JSValuePtr value) |
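Review bot: the early return `if (DOMObject* wrapper = getCachedDOMObjectWrapper(exec->globalData(), location)) return wrapper;` hands back whichever wrapper was first created for this Location, so the structure chosen from `exec->lexicalGlobalObject()` on the following lines only takes effect for the first caller; any later caller from a different window gets the first caller's wrapper. If a per-Location wrapper is the intent, say so in a comment above the lookup; if the accessing window's structure is what matters for the cross-frame case the commit message describes, the cache as written cannot provide it and the lookup needs rethinking. Separately, the replacement of `toJS(exec, frame->domWindow()->location())` with a hand-built `JSLocation` deserves a one-line comment giving the reason (the `__defineGetter__` cross-frame access in the commit log), and `static_cast<JSDOMWindow*>(exec->lexicalGlobalObject())` is an unchecked cast that assumes every lexical global object reaching this getter is a DOM window; a short comment or assertion would make that assumption explicit for the next reader.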