Diffstat (limited to 'WebCore/bindings/v8/custom/V8CustomBinding.cpp')
-rw-r--r-- | WebCore/bindings/v8/custom/V8CustomBinding.cpp | 122 |
1 files changed, 120 insertions, 2 deletions
diff --git a/WebCore/bindings/v8/custom/V8CustomBinding.cpp b/WebCore/bindings/v8/custom/V8CustomBinding.cpp
index 7789797..ee45abd 100644
--- a/WebCore/bindings/v8/custom/V8CustomBinding.cpp
+++ b/WebCore/bindings/v8/custom/V8CustomBinding.cpp
@@ -49,9 +49,9 @@ namespace WebCore {
 bool allowSettingFrameSrcToJavascriptUrl(HTMLFrameElementBase* frame, String value)
 {
- if (protocolIs(parseURL(value), "javascript")) {
+ if (protocolIs(deprecatedParseURL(value), "javascript")) {
 Node* contentDoc = frame->contentDocument();
- if (contentDoc && !V8Proxy::CheckNodeSecurity(contentDoc))
+ if (contentDoc && !V8Proxy::checkNodeSecurity(contentDoc))
 return false;
 }
 return true;
@@ -64,6 +64,7 @@ bool allowSettingSrcToJavascriptURL(Element* element, String name, String value)
 return true;
 }
+#ifdef MANUAL_MERGE_REQUIRED
 // DOMImplementation is a singleton in WebCore. If we use our normal
 // mapping from DOM objects to V8 wrappers, the same wrapper will be
 // shared for all frames in the same process. This is a major
@@ -179,4 +180,121 @@ V8ClassIndex::V8WrapperType V8Custom::DowncastSVGPathSeg(void* pathSeg)
 #endif // ENABLE(SVG)
+#else // MANUAL_MERGE_REQUIRED
+// DOMImplementation is a singleton in WebCore. If we use our normal
+// mapping from DOM objects to V8 wrappers, the same wrapper will be
+// shared for all frames in the same process. This is a major
+// security problem. Therefore, we generate a DOMImplementation
+// wrapper per document and store it in an internal field of the
+// document. Since the DOMImplementation object is a singleton, we do
+// not have to do anything to keep the DOMImplementation object alive
+// for the lifetime of the wrapper.
+ACCESSOR_GETTER(DocumentImplementation)
+{
+ ASSERT(info.Holder()->InternalFieldCount() >= kDocumentMinimumInternalFieldCount);
+
+ // Check if the internal field already contains a wrapper.
+ v8::Local<v8::Value> implementation = info.Holder()->GetInternalField(kDocumentImplementationIndex);
+ if (!implementation->IsUndefined())
+ return implementation;
+
+ // Generate a wrapper.
+ Document* document = V8DOMWrapper::convertDOMWrapperToNative<Document>(info.Holder());
+ v8::Handle<v8::Value> wrapper = V8DOMWrapper::convertDOMImplementationToV8Object(document->implementation());
+
+ // Store the wrapper in the internal field.
+ info.Holder()->SetInternalField(kDocumentImplementationIndex, wrapper);
+
+ return wrapper;
+}
+
+ // --------------- Security Checks -------------------------
+INDEXED_ACCESS_CHECK(History)
+{
+ ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
+ // Only allow same origin access.
+ History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
+ return V8Proxy::canAccessFrame(history->frame(), false);
+}
+
+NAMED_ACCESS_CHECK(History)
+{
+ ASSERT(V8ClassIndex::FromInt(data->Int32Value()) == V8ClassIndex::HISTORY);
+ // Only allow same origin access.
+ History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
+ return V8Proxy::canAccessFrame(history->frame(), false);
+}
+
+#undef INDEXED_ACCESS_CHECK
+#undef NAMED_ACCESS_CHECK
+#undef NAMED_PROPERTY_GETTER
+#undef NAMED_PROPERTY_SETTER
+
+Frame* V8Custom::GetTargetFrame(v8::Local<v8::Object> host, v8::Local<v8::Value> data)
+{
+ Frame* target = 0;
+ switch (V8ClassIndex::FromInt(data->Int32Value())) {
+ case V8ClassIndex::DOMWINDOW: {
+ v8::Handle<v8::Object> window = V8DOMWrapper::lookupDOMWrapper(V8ClassIndex::DOMWINDOW, host);
+ if (window.IsEmpty())
+ return target;
+
+ DOMWindow* targetWindow = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, window);
+ target = targetWindow->frame();
+ break;
+ }
+ case V8ClassIndex::LOCATION: {
+ History* history = V8DOMWrapper::convertToNativeObject<History>(V8ClassIndex::HISTORY, host);
+ target = history->frame();
+ break;
+ }
+ case V8ClassIndex::HISTORY: {
+ Location* location = V8DOMWrapper::convertToNativeObject<Location>(V8ClassIndex::LOCATION, host);
+ target = location->frame();
+ break;
+ }
+ default:
+ break;
+ }
+ return target;
+}
+
+#if ENABLE(SVG)
+V8ClassIndex::V8WrapperType V8Custom::DowncastSVGPathSeg(void* pathSeg)
+{
+ WebCore::SVGPathSeg* realPathSeg = reinterpret_cast<WebCore::SVGPathSeg*>(pathSeg);
+
+ switch (realPathSeg->pathSegType()) {
+#define MAKE_CASE(svgValue, v8Value) case WebCore::SVGPathSeg::svgValue: return V8ClassIndex::v8Value
+
+ MAKE_CASE(PATHSEG_CLOSEPATH, SVGPATHSEGCLOSEPATH);
+ MAKE_CASE(PATHSEG_MOVETO_ABS, SVGPATHSEGMOVETOABS);
+ MAKE_CASE(PATHSEG_MOVETO_REL, SVGPATHSEGMOVETOREL);
+ MAKE_CASE(PATHSEG_LINETO_ABS, SVGPATHSEGLINETOABS);
+ MAKE_CASE(PATHSEG_LINETO_REL, SVGPATHSEGLINETOREL);
+ MAKE_CASE(PATHSEG_CURVETO_CUBIC_ABS, SVGPATHSEGCURVETOCUBICABS);
+ MAKE_CASE(PATHSEG_CURVETO_CUBIC_REL, SVGPATHSEGCURVETOCUBICREL);
+ MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_ABS, SVGPATHSEGCURVETOQUADRATICABS);
+ MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_REL, SVGPATHSEGCURVETOQUADRATICREL);
+ MAKE_CASE(PATHSEG_ARC_ABS, SVGPATHSEGARCABS);
+ MAKE_CASE(PATHSEG_ARC_REL, SVGPATHSEGARCREL);
+ MAKE_CASE(PATHSEG_LINETO_HORIZONTAL_ABS, SVGPATHSEGLINETOHORIZONTALABS);
+ MAKE_CASE(PATHSEG_LINETO_HORIZONTAL_REL, SVGPATHSEGLINETOHORIZONTALREL);
+ MAKE_CASE(PATHSEG_LINETO_VERTICAL_ABS, SVGPATHSEGLINETOVERTICALABS);
+ MAKE_CASE(PATHSEG_LINETO_VERTICAL_REL, SVGPATHSEGLINETOVERTICALREL);
+ MAKE_CASE(PATHSEG_CURVETO_CUBIC_SMOOTH_ABS, SVGPATHSEGCURVETOCUBICSMOOTHABS);
+ MAKE_CASE(PATHSEG_CURVETO_CUBIC_SMOOTH_REL, SVGPATHSEGCURVETOCUBICSMOOTHREL);
+ MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_SMOOTH_ABS, SVGPATHSEGCURVETOQUADRATICSMOOTHABS);
+ MAKE_CASE(PATHSEG_CURVETO_QUADRATIC_SMOOTH_REL, SVGPATHSEGCURVETOQUADRATICSMOOTHREL);
+
+#undef MAKE_CASE
+
+ default:
+ return V8ClassIndex::INVALID_CLASS_INDEX;
+ }
+}
+
+#endif // ENABLE(SVG)
+
+#endif // MANUAL_MERGE_REQUIRED
 } // namespace WebCore |
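Review bot: In the new `V8Custom::GetTargetFrame` the two non-window cases are crossed: the `case V8ClassIndex::LOCATION:` arm converts `host` with `convertToNativeObject<History>(V8ClassIndex::HISTORY, host)` and calls `history->frame()`, while the `case V8ClassIndex::HISTORY:` arm converts it with `convertToNativeObject<Location>(V8ClassIndex::LOCATION, host)`. The `data` argument is treated elsewhere in this same hunk as the class index of `host` (the History access checks ASSERT exactly that), so on each of these arms the wrapper's native pointer is reinterpreted as the other class before `frame()` is read; given the function's name and its `host`/`data` signature it presumably backs the cross-frame access checks, in which case a bogus target frame weakens the same-origin decision rather than merely crashing. The fix is to swap the two labels so that `case V8ClassIndex::HISTORY: {` sits over the History conversion and `case V8ClassIndex::LOCATION: {` over the Location conversion. The `#ifdef MANUAL_MERGE_REQUIRED` branch keeps an older copy of this file's tail outside the hunk; whichever copy survives the manual merge should be checked for the same mismatch.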