Diffstat (limited to 'webkit')
-rw-r--r-- | webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt | 5 | ||||
-rw-r--r-- | webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html | 49 | ||||
-rw-r--r-- | webkit/port/bindings/scripts/CodeGeneratorV8.pm | 26 | ||||
-rw-r--r-- | webkit/port/page/DOMWindow.idl | 2 | ||||
-rw-r--r-- | webkit/port/page/Location.idl | 12 |
5 files changed, 81 insertions, 13 deletions
diff --git a/webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt
new file mode 100644
index 0000000..a9b2554
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing-expected.txt
@@ -0,0 +1,5 @@
+PASS
+PASS
+PASS
+PASS
+
diff --git a/webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html
new file mode 100644
index 0000000..6e9bac4
--- /dev/null
+++ b/webkit/data/layout_tests/chrome/fast/dom/location-shadowing.html
@@ -0,0 +1,49 @@
+<html>
+<body onload="test()">
+<script>
+// This tests that the location property on the window object
+// cannot be overwritten by using accessors defined using
+// __defineGetter__ and __defineSetter__ and that functions
+//on location objects are read-only.
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+}
+
+function check(passed) {
+ if (passed) {
+ document.write("PASS<br>");
+ } else {
+ document.write("FAIL<br>");
+ }
+}
+
+var locationFunctions = ["reload", "replace", "assign", "toString"];
+
+function overwrite() { return 'overwrite'; };
+
+function testFunctionOverwrite() {
+ for (var i = 0; i < locationFunctions.length; i++) {
+ location[locationFunctions[i]] = overwrite;
+ check(location[locationFunctions[i]] != overwrite);
+ }
+}
+
+function failIfCalled() { check(false); }
+
+function testAccessorOverwrite() {
+ __defineGetter__("location", failIfCalled);
+ var l = location;
+ window.__defineGetter__("location", failIfCalled);
+ l = window.location;
+ this.__defineGetter__("location", failIfCalled);
+ l = this.location;
+}
+
+function test() {
+ testFunctionOverwrite();
+ testAccessorOverwrite();
+}
+</script>
+</body>
+</html>
diff --git a/webkit/port/bindings/scripts/CodeGeneratorV8.pm b/webkit/port/bindings/scripts/CodeGeneratorV8.pm
index 1da6318..1526b88 100644
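Review bot: testAccessorOverwrite() in location-shadowing.html has no positive assertion: it only reaches `check(false)` if a shadowing getter actually runs, so all four expected PASS lines come from testFunctionOverwrite(). If the first `__defineGetter__` call were to throw, the remaining two cases would be skipped and the output would still match the expectation file. Adding `check(l !== undefined);` after each of the three reads (and extending the expected output to seven PASS lines) would make a skipped case visible. The header comment also names `__defineSetter__`, but no setter is defined anywhere in the test, so that half of the claim is not exercised.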
--- a/webkit/port/bindings/scripts/CodeGeneratorV8.pm +++ b/webkit/port/bindings/scripts/CodeGeneratorV8.pm @@ -958,15 +958,20 @@ sub GenerateImplementation my $accessControl = "v8::DEFAULT"; if ($attrExt->{"DoNotCheckDomainSecurityOnGet"}) { - $accessControl = "v8::ALL_CAN_READ"; + $accessControl = "v8::ALL_CAN_READ"; } elsif ($attrExt->{"DoNotCheckDomainSecurityOnSet"}) { - $accessControl = "v8::ALL_CAN_WRITE"; + $accessControl = "v8::ALL_CAN_WRITE"; } elsif ($attrExt->{"DoNotCheckDomainSecurity"}) { - $accessControl = "v8::ALL_CAN_READ"; + $accessControl = "v8::ALL_CAN_READ"; if (!($attribute->type =~ /^readonly/)) { - $accessControl = "(v8::AccessControl)(v8::ALL_CAN_READ | v8::ALL_CAN_WRITE)"; + $accessControl .= "|v8::ALL_CAN_WRITE"; } } + if ($attrExt->{"v8ProhibitsOverwriting"}) { + $accessControl .= "|v8::PROHIBITS_OVERWRITING"; + } + $accessControl = "static_cast<v8::AccessControl>(" . $accessControl . ")"; + my $customAccessor = $attrExt->{"Custom"} || $attrExt->{"CustomSetter"} || $attrExt->{"CustomGetter"} || ""; if ($customAccessor eq 1) { @@ -1108,9 +1113,17 @@ END if ($attrExt->{"DontEnum"}) { $property_attributes .= "|v8::DontEnum"; } + if ($attrExt->{"ReadOnly"}) { + $property_attributes .= "|v8::ReadOnly"; + } my $commentInfo = "Function '$name' (ExtAttr: '" . join(' ', keys(%{$attrExt})) . "')"; + my $template = "proto"; + if ($attrExt->{"v8OnInstance"}) { + $template = "instance"; + } + if ($attrExt->{"DoNotCheckDomainSecurity"} && ($dataNode->extendedAttributes->{"CheckDomainSecurity"} || $interfaceName eq "DOMWindow")) { # Mark the accessor as ReadOnly and set it on the proto object so 
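Review bot: The new `v8ProhibitsOverwriting` branch in GenerateImplementation (hunk at -958) has no comment saying what it protects, although the flag is security-relevant. I would add above it `# PROHIBITS_OVERWRITING: page script must not be able to shadow this accessor (e.g. via __defineGetter__); see fast/dom/location-shadowing.html.` The attribute is read only in this attribute path; nothing visible in the function path (hunk at -1108) looks at it, so an IDL author who puts it on a function would presumably get no protection and no warning. The function body extends beyond the hunk.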
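Review bot: The context comment closing the hunk at -1108 still says the accessor is set "on the proto object", but the hunk at -1126 changes the call to `$template->SetAccessor(`, and `$template` is now "instance" whenever `v8OnInstance` is present. The comment should name the selected template, e.g. `# Mark the accessor as ReadOnly and set it on the chosen template (proto, or instance for v8OnInstance) so ...`. An extended-attribute list carrying both `ReadOnly` and `DoNotCheckDomainSecurity` now appends `|v8::ReadOnly` twice, once here and once in that branch; it is harmless in a bitwise OR, but `$property_attributes .= "|v8::ReadOnly" unless $attrExt->{"ReadOnly"};` in the branch would keep the generated code clean. The enclosing loop body starts and ends outside both hunks.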
@@ -1126,13 +1139,13 @@ END # accessing '__proto__' # # The solution is very hacky and fragile, it really needs to be replaced - # by a better solution. + # by a better solution. $property_attributes .= "|v8::ReadOnly"; push(@implContent, <<END); // $commentInfo - proto->SetAccessor( + $template->SetAccessor( v8::String::New("$name"), ${interfaceName}Internal::${name}AttrGetter, 0, @@ -1143,7 +1156,6 @@ END next; } - my $template = "proto"; my $signature = "default_signature"; if ($attrExt->{"v8DoNotCheckSignature"}){ $signature = "v8::Local<v8::Signature>()"; diff --git a/webkit/port/page/DOMWindow.idl b/webkit/port/page/DOMWindow.idl index c6f51f3..a0a94b2 100644 --- a/webkit/port/page/DOMWindow.idl +++ b/webkit/port/page/DOMWindow.idl @@ -52,7 +52,7 @@ module window { attribute [Replaceable] BarInfo toolbar; attribute [Replaceable] Navigator navigator; attribute [Replaceable, v8referenceattr=navigator] Navigator clientInformation; - attribute [DoNotCheckDomainSecurity, CustomSetter] Location location; + attribute [DoNotCheckDomainSecurity, CustomSetter, v8ProhibitsOverwriting] Location location; DOMSelection getSelection(); diff --git a/webkit/port/page/Location.idl b/webkit/port/page/Location.idl index 473522a..092b81d 100644 --- a/webkit/port/page/Location.idl +++ b/webkit/port/page/Location.idl 
@@ -13,10 +13,12 @@ module core { attribute DOMString protocol; attribute DOMString search; - [DoNotCheckDomainSecurity] void reload(in boolean forceget); - [DoNotCheckDomainSecurity] void replace(in DOMString url); - [DoNotCheckDomainSecurity] void assign(in DOMString url); - - [DontEnum] DOMString toString(); + // For security reasons, these functions are on the instance + // instead of on the prototype object to insure that they cannot + // be overwritten. + [DoNotCheckDomainSecurity, v8OnInstance] void reload(in boolean forceget); + [DoNotCheckDomainSecurity, v8OnInstance] void replace(in DOMString url); + [DoNotCheckDomainSecurity, v8OnInstance] void assign(in DOMString url); + [ReadOnly, DontEnum, v8OnInstance] DOMString toString(); }; } |
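Review bot: The new comment promises that reload, replace and assign "cannot be overwritten", but only toString carries an explicit `ReadOnly`; for the other three the read-only flag appears to come from the generator's DoNotCheckDomainSecurity branch, which depends on an interface-level CheckDomainSecurity attribute that is not shown in this hunk. Either mark them explicitly, e.g. `[DoNotCheckDomainSecurity, ReadOnly, v8OnInstance] void reload(in boolean forceget);`, or name that dependency in the comment. ReadOnly blocks assignment only; whether these instance properties are also non-deletable (`v8::DontDelete`) is not visible here and is worth confirming and covering in the layout test. In the comment, "insure" should read "ensure".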