v8binding: Adds 'then' as one of special cross origin properties.

yuki3 · Commit Bot · commit 09b22d9f4754 · 2017-11-21T06:47:55.000Z
According to the discussion (and request) at whatwg/dom#536 this patch adds 'then' as a cross origin accessible property returning 'undefined'. HTML 7.2.3.3 CrossOriginGetOwnPropertyHelper ( O, P ) https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-) is not yet updated, but it should be quite soon. The proposed change is at whatwg/html#3242 Bug: Change-Id: Icb72ba01ccf8eabaad607b61805411d1b4845f86 Reviewed-on: https://chromium-review.googlesource.com/779319 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#518158}
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-window-properties-undefined.html b/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-window-properties-undefined.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<iframe id="cross-origin-iframe" src="https://localhost:8000/security/resources/blank.html"></iframe>
+<!--
+  HTML 7.2.3.3 CrossOriginGetOwnPropertyHelper ( O, P )
+  https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-)
+  step 3. If P is "then", @@toStringTag, @@hasInstance, or @@isConcatSpreadable, then return PropertyDescriptor{ [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
+
+  Test that window.then and location.then return undefined in case of cross origin.
+-->
+<script>
+onload = function() {
+
+  test(function() {
+    let iframe = document.getElementById('cross-origin-iframe');
+    let w = iframe.contentWindow;  // cross origin window
+    assert_throws('SecurityError', function() { w.document; }, "The window 'w' must be cross origin.");
+    assert_equals(w.then, undefined, "The value of 'then' must be undefined.");
+    assert_equals(w.location.then, undefined, "The value of 'location.then' must be undefined.");
+
+  }, "Test that 'then' on cross origin window and location returns undefined.");
+
+  test(function() {
+    let iframe = document.getElementById('cross-origin-iframe');
+    let w = iframe.contentWindow;  // cross origin window
+    assert_throws('SecurityError', function() { w.document; }, "The window 'w' must be cross origin.");
+
+    // Make a child browsing context named 'then', which shouldn't be shadowed.
+    let child_then_frame = document.createElement('iframe');
+    child_then_frame.name = 'then';
+    child_then_frame.src = 'https://localhost:8000/security/resources/blank.html';
+    document.body.appendChild(child_then_frame);
+
+    assert_equals(typeof w.then, 'object', "The value of 'then' must be a WindowProxy.");
+    assert_equals(w.location.then, undefined, "The value of 'location.then' must be undefined.");
+  }, "Test that a child browsing context named 'then' is not shadowed.");
+
+};
+</script>
diff --git a/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
@@ -346,6 +346,17 @@ void V8Window::namedPropertyGetterCustom(
   if (!BindingSecurity::ShouldAllowAccessTo(
           CurrentDOMWindow(info.GetIsolate()), window,
           BindingSecurity::ErrorReportOption::kDoNotReport)) {
+    // HTML 7.2.3.3 CrossOriginGetOwnPropertyHelper ( O, P )
+    // https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-)
+    // step 3. If P is "then", @@toStringTag, @@hasInstance, or
+    //   @@isConcatSpreadable, then return PropertyDescriptor{ [[Value]]:
+    //   undefined, [[Writable]]: false, [[Enumerable]]: false,
+    //   [[Configurable]]: true }.
+    if (name == "then") {
+      V8SetReturnValueFast(info, v8::Undefined(info.GetIsolate()), window);
+      return;
+    }
+
     BindingSecurity::FailedAccessCheckFor(
         info.GetIsolate(), window->GetWrapperTypeInfo(), info.Holder());
     return;
diff --git a/third_party/WebKit/Source/bindings/templates/interface_base.cpp.tmpl b/third_party/WebKit/Source/bindings/templates/interface_base.cpp.tmpl
@@ -282,6 +282,17 @@ void {{v8_class_or_partial}}::crossOriginNamedGetter(v8::Local<v8::Name> name, c
   {{cpp_class}}V8Internal::namedPropertyGetter(propertyName, info);
   {% endif %}
   {% else %}
+  // HTML 7.2.3.3 CrossOriginGetOwnPropertyHelper ( O, P )
+  // https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-)
+  // step 3. If P is "then", @@toStringTag, @@hasInstance, or
+  //   @@isConcatSpreadable, then return PropertyDescriptor{ [[Value]]:
+  //   undefined, [[Writable]]: false, [[Enumerable]]: false,
+  //   [[Configurable]]: true }.
+  if (propertyName == "then") {
+    V8SetReturnValue(info, v8::Undefined(info.GetIsolate()));
+    return;
+  }
+
   BindingSecurity::FailedAccessCheckFor(
       info.GetIsolate(),
       &{{v8_class}}::wrapperTypeInfo,
diff --git a/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterfaceCheckSecurity.cpp b/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterfaceCheckSecurity.cpp
@@ -492,6 +492,17 @@ void V8TestInterfaceCheckSecurity::crossOriginNamedGetter(v8::Local<v8::Name> na
     }
   }
 
+  // HTML 7.2.3.3 CrossOriginGetOwnPropertyHelper ( O, P )
+  // https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-)
+  // step 3. If P is "then", @@toStringTag, @@hasInstance, or
+  //   @@isConcatSpreadable, then return PropertyDescriptor{ [[Value]]:
+  //   undefined, [[Writable]]: false, [[Enumerable]]: false,
+  //   [[Configurable]]: true }.
+  if (propertyName == "then") {
+    V8SetReturnValue(info, v8::Undefined(info.GetIsolate()));
+    return;
+  }
+
   BindingSecurity::FailedAccessCheckFor(
       info.GetIsolate(),
       &V8TestInterfaceCheckSecurity::wrapperTypeInfo,
