Title: [95028] trunk
Revision
95028
Author
wei...@apple.com
Date
2011-09-13 09:01:38 -0700 (Tue, 13 Sep 2011)

Log Message

Object.getPrototypeOf should use JSValue::get()
https://bugs.webkit.org/show_bug.cgi?id=67973

Reviewed by Darin Adler.

Source/JavaScriptCore:

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetPrototypeOf):
Pipe through JSValue::get() to allow overrides.

LayoutTests:

* http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt: Added.
* http/tests/security/cross-frame-access-object-getPrototypeOf.html: Added.
* http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (95027 => 95028)


--- trunk/LayoutTests/ChangeLog	2011-09-13 15:32:51 UTC (rev 95027)
+++ trunk/LayoutTests/ChangeLog	2011-09-13 16:01:38 UTC (rev 95028)
@@ -1,3 +1,14 @@
+2011-09-12  Sam Weinig  <s...@webkit.org>
+
+        Object.getPrototypeOf should use JSValue::get()
+        https://bugs.webkit.org/show_bug.cgi?id=67973
+
+        Reviewed by Darin Adler.
+
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt: Added.
+        * http/tests/security/cross-frame-access-object-getPrototypeOf.html: Added.
+        * http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html: Added.
+
 2011-09-13  Fumitoshi Ukai  <u...@chromium.org>
 
         Unreviewed, update chromium test expectations

Added: trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt (0 => 95028)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt	2011-09-13 16:01:38 UTC (rev 95028)
@@ -0,0 +1,9 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-object-getPrototypeOf.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-object-getPrototypeOf.html. Domains, protocols and ports must match.
+
+This tests that you can't get the prototype of the window or history objects cross-origin using Object.getPrototypeOf().
+
+PASS: Object.getPrototypeOf(targetWindow) should be 'undefined' and is.
+PASS: Object.getPrototypeOf(targetWindow.history) should be 'undefined' and is.
+
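Review bot: The two CONSOLE MESSAGE lines hard-code the full text of the cross-origin access error, including both frame URLs and the `line 1` location, so any later change to that message's wording or to how the line is reported will require rebaselining this expectation. That is the usual trade-off for http/tests/security expectations, but worth knowing when triaging failures. The pair of messages does confirm that both accesses in the test (targetWindow and targetWindow.history) are refused, not only the first.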

Added: trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html (0 => 95028)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html	2011-09-13 16:01:38 UTC (rev 95028)
@@ -0,0 +1,34 @@
+<html>
+<head>
+    <script src=""
+    <script>
+        if (window.layoutTestController) {
+            layoutTestController.dumpAsText();
+            layoutTestController.waitUntilDone();
+        }
+
+        // Set up listener for message from iframe
+        addEventListener('message', function(event) {
+            if (event.data == "finishedLoad")
+                doTest();
+        }, false);
+
+
+        doTest = function()
+        {
+            targetWindow = document.getElementById("target").contentWindow;
+
+            shouldBeUndefined("Object.getPrototypeOf(targetWindow)");
+            shouldBeUndefined("Object.getPrototypeOf(targetWindow.history)");
+
+            if (window.layoutTestController)
+                layoutTestController.notifyDone();
+        }
+    </script>
+</head>
+<body>
+    <div>This tests that you can't get the prototype of the window or history objects cross-origin using Object.getPrototypeOf().</div>
+    <iframe id="target" src=""
+    <pre id="console"></pre>
+</body>
+</html>
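Review bot: The test asserts only the cross-origin result; there is no same-origin control (for example a check that the prototype of an accessible object such as `window` itself is not undefined), so a regression in which the new `get(..., underscoreProto)` path returned undefined for every object would still produce the same two PASS lines. One positive check would make the expectation sensitive in both directions. Smaller points: `doTest` and `targetWindow` are assigned without `var` and become implicit globals, and the `message` listener accepts "finishedLoad" from any source without comparing `event.source` to the target iframe's contentWindow; acceptable in a layout test, but worth a comment so the pattern is not copied into code that relies on the message.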

Added: trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html (0 => 95028)


--- trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-object-getPrototypeOf-test.html	2011-09-13 16:01:38 UTC (rev 95028)
@@ -0,0 +1,13 @@
+<html>
+<head>
+    <script>
+        _onload_ = function()
+        {
+            parent.postMessage("finishedLoad", "*");
+        }
+    </script>
+</head>
+<body>
+    Body
+</body>
+</html>
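Review bot: `parent.postMessage("finishedLoad", "*")` uses the wildcard target origin. That is acceptable here because the parent is deliberately a different origin and the message carries no data, but the receiving side only compares `event.data`, so the readiness signal could come from any frame holding a reference to the parent; a one-line comment stating that the wildcard is intentional would stop a future reader from "fixing" it. Also, the load handler (rendered here as `_onload_`) is assigned as a bare global rather than through `window.onload` or `addEventListener`, which is inconsistent with the parent page, where `addEventListener` is used.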

Modified: trunk/Source/_javascript_Core/ChangeLog (95027 => 95028)


--- trunk/Source/_javascript_Core/ChangeLog	2011-09-13 15:32:51 UTC (rev 95027)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-09-13 16:01:38 UTC (rev 95028)
@@ -1,3 +1,14 @@
+2011-09-13  Sam Weinig  <s...@webkit.org>
+
+        Object.getPrototypeOf should use JSValue::get()
+        https://bugs.webkit.org/show_bug.cgi?id=67973
+
+        Reviewed by Darin Adler.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetPrototypeOf):
+        Pipe through JSValue::get() to allow overrides.
+
 2011-09-12  Filip Pizlo  <fpi...@apple.com>
 
         _javascript_Core does not have baseline->speculative OSR

Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (95027 => 95028)


--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2011-09-13 15:32:51 UTC (rev 95027)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2011-09-13 16:01:38 UTC (rev 95028)
@@ -137,7 +137,11 @@
 {
     if (!exec->argument(0).isObject())
         return throwVMError(exec, createTypeError(exec, "Requested prototype of a value that is not an object."));
-    return JSValue::encode(asObject(exec->argument(0))->prototype());
+        
+    // This uses JSValue::get() instead of directly accessing the prototype from the object
+    // (using JSObject::prototype()) in order to allow objects to override the behavior, such
+    // as returning jsUndefined() for cross-origin access.
+    return JSValue::encode(exec->argument(0).get(exec, exec->propertyNames().underscoreProto));
 }
 
 EncodedJSValue JSC_HOST_CALL objectConstructorGetOwnPropertyDescriptor(ExecState* exec)
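Review bot: The first added line of this hunk (`+        `) is whitespace-only with trailing spaces; please drop it or strip the trailing whitespace, since the style checker flags it. On the logic: routing through `JSValue::get()` with `underscoreProto` means the host function now returns whatever the object's `__proto__` lookup yields, including the jsUndefined() the comment mentions, rather than the object-or-null that ES5's Object.getPrototypeOf contract promises. Since that divergence is the purpose of the change, it should be recorded in the ChangeLog that cross-origin callers now observe undefined. The `isObject()` guard above remains necessary: without it, calling `get()` on a primitive would resolve `__proto__` through the synthesized wrapper prototype and silently return it instead of throwing the TypeError.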