Revision: 5687
Author: [email protected]
Date: Thu Jun 5 18:53:51 2014 UTC
Log: Backport to es53 branch: 5680,5681,5682,5683,5685,5686
https://codereview.appspot.com/102210044
All changes since the previous merge except for r5679 which is a
post-es53-removal build fix, and r5684 which applies to typed array
taming which only exists in trunk.
The merge command was
svn merge -c 5680,5681,5682,5683,5685,5686 ^/trunk
and there were two conflicts from r5685:
* changes to Proxy feature test in browser-test-case.js
* changes to Typed Array repairs which do not exist in es53 branch
[email protected]
http://code.google.com/p/google-caja/source/detail?r=5687
Modified:
/branches/es53
/branches/es53/src/com/google/caja/plugin/domado.js
/branches/es53/src/com/google/caja/ses/WeakMap.js
/branches/es53/src/com/google/caja/ses/repairES5.js
/branches/es53/src/com/google/caja/ses/startSES.js
/branches/es53/tests/com/google/caja/plugin/browser-test-case.js
/branches/es53/tests/com/google/caja/plugin/test-domado-dom-guest.html
/branches/es53/tests/com/google/caja/plugin/test-scan-guest.js
=======================================
--- /branches/es53/src/com/google/caja/plugin/domado.js Tue Apr 8 17:39:52
2014 UTC
+++ /branches/es53/src/com/google/caja/plugin/domado.js Thu Jun 5 18:53:51
2014 UTC
@@ -118,7 +118,10 @@
}
}
- var proxiesAvailable = typeof Proxy !== 'undefined';
+ // test for old-style proxies, not ES6 direct proxies, because that's
what we
+ // used and what ES5/3 provides.
+ // TODO(kpreid): Need to migrate to ES6-planned proxy API
+ var proxiesAvailable = typeof Proxy !== 'undefined' && !!Proxy.create;
var proxiesInterceptNumeric = proxiesAvailable && (function() {
var handler = {
toString: function() { return 'proxiesInterceptNumeric test
handler'; },
@@ -4703,13 +4706,16 @@
defineElement({
domClass: 'HTMLAnchorElement',
properties: function() { return {
+ // TODO(kpreid): Implement all components-of-the-URL properties
in
+ // a generic and consistently-virtualized way.
hash: PT.filter(
false,
function (value) { return unsuffix(value, idSuffix, value); },
false,
// TODO(felix8a): add suffix if href is self
identity),
- href: NP_UriValuedProperty('a', 'href')
+ href: NP_UriValuedProperty('a', 'href'),
+ pathname: PT.ROView(String)
}; }
});
=======================================
--- /branches/es53/src/com/google/caja/ses/WeakMap.js Tue Feb 4 17:26:19
2014 UTC
+++ /branches/es53/src/com/google/caja/ses/WeakMap.js Thu Jun 5 18:53:51
2014 UTC
@@ -240,7 +240,7 @@
},
preSeverity: severities.UNSAFE_SPEC_VIOLATION,
canRepair: true,
- urls: [], // TODO(kpreid): File/find bug with IE 11
+ urls:
['https://connect.microsoft.com/IE/feedback/details/871401/weakmaps-drop-frozen-keys'],
sections: [], // TODO(kpreid): cite ES6 when published
tests: [] // TODO(kpreid): should be in test262
});
=======================================
--- /branches/es53/src/com/google/caja/ses/repairES5.js Tue Feb 4 17:26:19
2014 UTC
+++ /branches/es53/src/com/google/caja/ses/repairES5.js Thu Jun 5 18:53:51
2014 UTC
@@ -666,8 +666,13 @@
return false;
}
+ // Create a new iframe and pass its 'window' object to the provided
callback.
+ // If the environment is not a browser, return undefined and do not call
the
+ // callback.
function inTestFrame(callback) {
- if (!document || !document.createElement) { return undefined; }
+ if (!(typeof document !== 'undefined' && document.createElement)) {
+ return undefined;
+ }
var iframe = document.createElement('iframe');
var container = document.body ||
document.getElementsByTagName('head')[0] ||
document.documentElement || document;
@@ -2572,6 +2577,60 @@
return 'Unexpected error from strict nested function: ' + err;
}
}
+
+ /**
+ * Bug in IE versions 9 to 11 (current as of this writing):
+ *
http://webreflection.blogspot.co.uk/2014/04/all-ie-objects-are-broken.html
+ *
+ * An object which is a product of Object.create(somePrototype), and
which has
+ * only numeric-named properties, will in some ways appear to not have
those
+ * properties.
+ */
+ function test_NUMERIC_PROPERTIES_INVISIBLE() {
+ var o1 = Object.create({}, {0: {value: 1}}); // normal
+ var o2 = Object.create({}); // demonstrates bug
+ o2[0] = 1;
+
+ if (o1.hasOwnProperty('0') && o1[0] === 1 &&
+ o2.hasOwnProperty('0') && o2[0] === 1) {
+ return false;
+ } else if (o1.hasOwnProperty('0') && o1[0] === 1 &&
+ !o2.hasOwnProperty('0') && o2[0] === 1) {
+ return true;
+ } else {
+ return 'Unexpected results from numeric property on created object';
+ }
+ }
+
+ /**
+ * Tests for https://code.google.com/p/v8/issues/detail?id=3334
+ * which reports that setting a function's prototype with
+ * defineProperty can update its descriptor without updating the
+ * actual value when also changing writable from true to false.
+ */
+ function test_DEFINE_PROPERTY_CONFUSES_FUNC_PROTO() {
+ function bar() {}
+ var oldBarPrototype = bar.prototype;
+ Object.defineProperty(bar, 'prototype', {value: 2, writable: false});
+ var desc = Object.getOwnPropertyDescriptor(bar, 'prototype');
+ if (desc.value !== 2) {
+ return 'Unexpected descriptor from setting a function\'s ' +
+ 'protptype with defineProperty: ' + JSON.stringify(desc);
+ }
+ if (bar.prototype === 2) {
+ return false;
+ } else if (typeof bar.prototype === 'object') {
+ if (bar.prototype === oldBarPrototype) {
+ return true;
+ } else {
+ return 'Unexpected prototype identity from setting a function\'s '
+
+ 'prototype with defineProperty.';
+ }
+ } else {
+ return 'Unexpected result of setting a function\'s prototype ' +
+ 'with defineProperty: ' + typeof bar.prototype;
+ }
+ }
////////////////////// Repairs /////////////////////
//
@@ -2591,8 +2650,9 @@
var isExtensible = Object.isExtensible;
/*
- * Fixes both FUNCTION_PROTOTYPE_DESCRIPTOR_LIES and
- * DEFINING_READ_ONLY_PROTO_FAILS_SILENTLY.
+ * Fixes FUNCTION_PROTOTYPE_DESCRIPTOR_LIES,
+ * DEFINING_READ_ONLY_PROTO_FAILS_SILENTLY and
+ * DEFINE_PROPERTY_CONFUSES_FUNC_PROTO.
*/
function repair_DEFINE_PROPERTY() {
function repairedDefineProperty(base, name, desc) {
@@ -2603,6 +2663,7 @@
base.prototype = desc.value;
} catch (err) {
logger.warn('prototype fixup failed', err);
+ throw err;
}
} else if (name === '__proto__' && !isExtensible(base)) {
throw TypeError('Cannot redefine __proto__ on a non-extensible
object');
@@ -3168,6 +3229,32 @@
Object.defineProperty(object, name, desc);
});
}
+
+ function repair_NUMERIC_PROPERTIES_INVISIBLE() {
+ var create = Object.create;
+
+ var tempPropName = '0';
+ var tempPropDesc = {configurable: true};
+
+ Object.defineProperty(Object, 'create', {
+ configurable: true,
+ writable: true, // allow other repairs to stack on
+ value: function repairedCreate(prototype, props) {
+ var o = create(prototype);
+ // Any property defined using a descriptor is sufficient to
suppress
+ // the misbehavior.
+ Object.defineProperty(o, tempPropName, tempPropDesc);
+ delete o[tempPropName];
+ // By deferring the defineProperties operation, we avoid possibly
+ // conflicting with the caller-specified property names, without
+ // needing to examine props twice.
+ if (props !== undefined) {
+ Object.defineProperties(o, props);
+ }
+ return o;
+ }
+ });
+ }
////////////////////// Generic tests/repairs /////////////////////
//
@@ -3778,6 +3865,18 @@
sections: ['8.6.2'],
tests: [] // TODO(jasvir): Add to test262
},
+ {
+ id: 'DEFINE_PROPERTY_CONFUSES_FUNC_PROTO',
+ description: 'Setting a function\'s prototype with defineProperty ' +
+ 'doesn\'t change its value',
+ test: test_DEFINE_PROPERTY_CONFUSES_FUNC_PROTO,
+ repair: repair_DEFINE_PROPERTY,
+ preSeverity: severities.UNSAFE_SPEC_VIOLATION,
+ canRepair: true,
+ urls: ['https://code.google.com/p/v8/issues/detail?id=3334'],
+ sections: [],
+ tests: [] // TODO(kpreid): contribute tests
+ },
{
id: 'STRICT_EVAL_LEAKS_GLOBAL_VARS',
description: 'Strict eval function leaks variable definitions',
@@ -4141,6 +4240,18 @@
'http://wiki.ecmascript.org/doku.php?id=conventions:recommendations_for_implementors'],
sections: [],
tests: [] // hopefully will be in ES6 tests
+ },
+ {
+ id: 'NUMERIC_PROPERTIES_INVISIBLE',
+ description: 'Numeric properties not reflectable on create()d
objects',
+ test: test_NUMERIC_PROPERTIES_INVISIBLE,
+ repair: repair_NUMERIC_PROPERTIES_INVISIBLE,
+ preSeverity: severities.UNSAFE_SPEC_VIOLATION,
+ canRepair: true,
+ urls:
['http://webreflection.blogspot.co.uk/2014/04/all-ie-objects-are-broken.html'],
+ // TODO(kpreid): link Microsoft info page when available
+ sections: ['8.12.6'],
+ tests: [] // TODO(kpreid): contribute tests
}
];
@@ -4191,7 +4302,7 @@
strictForEachFn(supportedProblems, ses._repairer.registerProblem);
ses._repairer.testAndRepair();
}
-
+
var reports = ses._repairer.getReports();
// Made available to allow for later code reusing our diagnoses to work
=======================================
--- /branches/es53/src/com/google/caja/ses/startSES.js Tue Apr 8 17:39:52
2014 UTC
+++ /branches/es53/src/com/google/caja/ses/startSES.js Thu Jun 5 18:53:51
2014 UTC
@@ -1141,7 +1141,12 @@
}
constFunc(lengthGetter);
- var nativeProxies = global.Proxy && (function () {
+ // test for old-style proxies, not ES6 direct proxies
+ // TODO(kpreid): Need to migrate to ES6-planned proxy API
+ var proxiesAvailable = global.Proxy !== undefined &&
+ !!global.Proxy.create;
+
+ var nativeProxies = proxiesAvailable && (function () {
var obj = {0: 'hi'};
var p = global.Proxy.create({
get: function(O, P) {
=======================================
--- /branches/es53/tests/com/google/caja/plugin/browser-test-case.js Tue
Sep 24 17:41:30 2013 UTC
+++ /branches/es53/tests/com/google/caja/plugin/browser-test-case.js Thu
Jun 5 18:53:51 2014 UTC
@@ -562,8 +562,12 @@
standardImports.inES5Mode = inES5Mode;
standardImports.proxiesAvailableToTamingCode = inES5Mode
- // In ES5, Domado runs in the taming frame's real global env
- ? typeof frameGroup.iframe.Proxy !== 'undefined'
+ // In ES5, Domado runs in the taming frame's real global env.
+ // Test for old-style proxies, not ES6 direct proxies, because
that's what
+ // Domado uses.
+ // TODO(kpreid): Need to migrate to ES6-planned proxy API
+ ? frameGroup.iframe.Proxy !== undefined &&
+ !!frameGroup.iframe.Proxy.create
// ES5/3 provides proxies always.
: true;
=======================================
--- /branches/es53/tests/com/google/caja/plugin/test-domado-dom-guest.html
Tue Apr 8 17:39:52 2014 UTC
+++ /branches/es53/tests/com/google/caja/plugin/test-domado-dom-guest.html
Thu Jun 5 18:53:51 2014 UTC
@@ -3247,11 +3247,11 @@
});
</script>
-<div class="testcontainer" id="testHash">
+<div class="testcontainer" id="testAnchorHash">
<a id='test-hash' href="#foo">test a.hash and hash in a.href</a>
</div>
<script type="text/javascript">
- jsunitRegister('testHash', function testHash() {
+ jsunitRegister('testAnchorHash', function testHash() {
var a = document.getElementById('test-hash');
assertEquals('#foo', a.hash);
@@ -3265,6 +3265,33 @@
assertEquals(window.location + '#bar', a.getAttribute('href'));
assertEquals(window.location + '#bar', a.href);
+ pass();
+ });
+</script>
+
+<div class="testcontainer" id="testAnchorPathname">
+ <a id="testAnchorPathname-a" href="http://example.invalid/path?query";>
+ testAnchorPathname
+ </a>
+</div>
+<script type="text/javascript">
+ jsunitRegister('testAnchorPathname', function testHash() {
+ var a = document.getElementById('testAnchorPathname-a');
+
+ // The path of the output of the URI rewriter is "/".
+ // Seeing the rewritten URI is not actually desirable, but is
consistent
+ // with other behaviors. TODO(kpreid): Look into storing the original
+ // URI.
+ assertEquals('/', a.pathname);
+
+ // Currently do not support modifying a URL since the URI policy
rewrite
+ // is not reversible
+ expectFailure(function() {
+ a.pathname = '1';
+ }, 'Assignment fails', function(e) {
+ return e.name === 'TypeError';
+ });
+
pass();
});
</script>
=======================================
--- /branches/es53/tests/com/google/caja/plugin/test-scan-guest.js Tue Jan
7 21:20:26 2014 UTC
+++ /branches/es53/tests/com/google/caja/plugin/test-scan-guest.js Thu Jun
5 18:53:51 2014 UTC
@@ -795,6 +795,7 @@
}
}));
+ argsByIdentity(window.Proxy, G.none); // TODO abuse
argsByIdentity(window.Proxy && Proxy.create, G.none); // TODO abuse
argsByIdentity(window.Proxy && Proxy.createFunction, G.none); // TODO
abuse
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
