Diff
Copied: branches/chromium/874/LayoutTests/http/tests/security/document-all-expected.txt (from rev 95489, trunk/LayoutTests/http/tests/security/document-all-expected.txt) (0 => 95814)
--- branches/chromium/874/LayoutTests/http/tests/security/document-all-expected.txt (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/document-all-expected.txt 2011-09-23 16:20:26 UTC (rev 95814)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: Uncaught TypeError: Illegal constructor
+
Copied: branches/chromium/874/LayoutTests/http/tests/security/document-all.html (from rev 95489, trunk/LayoutTests/http/tests/security/document-all.html) (0 => 95814)
--- branches/chromium/874/LayoutTests/http/tests/security/document-all.html (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/document-all.html 2011-09-23 16:20:26 UTC (rev 95814)
@@ -0,0 +1,28 @@
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+window._onload_ = function()
+{
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.src = ""
+ frame._onload_ = function() {
+ frame._onload_ = null;
+
+ frame.contentWindow[0].location = "data:text/html,<script>(" + function() {
+
+ setTimeout(function() {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+
+ window.name = "alert";
+ obj = document.all;
+ obj.__proto__ = parent;
+ alert(obj.alert.constructor("return document.body.innerHTML")());
+ } + ")()</scr" + "ipt>";
+ }
+}
+</script>
Modified: branches/chromium/874/Source/WebCore/bindings/v8/V8Collection.h (95813 => 95814)
--- branches/chromium/874/Source/WebCore/bindings/v8/V8Collection.h 2011-09-23 16:19:51 UTC (rev 95813)
+++ branches/chromium/874/Source/WebCore/bindings/v8/V8Collection.h 2011-09-23 16:20:26 UTC (rev 95814)
@@ -73,15 +73,11 @@
// A template of named property accessor of collections.
template<class Collection, class ItemType> static v8::Handle<v8::Value> collectionNamedPropertyGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
- v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
-
- if (!value.IsEmpty())
- return value;
-
- // Search local callback properties next to find IDL defined
- // properties.
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(name).IsEmpty())
+ return notHandledByInterceptor();
if (info.Holder()->HasRealNamedCallbackProperty(name))
return notHandledByInterceptor();
+
return getNamedPropertyOfCollection<Collection, ItemType>(name, info.Holder());
}
Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp (95813 => 95814)
--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp 2011-09-23 16:19:51 UTC (rev 95813)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp 2011-09-23 16:20:26 UTC (rev 95814)
@@ -66,8 +66,8 @@
v8::Handle<v8::Boolean> V8DOMStringMap::namedPropertyDeleter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
INC_STATS("DOM.DOMStringMap.NamedPropertyDeleter");
- v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
- if (!value.IsEmpty())
+
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(name).IsEmpty())
return v8::False();
if (info.Holder()->HasRealNamedCallbackProperty(name))
return v8::False();
@@ -82,8 +82,8 @@
v8::Handle<v8::Value> V8DOMStringMap::namedPropertySetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
{
INC_STATS("DOM.DOMStringMap.NamedPropertySetter");
- v8::Handle<v8::Value> property = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
- if (!property.IsEmpty())
+
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(name).IsEmpty())
return value;
if (info.Holder()->HasRealNamedCallbackProperty(name))
return value;
Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLAllCollectionCustom.cpp (95813 => 95814)
--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLAllCollectionCustom.cpp 2011-09-23 16:19:51 UTC (rev 95813)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLAllCollectionCustom.cpp 2011-09-23 16:20:26 UTC (rev 95814)
@@ -74,18 +74,12 @@
v8::Handle<v8::Value> V8HTMLAllCollection::namedPropertyGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
INC_STATS("DOM.HTMLAllCollection.NamedPropertyGetter");
- // Search the prototype chain first.
- v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
- if (!value.IsEmpty())
- return value;
-
- // Search local callback properties next to find IDL defined
- // properties.
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(name).IsEmpty())
+ return notHandledByInterceptor();
if (info.Holder()->HasRealNamedCallbackProperty(name))
- return v8::Handle<v8::Value>();
+ return notHandledByInterceptor();
- // Finally, search the DOM structure.
HTMLAllCollection* imp = V8HTMLAllCollection::toNative(info.Holder());
return getNamedItems(imp, v8StringToAtomicWebCoreString(name));
}
Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLCollectionCustom.cpp (95813 => 95814)
--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLCollectionCustom.cpp 2011-09-23 16:19:51 UTC (rev 95813)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLCollectionCustom.cpp 2011-09-23 16:20:26 UTC (rev 95814)
@@ -77,18 +77,12 @@
v8::Handle<v8::Value> V8HTMLCollection::namedPropertyGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
INC_STATS("DOM.HTMLCollection.NamedPropertyGetter");
- // Search the prototype chain first.
- v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
- if (!value.IsEmpty())
- return value;
-
- // Search local callback properties next to find IDL defined
- // properties.
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(name).IsEmpty())
+ return notHandledByInterceptor();
if (info.Holder()->HasRealNamedCallbackProperty(name))
- return v8::Handle<v8::Value>();
+ return notHandledByInterceptor();
- // Finally, search the DOM structure.
HTMLCollection* imp = V8HTMLCollection::toNative(info.Holder());
return getNamedItems(imp, v8StringToAtomicWebCoreString(name));
}
Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp (95813 => 95814)
--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp 2011-09-23 16:19:51 UTC (rev 95813)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8NamedNodeMapCustom.cpp 2011-09-23 16:20:26 UTC (rev 95814)
@@ -57,16 +57,12 @@
v8::Handle<v8::Value> V8NamedNodeMap::namedPropertyGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
{
INC_STATS("DOM.NamedNodeMap.NamedPropertyGetter");
- // Search the prototype chain first.
- v8::Handle<v8::Value> value = info.Holder()->GetRealNamedPropertyInPrototypeChain(name);
- if (!value.IsEmpty())
- return value;
- // Then look for IDL defined properties on the object itself.
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(name).IsEmpty())
+ return notHandledByInterceptor();
if (info.Holder()->HasRealNamedCallbackProperty(name))
return notHandledByInterceptor();
- // Finally, search the DOM.
NamedNodeMap* imp = V8NamedNodeMap::toNative(info.Holder());
RefPtr<Node> result = imp->getNamedItem(toWebCoreString(name));
if (!result)
Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8StorageCustom.cpp (95813 => 95814)
--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8StorageCustom.cpp 2011-09-23 16:19:51 UTC (rev 95813)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8StorageCustom.cpp 2011-09-23 16:20:26 UTC (rev 95814)
@@ -102,8 +102,7 @@
if (name == "length")
return v8Value;
- v8::Handle<v8::Value> prototypeValue = info.Holder()->GetRealNamedPropertyInPrototypeChain(v8Name);
- if (!prototypeValue.IsEmpty())
+ if (!info.Holder()->GetRealNamedPropertyInPrototypeChain(v8Name).IsEmpty())
return notHandledByInterceptor();
ExceptionCode ec = 0;
