Title: [96370] branches/chromium/874
Revision
96370
Author
[email protected]
Date
2011-09-29 15:39:53 -0700 (Thu, 29 Sep 2011)

Log Message

Merge 96341 - We should ignore the return value of GetRealNamedProperty
BUG=96885
Review URL: http://codereview.chromium.org/8090001

Modified Paths

Added Paths

Diff

Copied: branches/chromium/874/LayoutTests/http/tests/security/window-named-valueOf-expected.txt (from rev 96341, trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt) (0 => 96370)


--- branches/chromium/874/LayoutTests/http/tests/security/window-named-valueOf-expected.txt	                        (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/window-named-valueOf-expected.txt	2011-09-29 22:39:53 UTC (rev 96370)
@@ -0,0 +1 @@
+This passes if it doesn't alert the contents of innocent-victim.  
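Review bot: the expectation is purely negative (the page text and no ALERT line), so a test that never reaches the `alert` for an unrelated reason, for example because the load handler never fires, produces exactly this output as well. Consider having the test append an explicit PASS line to the document after the `try`/`catch` so that this file distinguishes "the fix works" from "the test did not run".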

Copied: branches/chromium/874/LayoutTests/http/tests/security/window-named-valueOf.html (from rev 96341, trunk/LayoutTests/http/tests/security/window-named-valueOf.html) (0 => 96370)


--- branches/chromium/874/LayoutTests/http/tests/security/window-named-valueOf.html	                        (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/window-named-valueOf.html	2011-09-29 22:39:53 UTC (rev 96370)
@@ -0,0 +1,32 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+<body>
+This passes if it doesn't alert the contents of innocent-victim.
+<script>
+window._onload_ = function()
+{
+    frame = document.body.appendChild(document.createElement("iframe"));
+    frame.src = ""
+    frame._onload_ = function() {
+        frame._onload_ = null;
+
+        frame.contentWindow[0].location = "data:text/html,<script>(" + function() {
+            try {
+                window.name = "valueOf";
+                obj = window.open();
+                obj.__proto__.__proto__ = parent;
+                alert(obj.valueOf.constructor("return document.body.innerHTML")());
+            } catch(ex) {
+            }
+            if (window.layoutTestController)
+                layoutTestController.notifyDone();
+        } + ")()</scr" + "ipt>";
+    }
+}
+</script>
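Review bot: `window._onload_` and `frame._onload_` are not DOM event-handler attributes, so as written the outer handler never runs, the nested `data:` frame is never created and `layoutTestController.notifyDone()` is never called, which means the test times out instead of passing. If the underscores are the archive's rewriting of `onload`, the committed file is fine; otherwise they need to be `window.onload` and `frame.onload`. Minor: `frame.src = ""` is missing its semicolon, and the empty `catch(ex) {}` swallows every exception, which appears intentional here (an access-check failure is the expected outcome once the interceptor no longer returns the property) but deserves a one-line comment saying so.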

Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (96369 => 96370)


--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	2011-09-29 22:35:28 UTC (rev 96369)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	2011-09-29 22:39:53 UTC (rev 96370)
@@ -499,9 +499,8 @@
         return toV8(child->domWindow());
 
     // Search IDL functions defined in the prototype
-    v8::Handle<v8::Value> result = info.Holder()->GetRealNamedProperty(name);
-    if (!result.IsEmpty())
-        return result;
+    if (!info.Holder()->GetRealNamedProperty(name).IsEmpty())
+        return notHandledByInterceptor();
 
     // Search named items in the document.
     Document* doc = frame->document();
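Review bot: the comment `// Search IDL functions defined in the prototype` above the changed lines now describes the old behaviour. After this change the lookup only tests whether the name resolves and then hands it back to V8 via `notHandledByInterceptor()`, so the comment should state that the value is deliberately not returned: `GetRealNamedProperty` walks the prototype chain, which the page can redirect at another window (the new test does `obj.__proto__.__proto__ = parent`), and returning that value from the interceptor would bypass the access checks V8's own property lookup performs. A short comment citing bug 96885 would keep that intent from being lost in a later refactor; the fall-through to the document named-item search when the result is empty is unchanged, which is correct.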
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
