Diff
Modified: trunk/LayoutTests/ChangeLog (196675 => 196676)
--- trunk/LayoutTests/ChangeLog 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/LayoutTests/ChangeLog 2016-02-17 01:37:56 UTC (rev 196676)
@@ -1,3 +1,17 @@
+2016-02-16 Gavin Barraclough <[email protected]>
+
+ JSDOMWindow::getOwnPropertySlot should not search photo chain
+ https://bugs.webkit.org/show_bug.cgi?id=154102
+
+ Reviewed by Chris Dumez.
+
+ Should only return *own* properties.
+
+ * fast/dom/Window/es52-globals-expected.txt:
+ * http/tests/security/window-named-valueOf-expected.txt:
+ * imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt:
+ - update test results.
+
2016-02-16 Keith Miller <[email protected]>
Spread operator should be allowed when not the first argument of parameter list
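Review bot: The title line of this entry reads "should not search photo chain"; that should be "proto chain", and the same typo recurs in the other two ChangeLog entries of this revision. The "- update test results." line would also be more useful if it said which expectations moved from FAIL to PASS and which only changed their failure text.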
Modified: trunk/LayoutTests/fast/dom/Window/es52-globals-expected.txt (196675 => 196676)
--- trunk/LayoutTests/fast/dom/Window/es52-globals-expected.txt 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/LayoutTests/fast/dom/Window/es52-globals-expected.txt 2016-02-17 01:37:56 UTC (rev 196676)
@@ -1,6 +1,6 @@
PASS window.hasOwnProperty("Element") is true
PASS window.hasOwnProperty("x") is true
-FAIL window.hasOwnProperty("y") should be false. Was true.
+PASS window.hasOwnProperty("y") is false
PASS window.hasOwnProperty("f") is true
PASS window.hasOwnProperty("div") is true
FAIL window.hasOwnProperty("a") should be true. Was false.
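Review bot: window.hasOwnProperty("a") is still expected to FAIL ("should be true. Was false.") after this change, so the file keeps a known-wrong result as its baseline. Point at a tracking bug for that remaining case so the expectation is not mistaken for correct behaviour.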
Modified: trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt (196675 => 196676)
--- trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt 2016-02-17 01:37:56 UTC (rev 196676)
@@ -1,3 +1,5 @@
CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080". The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
This passes if it doesn't alert the contents of innocent-victim.
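Review bot: The expected output now carries the "Blocked a frame with origin "null"" console message twice, and the ChangeLog covers this only with "update test results". The pass condition (no alert of the contents of innocent-victim) is unchanged, but the entry should say which second lookup now reaches the cross-origin check, so a later reader can tell an intended extra denial from an unintended extra access attempt.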
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt (196675 => 196676)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt 2016-02-17 01:37:56 UTC (rev 196676)
@@ -4084,12 +4084,16 @@
FAIL Window interface: calling createImageBitmap(ImageBitmapSource,long,long,long,long) on window with too few arguments must throw TypeError assert_own_property: expected property "createImageBitmap" missing
PASS Window interface: window must inherit property "sessionStorage" with the proper type (123)
PASS Window interface: window must inherit property "localStorage" with the proper type (124)
-FAIL EventTarget interface: window must inherit property "addEventListener" with the proper type (0) assert_inherits: property "addEventListener" found on object expected in prototype chain
-FAIL EventTarget interface: calling addEventListener(DOMString,EventListener,boolean) on window with too few arguments must throw TypeError assert_inherits: property "addEventListener" found on object expected in prototype chain
-FAIL EventTarget interface: window must inherit property "removeEventListener" with the proper type (1) assert_inherits: property "removeEventListener" found on object expected in prototype chain
-FAIL EventTarget interface: calling removeEventListener(DOMString,EventListener,boolean) on window with too few arguments must throw TypeError assert_inherits: property "removeEventListener" found on object expected in prototype chain
-FAIL EventTarget interface: window must inherit property "dispatchEvent" with the proper type (2) assert_inherits: property "dispatchEvent" found on object expected in prototype chain
-FAIL EventTarget interface: calling dispatchEvent(Event) on window with too few arguments must throw TypeError assert_inherits: property "dispatchEvent" found on object expected in prototype chain
+PASS EventTarget interface: window must inherit property "addEventListener" with the proper type (0)
+FAIL EventTarget interface: calling addEventListener(DOMString,EventListener,boolean) on window with too few arguments must throw TypeError assert_throws: Called with 0 arguments function "function () {
+ [native code]
+}" did not throw
+PASS EventTarget interface: window must inherit property "removeEventListener" with the proper type (1)
+FAIL EventTarget interface: calling removeEventListener(DOMString,EventListener,boolean) on window with too few arguments must throw TypeError assert_throws: Called with 0 arguments function "function () {
+ [native code]
+}" did not throw
+PASS EventTarget interface: window must inherit property "dispatchEvent" with the proper type (2)
+PASS EventTarget interface: calling dispatchEvent(Event) on window with too few arguments must throw TypeError
PASS BarProp interface: existence and properties of interface object
PASS BarProp interface object length
PASS BarProp interface object name
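Review bot: The "too few arguments must throw TypeError" cases for addEventListener and removeEventListener still FAIL, now with "did not throw" instead of the assert_inherits message, while the dispatchEvent case passes. That looks like a separate argument-count problem that the old failure was masking; file a follow-up bug and name it in the ChangeLog so the new FAIL text is not read as a regression.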
Modified: trunk/Source/JavaScriptCore/ChangeLog (196675 => 196676)
--- trunk/Source/_javascript_Core/ChangeLog 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-02-17 01:37:56 UTC (rev 196676)
@@ -1,3 +1,16 @@
+2016-02-16 Gavin Barraclough <[email protected]>
+
+ JSDOMWindow::getOwnPropertySlot should not search photo chain
+ https://bugs.webkit.org/show_bug.cgi?id=154102
+
+ Reviewed by Chris Dumez.
+
+ Should only return *own* properties.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ - remove hack/special-case for DOMWindow; we no longer need this.
+
2016-02-16 Keith Miller <[email protected]>
Spread operator should be allowed when not the first argument of parameter list
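Review bot: "we no longer need this" in the JSObject::getOwnPropertyDescriptor entry does not say why. State the dependency explicitly: the special case can go only because JSDOMWindow::getOwnPropertySlot stops returning prototype properties in the same revision, so the two changes have to land, and be reverted, together.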
Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (196675 => 196676)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2016-02-17 01:37:56 UTC (rev 196676)
@@ -2552,15 +2552,6 @@
if (!methodTable(exec->vm())->getOwnPropertySlot(this, exec, propertyName, slot))
return false;
- // JSDOMWindow::getOwnPropertySlot() may return attributes from the prototype chain but getOwnPropertyDescriptor()
- // should only work for 'own' properties so we exit early if we detect that the property is not an own property.
- if (slot.slotBase() != this && slot.slotBase()) {
- auto* proxy = jsDynamicCast<JSProxy*>(this);
- // In the case of DOMWindow, |this| may be a JSDOMWindowShell so we also need to check the shell's target Window.
- if (!proxy || proxy->target() != slot.slotBase())
- return false;
- }
-
if (slot.isAccessor())
descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes());
else if (slot.attributes() & CustomAccessor) {
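Review bot: The removed block was the only place getOwnPropertyDescriptor() rejected a slot whose slotBase() is neither |this| nor the proxy's target(), and the condition itself was not specific to DOMWindow. With it gone, any getOwnPropertySlot override that returns a prototype property silently yields an own-property descriptor. Consider keeping the same condition as a debug assertion after the methodTable call instead of deleting it outright.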
Modified: trunk/Source/WebCore/ChangeLog (196675 => 196676)
--- trunk/Source/WebCore/ChangeLog 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/Source/WebCore/ChangeLog 2016-02-17 01:37:56 UTC (rev 196676)
@@ -1,3 +1,15 @@
+2016-02-16 Gavin Barraclough <[email protected]>
+
+ JSDOMWindow::getOwnPropertySlot should not search photo chain
+ https://bugs.webkit.org/show_bug.cgi?id=154102
+
+ Reviewed by Chris Dumez.
+
+ Should only return *own* properties.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::jsDOMWindowGetOwnPropertySlotNamedItemGetter):
+
2016-02-16 Alex Christensen <[email protected]>
CMake build fix.
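Review bot: The (WebCore::jsDOMWindowGetOwnPropertySlotNamedItemGetter): line has no description, unlike the getOwnPropertyDescriptor entry in the other ChangeLog. Add a line saying the getter now returns false when the property is found on the prototype instead of filling the slot from it.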
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (196675 => 196676)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-02-17 01:29:37 UTC (rev 196675)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-02-17 01:37:56 UTC (rev 196676)
@@ -192,11 +192,9 @@
static bool jsDOMWindowGetOwnPropertySlotNamedItemGetter(JSDOMWindow* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
- // FIXME: If the property is present on the prototype we should 'return false;', not
- // return the property. This is supposed to be an 'own' access.
JSValue proto = thisObject->prototype();
- if (proto.isObject() && asObject(proto)->getPropertySlot(exec, propertyName, slot))
- return true;
+ if (proto.isObject() && asObject(proto)->hasProperty(exec, propertyName))
+ return false;
// Check for child frames by name before built-in properties to match Mozilla. This does
// not match IE, but some sites end up naming frames things that conflict with window
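Review bot: The new "return false;" after the hasProperty call has no comment, and the deleted FIXME was the only text explaining why the prototype is consulted inside an own-property getter. Add a short comment saying that a property present on the prototype must not be reported as own here, and that the check deliberately runs before the child-frame lookup below so a frame name cannot take over a name the prototype already defines.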