|
|
Throw an exception when denying access to 'Frame's 'location' setter.
Currently, we write an access-denied message to the console when we deny
a page's attempt to set a frame's location to a 'javascript:' URL. This
patch changes our behavior to throw an exception.
Firefox currently does not throw an exception, but silently denies
access to set the property cross-origin. I don't believe that's behavior
we should seek to replicate.
This patch removes the one-off
'BindingSecurity::allowSettingFrameSrcToJavascriptUrl', moving the guts of
the protocol check into the custom bindings, and delegating the security
aspects to 'allowAccessToFrame'. 'allowAccessToFrame' can now accept an
'ExceptionState' rather than a reporting enum, and that's piped through
to a new 'canAccessDocument' method. This has the happy effect of
beginning to put the pieces in place for future patches which will
migrate other 'allowAccessToFrame' calls to the new, exception-throwing
model.
The patch also adds 'ExceptionState::throwSecurityError', which
accepts two strings: a sanitized string, and an unsanitized optional
string. Those values get piped through V8ThrowException, and are stored
on 'DOMException' which tunnels through V8 and pops out in
'V8Initializer'. There, I set the unsanitized message on the 'ErrorEvent'
object that's handed off to the exception reporting code in
'ScriptExecutionContext'.
This is a re-land of [1]; the only difference is the 'V8DOMWrapper'
check in 'V8Initializer'.
BUG= 17325
TBR=arv@chromium.org, abarth@chromium.org
[1]: https://codereview.chromium.org/22829002
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=156200
|
Unified diffs |
Side-by-side diffs |
Delta from patch set |
Stats (+233 lines, -66 lines) |
Patch |
 |
M |
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-location-htmldom.html
|
View
|
|
1 chunk |
+27 lines, -28 lines |
0 comments
|
Download
|
|
M |
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-location-htmldom-expected.txt
|
View
|
|
1 chunk |
+6 lines, -3 lines |
0 comments
|
Download
|
|
A |
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-location-htmldom-uncaught.html
|
View
|
|
1 chunk |
+39 lines, -0 lines |
0 comments
|
Download
|
|
A |
LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-location-htmldom-uncaught-expected.txt
|
View
|
|
1 chunk |
+13 lines, -0 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/BindingSecurity.h
|
View
|
|
2 chunks |
+2 lines, -2 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/BindingSecurity.cpp
|
View
|
|
3 chunks |
+27 lines, -10 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/ExceptionState.h
|
View
|
|
2 chunks |
+2 lines, -0 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/ExceptionState.cpp
|
View
|
|
2 chunks |
+12 lines, -0 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/ExceptionStatePlaceholder.h
|
View
|
|
2 chunks |
+2 lines, -0 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/ExceptionStatePlaceholder.cpp
|
View
|
|
1 chunk |
+5 lines, -0 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/V8Initializer.cpp
|
View
|
|
2 chunks |
+12 lines, -1 line |
0 comments
|
Download
|
|
M |
Source/bindings/v8/V8ThrowException.h
|
View
|
|
1 chunk |
+10 lines, -2 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/V8ThrowException.cpp
|
View
|
|
2 chunks |
+8 lines, -5 lines |
0 comments
|
Download
|
|
M |
Source/bindings/v8/custom/V8HTMLFrameElementCustom.cpp
|
View
|
|
2 chunks |
+6 lines, -1 line |
0 comments
|
Download
|
|
M |
Source/core/dom/DOMException.h
|
View
|
|
1 chunk |
+10 lines, -4 lines |
0 comments
|
Download
|
|
M |
Source/core/dom/DOMException.cpp
|
View
|
|
2 chunks |
+11 lines, -4 lines |
0 comments
|
Download
|
|
M |
Source/core/dom/ErrorEvent.h
|
View
|
|
1 chunk |
+9 lines, -2 lines |
0 comments
|
Download
|
|
M |
Source/core/dom/ErrorEvent.cpp
|
View
|
|
3 chunks |
+8 lines, -2 lines |
0 comments
|
Download
|
|
M |
Source/core/dom/ScriptExecutionContext.cpp
|
View
|
|
1 chunk |
+2 lines, -2 lines |
0 comments
|
Download
|
|
M |
Source/core/page/DOMWindow.h
|
View
|
|
1 chunk |
+1 line, -0 lines |
0 comments
|
Download
|
|
M |
Source/core/page/DOMWindow.cpp
|
View
|
|
1 chunk |
+21 lines, -0 lines |
0 comments
|
Download
|
Total messages: 4 (0 generated)
|
Chromium Code Reviews
Issue
22985006:
Throw an exception when denying access to 'Frame's 'location' setter. (Closed)
