JSDOMWindowCustom.cpp [plain text]
#include "config.h"
#include "JSDOMWindowCustom.h"
#include "DOMWindowIndexedDatabase.h"
#include "Frame.h"
#include "HTMLCollection.h"
#include "HTMLDocument.h"
#include "HTMLFrameOwnerElement.h"
#include "HTTPParsers.h"
#include "JSDOMBindingSecurity.h"
#include "JSDOMConvertNullable.h"
#include "JSDOMConvertNumbers.h"
#include "JSDOMConvertStrings.h"
#include "JSEvent.h"
#include "JSEventListener.h"
#include "JSHTMLAudioElement.h"
#include "JSHTMLCollection.h"
#include "JSHTMLOptionElement.h"
#include "JSIDBFactory.h"
#include "JSRemoteDOMWindow.h"
#include "JSWindowProxy.h"
#include "JSWorker.h"
#include "Location.h"
#include "RuntimeEnabledFeatures.h"
#include "ScheduledAction.h"
#include "Settings.h"
#include "WebCoreJSClientData.h"
#include <JavaScriptCore/JSCInlines.h>
#include <JavaScriptCore/Lookup.h>
#if ENABLE(USER_MESSAGE_HANDLERS)
#include "JSWebKitNamespace.h"
#endif
namespace WebCore {
using namespace JSC;
static CrossOriginWindowPolicy effectiveCrossOriginWindowPolicyForAccess(ExecState& state, AbstractDOMWindow& target)
{
static_assert(CrossOriginWindowPolicy::Deny < CrossOriginWindowPolicy::AllowPostMessage && CrossOriginWindowPolicy::AllowPostMessage < CrossOriginWindowPolicy::Allow, "More restrictive cross-origin options should have lower values");
return std::min(activeDOMWindow(state).crossOriginWindowPolicy(), target.crossOriginWindowPolicy());
}
EncodedJSValue JSC_HOST_CALL jsDOMWindowInstanceFunctionShowModalDialog(ExecState*);
void JSDOMWindow::visitAdditionalChildren(SlotVisitor& visitor)
{
if (Frame* frame = wrapped().frame())
visitor.addOpaqueRoot(frame);
wrapped().visitJSEventListeners(visitor);
}
#if ENABLE(USER_MESSAGE_HANDLERS)
static EncodedJSValue jsDOMWindowWebKit(ExecState* exec, EncodedJSValue thisValue, PropertyName)
{
VM& vm = exec->vm();
JSDOMWindow* castedThis = toJSDOMWindow(vm, JSValue::decode(thisValue));
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, castedThis->wrapped()))
return JSValue::encode(jsUndefined());
return JSValue::encode(toJS(exec, castedThis->globalObject(), castedThis->wrapped().webkitNamespace()));
}
#endif
template <DOMWindowType windowType>
bool jsDOMWindowGetOwnPropertySlotRestrictedAccess(JSDOMGlobalObject* thisObject, AbstractDOMWindow& window, ExecState& state, PropertyName propertyName, PropertySlot& slot, const String& errorMessage)
{
VM& vm = state.vm();
auto scope = DECLARE_THROW_SCOPE(vm);
auto& builtinNames = static_cast<JSVMClientData*>(vm.clientData)->builtinNames();
if (propertyName == vm.propertyNames->toStringTagSymbol || propertyName == vm.propertyNames->hasInstanceSymbol || propertyName == vm.propertyNames->isConcatSpreadableSymbol) {
slot.setValue(thisObject, JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum, jsUndefined());
return true;
}
switch (effectiveCrossOriginWindowPolicyForAccess(state, window)) {
case CrossOriginWindowPolicy::AllowPostMessage:
if (propertyName == builtinNames.postMessagePublicName()) {
slot.setCustom(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum), windowType == DOMWindowType::Remote ? nonCachingStaticFunctionGetter<jsRemoteDOMWindowInstanceFunctionPostMessage, 0> : nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionPostMessage, 2>);
return true;
}
FALLTHROUGH;
case CrossOriginWindowPolicy::Deny:
throwSecurityError(state, scope, errorMessage);
slot.setUndefined();
return false;
case CrossOriginWindowPolicy::Allow:
break;
}
if (propertyName == builtinNames.blurPublicName()) {
slot.setCustom(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum), windowType == DOMWindowType::Remote ? nonCachingStaticFunctionGetter<jsRemoteDOMWindowInstanceFunctionBlur, 0> : nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionBlur, 0>);
return true;
}
if (propertyName == builtinNames.closePublicName()) {
slot.setCustom(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum), windowType == DOMWindowType::Remote ? nonCachingStaticFunctionGetter<jsRemoteDOMWindowInstanceFunctionClose, 0> : nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionClose, 0>);
return true;
}
if (propertyName == builtinNames.focusPublicName()) {
slot.setCustom(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum), windowType == DOMWindowType::Remote ? nonCachingStaticFunctionGetter<jsRemoteDOMWindowInstanceFunctionFocus, 0> : nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionFocus, 0>);
return true;
}
if (propertyName == builtinNames.postMessagePublicName()) {
slot.setCustom(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontEnum), windowType == DOMWindowType::Remote ? nonCachingStaticFunctionGetter<jsRemoteDOMWindowInstanceFunctionPostMessage, 0> : nonCachingStaticFunctionGetter<jsDOMWindowInstanceFunctionPostMessage, 2>);
return true;
}
auto* classInfo = windowType == DOMWindowType::Remote ? JSRemoteDOMWindow::info() : JSDOMWindow::info();
if (auto* entry = classInfo->staticPropHashTable->entry(propertyName)) {
if (propertyName == builtinNames.locationPublicName()
|| propertyName == builtinNames.closedPublicName()
|| propertyName == vm.propertyNames->length
|| propertyName == builtinNames.selfPublicName()
|| propertyName == builtinNames.windowPublicName()
|| propertyName == builtinNames.framesPublicName()
|| propertyName == builtinNames.openerPublicName()
|| propertyName == builtinNames.parentPublicName()
|| propertyName == builtinNames.topPublicName()) {
bool shouldExposeSetter = propertyName == builtinNames.locationPublicName();
CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, entry->propertyGetter(), shouldExposeSetter ? entry->propertyPutter() : nullptr);
slot.setCustomGetterSetter(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::CustomAccessor | JSC::PropertyAttribute::DontEnum), customGetterSetter);
return true;
}
throwSecurityError(state, scope, errorMessage);
slot.setUndefined();
return false;
}
auto* frame = window.frame();
if (frame && is<Frame>(*frame)) {
if (auto* scopedChild = downcast<Frame>(*frame).tree().scopedChild(propertyNameToAtomicString(propertyName))) {
slot.setValue(thisObject, JSC::PropertyAttribute::ReadOnly | JSC::PropertyAttribute::DontDelete | JSC::PropertyAttribute::DontEnum, toJS(&state, scopedChild->document()->domWindow()));
return true;
}
}
throwSecurityError(state, scope, errorMessage);
slot.setUndefined();
return false;
}
template bool jsDOMWindowGetOwnPropertySlotRestrictedAccess<DOMWindowType::Local>(JSDOMGlobalObject*, AbstractDOMWindow&, ExecState&, PropertyName, PropertySlot&, const String&);
template bool jsDOMWindowGetOwnPropertySlotRestrictedAccess<DOMWindowType::Remote>(JSDOMGlobalObject*, AbstractDOMWindow&, ExecState&, PropertyName, PropertySlot&, const String&);
bool JSDOMWindow::getOwnPropertySlot(JSObject* object, ExecState* state, PropertyName propertyName, PropertySlot& slot)
{
if (std::optional<unsigned> index = parseIndex(propertyName))
return getOwnPropertySlotByIndex(object, state, index.value(), slot);
auto* thisObject = jsCast<JSDOMWindow*>(object);
String errorMessage;
if (!BindingSecurity::shouldAllowAccessToDOMWindow(*state, thisObject->wrapped(), errorMessage))
return jsDOMWindowGetOwnPropertySlotRestrictedAccess<DOMWindowType::Local>(thisObject, thisObject->wrapped(), *state, propertyName, slot, errorMessage);
slot.setWatchpointSet(thisObject->m_windowCloseWatchpoints);
PropertySlot slotCopy = slot;
if (Base::getOwnPropertySlot(thisObject, state, propertyName, slot)) {
auto* frame = thisObject->wrapped().frame();
bool isShowModalDialogAndShouldHide = propertyName == static_cast<JSVMClientData*>(state->vm().clientData)->builtinNames().showModalDialogPublicName()
&& (!frame || !DOMWindow::canShowModalDialog(*frame))
&& slot.isValue() && isHostFunction(slot.getValue(state, propertyName), jsDOMWindowInstanceFunctionShowModalDialog);
if (!isShowModalDialogAndShouldHide)
return true;
slot = slotCopy;
}
#if ENABLE(USER_MESSAGE_HANDLERS)
if (propertyName == static_cast<JSVMClientData*>(state->vm().clientData)->builtinNames().webkitPublicName() && thisObject->wrapped().shouldHaveWebKitNamespaceForWorld(thisObject->world())) {
slot.setCacheableCustom(thisObject, JSC::PropertyAttribute::DontDelete | JSC::PropertyAttribute::ReadOnly, jsDOMWindowWebKit);
return true;
}
#endif
return false;
}
bool JSDOMWindow::getOwnPropertySlotByIndex(JSObject* object, ExecState* state, unsigned index, PropertySlot& slot)
{
auto* thisObject = jsCast<JSDOMWindow*>(object);
auto& window = thisObject->wrapped();
auto* frame = window.frame();
slot.disableCaching();
String errorMessage;
std::optional<bool> cachedIsCrossOriginAccess;
auto isCrossOriginAccess = [&] {
if (!cachedIsCrossOriginAccess)
cachedIsCrossOriginAccess = !BindingSecurity::shouldAllowAccessToDOMWindow(*state, window, errorMessage);
return *cachedIsCrossOriginAccess;
};
switch (effectiveCrossOriginWindowPolicyForAccess(*state, window)) {
case CrossOriginWindowPolicy::Deny:
case CrossOriginWindowPolicy::AllowPostMessage:
if (isCrossOriginAccess())
break;
FALLTHROUGH;
case CrossOriginWindowPolicy::Allow:
if (frame && index < frame->tree().scopedChildCount()) {
slot.setValue(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::ReadOnly), toJS(state, frame->tree().scopedChild(index)->document()->domWindow()));
return true;
}
break;
}
if (isCrossOriginAccess())
return jsDOMWindowGetOwnPropertySlotRestrictedAccess<DOMWindowType::Local>(thisObject, window, *state, Identifier::from(state, index), slot, errorMessage);
return Base::getOwnPropertySlotByIndex(thisObject, state, index, slot);
}
bool JSDOMWindow::put(JSCell* cell, ExecState* state, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
{
VM& vm = state->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
auto* thisObject = jsCast<JSDOMWindow*>(cell);
if (!thisObject->wrapped().frame())
return false;
String errorMessage;
if (!BindingSecurity::shouldAllowAccessToDOMWindow(*state, thisObject->wrapped(), errorMessage)) {
if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName()) {
bool putResult = false;
if (lookupPut(state, propertyName, thisObject, value, *s_info.staticPropHashTable, slot, putResult))
return putResult;
return false;
}
throwSecurityError(*state, scope, errorMessage);
return false;
}
return Base::put(thisObject, state, propertyName, value, slot);
}
bool JSDOMWindow::putByIndex(JSCell* cell, ExecState* exec, unsigned index, JSValue value, bool shouldThrow)
{
auto* thisObject = jsCast<JSDOMWindow*>(cell);
if (!thisObject->wrapped().frame() || !BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
return false;
return Base::putByIndex(thisObject, exec, index, value, shouldThrow);
}
bool JSDOMWindow::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), ThrowSecurityError))
return false;
return Base::deleteProperty(thisObject, exec, propertyName);
}
bool JSDOMWindow::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), ThrowSecurityError))
return false;
return Base::deletePropertyByIndex(thisObject, exec, propertyName);
}
static void addCrossOriginWindowPropertyNames(ExecState& state, AbstractDOMWindow& window, PropertyNameArray& propertyNames)
{
auto& vm = state.vm();
static const Identifier* const properties[] = {
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().blurPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().closePublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().closedPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().focusPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().framesPublicName(),
&vm.propertyNames->length,
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().openerPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().parentPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().postMessagePublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().selfPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().topPublicName(),
&static_cast<JSVMClientData*>(vm.clientData)->builtinNames().windowPublicName()
};
switch (effectiveCrossOriginWindowPolicyForAccess(state, window)) {
case CrossOriginWindowPolicy::Allow:
for (auto* property : properties)
propertyNames.add(*property);
break;
case CrossOriginWindowPolicy::AllowPostMessage:
propertyNames.add(static_cast<JSVMClientData*>(vm.clientData)->builtinNames().postMessagePublicName());
break;
case CrossOriginWindowPolicy::Deny:
break;
}
}
static void addScopedChildrenIndexes(ExecState& state, DOMWindow& window, PropertyNameArray& propertyNames)
{
auto* document = window.document();
if (!document)
return;
auto* frame = document->frame();
if (!frame)
return;
switch (effectiveCrossOriginWindowPolicyForAccess(state, window)) {
case CrossOriginWindowPolicy::Allow:
break;
case CrossOriginWindowPolicy::Deny:
case CrossOriginWindowPolicy::AllowPostMessage:
return;
}
unsigned scopedChildCount = frame->tree().scopedChildCount();
for (unsigned i = 0; i < scopedChildCount; ++i)
propertyNames.add(Identifier::from(&state, i));
}
void addCrossOriginWindowOwnPropertyNames(ExecState& state, AbstractDOMWindow& window, PropertyNameArray& propertyNames)
{
addCrossOriginWindowPropertyNames(state, window, propertyNames);
auto& vm = state.vm();
propertyNames.add(vm.propertyNames->toStringTagSymbol);
propertyNames.add(vm.propertyNames->hasInstanceSymbol);
propertyNames.add(vm.propertyNames->isConcatSpreadableSymbol);
}
void JSDOMWindow::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
addScopedChildrenIndexes(*exec, thisObject->wrapped(), propertyNames);
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError)) {
if (mode.includeDontEnumProperties())
addCrossOriginWindowOwnPropertyNames(*exec, thisObject->wrapped(), propertyNames);
return;
}
Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
}
bool JSDOMWindow::defineOwnProperty(JSC::JSObject* object, JSC::ExecState* exec, JSC::PropertyName propertyName, const JSC::PropertyDescriptor& descriptor, bool shouldThrow)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), ThrowSecurityError))
return false;
if (descriptor.isAccessorDescriptor() && propertyName == Identifier::fromString(exec, "location"))
return false;
return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
}
JSValue JSDOMWindow::getPrototype(JSObject* object, ExecState* exec)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError))
return jsNull();
return Base::getPrototype(object, exec);
}
bool JSDOMWindow::preventExtensions(JSObject*, ExecState* exec)
{
auto scope = DECLARE_THROW_SCOPE(exec->vm());
throwTypeError(exec, scope, "Cannot prevent extensions on this object"_s);
return false;
}
String JSDOMWindow::toStringName(const JSObject* object, ExecState* exec)
{
auto* thisObject = jsCast<const JSDOMWindow*>(object);
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError))
return "Object"_s;
return "Window"_s;
}
JSValue JSDOMWindow::event(ExecState& state) const
{
Event* event = currentEvent();
if (!event)
return jsUndefined();
return toJS(&state, const_cast<JSDOMWindow*>(this), event);
}
class DialogHandler {
public:
explicit DialogHandler(ExecState& exec)
: m_exec(exec)
{
}
void dialogCreated(DOMWindow&);
JSValue returnValue() const;
private:
ExecState& m_exec;
RefPtr<Frame> m_frame;
};
inline void DialogHandler::dialogCreated(DOMWindow& dialog)
{
m_frame = dialog.frame();
JSDOMWindow* globalObject = toJSDOMWindow(m_frame.get(), normalWorld(m_exec.vm()));
if (JSValue dialogArguments = m_exec.argument(1))
globalObject->putDirect(m_exec.vm(), Identifier::fromString(&m_exec, "dialogArguments"), dialogArguments);
}
inline JSValue DialogHandler::returnValue() const
{
JSDOMWindow* globalObject = toJSDOMWindow(m_frame.get(), normalWorld(m_exec.vm()));
if (!globalObject)
return jsUndefined();
Identifier identifier = Identifier::fromString(&m_exec, "returnValue");
PropertySlot slot(globalObject, PropertySlot::InternalMethodType::Get);
if (!JSGlobalObject::getOwnPropertySlot(globalObject, &m_exec, identifier, slot))
return jsUndefined();
return slot.getValue(&m_exec, identifier);
}
JSValue JSDOMWindow::showModalDialog(ExecState& state)
{
VM& vm = state.vm();
auto scope = DECLARE_THROW_SCOPE(vm);
if (UNLIKELY(state.argumentCount() < 1))
return throwException(&state, scope, createNotEnoughArgumentsError(&state));
String urlString = convert<IDLNullable<IDLDOMString>>(state, state.argument(0));
RETURN_IF_EXCEPTION(scope, JSValue());
String dialogFeaturesString = convert<IDLNullable<IDLDOMString>>(state, state.argument(2));
RETURN_IF_EXCEPTION(scope, JSValue());
DialogHandler handler(state);
wrapped().showModalDialog(urlString, dialogFeaturesString, activeDOMWindow(state), firstDOMWindow(state), [&handler](DOMWindow& dialog) {
handler.dialogCreated(dialog);
});
return handler.returnValue();
}
DOMWindow* JSDOMWindow::toWrapped(VM& vm, JSValue value)
{
if (!value.isObject())
return nullptr;
JSObject* object = asObject(value);
if (object->inherits<JSDOMWindow>(vm))
return &jsCast<JSDOMWindow*>(object)->wrapped();
if (object->inherits<JSWindowProxy>(vm)) {
if (auto* jsDOMWindow = jsDynamicCast<JSDOMWindow*>(vm, jsCast<JSWindowProxy*>(object)->window()))
return &jsDOMWindow->wrapped();
}
return nullptr;
}
void JSDOMWindow::setOpener(JSC::ExecState& state, JSC::JSValue value)
{
if (!BindingSecurity::shouldAllowAccessToDOMWindow(&state, wrapped(), ThrowSecurityError))
return;
if (value.isNull()) {
wrapped().disownOpener();
return;
}
replaceStaticPropertySlot(state.vm(), this, Identifier::fromString(&state.vm(), "opener"), value);
}
}