angler-fishThe Vulnerability History Project

Make error messages for cross-domain access OOPIF-friendly.

      * Make crossDomainAccessErrorMessage and
  sanitizedCrossDomainAccessErrorMessage non-virtual members of
  DOMWindow, and tweak the logic to also work on RemoteDOMWindows
  using replicated origins.

* Change BindingSecurity::shouldAllowAccessToFrame to actually throw
  exceptions when encountering a RemoteFrame.  Previously, we returned
  false without throwing exceptions, which was breaking expectations
  for layout tests when running with --site-per-process.

BUG=478254,477150

TEST=Run
http/tests/security/cross-frame-access-set-window-properties.html with
--site-per-process, and ensure the calls that are supposed to throw
exceptions actually do so.

Review URL: https://codereview.chromium.org/1085973003

git-svn-id: svn://svn.chromium.org/blink/trunk@194331 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Clara the Markhor 2015-04-23 23:29:43 UTC
commit edd4854bfd651e73ebf774c022da6473430e5888
Chromium
third_party/WebKit/Source/bindings/core/v8/BindingSecurity.cpp
+25 -15
third_party/WebKit/Source/core/frame/DOMWindow.cpp
+1 -75
third_party/WebKit/Source/core/frame/DOMWindow.h
+5 -3
third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
+78
third_party/WebKit/Source/core/frame/LocalDOMWindow.h
+4
third_party/WebKit/Source/core/frame/LocalFrame.cpp
+5 -4
third_party/WebKit/Source/core/frame/RemoteDOMWindow.cpp
+10
third_party/WebKit/Source/core/frame/RemoteDOMWindow.h
+2
expand_less