1 /*
2 * Copyright (C) 2008, 2009 Google Inc. All rights reserved.
3 * Copyright (C) 2009 Apple Inc. All rights reserved.
4 * Copyright (C) 2014 Opera Software ASA. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are
8 * met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * * Redistributions in binary form must reproduce the above
13 * copyright notice, this list of conditions and the following disclaimer
14 * in the documentation and/or other materials provided with the
15 * distribution.
16 * * Neither the name of Google Inc. nor the names of its
17 * contributors may be used to endorse or promote products derived from
18 * this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "config.h"
34 #include "bindings/core/v8/ScriptController.h"
35
36 #include "bindings/core/v8/BindingSecurity.h"
37 #include "bindings/core/v8/NPV8Object.h"
38 #include "bindings/core/v8/ScriptCallStackFactory.h"
39 #include "bindings/core/v8/ScriptSourceCode.h"
40 #include "bindings/core/v8/ScriptValue.h"
41 #include "bindings/core/v8/V8Binding.h"
42 #include "bindings/core/v8/V8Event.h"
43 #include "bindings/core/v8/V8GCController.h"
44 #include "bindings/core/v8/V8HTMLElement.h"
45 #include "bindings/core/v8/V8NPObject.h"
46 #include "bindings/core/v8/V8PerContextData.h"
47 #include "bindings/core/v8/V8ScriptRunner.h"
48 #include "bindings/core/v8/V8Window.h"
49 #include "bindings/core/v8/WindowProxy.h"
50 #include "bindings/core/v8/npruntime_impl.h"
51 #include "bindings/core/v8/npruntime_priv.h"
52 #include "core/dom/Document.h"
53 #include "core/dom/Node.h"
54 #include "core/dom/ScriptableDocumentParser.h"
55 #include "core/events/Event.h"
56 #include "core/events/EventListener.h"
57 #include "core/frame/LocalDOMWindow.h"
58 #include "core/frame/LocalFrame.h"
59 #include "core/frame/Settings.h"
60 #include "core/frame/UseCounter.h"
61 #include "core/frame/csp/ContentSecurityPolicy.h"
62 #include "core/html/HTMLPlugInElement.h"
63 #include "core/inspector/InspectorInstrumentation.h"
64 #include "core/inspector/InspectorTraceEvents.h"
65 #include "core/inspector/ScriptCallStack.h"
66 #include "core/loader/DocumentLoader.h"
67 #include "core/loader/FrameLoader.h"
68 #include "core/loader/FrameLoaderClient.h"
69 #include "core/plugins/PluginView.h"
70 #include "platform/NotImplemented.h"
71 #include "platform/TraceEvent.h"
72 #include "platform/UserGestureIndicator.h"
73 #include "platform/Widget.h"
74 #include "platform/weborigin/SecurityOrigin.h"
75 #include "public/platform/Platform.h"
76 #include "wtf/CurrentTime.h"
77 #include "wtf/StdLibExtras.h"
78 #include "wtf/StringExtras.h"
79 #include "wtf/text/CString.h"
80 #include "wtf/text/StringBuilder.h"
81 #include "wtf/text/TextPosition.h"
82
83 namespace blink {
84
canAccessFromCurrentOrigin(LocalFrame * frame)85 bool ScriptController::canAccessFromCurrentOrigin(LocalFrame *frame)
86 {
87 if (!frame)
88 return false;
89 v8::Isolate* isolate = toIsolate(frame);
90 return !isolate->InContext() || BindingSecurity::shouldAllowAccessToFrame(isolate, frame);
91 }
92
ScriptController(LocalFrame * frame)93 ScriptController::ScriptController(LocalFrame* frame)
94 : m_frame(frame)
95 , m_sourceURL(0)
96 , m_isolate(v8::Isolate::GetCurrent())
97 , m_windowProxy(WindowProxy::create(frame, DOMWrapperWorld::mainWorld(), m_isolate))
98 , m_windowScriptNPObject(0)
99 {
100 }
101
~ScriptController()102 ScriptController::~ScriptController()
103 {
104 // WindowProxy::clearForClose() must be invoked before destruction starts.
105 ASSERT(!m_windowProxy->isContextInitialized());
106 }
107
clearScriptObjects()108 void ScriptController::clearScriptObjects()
109 {
110 PluginObjectMap::iterator it = m_pluginObjects.begin();
111 for (; it != m_pluginObjects.end(); ++it) {
112 _NPN_UnregisterObject(it->value);
113 _NPN_ReleaseObject(it->value);
114 }
115 m_pluginObjects.clear();
116
117 if (m_windowScriptNPObject) {
118 // Dispose of the underlying V8 object before releasing our reference
119 // to it, so that if a plugin fails to release it properly we will
120 // only leak the NPObject wrapper, not the object, its document, or
121 // anything else they reference.
122 disposeUnderlyingV8Object(m_windowScriptNPObject, m_isolate);
123 _NPN_ReleaseObject(m_windowScriptNPObject);
124 m_windowScriptNPObject = 0;
125 }
126 }
127
clearForClose()128 void ScriptController::clearForClose()
129 {
130 double start = currentTime();
131 m_windowProxy->clearForClose();
132 for (IsolatedWorldMap::iterator iter = m_isolatedWorlds.begin(); iter != m_isolatedWorlds.end(); ++iter)
133 iter->value->clearForClose();
134 blink::Platform::current()->histogramCustomCounts("WebCore.ScriptController.clearForClose", (currentTime() - start) * 1000, 0, 10000, 50);
135 }
136
updateSecurityOrigin(SecurityOrigin * origin)137 void ScriptController::updateSecurityOrigin(SecurityOrigin* origin)
138 {
139 m_windowProxy->updateSecurityOrigin(origin);
140 }
141
callFunction(v8::Handle<v8::Function> function,v8::Handle<v8::Value> receiver,int argc,v8::Handle<v8::Value> info[])142 v8::Local<v8::Value> ScriptController::callFunction(v8::Handle<v8::Function> function, v8::Handle<v8::Value> receiver, int argc, v8::Handle<v8::Value> info[])
143 {
144 // Keep LocalFrame (and therefore ScriptController) alive.
145 RefPtrWillBeRawPtr<LocalFrame> protect(m_frame);
146 return ScriptController::callFunction(m_frame->document(), function, receiver, argc, info, m_isolate);
147 }
148
callFunction(ExecutionContext * context,v8::Handle<v8::Function> function,v8::Handle<v8::Value> receiver,int argc,v8::Handle<v8::Value> info[],v8::Isolate * isolate)149 v8::Local<v8::Value> ScriptController::callFunction(ExecutionContext* context, v8::Handle<v8::Function> function, v8::Handle<v8::Value> receiver, int argc, v8::Handle<v8::Value> info[], v8::Isolate* isolate)
150 {
151 TRACE_EVENT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "FunctionCall", "data", devToolsTraceEventData(context, function, isolate));
152 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline.stack"), "CallStack", "stack", InspectorCallStackEvent::currentCallStack());
153 // FIXME(361045): remove InspectorInstrumentation calls once DevTools Timeline migrates to tracing.
154 InspectorInstrumentationCookie cookie;
155 if (InspectorInstrumentation::timelineAgentEnabled(context)) {
156 int scriptId = 0;
157 String resourceName;
158 int lineNumber = 1;
159 GetDevToolsFunctionInfo(function, isolate, scriptId, resourceName, lineNumber);
160 cookie = InspectorInstrumentation::willCallFunction(context, scriptId, resourceName, lineNumber);
161 }
162
163 v8::Local<v8::Value> result = V8ScriptRunner::callFunction(function, context, receiver, argc, info, isolate);
164
165 InspectorInstrumentation::didCallFunction(cookie);
166 return result;
167 }
168
executeScriptAndReturnValue(v8::Handle<v8::Context> context,const ScriptSourceCode & source,AccessControlStatus corsStatus,double * compilationFinishTime)169 v8::Local<v8::Value> ScriptController::executeScriptAndReturnValue(v8::Handle<v8::Context> context, const ScriptSourceCode& source, AccessControlStatus corsStatus, double* compilationFinishTime)
170 {
171 TRACE_EVENT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "EvaluateScript", "data", InspectorEvaluateScriptEvent::data(m_frame, source.url().string(), source.startLine()));
172 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline.stack"), "CallStack", "stack", InspectorCallStackEvent::currentCallStack());
173 // FIXME(361045): remove InspectorInstrumentation calls once DevTools Timeline migrates to tracing.
174 InspectorInstrumentationCookie cookie = InspectorInstrumentation::willEvaluateScript(m_frame, source.url().string(), source.startLine());
175
176 v8::Local<v8::Value> result;
177 {
178 V8CacheOptions v8CacheOptions(V8CacheOptionsOff);
179 if (m_frame->settings())
180 v8CacheOptions = m_frame->settings()->v8CacheOptions();
181
182 // Isolate exceptions that occur when compiling and executing
183 // the code. These exceptions should not interfere with
184 // javascript code we might evaluate from C++ when returning
185 // from here.
186 v8::TryCatch tryCatch;
187 tryCatch.SetVerbose(true);
188
189 v8::Handle<v8::Script> script = V8ScriptRunner::compileScript(source, m_isolate, corsStatus, v8CacheOptions);
190
191 if (compilationFinishTime) {
192 *compilationFinishTime = WTF::monotonicallyIncreasingTime();
193 }
194 // Keep LocalFrame (and therefore ScriptController) alive.
195 RefPtrWillBeRawPtr<LocalFrame> protect(m_frame);
196 result = V8ScriptRunner::runCompiledScript(script, m_frame->document(), m_isolate);
197 ASSERT(!tryCatch.HasCaught() || result.IsEmpty());
198 }
199
200 InspectorInstrumentation::didEvaluateScript(cookie);
201 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "UpdateCounters", "data", InspectorUpdateCountersEvent::data());
202
203 return result;
204 }
205
initializeMainWorld()206 bool ScriptController::initializeMainWorld()
207 {
208 if (m_windowProxy->isContextInitialized())
209 return false;
210 return windowProxy(DOMWrapperWorld::mainWorld())->isContextInitialized();
211 }
212
existingWindowProxy(DOMWrapperWorld & world)213 WindowProxy* ScriptController::existingWindowProxy(DOMWrapperWorld& world)
214 {
215 if (world.isMainWorld())
216 return m_windowProxy->isContextInitialized() ? m_windowProxy.get() : 0;
217
218 IsolatedWorldMap::iterator iter = m_isolatedWorlds.find(world.worldId());
219 if (iter == m_isolatedWorlds.end())
220 return 0;
221 return iter->value->isContextInitialized() ? iter->value.get() : 0;
222 }
223
windowProxy(DOMWrapperWorld & world)224 WindowProxy* ScriptController::windowProxy(DOMWrapperWorld& world)
225 {
226 WindowProxy* windowProxy = 0;
227 if (world.isMainWorld()) {
228 windowProxy = m_windowProxy.get();
229 } else {
230 IsolatedWorldMap::iterator iter = m_isolatedWorlds.find(world.worldId());
231 if (iter != m_isolatedWorlds.end()) {
232 windowProxy = iter->value.get();
233 } else {
234 OwnPtr<WindowProxy> isolatedWorldWindowProxy = WindowProxy::create(m_frame, world, m_isolate);
235 windowProxy = isolatedWorldWindowProxy.get();
236 m_isolatedWorlds.set(world.worldId(), isolatedWorldWindowProxy.release());
237 }
238 }
239 if (!windowProxy->isContextInitialized() && windowProxy->initializeIfNeeded() && world.isMainWorld())
240 m_frame->loader().dispatchDidClearWindowObjectInMainWorld();
241 return windowProxy;
242 }
243
shouldBypassMainWorldCSP()244 bool ScriptController::shouldBypassMainWorldCSP()
245 {
246 v8::HandleScope handleScope(m_isolate);
247 v8::Handle<v8::Context> context = m_isolate->GetCurrentContext();
248 if (context.IsEmpty() || !toDOMWindow(context))
249 return false;
250 DOMWrapperWorld& world = DOMWrapperWorld::current(m_isolate);
251 return world.isIsolatedWorld() ? world.isolatedWorldHasContentSecurityPolicy() : false;
252 }
253
eventHandlerPosition() const254 TextPosition ScriptController::eventHandlerPosition() const
255 {
256 ScriptableDocumentParser* parser = m_frame->document()->scriptableDocumentParser();
257 if (parser)
258 return parser->textPosition();
259 return TextPosition::minimumPosition();
260 }
261
262 // Create a V8 object with an interceptor of NPObjectPropertyGetter.
bindToWindowObject(LocalFrame * frame,const String & key,NPObject * object)263 void ScriptController::bindToWindowObject(LocalFrame* frame, const String& key, NPObject* object)
264 {
265 ScriptState* scriptState = ScriptState::forMainWorld(frame);
266 if (scriptState->contextIsValid())
267 return;
268
269 ScriptState::Scope scope(scriptState);
270 v8::Handle<v8::Object> value = createV8ObjectForNPObject(object, 0, m_isolate);
271
272 // Attach to the global object.
273 scriptState->context()->Global()->Set(v8String(m_isolate, key), value);
274 }
275
enableEval()276 void ScriptController::enableEval()
277 {
278 if (!m_windowProxy->isContextInitialized())
279 return;
280 v8::HandleScope handleScope(m_isolate);
281 m_windowProxy->context()->AllowCodeGenerationFromStrings(true);
282 }
283
disableEval(const String & errorMessage)284 void ScriptController::disableEval(const String& errorMessage)
285 {
286 if (!m_windowProxy->isContextInitialized())
287 return;
288 v8::HandleScope handleScope(m_isolate);
289 v8::Local<v8::Context> v8Context = m_windowProxy->context();
290 v8Context->AllowCodeGenerationFromStrings(false);
291 v8Context->SetErrorMessageForCodeGenerationFromStrings(v8String(m_isolate, errorMessage));
292 }
293
createPluginWrapper(Widget * widget)294 PassRefPtr<SharedPersistent<v8::Object> > ScriptController::createPluginWrapper(Widget* widget)
295 {
296 ASSERT(widget);
297
298 if (!widget->isPluginView())
299 return nullptr;
300
301 v8::HandleScope handleScope(m_isolate);
302 v8::Local<v8::Object> scriptableObject = toPluginView(widget)->scriptableObject(m_isolate);
303
304 if (scriptableObject.IsEmpty())
305 return nullptr;
306
307 // LocalFrame Memory Management for NPObjects
308 // -------------------------------------
309 // NPObjects are treated differently than other objects wrapped by JS.
310 // NPObjects can be created either by the browser (e.g. the main
311 // window object) or by the plugin (the main plugin object
312 // for a HTMLEmbedElement). Further, unlike most DOM Objects, the frame
313 // is especially careful to ensure NPObjects terminate at frame teardown because
314 // if a plugin leaks a reference, it could leak its objects (or the browser's objects).
315 //
316 // The LocalFrame maintains a list of plugin objects (m_pluginObjects)
317 // which it can use to quickly find the wrapped embed object.
318 //
319 // Inside the NPRuntime, we've added a few methods for registering
320 // wrapped NPObjects. The purpose of the registration is because
321 // javascript garbage collection is non-deterministic, yet we need to
322 // be able to tear down the plugin objects immediately. When an object
323 // is registered, javascript can use it. When the object is destroyed,
324 // or when the object's "owning" object is destroyed, the object will
325 // be un-registered, and the javascript engine must not use it.
326 //
327 // Inside the javascript engine, the engine can keep a reference to the
328 // NPObject as part of its wrapper. However, before accessing the object
329 // it must consult the _NPN_Registry.
330
331 if (isWrappedNPObject(scriptableObject)) {
332 // Track the plugin object. We've been given a reference to the object.
333 m_pluginObjects.set(widget, v8ObjectToNPObject(scriptableObject));
334 }
335
336 return SharedPersistent<v8::Object>::create(scriptableObject, m_isolate);
337 }
338
cleanupScriptObjectsForPlugin(Widget * nativeHandle)339 void ScriptController::cleanupScriptObjectsForPlugin(Widget* nativeHandle)
340 {
341 PluginObjectMap::iterator it = m_pluginObjects.find(nativeHandle);
342 if (it == m_pluginObjects.end())
343 return;
344 _NPN_UnregisterObject(it->value);
345 _NPN_ReleaseObject(it->value);
346 m_pluginObjects.remove(it);
347 }
348
registeredExtensions()349 V8Extensions& ScriptController::registeredExtensions()
350 {
351 DEFINE_STATIC_LOCAL(V8Extensions, extensions, ());
352 return extensions;
353 }
354
registerExtensionIfNeeded(v8::Extension * extension)355 void ScriptController::registerExtensionIfNeeded(v8::Extension* extension)
356 {
357 const V8Extensions& extensions = registeredExtensions();
358 for (size_t i = 0; i < extensions.size(); ++i) {
359 if (extensions[i] == extension)
360 return;
361 }
362 v8::RegisterExtension(extension);
363 registeredExtensions().append(extension);
364 }
365
createNoScriptObject()366 static NPObject* createNoScriptObject()
367 {
368 notImplemented();
369 return 0;
370 }
371
createScriptObject(LocalFrame * frame,v8::Isolate * isolate)372 static NPObject* createScriptObject(LocalFrame* frame, v8::Isolate* isolate)
373 {
374 ScriptState* scriptState = ScriptState::forMainWorld(frame);
375 if (scriptState->contextIsValid())
376 return createNoScriptObject();
377
378 ScriptState::Scope scope(scriptState);
379 LocalDOMWindow* window = frame->domWindow();
380 v8::Handle<v8::Value> global = toV8(window, scriptState->context()->Global(), scriptState->isolate());
381 ASSERT(global->IsObject());
382 return npCreateV8ScriptObject(0, v8::Handle<v8::Object>::Cast(global), window, isolate);
383 }
384
windowScriptNPObject()385 NPObject* ScriptController::windowScriptNPObject()
386 {
387 if (m_windowScriptNPObject)
388 return m_windowScriptNPObject;
389
390 if (canExecuteScripts(NotAboutToExecuteScript)) {
391 // JavaScript is enabled, so there is a JavaScript window object.
392 // Return an NPObject bound to the window object.
393 m_windowScriptNPObject = createScriptObject(m_frame, m_isolate);
394 _NPN_RegisterObject(m_windowScriptNPObject, 0);
395 } else {
396 // JavaScript is not enabled, so we cannot bind the NPObject to the
397 // JavaScript window object. Instead, we create an NPObject of a
398 // different class, one which is not bound to a JavaScript object.
399 m_windowScriptNPObject = createNoScriptObject();
400 }
401 return m_windowScriptNPObject;
402 }
403
createScriptObjectForPluginElement(HTMLPlugInElement * plugin)404 NPObject* ScriptController::createScriptObjectForPluginElement(HTMLPlugInElement* plugin)
405 {
406 // Can't create NPObjects when JavaScript is disabled.
407 if (!canExecuteScripts(NotAboutToExecuteScript))
408 return createNoScriptObject();
409
410 ScriptState* scriptState = ScriptState::forMainWorld(m_frame);
411 if (scriptState->contextIsValid())
412 return createNoScriptObject();
413
414 ScriptState::Scope scope(scriptState);
415 LocalDOMWindow* window = m_frame->domWindow();
416 v8::Handle<v8::Value> v8plugin = toV8(plugin, scriptState->context()->Global(), scriptState->isolate());
417 if (!v8plugin->IsObject())
418 return createNoScriptObject();
419
420 return npCreateV8ScriptObject(0, v8::Handle<v8::Object>::Cast(v8plugin), window, scriptState->isolate());
421 }
422
clearWindowProxy()423 void ScriptController::clearWindowProxy()
424 {
425 double start = currentTime();
426 // V8 binding expects ScriptController::clearWindowProxy only be called
427 // when a frame is loading a new page. This creates a new context for the new page.
428
429 // The V8 context must be available for |clearScriptObjects()|.
430 // The below call must be before |clearForNavigation()| which disposes the V8 context.
431 clearScriptObjects();
432 m_windowProxy->clearForNavigation();
433 for (IsolatedWorldMap::iterator iter = m_isolatedWorlds.begin(); iter != m_isolatedWorlds.end(); ++iter)
434 iter->value->clearForNavigation();
435 blink::Platform::current()->histogramCustomCounts("WebCore.ScriptController.clearWindowProxy", (currentTime() - start) * 1000, 0, 10000, 50);
436 }
437
setCaptureCallStackForUncaughtExceptions(bool value)438 void ScriptController::setCaptureCallStackForUncaughtExceptions(bool value)
439 {
440 v8::V8::SetCaptureStackTraceForUncaughtExceptions(value, ScriptCallStack::maxCallStackSizeToCapture, stackTraceOptions);
441 }
442
collectIsolatedContexts(Vector<std::pair<ScriptState *,SecurityOrigin * >> & result)443 void ScriptController::collectIsolatedContexts(Vector<std::pair<ScriptState*, SecurityOrigin*> >& result)
444 {
445 for (IsolatedWorldMap::iterator it = m_isolatedWorlds.begin(); it != m_isolatedWorlds.end(); ++it) {
446 WindowProxy* isolatedWorldWindowProxy = it->value.get();
447 SecurityOrigin* origin = isolatedWorldWindowProxy->world().isolatedWorldSecurityOrigin();
448 if (!origin)
449 continue;
450 if (!isolatedWorldWindowProxy->isContextInitialized())
451 continue;
452 result.append(std::pair<ScriptState*, SecurityOrigin*>(isolatedWorldWindowProxy->scriptState(), origin));
453 }
454 }
455
setWorldDebugId(int worldId,int debuggerId)456 void ScriptController::setWorldDebugId(int worldId, int debuggerId)
457 {
458 ASSERT(debuggerId > 0);
459 bool isMainWorld = worldId == MainWorldId;
460 WindowProxy* windowProxy = 0;
461 if (isMainWorld) {
462 windowProxy = m_windowProxy.get();
463 } else {
464 IsolatedWorldMap::iterator iter = m_isolatedWorlds.find(worldId);
465 if (iter != m_isolatedWorlds.end())
466 windowProxy = iter->value.get();
467 }
468 if (!windowProxy || !windowProxy->isContextInitialized())
469 return;
470 v8::HandleScope scope(m_isolate);
471 v8::Local<v8::Context> context = windowProxy->context();
472 const char* worldName = isMainWorld ? "page" : "injected";
473 V8PerContextDebugData::setContextDebugData(context, worldName, debuggerId);
474 }
475
updateDocument()476 void ScriptController::updateDocument()
477 {
478 // For an uninitialized main window windowProxy, do not incur the cost of context initialization.
479 if (!m_windowProxy->isGlobalInitialized())
480 return;
481
482 if (!initializeMainWorld())
483 windowProxy(DOMWrapperWorld::mainWorld())->updateDocument();
484 }
485
namedItemAdded(HTMLDocument * doc,const AtomicString & name)486 void ScriptController::namedItemAdded(HTMLDocument* doc, const AtomicString& name)
487 {
488 windowProxy(DOMWrapperWorld::mainWorld())->namedItemAdded(doc, name);
489 }
490
namedItemRemoved(HTMLDocument * doc,const AtomicString & name)491 void ScriptController::namedItemRemoved(HTMLDocument* doc, const AtomicString& name)
492 {
493 windowProxy(DOMWrapperWorld::mainWorld())->namedItemRemoved(doc, name);
494 }
495
isInPrivateScriptIsolateWorld(v8::Isolate * isolate)496 static bool isInPrivateScriptIsolateWorld(v8::Isolate* isolate)
497 {
498 v8::Handle<v8::Context> context = isolate->GetCurrentContext();
499 return !context.IsEmpty() && toDOMWindow(context) && DOMWrapperWorld::current(isolate).isPrivateScriptIsolatedWorld();
500 }
501
canExecuteScripts(ReasonForCallingCanExecuteScripts reason)502 bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)
503 {
504 // For performance reasons, we check isInPrivateScriptIsolateWorld() only if
505 // canExecuteScripts is going to return false.
506
507 if (m_frame->document() && m_frame->document()->isSandboxed(SandboxScripts)) {
508 if (isInPrivateScriptIsolateWorld(m_isolate))
509 return true;
510 // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
511 if (reason == AboutToExecuteScript)
512 m_frame->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Blocked script execution in '" + m_frame->document()->url().elidedString() + "' because the document's frame is sandboxed and the 'allow-scripts' permission is not set."));
513 return false;
514 }
515
516 if (m_frame->document() && m_frame->document()->isViewSource()) {
517 ASSERT(m_frame->document()->securityOrigin()->isUnique());
518 return true;
519 }
520
521 Settings* settings = m_frame->settings();
522 const bool allowed = m_frame->loader().client()->allowScript(settings && settings->scriptEnabled())
523 || isInPrivateScriptIsolateWorld(m_isolate);
524 if (!allowed && reason == AboutToExecuteScript)
525 m_frame->loader().client()->didNotAllowScript();
526 return allowed;
527 }
528
executeScriptIfJavaScriptURL(const KURL & url)529 bool ScriptController::executeScriptIfJavaScriptURL(const KURL& url)
530 {
531 if (!protocolIsJavaScript(url))
532 return false;
533
534 if (!m_frame->page()
535 || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame->document()->url(), eventHandlerPosition().m_line))
536 return true;
537
538 // We need to hold onto the LocalFrame here because executing script can
539 // destroy the frame.
540 RefPtrWillBeRawPtr<LocalFrame> protect(m_frame);
541 RefPtrWillBeRawPtr<Document> ownerDocument(m_frame->document());
542
543 const int javascriptSchemeLength = sizeof("javascript:") - 1;
544
545 bool locationChangeBefore = m_frame->navigationScheduler().locationChangePending();
546
547 String decodedURL = decodeURLEscapeSequences(url.string());
548 v8::HandleScope handleScope(m_isolate);
549 v8::Local<v8::Value> result = evaluateScriptInMainWorld(ScriptSourceCode(decodedURL.substring(javascriptSchemeLength)), NotSharableCrossOrigin, DoNotExecuteScriptWhenScriptsDisabled);
550
551 // If executing script caused this frame to be removed from the page, we
552 // don't want to try to replace its document!
553 if (!m_frame->page())
554 return true;
555
556 if (result.IsEmpty() || !result->IsString())
557 return true;
558 String scriptResult = toCoreString(v8::Handle<v8::String>::Cast(result));
559
560 // We're still in a frame, so there should be a DocumentLoader.
561 ASSERT(m_frame->document()->loader());
562 if (!locationChangeBefore && m_frame->navigationScheduler().locationChangePending())
563 return true;
564
565 m_frame->loader().replaceDocumentWhileExecutingJavaScriptURL(scriptResult, ownerDocument.get());
566 return true;
567 }
568
executeScriptInMainWorld(const String & script,ExecuteScriptPolicy policy)569 void ScriptController::executeScriptInMainWorld(const String& script, ExecuteScriptPolicy policy)
570 {
571 v8::HandleScope handleScope(m_isolate);
572 evaluateScriptInMainWorld(ScriptSourceCode(script), NotSharableCrossOrigin, policy);
573 }
574
executeScriptInMainWorld(const ScriptSourceCode & sourceCode,AccessControlStatus corsStatus,double * compilationFinishTime)575 void ScriptController::executeScriptInMainWorld(const ScriptSourceCode& sourceCode, AccessControlStatus corsStatus, double* compilationFinishTime)
576 {
577 v8::HandleScope handleScope(m_isolate);
578 evaluateScriptInMainWorld(sourceCode, corsStatus, DoNotExecuteScriptWhenScriptsDisabled, compilationFinishTime);
579 }
580
executeScriptInMainWorldAndReturnValue(const ScriptSourceCode & sourceCode)581 v8::Local<v8::Value> ScriptController::executeScriptInMainWorldAndReturnValue(const ScriptSourceCode& sourceCode)
582 {
583 return evaluateScriptInMainWorld(sourceCode, NotSharableCrossOrigin, DoNotExecuteScriptWhenScriptsDisabled);
584 }
585
evaluateScriptInMainWorld(const ScriptSourceCode & sourceCode,AccessControlStatus corsStatus,ExecuteScriptPolicy policy,double * compilationFinishTime)586 v8::Local<v8::Value> ScriptController::evaluateScriptInMainWorld(const ScriptSourceCode& sourceCode, AccessControlStatus corsStatus, ExecuteScriptPolicy policy, double* compilationFinishTime)
587 {
588 if (policy == DoNotExecuteScriptWhenScriptsDisabled && !canExecuteScripts(AboutToExecuteScript))
589 return v8::Local<v8::Value>();
590
591 String sourceURL = sourceCode.url();
592 const String* savedSourceURL = m_sourceURL;
593 m_sourceURL = &sourceURL;
594
595 v8::EscapableHandleScope handleScope(m_isolate);
596 v8::Handle<v8::Context> context = toV8Context(m_frame, DOMWrapperWorld::mainWorld());
597 if (context.IsEmpty())
598 return v8::Local<v8::Value>();
599
600 ScriptState* scriptState = ScriptState::from(context);
601 ScriptState::Scope scope(scriptState);
602
603 RefPtrWillBeRawPtr<LocalFrame> protect(m_frame);
604 if (m_frame->loader().stateMachine()->isDisplayingInitialEmptyDocument())
605 m_frame->loader().didAccessInitialDocument();
606
607 OwnPtr<ScriptSourceCode> maybeProcessedSourceCode = InspectorInstrumentation::preprocess(m_frame, sourceCode);
608 const ScriptSourceCode& sourceCodeToCompile = maybeProcessedSourceCode ? *maybeProcessedSourceCode : sourceCode;
609
610 v8::Local<v8::Value> object = executeScriptAndReturnValue(scriptState->context(), sourceCodeToCompile, corsStatus, compilationFinishTime);
611 m_sourceURL = savedSourceURL;
612
613 if (object.IsEmpty())
614 return v8::Local<v8::Value>();
615
616 return handleScope.Escape(object);
617 }
618
executeScriptInIsolatedWorld(int worldID,const Vector<ScriptSourceCode> & sources,int extensionGroup,Vector<v8::Local<v8::Value>> * results)619 void ScriptController::executeScriptInIsolatedWorld(int worldID, const Vector<ScriptSourceCode>& sources, int extensionGroup, Vector<v8::Local<v8::Value> >* results)
620 {
621 ASSERT(worldID > 0);
622
623 RefPtr<DOMWrapperWorld> world = DOMWrapperWorld::ensureIsolatedWorld(worldID, extensionGroup);
624 WindowProxy* isolatedWorldWindowProxy = windowProxy(*world);
625 if (!isolatedWorldWindowProxy->isContextInitialized())
626 return;
627
628 ScriptState* scriptState = isolatedWorldWindowProxy->scriptState();
629 v8::EscapableHandleScope handleScope(scriptState->isolate());
630 ScriptState::Scope scope(scriptState);
631 v8::Local<v8::Array> resultArray = v8::Array::New(m_isolate, sources.size());
632
633 for (size_t i = 0; i < sources.size(); ++i) {
634 v8::Local<v8::Value> evaluationResult = executeScriptAndReturnValue(scriptState->context(), sources[i]);
635 if (evaluationResult.IsEmpty())
636 evaluationResult = v8::Local<v8::Value>::New(m_isolate, v8::Undefined(m_isolate));
637 resultArray->Set(i, evaluationResult);
638 }
639
640 if (results) {
641 for (size_t i = 0; i < resultArray->Length(); ++i)
642 results->append(handleScope.Escape(resultArray->Get(i)));
643 }
644 }
645
646 } // namespace blink
647