<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[205354] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/205354">205354</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2016-09-02 11:04:25 -0700 (Fri, 02 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Align proto getter / setter behavior with other browsers
https://bugs.webkit.org/show_bug.cgi?id=161455
Reviewed by Mark Lam.
Source/JavaScriptCore:
Drop allowsAccessFrom from the methodTable and delegate cross-origin
checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
This is more consistent with other operations (e.g. [[GetOwnProperty]]).
* jsc.cpp:
* runtime/JSGlobalObject.cpp:
* runtime/JSGlobalObject.h:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
(JSC::globalFuncBuiltinLog): Deleted.
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.h:
(JSC::JSObject::getArrayLength): Deleted.
* runtime/JSProxy.cpp:
(JSC::JSProxy::setPrototype):
(JSC::JSProxy::getPrototype):
* runtime/JSProxy.h:
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetPrototypeOf):
(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
(JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
* runtime/ObjectConstructor.h:
* runtime/ReflectObject.cpp:
(JSC::reflectObjectGetPrototypeOf):
(JSC::reflectObjectSetPrototypeOf):
* runtime/JSObject.cpp:
(JSC::JSObject::setPrototypeWithCycleCheck):
Comment out check added in <a href="http://trac.webkit.org/projects/webkit/changeset/197648">r197648</a>. This check was added to match
the latest EcmaScript spec:
- https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
This check allowed for [[Prototype]] chain cycles if the prototype
chain includes objects that do not use the ordinary object definitions
for [[GetPrototypeOf]] and [[SetPrototypeOf]].
The issue is that the rest of our code base does not properly handle
such cycles and we can end up in infinite loops. This became obvious
because this patch updates Window / Location so that they no longer
use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
comment out this check, I get an infinite loop in
Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
called from JSObject::setPrototypeDirect(), when running the following
layout test:
- html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
issue.
Source/WebCore:
Align cross-origin __proto__ getter / setter behavior with other
browsers and the specification:
[[SetPrototypeOf]] should throw a TypeError:
- https://html.spec.whatwg.org/#windowproxy-setprototypeof
- https://html.spec.whatwg.org/#location-setprototypeof
- https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
[[GetPrototypeOf]] should return null cross-origin:
- https://html.spec.whatwg.org/#windowproxy-getprototypeof
- https://html.spec.whatwg.org/#location-getprototypeof
Test: js/dom/setPrototypeOf-location-window.html
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBase): Deleted.
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::setPrototype):
(WebCore::JSDOMWindow::getPrototype):
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::setPrototype):
(WebCore::JSLocation::getPrototype):
* bindings/js/JSWorkerGlobalScopeBase.cpp:
(WebCore::JSWorkerGlobalScopeBase::supportsRichSourceInfo): Deleted.
* bindings/js/JSWorkerGlobalScopeBase.h:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
* bindings/scripts/IDLAttributes.txt:
* page/DOMWindow.idl:
* page/Location.idl:
LayoutTests:
Add layout test coverage and update a few existing test to reflect
behavior change.
* http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf.html:
* http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-setPrototypeOf.html:
* http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html:
* http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-method-with-iframe-proto.html:
* http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html:
* http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
* js/dom/setPrototypeOf-location-window-expected.txt: Added.
* js/dom/setPrototypeOf-location-window.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfastdomWindowwindowcustomprototypecrashexpectedtxt">trunk/LayoutTests/fast/dom/Window/window-custom-prototype-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDhtmlelelmentwithiframeprotoexpectedtxt">trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDhtmlelelmentwithiframeprotohtml">trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDmethodwithiframeprotoexpectedtxt">trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDmethodwithiframeprotohtml">trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDnonshadowableproptertywithiframeprotoexpectedtxt">trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDnonshadowableproptertywithiframeprotohtml">trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDregularproptertywithiframeprotoexpectedtxt">trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssDENIEDregularproptertywithiframeprotohtml">trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html</a></li>
<li><a href="#trunkLayoutTestsjsobjectliteralshorthandconstructionexpectedtxt">trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsobjectliteralshorthandconstructionjs">trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js</a></li>
<li><a href="#trunkLayoutTestsjsscripttestssloppygettersetterglobalobjectjs">trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js</a></li>
<li><a href="#trunkLayoutTestsjssloppygettersetterglobalobjectexpectedtxt">trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorejsccpp">trunk/Source/JavaScriptCore/jsc.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjecth">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionsh">trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectcpp">trunk/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSProxycpp">trunk/Source/JavaScriptCore/runtime/JSProxy.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSProxyh">trunk/Source/JavaScriptCore/runtime/JSProxy.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectConstructorcpp">trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectConstructorh">trunk/Source/JavaScriptCore/runtime/ObjectConstructor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeReflectObjectcpp">trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMWindowBasecpp">trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMWindowCustomcpp">trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSLocationCustomcpp">trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSWorkerGlobalScopeBasecpp">trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSWorkerGlobalScopeBaseh">trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsIDLAttributestxt">trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt</a></li>
<li><a href="#trunkSourceWebCorepageDOMWindowidl">trunk/Source/WebCore/page/DOMWindow.idl</a></li>
<li><a href="#trunkSourceWebCorepageLocationidl">trunk/Source/WebCore/page/Location.idl</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsdomsetPrototypeOflocationwindowexpectedtxt">trunk/LayoutTests/js/dom/setPrototypeOf-location-window-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdomsetPrototypeOflocationwindowhtml">trunk/LayoutTests/js/dom/setPrototypeOf-location-window.html</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastdomWindowscripttestswindowcustomprototypejs">trunk/LayoutTests/fast/dom/Window/script-tests/window-custom-prototype.js</a></li>
<li><a href="#trunkLayoutTestsfastdomWindowwindowcustomprototypeexpectedtxt">trunk/LayoutTests/fast/dom/Window/window-custom-prototype-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastdomWindowwindowcustomprototypehtml">trunk/LayoutTests/fast/dom/Window/window-custom-prototype.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/ChangeLog 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2016-09-02 Chris Dumez <cdumez@apple.com>
+
+ Align proto getter / setter behavior with other browsers
+ https://bugs.webkit.org/show_bug.cgi?id=161455
+
+ Reviewed by Mark Lam.
+
+ Add layout test coverage and update a few existing test to reflect
+ behavior change.
+
+ * http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
+ * http/tests/security/cross-frame-access-object-getPrototypeOf.html:
+ * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+ * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
+ * http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
+ * http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html:
+ * http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
+ * http/tests/security/xss-DENIED-method-with-iframe-proto.html:
+ * http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
+ * http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html:
+ * http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
+ * http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
+ * js/dom/setPrototypeOf-location-window-expected.txt: Added.
+ * js/dom/setPrototypeOf-location-window.html: Added.
+
</ins><span class="cx"> 2016-09-02 Eric Carlson <eric.carlson@apple.com>
</span><span class="cx">
</span><span class="cx"> [MediaStream] applyConstraints pt. 1 - mandatory constraints
</span></span></pre></div>
<a id="trunkLayoutTestsfastdomWindowscripttestswindowcustomprototypejs"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/fast/dom/Window/script-tests/window-custom-prototype.js (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/dom/Window/script-tests/window-custom-prototype.js 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/fast/dom/Window/script-tests/window-custom-prototype.js 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,18 +0,0 @@
</span><del>-description("Test what happens when you set the window's prototype to various values.");
-
-var originalWindowPrototype = __proto__;
-var chainPointingBackToWindow = { __proto__: window };
-var anotherObject = { };
-
-shouldThrow("__proto__ = window; __proto", "'TypeError: cyclic __proto__ value'");
-shouldThrow("__proto__ = chainPointingBackToWindow; __proto__", "'TypeError: cyclic __proto__ value'");
-shouldBe("__proto__ = 1; __proto__", "originalWindowPrototype");
-shouldBe("__proto__ = 'a string'; __proto__", "originalWindowPrototype");
-shouldBe("__proto__ = anotherObject; __proto__", "anotherObject");
-shouldThrow("anotherObject.__proto__ = window; __proto__", "'TypeError: cyclic __proto__ value'");
-shouldBe("__proto__ = 1; __proto__", "anotherObject");
-shouldBe("__proto__ = 'a string'; __proto__", "anotherObject");
-shouldBe("__proto__ = anotherObject; __proto__", "anotherObject");
-shouldBe("__proto__ = originalWindowPrototype; __proto__", "originalWindowPrototype");
-shouldBe("anotherObject.__proto__ = window; anotherObject.__proto__", "window");
-shouldBe("__proto__ = null; __proto__", "null");
</del></span></pre></div>
<a id="trunkLayoutTestsfastdomWindowwindowcustomprototypecrashexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/dom/Window/window-custom-prototype-crash-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/dom/Window/window-custom-prototype-crash-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/fast/dom/Window/window-custom-prototype-crash-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1 +1,2 @@
</span><ins>+CONSOLE MESSAGE: line 7: TypeError: Cannot set prototype of this object
</ins><span class="cx"> If this did not crash the test has succeeded.
</span></span></pre></div>
<a id="trunkLayoutTestsfastdomWindowwindowcustomprototypeexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/fast/dom/Window/window-custom-prototype-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/dom/Window/window-custom-prototype-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/fast/dom/Window/window-custom-prototype-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,21 +0,0 @@
</span><del>-Test what happens when you set the window's prototype to various values.
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS __proto__ = window; __proto threw exception TypeError: cyclic __proto__ value.
-PASS __proto__ = chainPointingBackToWindow; __proto__ threw exception TypeError: cyclic __proto__ value.
-PASS __proto__ = 1; __proto__ is originalWindowPrototype
-PASS __proto__ = 'a string'; __proto__ is originalWindowPrototype
-PASS __proto__ = anotherObject; __proto__ is anotherObject
-PASS anotherObject.__proto__ = window; __proto__ threw exception TypeError: cyclic __proto__ value.
-PASS __proto__ = 1; __proto__ is anotherObject
-PASS __proto__ = 'a string'; __proto__ is anotherObject
-PASS __proto__ = anotherObject; __proto__ is anotherObject
-PASS __proto__ = originalWindowPrototype; __proto__ is originalWindowPrototype
-PASS anotherObject.__proto__ = window; anotherObject.__proto__ is window
-PASS __proto__ = null; __proto__ is null
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
</del></span></pre></div>
<a id="trunkLayoutTestsfastdomWindowwindowcustomprototypehtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/fast/dom/Window/window-custom-prototype.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/dom/Window/window-custom-prototype.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/fast/dom/Window/window-custom-prototype.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,10 +0,0 @@
</span><del>-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="script-tests/window-custom-prototype.js"></script>
-<script src="../../../resources/js-test-post.js"></script>
-</body>
-</html>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,9 +1,9 @@
</span><del>-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><span class="cx"> This tests that you can't get the prototype of the window or history objects cross-origin using Object.getPrototypeOf().
</span><span class="cx">
</span><span class="cx"> PASS: Object.getPrototypeOf(targetWindow) should be 'null' and is.
</span><span class="cx"> PASS: Object.getPrototypeOf(targetWindow.location) should be 'null' and is.
</span><ins>+PASS: protoGetter.call(targetWindow) should be 'null' and is.
+PASS: protoGetter.call(targetWindow.location) should be 'null' and is.
</ins><span class="cx"> PASS targetWindow.history threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
</span><span class="cx"> PASS: successfullyParsed should be 'true' and is.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -18,6 +18,10 @@
</span><span class="cx">
</span><span class="cx"> shouldBeNull("Object.getPrototypeOf(targetWindow)");
</span><span class="cx"> shouldBeNull("Object.getPrototypeOf(targetWindow.location)");
</span><ins>+ protoGetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get;
+ shouldBeNull("protoGetter.call(targetWindow)");
+ shouldBeNull("protoGetter.call(targetWindow.location)");
+
</ins><span class="cx"> shouldThrowErrorName("targetWindow.history", "SecurityError");
</span><span class="cx">
</span><span class="cx"> finishJSTest();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,5 +1,3 @@
</span><del>-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><span class="cx"> This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()
</span><span class="cx">
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span><span class="lines">@@ -6,11 +4,17 @@
</span><span class="cx">
</span><span class="cx">
</span><span class="cx"> PASS: targetWindow instanceof Array should be 'false' and is.
</span><del>-PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Permission denied.
</del><ins>+PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS: targetWindow instanceof Array should be 'false' and is.
</span><span class="cx"> PASS: targetWindow.location instanceof Array should be 'false' and is.
</span><del>-PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
</del><ins>+PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS: targetWindow.location instanceof Array should be 'false' and is.
</span><ins>+PASS: targetWindow instanceof Array should be 'false' and is.
+PASS protoSetter.call(targetWindow, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS: targetWindow instanceof Array should be 'false' and is.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS protoSetter.call(targetWindow.location, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
</ins><span class="cx"> PASS: successfullyParsed should be 'true' and is.
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -24,6 +24,15 @@
</span><span class="cx"> shouldThrowErrorName("Object.setPrototypeOf(targetWindow.location, Array.prototype)", "TypeError");
</span><span class="cx"> shouldBeFalse("targetWindow.location instanceof Array");
</span><span class="cx">
</span><ins>+ protoSetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').set;
+ shouldBeFalse("targetWindow instanceof Array");
+ shouldThrowErrorName("protoSetter.call(targetWindow, Array.prototype)", "TypeError");
+ shouldBeFalse("targetWindow instanceof Array");
+
+ shouldBeFalse("targetWindow.location instanceof Array");
+ shouldThrowErrorName("protoSetter.call(targetWindow.location, Array.prototype)", "TypeError");
+ shouldBeFalse("targetWindow.location instanceof Array");
+
</ins><span class="cx"> finishJSTest();
</span><span class="cx"> }
</span><span class="cx"> </script>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDhtmlelelmentwithiframeprotoexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -4,6 +4,7 @@
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span><span class="cx">
</span><span class="cx">
</span><ins>+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS targetWindow.myinput threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
</span><span class="cx"> PASS: successfullyParsed should be 'true' and is.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDhtmlelelmentwithiframeprotohtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -14,7 +14,7 @@
</span><span class="cx"> targetWindow = frames[0];
</span><span class="cx">
</span><span class="cx"> window.onload = function() {
</span><del>- __proto__ = targetWindow;
</del><ins>+ shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
</ins><span class="cx"> shouldThrowErrorName('targetWindow.myinput', 'SecurityError');
</span><span class="cx"> finishJSTest();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDmethodwithiframeprotoexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,6 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 40: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 47: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 54: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><ins>+CONSOLE MESSAGE: line 36: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 43: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 50: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx">
</span><span class="cx"> Tests that making other frame window a prototype doesn't expose that window methods
</span><span class="cx">
</span><ins>+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS: successfullyParsed should be 'true' and is.
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDmethodwithiframeprotohtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><ins>+<script src="/js-test-resources/js-test-pre.js"></script>
</ins><span class="cx"> <script src="resources/cross-frame-access.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><span class="lines">@@ -6,13 +7,9 @@
</span><span class="cx"> <iframe src="http://localhost:8000/" style=""></iframe>
</span><span class="cx"> <pre id="console"></pre>
</span><span class="cx"> <script>
</span><del>-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
-}
</del><ins>+description("Tests that making other frame window a prototype doesn't expose that window methods");
+jsTestIsAsync = true;
</ins><span class="cx">
</span><del>-log("Tests that making other frame window a prototype doesn't expose that window methods");
-
</del><span class="cx"> targetWindow = frames[0];
</span><span class="cx">
</span><span class="cx"> wasInvoked = false;
</span><span class="lines">@@ -23,14 +20,13 @@
</span><span class="cx">
</span><span class="cx"> function check() {
</span><span class="cx"> shouldBeFalse('this.wasInvoked');
</span><del>- if (window.testRunner)
- testRunner.notifyDone();
</del><ins>+ finishJSTest();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> window.onload = function() {
</span><span class="cx"> originalSetTimeout = setTimeout;
</span><span class="cx">
</span><del>- __proto__ = targetWindow;
</del><ins>+ shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
</ins><span class="cx">
</span><span class="cx"> var needsCheck = false;
</span><span class="cx"> try {
</span><span class="lines">@@ -57,10 +53,10 @@
</span><span class="cx"> if (needsCheck) {
</span><span class="cx"> originalSetTimeout(check, 10);
</span><span class="cx"> } else {
</span><del>- if (window.testRunner)
- testRunner.notifyDone();
</del><ins>+ finishJSTest();
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> </script>
</span><ins>+<script src="/js-test-resources/js-test-post.js"></script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDnonshadowableproptertywithiframeprotoexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,5 +1,13 @@
</span><span class="cx">
</span><span class="cx"> Tests that making other frame window a prototype doesn't expose that window properties
</span><ins>+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS: location === originalLocation should be 'true' and is.
</span><span class="cx"> PASS: this.location === originalLocation should be 'true' and is.
</span><ins>+PASS: successfullyParsed should be 'true' and is.
</ins><span class="cx">
</span><ins>+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDnonshadowableproptertywithiframeprotohtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><ins>+<script src="/js-test-resources/js-test-pre.js"></script>
</ins><span class="cx"> <script src="resources/cross-frame-access.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><span class="lines">@@ -6,21 +7,21 @@
</span><span class="cx"> <iframe src="http://localhost:8000/" style=""></iframe>
</span><span class="cx"> <pre id="console"></pre>
</span><span class="cx"> <script>
</span><del>-if (window.testRunner)
- testRunner.dumpAsText();
</del><ins>+description("Tests that making other frame window a prototype doesn't expose that window properties");
+jsTestIsAsync = true;
</ins><span class="cx">
</span><del>-log("Tests that making other frame window a prototype doesn't expose that window properties");
-
</del><span class="cx"> targetWindow = frames[0];
</span><span class="cx">
</span><span class="cx"> window.onload = function() {
</span><span class="cx"> originalLocation = location;
</span><span class="cx">
</span><del>- __proto__ = targetWindow;
</del><ins>+ shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
</ins><span class="cx">
</span><span class="cx"> shouldBeTrue('location === originalLocation');
</span><span class="cx"> shouldBeTrue('this.location === originalLocation');
</span><ins>+ finishJSTest();
</ins><span class="cx"> }
</span><span class="cx"> </script>
</span><ins>+<script src="/js-test-resources/js-test-post.js"></script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDregularproptertywithiframeprotoexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,5 +1,13 @@
</span><span class="cx">
</span><span class="cx"> Tests that making other frame window a prototype doesn't expose that window properties
</span><ins>+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS: innerHeight === originalInnerHeight should be 'true' and is.
</span><span class="cx"> PASS: this.innerHeight === originalInnerHeight should be 'true' and is.
</span><ins>+PASS: successfullyParsed should be 'true' and is.
</ins><span class="cx">
</span><ins>+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssDENIEDregularproptertywithiframeprotohtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><ins>+<script src="/js-test-resources/js-test-pre.js"></script>
</ins><span class="cx"> <script src="resources/cross-frame-access.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><span class="lines">@@ -6,21 +7,21 @@
</span><span class="cx"> <iframe src="http://localhost:8000/" style=""></iframe>
</span><span class="cx"> <pre id="console"></pre>
</span><span class="cx"> <script>
</span><del>-if (window.testRunner)
- testRunner.dumpAsText();
</del><ins>+description("Tests that making other frame window a prototype doesn't expose that window properties");
+jsTestIsAsync = true;
</ins><span class="cx">
</span><del>-log("Tests that making other frame window a prototype doesn't expose that window properties");
-
</del><span class="cx"> targetWindow = frames[0];
</span><span class="cx">
</span><span class="cx"> window.onload = function() {
</span><span class="cx"> originalInnerHeight = innerHeight;
</span><span class="cx">
</span><del>- __proto__ = targetWindow;
</del><ins>+ shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
</ins><span class="cx">
</span><span class="cx"> shouldBeTrue('innerHeight === originalInnerHeight');
</span><span class="cx"> shouldBeTrue('this.innerHeight === originalInnerHeight');
</span><ins>+ finishJSTest();
</ins><span class="cx"> }
</span><span class="cx"> </script>
</span><ins>+<script src="/js-test-resources/js-test-post.js"></script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestsjsdomsetPrototypeOflocationwindowexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/setPrototypeOf-location-window-expected.txt (0 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/setPrototypeOf-location-window-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/setPrototypeOf-location-window-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+Test that it is not possible to set the prototype of Window or Location.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Object.getPrototypeOf(window) is Window.prototype
+PASS Object.setPrototypeOf(window, Node.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS Object.getPrototypeOf(window) is Window.prototype
+PASS Object.getPrototypeOf(window) is Window.prototype
+PASS protoSetter.call(window, Node.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS Object.getPrototypeOf(window) is Window.prototype
+PASS Object.getPrototypeOf(window.location) is Location.prototype
+PASS Object.setPrototypeOf(window.location, Node.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS Object.getPrototypeOf(window.location) is Location.prototype
+PASS Object.getPrototypeOf(window.location) is Location.prototype
+PASS protoSetter.call(window.location, Node.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS Object.getPrototypeOf(window.location) is Location.prototype
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomsetPrototypeOflocationwindowhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/setPrototypeOf-location-window.html (0 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/setPrototypeOf-location-window.html (rev 0)
+++ trunk/LayoutTests/js/dom/setPrototypeOf-location-window.html 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+description("Test that it is not possible to set the prototype of Window or Location.");
+
+var protoSetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').set;
+
+shouldBe("Object.getPrototypeOf(window)", "Window.prototype");
+shouldThrowErrorName("Object.setPrototypeOf(window, Node.prototype)", "TypeError");
+shouldBe("Object.getPrototypeOf(window)", "Window.prototype");
+
+shouldBe("Object.getPrototypeOf(window)", "Window.prototype");
+shouldThrowErrorName("protoSetter.call(window, Node.prototype)", "TypeError");
+shouldBe("Object.getPrototypeOf(window)", "Window.prototype");
+
+shouldBe("Object.getPrototypeOf(window.location)", "Location.prototype");
+shouldThrowErrorName("Object.setPrototypeOf(window.location, Node.prototype)", "TypeError");
+shouldBe("Object.getPrototypeOf(window.location)", "Location.prototype");
+
+shouldBe("Object.getPrototypeOf(window.location)", "Location.prototype");
+shouldThrowErrorName("protoSetter.call(window.location, Node.prototype)", "TypeError");
+shouldBe("Object.getPrototypeOf(window.location)", "Location.prototype");
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</script>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsobjectliteralshorthandconstructionexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -61,9 +61,7 @@
</span><span class="cx"> PASS !!Object.getOwnPropertyDescriptor({set x(value){}}, 'x').set is true
</span><span class="cx"> PASS !!Object.getOwnPropertyDescriptor({set 'x'(value){}}, 'x').set is true
</span><span class="cx"> PASS !!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set is true
</span><del>-PASS __proto__ = []; ({__proto__: __proto__}) instanceof Array is true
-PASS __proto__ = []; ({__proto__}) instanceof Array is false
-PASS __proto__ = []; ({__proto__}).__proto__ instanceof Array is true
</del><ins>+PASS __proto__ = [] threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsobjectliteralshorthandconstructionjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -109,7 +109,4 @@
</span><span class="cx"> shouldBeTrue("!!Object.getOwnPropertyDescriptor({set 'x'(value){}}, 'x').set");
</span><span class="cx"> shouldBeTrue("!!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set");
</span><span class="cx">
</span><del>-// __proto__ shorthand should be not modify the prototype.
-shouldBeTrue("__proto__ = []; ({__proto__: __proto__}) instanceof Array");
-shouldBeFalse("__proto__ = []; ({__proto__}) instanceof Array");
-shouldBeTrue("__proto__ = []; ({__proto__}).__proto__ instanceof Array");
</del><ins>+shouldThrowErrorName("__proto__ = []", "TypeError");
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestssloppygettersetterglobalobjectjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -33,4 +33,4 @@
</span><span class="cx"> shouldNotThrow("top_level_sloppy_getter();");
</span><span class="cx">
</span><span class="cx"> var top_level_sloppy_setter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set;
</span><del>-shouldNotThrow("top_level_sloppy_setter(['foo']);");
</del><ins>+shouldThrowErrorName("top_level_sloppy_setter(['foo']);", "TypeError");
</ins></span></pre></div>
<a id="trunkLayoutTestsjssloppygettersetterglobalobjectexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -11,7 +11,7 @@
</span><span class="cx"> PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: Can't convert undefined or null to object.
</span><span class="cx"> PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Can't convert undefined or null to object.
</span><span class="cx"> PASS top_level_sloppy_getter(); did not throw exception.
</span><del>-PASS top_level_sloppy_setter(['foo']); did not throw exception.
</del><ins>+PASS top_level_sloppy_setter(['foo']); threw exception TypeError: Cannot set prototype of this object.
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,3 +1,58 @@
</span><ins>+2016-09-02 Chris Dumez <cdumez@apple.com>
+
+ Align proto getter / setter behavior with other browsers
+ https://bugs.webkit.org/show_bug.cgi?id=161455
+
+ Reviewed by Mark Lam.
+
+ Drop allowsAccessFrom from the methodTable and delegate cross-origin
+ checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
+ This is more consistent with other operations (e.g. [[GetOwnProperty]]).
+
+ * jsc.cpp:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObject.h:
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ (JSC::globalFuncProtoSetter):
+ (JSC::globalFuncBuiltinLog): Deleted.
+ * runtime/JSGlobalObjectFunctions.h:
+ * runtime/JSObject.h:
+ (JSC::JSObject::getArrayLength): Deleted.
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::setPrototype):
+ (JSC::JSProxy::getPrototype):
+ * runtime/JSProxy.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetPrototypeOf):
+ (JSC::objectConstructorSetPrototypeOf):
+ (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
+ (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
+ * runtime/ObjectConstructor.h:
+ * runtime/ReflectObject.cpp:
+ (JSC::reflectObjectGetPrototypeOf):
+ (JSC::reflectObjectSetPrototypeOf):
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::setPrototypeWithCycleCheck):
+ Comment out check added in r197648. This check was added to match
+ the latest EcmaScript spec:
+ - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
+ This check allowed for [[Prototype]] chain cycles if the prototype
+ chain includes objects that do not use the ordinary object definitions
+ for [[GetPrototypeOf]] and [[SetPrototypeOf]].
+ The issue is that the rest of our code base does not properly handle
+ such cycles and we can end up in infinite loops. This became obvious
+ because this patch updates Window / Location so that they no longer
+ use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
+ comment out this check, I get an infinite loop in
+ Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
+ called from JSObject::setPrototypeDirect(), when running the following
+ layout test:
+ - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
+ I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
+ issue.
+
</ins><span class="cx"> 2016-09-01 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> Add toJS for JSC::PrivateName
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejsccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jsc.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jsc.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/jsc.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -903,7 +903,7 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> const ClassInfo GlobalObject::s_info = { "global", &JSGlobalObject::s_info, nullptr, CREATE_METHOD_TABLE(GlobalObject) };
</span><del>-const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, 0, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, nullptr, nullptr };
</del><ins>+const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, 0, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, nullptr, nullptr };
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> GlobalObject::GlobalObject(VM& vm, Structure* structure)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -207,7 +207,7 @@
</span><span class="cx">
</span><span class="cx"> const ClassInfo JSGlobalObject::s_info = { "GlobalObject", &Base::s_info, &globalObjectTable, CREATE_METHOD_TABLE(JSGlobalObject) };
</span><span class="cx">
</span><del>-const GlobalObjectMethodTable JSGlobalObject::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, nullptr, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr };
</del><ins>+const GlobalObjectMethodTable JSGlobalObject::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, nullptr, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr };
</ins><span class="cx">
</span><span class="cx"> /* Source for JSGlobalObject.lut.h
</span><span class="cx"> @begin globalObjectTable
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -148,9 +148,6 @@
</span><span class="cx"> typedef Vector<ExecState*, 16> ExecStateStack;
</span><span class="cx">
</span><span class="cx"> struct GlobalObjectMethodTable {
</span><del>- typedef bool (*AllowsAccessFromFunctionPtr)(const JSGlobalObject*, ExecState*);
- AllowsAccessFromFunctionPtr allowsAccessFrom;
-
</del><span class="cx"> typedef bool (*SupportsRichSourceInfoFunctionPtr)(const JSGlobalObject*);
</span><span class="cx"> SupportsRichSourceInfoFunctionPtr supportsRichSourceInfo;
</span><span class="cx">
</span><span class="lines">@@ -712,7 +709,6 @@
</span><span class="cx">
</span><span class="cx"> const GlobalObjectMethodTable* globalObjectMethodTable() const { return m_globalObjectMethodTable; }
</span><span class="cx">
</span><del>- static bool allowsAccessFrom(const JSGlobalObject*, ExecState*) { return true; }
</del><span class="cx"> static bool supportsRichSourceInfo(const JSGlobalObject*) { return true; }
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE ExecState* globalExec();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -866,38 +866,6 @@
</span><span class="cx"> return throwVMTypeError(exec, scope, "'arguments', 'callee', and 'caller' cannot be accessed in strict mode.");
</span><span class="cx"> }
</span><span class="cx">
</span><del>-class GlobalFuncProtoGetterFunctor {
-public:
- GlobalFuncProtoGetterFunctor(ExecState* exec, JSObject* thisObject)
- : m_exec(exec)
- , m_hasSkippedFirstFrame(false)
- , m_thisObject(thisObject)
- , m_result(JSValue::encode(jsUndefined()))
- {
- }
-
- EncodedJSValue result() { return m_result; }
-
- StackVisitor::Status operator()(StackVisitor& visitor) const
- {
- if (!m_hasSkippedFirstFrame) {
- m_hasSkippedFirstFrame = true;
- return StackVisitor::Continue;
- }
-
- if (m_thisObject->allowsAccessFrom(visitor->callFrame()))
- m_result = JSValue::encode(m_thisObject->getPrototype(m_exec->vm(), m_exec));
-
- return StackVisitor::Done;
- }
-
-private:
- ExecState* m_exec;
- mutable bool m_hasSkippedFirstFrame;
- JSObject* m_thisObject;
- mutable EncodedJSValue m_result;
-};
-
</del><span class="cx"> EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="lines">@@ -915,49 +883,9 @@
</span><span class="cx"> return JSValue::encode(prototype);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- GlobalFuncProtoGetterFunctor functor(exec, thisObject);
- // This can throw but it's just unneeded extra work to check for it. The return
- // value from this function is only used as the return value from a host call.
- // Therefore, the return value is only used if there wasn't an exception.
- exec->iterate(functor);
- return functor.result();
</del><ins>+ return JSValue::encode(thisObject->getPrototype(vm, exec));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-class GlobalFuncProtoSetterFunctor {
-public:
- GlobalFuncProtoSetterFunctor(JSObject* thisObject)
- : m_hasSkippedFirstFrame(false)
- , m_allowsAccess(false)
- , m_thisObject(thisObject)
- {
- }
-
- bool allowsAccess() const { return m_allowsAccess; }
-
- StackVisitor::Status operator()(StackVisitor& visitor) const
- {
- if (!m_hasSkippedFirstFrame) {
- m_hasSkippedFirstFrame = true;
- return StackVisitor::Continue;
- }
-
- m_allowsAccess = m_thisObject->allowsAccessFrom(visitor->callFrame());
- return StackVisitor::Done;
- }
-
-private:
- mutable bool m_hasSkippedFirstFrame;
- mutable bool m_allowsAccess;
- JSObject* m_thisObject;
-};
-
-bool checkProtoSetterAccessAllowed(ExecState* exec, JSObject* object)
-{
- GlobalFuncProtoSetterFunctor functor(object);
- exec->iterate(functor);
- return functor.allowsAccess();
-}
-
</del><span class="cx"> EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="lines">@@ -974,9 +902,6 @@
</span><span class="cx"> if (!thisObject)
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="cx">
</span><del>- if (!checkProtoSetterAccessAllowed(exec, thisObject))
- return JSValue::encode(jsUndefined());
-
</del><span class="cx"> // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
</span><span class="cx"> if (!value.isObject() && !value.isNull())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -52,8 +52,6 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState*);
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL globalFuncBuiltinLog(ExecState*);
</span><span class="cx">
</span><del>-bool checkProtoSetterAccessAllowed(ExecState*, JSObject*);
-
</del><span class="cx"> static const double mantissaOverflowLowerBound = 9007199254740992.0;
</span><span class="cx"> double parseIntOverflow(const LChar*, unsigned length, int radix);
</span><span class="cx"> bool isStrWhiteSpace(UChar);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1371,7 +1371,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue nextPrototype = prototype;
</span><del>- MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
</del><span class="cx"> while (nextPrototype && nextPrototype.isObject()) {
</span><span class="cx"> if (nextPrototype == this) {
</span><span class="cx"> if (shouldThrowIfCantSet)
</span><span class="lines">@@ -1378,8 +1377,11 @@
</span><span class="cx"> throwTypeError(exec, scope, ASCIILiteral("cyclic __proto__ value"));
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><del>- if (UNLIKELY(asObject(nextPrototype)->methodTable(vm)->getPrototype != defaultGetPrototype))
- break; // We're done. Set the prototype.
</del><ins>+ // FIXME: The specification says we should do this but this allows for cycles and our
+ // code base currently does not deal properly with such cycles.
+ // https://bugs.webkit.org/show_bug.cgi?id=161534
+ // if (UNLIKELY(asObject(nextPrototype)->methodTable(vm)->getPrototype != JSObject::getPrototype))
+ // break; // We're done. Set the prototype.
</ins><span class="cx"> nextPrototype = asObject(nextPrototype)->getPrototypeDirect();
</span><span class="cx"> }
</span><span class="cx"> setPrototypeDirect(vm, prototype);
</span><span class="lines">@@ -1401,12 +1403,6 @@
</span><span class="cx"> return methodTable(vm)->setPrototype(this, exec, prototype, shouldThrowIfCantSet);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool JSObject::allowsAccessFrom(ExecState* exec)
-{
- JSGlobalObject* globalObject = this->globalObject();
- return globalObject->globalObjectMethodTable()->allowsAccessFrom(globalObject, exec);
-}
-
</del><span class="cx"> bool JSObject::putGetter(ExecState* exec, PropertyName propertyName, JSValue getter, unsigned attributes)
</span><span class="cx"> {
</span><span class="cx"> PropertyDescriptor descriptor;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -168,8 +168,6 @@
</span><span class="cx"> // being returned. Once this is fixed we should migrate code & remove this method.
</span><span class="cx"> JS_EXPORT_PRIVATE bool getOwnPropertyDescriptor(ExecState*, PropertyName, PropertyDescriptor&);
</span><span class="cx">
</span><del>- JS_EXPORT_PRIVATE bool allowsAccessFrom(ExecState*);
-
</del><span class="cx"> unsigned getArrayLength() const
</span><span class="cx"> {
</span><span class="cx"> if (!hasIndexedProperties(indexingType()))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSProxy.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSProxy.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSProxy.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -139,4 +139,16 @@
</span><span class="cx"> thisObject->target()->methodTable(exec->vm())->getOwnPropertyNames(thisObject->target(), exec, propertyNames, mode);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool JSProxy::setPrototype(JSObject* object, ExecState* exec, JSValue value, bool shouldThrowIfCantSet)
+{
+ JSProxy* thisObject = jsCast<JSProxy*>(object);
+ return thisObject->target()->methodTable(exec->vm())->setPrototype(thisObject->target(), exec, value, shouldThrowIfCantSet);
+}
+
+JSValue JSProxy::getPrototype(JSObject* object, ExecState* exec)
+{
+ JSProxy* thisObject = jsCast<JSProxy*>(object);
+ return thisObject->target()->methodTable(exec->vm())->getPrototype(thisObject->target(), exec);
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSProxy.h (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSProxy.h 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/JSProxy.h 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -94,6 +94,8 @@
</span><span class="cx"> JS_EXPORT_PRIVATE static void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
</span><ins>+ JS_EXPORT_PRIVATE static bool setPrototype(JSObject*, ExecState*, JSValue, bool shouldThrowIfCantSet);
+ JS_EXPORT_PRIVATE static JSValue getPrototype(JSObject*, ExecState*);
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> WriteBarrier<JSObject> m_target;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -166,55 +166,12 @@
</span><span class="cx"> return CallType::Host;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-class ObjectConstructorGetPrototypeOfFunctor {
-public:
- ObjectConstructorGetPrototypeOfFunctor(ExecState* exec, JSObject* object)
- : m_exec(exec)
- , m_hasSkippedFirstFrame(false)
- , m_object(object)
- , m_result(jsUndefined())
- {
- }
-
- JSValue result() const { return m_result; }
-
- StackVisitor::Status operator()(StackVisitor& visitor) const
- {
- if (!m_hasSkippedFirstFrame) {
- m_hasSkippedFirstFrame = true;
- return StackVisitor::Continue;
- }
-
- if (m_object->allowsAccessFrom(visitor->callFrame()))
- m_result = m_object->getPrototype(m_exec->vm(), m_exec);
- else
- m_result = jsNull();
- return StackVisitor::Done;
- }
-
-private:
- ExecState* m_exec;
- mutable bool m_hasSkippedFirstFrame;
- JSObject* m_object;
- mutable JSValue m_result;
-};
-
-JSValue objectConstructorGetPrototypeOf(ExecState* exec, JSObject* object)
-{
- ObjectConstructorGetPrototypeOfFunctor functor(exec, object);
- // This can throw but it's just unneeded extra work to check for it. The return
- // value from this function is only used as the return value from a host call.
- // Therefore, the return value is only used if there wasn't an exception.
- exec->iterate(functor);
- return functor.result();
-}
-
</del><span class="cx"> EncodedJSValue JSC_HOST_CALL objectConstructorGetPrototypeOf(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* object = exec->argument(0).toObject(exec);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><del>- return JSValue::encode(objectConstructorGetPrototypeOf(exec, object));
</del><ins>+ return JSValue::encode(object->getPrototype(exec->vm(), exec));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL objectConstructorSetPrototypeOf(ExecState* exec)
</span><span class="lines">@@ -234,11 +191,6 @@
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(objectValue);
</span><span class="cx">
</span><del>- if (!checkProtoSetterAccessAllowed(exec, object)) {
- throwTypeError(exec, scope, ASCIILiteral("Permission denied"));
- return JSValue::encode(objectValue);
- }
-
</del><span class="cx"> bool shouldThrowIfCantSet = true;
</span><span class="cx"> bool didSetPrototype = object->setPrototype(vm, exec, protoValue, shouldThrowIfCantSet);
</span><span class="cx"> ASSERT_UNUSED(didSetPrototype, vm.exception() || didSetPrototype);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectConstructorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectConstructor.h (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectConstructor.h 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/ObjectConstructor.h 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -124,7 +124,6 @@
</span><span class="cx">
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE JSObject* objectConstructorFreeze(ExecState*, JSObject*);
</span><del>-JSValue objectConstructorGetPrototypeOf(ExecState*, JSObject*);
</del><span class="cx"> JSValue objectConstructorGetOwnPropertyDescriptor(ExecState*, JSObject*, const Identifier&);
</span><span class="cx"> JSValue objectConstructorGetOwnPropertyDescriptors(ExecState*, JSObject*);
</span><span class="cx"> JSArray* ownPropertyKeys(ExecState*, JSObject*, PropertyNameMode, DontEnumPropertiesMode);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeReflectObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -215,7 +215,7 @@
</span><span class="cx"> JSValue target = exec->argument(0);
</span><span class="cx"> if (!target.isObject())
</span><span class="cx"> return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Reflect.getPrototypeOf requires the first argument be an object")));
</span><del>- return JSValue::encode(objectConstructorGetPrototypeOf(exec, asObject(target)));
</del><ins>+ return JSValue::encode(asObject(target)->getPrototype(exec->vm(), exec));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // https://tc39.github.io/ecma262/#sec-reflect.isextensible
</span><span class="lines">@@ -302,9 +302,6 @@
</span><span class="cx">
</span><span class="cx"> JSObject* object = asObject(target);
</span><span class="cx">
</span><del>- if (!checkProtoSetterAccessAllowed(exec, object))
- return JSValue::encode(jsBoolean(false));
-
</del><span class="cx"> bool shouldThrowIfCantSet = false;
</span><span class="cx"> bool didSetPrototype = object->setPrototype(vm, exec, proto, shouldThrowIfCantSet);
</span><span class="cx"> if (vm.exception())
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/ChangeLog 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1,3 +1,41 @@
</span><ins>+2016-09-02 Chris Dumez <cdumez@apple.com>
+
+ Align proto getter / setter behavior with other browsers
+ https://bugs.webkit.org/show_bug.cgi?id=161455
+
+ Reviewed by Mark Lam.
+
+ Align cross-origin __proto__ getter / setter behavior with other
+ browsers and the specification:
+
+ [[SetPrototypeOf]] should throw a TypeError:
+ - https://html.spec.whatwg.org/#windowproxy-setprototypeof
+ - https://html.spec.whatwg.org/#location-setprototypeof
+ - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
+
+ [[GetPrototypeOf]] should return null cross-origin:
+ - https://html.spec.whatwg.org/#windowproxy-getprototypeof
+ - https://html.spec.whatwg.org/#location-getprototypeof
+
+ Test: js/dom/setPrototypeOf-location-window.html
+
+ * bindings/js/JSDOMWindowBase.cpp:
+ (WebCore::JSDOMWindowBase::JSDOMWindowBase): Deleted.
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::setPrototype):
+ (WebCore::JSDOMWindow::getPrototype):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::setPrototype):
+ (WebCore::JSLocation::getPrototype):
+ * bindings/js/JSWorkerGlobalScopeBase.cpp:
+ (WebCore::JSWorkerGlobalScopeBase::supportsRichSourceInfo): Deleted.
+ * bindings/js/JSWorkerGlobalScopeBase.h:
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateHeader):
+ * bindings/scripts/IDLAttributes.txt:
+ * page/DOMWindow.idl:
+ * page/Location.idl:
+
</ins><span class="cx"> 2016-09-02 Eric Carlson <eric.carlson@apple.com>
</span><span class="cx">
</span><span class="cx"> [MediaStream] applyConstraints pt. 1 - mandatory constraints
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMWindowBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -57,14 +57,9 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-static bool shouldAllowAccessFrom(const JSGlobalObject* thisObject, ExecState* exec)
-{
- return BindingSecurity::shouldAllowAccessToDOMWindow(exec, asJSDOMWindow(thisObject)->wrapped());
-}
-
</del><span class="cx"> const ClassInfo JSDOMWindowBase::s_info = { "Window", &JSDOMGlobalObject::s_info, 0, CREATE_METHOD_TABLE(JSDOMWindowBase) };
</span><span class="cx">
</span><del>-const GlobalObjectMethodTable JSDOMWindowBase::s_globalObjectMethodTable = { &shouldAllowAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, &moduleLoaderEvaluate, &defaultLanguage };
</del><ins>+const GlobalObjectMethodTable JSDOMWindowBase::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, &moduleLoaderEvaluate, &defaultLanguage };
</ins><span class="cx">
</span><span class="cx"> JSDOMWindowBase::JSDOMWindowBase(VM& vm, Structure* structure, RefPtr<DOMWindow>&& window, JSDOMWindowShell* shell)
</span><span class="cx"> : JSDOMGlobalObject(vm, structure, shell->world(), &s_globalObjectMethodTable)
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMWindowCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -342,6 +342,25 @@
</span><span class="cx"> return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool JSDOMWindow::setPrototype(JSObject*, ExecState* exec, JSValue, bool shouldThrowIfCantSet)
+{
+ auto scope = DECLARE_THROW_SCOPE(exec->vm());
+
+ if (shouldThrowIfCantSet)
+ throwTypeError(exec, scope, ASCIILiteral("Cannot set prototype of this object"));
+
+ return false;
+}
+
+JSValue JSDOMWindow::getPrototype(JSObject* object, ExecState* exec)
+{
+ JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
+ if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError))
+ return jsNull();
+
+ return Base::getPrototype(object, exec);
+}
+
</ins><span class="cx"> // Custom Attributes
</span><span class="cx">
</span><span class="cx"> void JSDOMWindow::setLocation(ExecState& state, JSValue value)
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSLocationCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -124,6 +124,25 @@
</span><span class="cx"> return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool JSLocation::setPrototype(JSObject*, ExecState* exec, JSValue, bool shouldThrowIfCantSet)
+{
+ auto scope = DECLARE_THROW_SCOPE(exec->vm());
+
+ if (shouldThrowIfCantSet)
+ throwTypeError(exec, scope, ASCIILiteral("Cannot set prototype of this object"));
+
+ return false;
+}
+
+JSValue JSLocation::getPrototype(JSObject* object, ExecState* exec)
+{
+ JSLocation* thisObject = jsCast<JSLocation*>(object);
+ if (!BindingSecurity::shouldAllowAccessToFrame(exec, thisObject->wrapped().frame(), DoNotReportSecurityError))
+ return jsNull();
+
+ return Base::getPrototype(object, exec);
+}
+
</ins><span class="cx"> bool JSLocationPrototype::putDelegate(ExecState* exec, PropertyName propertyName, JSValue, PutPropertySlot&, bool& putResult)
</span><span class="cx"> {
</span><span class="cx"> putResult = false;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSWorkerGlobalScopeBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx">
</span><span class="cx"> const ClassInfo JSWorkerGlobalScopeBase::s_info = { "WorkerGlobalScope", &JSDOMGlobalObject::s_info, 0, CREATE_METHOD_TABLE(JSWorkerGlobalScopeBase) };
</span><span class="cx">
</span><del>-const GlobalObjectMethodTable JSWorkerGlobalScopeBase::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, &defaultLanguage };
</del><ins>+const GlobalObjectMethodTable JSWorkerGlobalScopeBase::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, &defaultLanguage };
</ins><span class="cx">
</span><span class="cx"> JSWorkerGlobalScopeBase::JSWorkerGlobalScopeBase(JSC::VM& vm, JSC::Structure* structure, RefPtr<WorkerGlobalScope>&& impl)
</span><span class="cx"> : JSDOMGlobalObject(vm, structure, normalWorld(vm), &s_globalObjectMethodTable)
</span><span class="lines">@@ -79,11 +79,6 @@
</span><span class="cx"> return m_wrapped.get();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool JSWorkerGlobalScopeBase::allowsAccessFrom(const JSGlobalObject* object, ExecState* exec)
-{
- return JSGlobalObject::allowsAccessFrom(object, exec);
-}
-
</del><span class="cx"> bool JSWorkerGlobalScopeBase::supportsRichSourceInfo(const JSGlobalObject* object)
</span><span class="cx"> {
</span><span class="cx"> return JSGlobalObject::supportsRichSourceInfo(object);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSWorkerGlobalScopeBaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -53,7 +53,6 @@
</span><span class="cx">
</span><span class="cx"> static const JSC::GlobalObjectMethodTable s_globalObjectMethodTable;
</span><span class="cx">
</span><del>- static bool allowsAccessFrom(const JSC::JSGlobalObject*, JSC::ExecState*);
</del><span class="cx"> static bool supportsRichSourceInfo(const JSC::JSGlobalObject*);
</span><span class="cx"> static bool shouldInterruptScript(const JSC::JSGlobalObject*);
</span><span class="cx"> static bool shouldInterruptScriptBeforeTimeout(const JSC::JSGlobalObject*);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -1322,6 +1322,10 @@
</span><span class="cx"> # Custom defineOwnProperty function
</span><span class="cx"> push(@headerContent, " static bool defineOwnProperty(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, const JSC::PropertyDescriptor&, bool shouldThrow);\n") if $interface->extendedAttributes->{"JSCustomDefineOwnProperty"};
</span><span class="cx">
</span><ins>+ # Custom getPrototype / setPrototype functions.
+ push (@headerContent, " static JSC::JSValue getPrototype(JSC::JSObject*, JSC::ExecState*);\n") if $interface->extendedAttributes->{"CustomGetPrototype"};
+ push (@headerContent, " static bool setPrototype(JSC::JSObject*, JSC::ExecState*, JSC::JSValue, bool shouldThrowIfCantSet);\n") if $interface->extendedAttributes->{"CustomSetPrototype"};
+
</ins><span class="cx"> # Override toBoolean to return false for objects that want to 'MasqueradesAsUndefined'.
</span><span class="cx"> if ($interface->extendedAttributes->{"MasqueradesAsUndefined"}) {
</span><span class="cx"> $structureFlags{"JSC::MasqueradesAsUndefined"} = 1;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsIDLAttributestxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> CustomDeleteProperty
</span><span class="cx"> CustomEnumerateProperty
</span><span class="cx"> CustomGetOwnPropertySlot
</span><ins>+CustomGetPrototype
</ins><span class="cx"> CustomGetter
</span><span class="cx"> CustomIndexedSetter
</span><span class="cx"> CustomIsReachable
</span><span class="lines">@@ -49,6 +50,7 @@
</span><span class="cx"> CustomProxyToJSObject
</span><span class="cx"> CustomPutFunction
</span><span class="cx"> CustomReturn
</span><ins>+CustomSetPrototype
</ins><span class="cx"> CustomSetter
</span><span class="cx"> CustomToJSObject
</span><span class="cx"> Deletable
</span></span></pre></div>
<a id="trunkSourceWebCorepageDOMWindowidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/DOMWindow.idl (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/DOMWindow.idl 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/page/DOMWindow.idl 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -29,8 +29,10 @@
</span><span class="cx"> CustomDeleteProperty,
</span><span class="cx"> CustomEnumerateProperty,
</span><span class="cx"> CustomGetOwnPropertySlot,
</span><ins>+ CustomGetPrototype,
</ins><span class="cx"> CustomProxyToJSObject,
</span><span class="cx"> CustomPutFunction,
</span><ins>+ CustomSetPrototype,
</ins><span class="cx"> ExportMacro=WEBCORE_EXPORT,
</span><span class="cx"> ImplicitThis,
</span><span class="cx"> InterfaceName=Window,
</span></span></pre></div>
<a id="trunkSourceWebCorepageLocationidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Location.idl (205353 => 205354)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Location.idl 2016-09-02 18:01:51 UTC (rev 205353)
+++ trunk/Source/WebCore/page/Location.idl 2016-09-02 18:04:25 UTC (rev 205354)
</span><span class="lines">@@ -30,7 +30,9 @@
</span><span class="cx"> CheckSecurity,
</span><span class="cx"> CustomDeleteProperty,
</span><span class="cx"> CustomEnumerateProperty,
</span><ins>+ CustomGetPrototype,
</ins><span class="cx"> CustomNamedSetter,
</span><ins>+ CustomSetPrototype,
</ins><span class="cx"> GenerateIsReachable=ImplFrame,
</span><span class="cx"> JSCustomDefineOwnProperty,
</span><span class="cx"> JSCustomDefineOwnPropertyOnPrototype,
</span></span></pre>
</div>
</div>
</body>
</html>