| blob | dc8da122974c8161dfe9df660a42d404e6526476 |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 sw=2 et tw=78: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
18 static bool
20 {
21 // If we're same-origin with the child, go ahead and expose it.
26 }
28 // If we're not same-origin, expose it _only_ if the name of the browsing
29 // context matches the 'name' attribute of the frame element in the parent.
30 // The motivations behind this heuristic are worth explaining here.
31 //
32 // Historically, all UAs supported global named access to any child browsing
33 // context (that is to say, window.dolske returns a child frame where either
34 // the "name" attribute on the frame element was set to "dolske", or where
35 // the child explicitly set window.name = "dolske").
36 //
37 // This is problematic because it allows possibly-malicious and unrelated
38 // cross-origin subframes to pollute the global namespace of their parent in
39 // unpredictable ways (see bug 860494). This is also problematic for browser
40 // engines like Servo that want to run cross-origin script on different
41 // threads.
42 //
43 // The naive solution here would be to filter out any cross-origin subframes
44 // obtained when doing named lookup in global scope. But that is unlikely to
45 // be web-compatible, since it will break named access for consumers that do
46 // <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
47 // expect to be able to access the cross-origin subframe via named lookup on
48 // the global.
49 //
50 // The optimal behavior would be to do the following:
51 // (a) Look for any child browsing context with name="dolske".
52 // (b) If the result is cross-origin, null it out.
53 // (c) If we have null, look for a frame element whose 'name' attribute is
54 // "dolske".
55 //
56 // Unfortunately, (c) would require some engineering effort to be performant
57 // in Gecko, and probably in other UAs as well. So we go with a simpler
58 // approximation of the above. This approximation will only break sites that
59 // rely on their cross-origin subframes setting window.name to a known value,
60 // which is unlikely to be very common. And while it does introduce a
61 // dependency on cross-origin state when doing global lookups, it doesn't
62 // allow the child to arbitrarily pollute the parent namespace, and requires
63 // cross-origin communication only in a limited set of cases that can be
64 // computed independently by the parent.
70 }
74 {
78 }
83 }
85 bool
91 const
92 {
94 // Nothing to do if we're resolving a non-string property.
96 }
101 }
103 nsAutoJSString str;
106 }
108 // Grab the DOM window.
113 // We found a subframe of the right name. Shadowing via |var foo| in
114 // global scope is still allowed, since |var| only looks up |own|
115 // properties. But unqualified shadowing will fail, per-spec.
119 }
124 }
125 }
127 // The rest of this function is for HTML documents only.
131 }
139 }
144 }
150 }
155 }
160 }
162 bool
167 {
168 ErrorResult rv;
172 }
174 bool
179 {
180 // Grab the DOM window.
184 // Filter out the ones we wouldn't expose from getOwnPropertyDescriptor.
185 // We iterate backwards so we can remove things from the list easily.
191 }
192 }
195 }
201 }
208 }
211 }
213 bool
217 {
220 }
222 // static
223 void
226 {
230 }
232 // Note: since the scope polluter proxy lives on the window's prototype
233 // chain, it needs a singleton type to avoid polluting type information
234 // for properties on the window.
241 options);
244 }
246 // And then set the prototype of the interface prototype object to be the
247 // global scope polluter.
249 }