1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_DOM_WINDOW_H_
#define THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_DOM_WINDOW_H_
#include "mojo/public/cpp/bindings/remote.h"
#include "services/network/public/mojom/cross_origin_opener_policy.mojom-blink.h"
#include "third_party/blink/public/common/tokens/tokens.h"
#include "third_party/blink/renderer/bindings/core/v8/serialization/transferables.h"
#include "third_party/blink/renderer/core/core_export.h"
#include "third_party/blink/renderer/core/dom/events/event_target.h"
#include "third_party/blink/renderer/core/frame/frame.h"
#include "third_party/blink/renderer/platform/heap/handle.h"
#include "third_party/blink/renderer/platform/wtf/assertions.h"
#include "third_party/blink/renderer/platform/wtf/forward.h"
#include "third_party/blink/renderer/platform/wtf/vector.h"
namespace blink {
class InputDeviceCapabilitiesConstants;
class LocalDOMWindow;
class Location;
class MessageEvent;
class ScriptValue;
class SecurityOrigin;
class SerializedScriptValue;
class WindowPostMessageOptions;
class WindowProxyManager;
// DOMWindow is an abstract class of Window interface implementations.
// We have two derived implementation classes; LocalDOMWindow and
// RemoteDOMWindow.
//
// TODO(tkent): Rename DOMWindow to Window. The class was named as 'DOMWindow'
// because WebKit already had KJS::Window. We have no reasons to avoid
// blink::Window now.
class CORE_EXPORT DOMWindow : public EventTargetWithInlineData {
DEFINE_WRAPPERTYPEINFO();
public:
enum class CrossDocumentAccessPolicy { kAllowed, kDisallowed };
~DOMWindow() override;
Frame* GetFrame() const {
// A Frame is typically reused for navigations. If |frame_| is not null,
// two conditions must always be true:
// - |frame_->domWindow()| must point back to this DOMWindow. If it does
// not, it is easy to introduce a bug where script execution uses the
// wrong DOMWindow (which may be cross-origin).
// - |frame_| must be attached, i.e. |frame_->page()| must not be null.
// If |frame_->page()| is null, this indicates a bug where the frame was
// detached but |frame_| was not set to null. This bug can lead to
// issues where executing script incorrectly schedules work on a detached
// frame.
SECURITY_DCHECK(!frame_ ||
(frame_->DomWindow() == this && frame_->GetPage()));
return frame_;
}
// GarbageCollected overrides:
void Trace(Visitor*) const override;
virtual bool IsLocalDOMWindow() const = 0;
virtual bool IsRemoteDOMWindow() const = 0;
// ScriptWrappable overrides:
v8::Local<v8::Value> Wrap(v8::Isolate*,
v8::Local<v8::Object> creation_context) final;
v8::MaybeLocal<v8::Value> WrapV2(ScriptState*) final;
v8::Local<v8::Object> AssociateWithWrapper(
v8::Isolate*,
const WrapperTypeInfo*,
v8::Local<v8::Object> wrapper) final;
// EventTarget overrides:
const AtomicString& InterfaceName() const override;
const DOMWindow* ToDOMWindow() const override;
bool IsWindowOrWorkerGlobalScope() const final;
// Cross-origin DOM Level 0
Location* location() const;
bool closed() const;
unsigned length() const;
// Self-referential attributes
DOMWindow* self() const;
DOMWindow* window() const { return self(); }
DOMWindow* frames() const { return self(); }
DOMWindow* opener() const;
DOMWindow* parent() const;
DOMWindow* top() const;
void focus(v8::Isolate*);
virtual void blur() = 0;
void close(v8::Isolate*);
void Close(LocalDOMWindow* incumbent_window);
void postMessage(v8::Isolate*,
const ScriptValue& message,
const String& target_origin,
HeapVector<ScriptValue>& transfer,
ExceptionState&);
void postMessage(v8::Isolate*,
const ScriptValue& message,
const WindowPostMessageOptions* options,
ExceptionState&);
// Indexed properties
DOMWindow* AnonymousIndexedGetter(uint32_t index);
String SanitizedCrossDomainAccessErrorMessage(
const LocalDOMWindow* accessing_window,
CrossDocumentAccessPolicy cross_document_access) const;
String CrossDomainAccessErrorMessage(
const LocalDOMWindow* accessing_window,
CrossDocumentAccessPolicy cross_document_access) const;
// FIXME: When this DOMWindow is no longer the active DOMWindow (i.e.,
// when its document is no longer the document that is displayed in its
// frame), we would like to zero out |frame_| to avoid being confused
// by the document that is currently active in |frame_|.
// See https://bugs.webkit.org/show_bug.cgi?id=62054
bool IsCurrentlyDisplayedInFrame() const;
InputDeviceCapabilitiesConstants* GetInputDeviceCapabilities();
void PostMessageForTesting(scoped_refptr<SerializedScriptValue> message,
const MessagePortArray&,
const String& target_origin,
LocalDOMWindow* source,
ExceptionState&);
// Cross-Origin-Opener-Policy (COOP):
// Check accesses from |accessing_frame| and every same-origin iframe toward
// this window. A report is sent to |reporter| when this happens.
void InstallCoopAccessMonitor(
network::mojom::blink::CoopAccessReportType report_type,
LocalFrame* accessing_frame,
mojo::PendingRemote<
network::mojom::blink::CrossOriginOpenerPolicyReporter> reporter,
bool endpoint_defined,
const WTF::String& reported_window_url);
// Whenever we detect that the enforcement of a report-only COOP policy would
// have resulted in preventing access to this window, a report is potentially
// sent when calling this function.
//
// This function must be called when accessing any attributes and methods
// marked as "CrossOrigin" in the window.idl.
void ReportCoopAccess(const char* property_name);
protected:
explicit DOMWindow(Frame&);
virtual void SchedulePostMessage(MessageEvent*,
scoped_refptr<const SecurityOrigin> target,
LocalDOMWindow* source) = 0;
void DisconnectFromFrame() { frame_ = nullptr; }
private:
void DoPostMessage(scoped_refptr<SerializedScriptValue> message,
const MessagePortArray&,
const WindowPostMessageOptions* options,
LocalDOMWindow* source,
ExceptionState&);
// Removed the CoopAccessMonitor with the given |accessing_main_frame| from
// the |coop_access_monitor| list. This is called when the COOP reporter is
// gone or a more recent CoopAccessMonitor is being added.
void DisconnectCoopAccessMonitor(const LocalFrameToken& accessing_main_frame);
Member<Frame> frame_;
// Unlike |frame_|, |window_proxy_manager_| is available even after the
// window's frame gets detached from the DOM, until the end of the lifetime
// of this object.
const Member<WindowProxyManager> window_proxy_manager_;
Member<InputDeviceCapabilitiesConstants> input_capabilities_;
mutable Member<Location> location_;
// Set to true when close() has been called. Needed for
// |window.closed| determinism; having it return 'true'
// only after the layout widget's deferred window close
// operation has been performed, exposes (confusing)
// implementation details to scripts.
bool window_is_closing_;
// Cross-Origin-Opener-Policy (COOP):
// Check accesses made toward this window from |accessing_main_frame|. If this
// happens a report will sent to |reporter|.
struct CoopAccessMonitor {
network::mojom::blink::CoopAccessReportType report_type;
blink::LocalFrameToken accessing_main_frame;
mojo::Remote<network::mojom::blink::CrossOriginOpenerPolicyReporter>
reporter;
bool endpoint_defined;
WTF::String reported_window_url;
};
WTF::Vector<CoopAccessMonitor> coop_access_monitor_;
};
} // namespace blink
#endif // THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_DOM_WINDOW_H_
|
