Object.getOwnPropertyDescriptor() does not work correctly cross origin
https://bugs.webkit.org/show_bug.cgi?id=162311
Reviewed by Gavin Barraclough.
LayoutTests/imported/w3c:
Rebaseline W3C test now that more checks are passing.
- web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
Source/JavaScriptCore:
Add a CustomGetterSetter field to PropertySlot that gets populated
by getOwnPropertySlot() and use it in getOwnPropertyDescriptor()
to properly populate the descriptor. We used to rely on reifying
the properties and then calling getDirect() in order to get the
CustomGetterSetter. However, this hack was insufficient to support
the cross-origin case because we need to control more precisely
the visibility of the getter and the setter. For example, Location's
href property has both a getter and a setter in the same origin
case but only has a setter in the cross-origin case.
In the future, we can extend the use of PropertySlot's
customGetterSetter field to the same origin case and get rid of the
reification + getDirect() hack in getOwnPropertyDescriptor().
(JSC::JSObject::getOwnPropertyDescriptor):
- runtime/PropertySlot.cpp:
(JSC::PropertySlot::customAccessorGetter):
Source/WebCore:
Object.getOwnPropertyDescriptor() does not work correctly cross origin. In particular:
- We return value descriptors for attributes instead of getter/setter descriptors
- attributes / operations are wrongly marked as non-configurable
Corresponding specification:
Test: http/tests/security/cross-origin-descriptors.html
- bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
- bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::getOwnPropertySlotDelegate):
LayoutTests:
Add layout test coverage.
- http/tests/security/cross-origin-descriptors-expected.txt: Added.
- http/tests/security/cross-origin-descriptors.html: Added.
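The WebCore part of this change states the two defects in cross-origin descriptors: attributes came back as value descriptors instead of getter/setter descriptors, and attributes and operations were marked non-configurable, with Location's href exposing only a setter cross-origin. The following is an added example, not code from the WebKit commit or its layout test, that audits an object's descriptors against those rules the way a cross-origin descriptor test would. The expectation table for Location (setter-only `href`, `replace` as a data property holding a function) is an assumption taken from the HTML specification's cross-origin Location allowlist, and the two stand-in objects are constructed here because a plain JavaScript runtime has no cross-origin window to inspect; `makeFixedLocationStandIn` mirrors the corrected shape and `makeBuggyLocationStandIn` the pre-fix shape described above.

```javascript
// Added example, not WebKit code. Audits property descriptors against the
// cross-origin rules named in the commit: attributes must be accessor
// descriptors, only the permitted getter/setter half may be exposed, and
// every cross-origin property must be configurable.

// Expectation table (assumption based on the HTML spec's cross-origin
// allowlist for Location; not an exhaustive list): href is setter-only
// cross-origin, replace is an operation and so is a data property.
const LOCATION_CROSS_ORIGIN_EXPECTATIONS = {
  href: { kind: "accessor", get: false, set: true },
  replace: { kind: "data" },
};

// Returns a list of violations for one property's descriptor (empty if fine).
function checkCrossOriginDescriptor(name, desc, expected) {
  if (desc === undefined) {
    return [`${name}: getOwnPropertyDescriptor returned undefined`];
  }
  const problems = [];
  if (desc.configurable !== true) {
    problems.push(`${name}: wrongly marked non-configurable`);
  }
  // Object.getOwnPropertyDescriptor returns {get, set, ...} for accessor
  // properties and {value, writable, ...} for data properties.
  const isAccessor = "get" in desc || "set" in desc;
  if (expected.kind === "accessor") {
    if (!isAccessor) {
      problems.push(`${name}: value descriptor instead of getter/setter descriptor`);
      return problems;
    }
    const hasGetter = typeof desc.get === "function";
    const hasSetter = typeof desc.set === "function";
    if (hasGetter !== expected.get) {
      problems.push(`${name}: getter ${expected.get ? "missing" : "must not be exposed cross-origin"}`);
    }
    if (hasSetter !== expected.set) {
      problems.push(`${name}: setter ${expected.set ? "missing" : "must not be exposed cross-origin"}`);
    }
  } else if (isAccessor) {
    problems.push(`${name}: operation exposed as accessor instead of a value descriptor`);
  } else if (typeof desc.value !== "function") {
    problems.push(`${name}: operation value is not a function`);
  }
  return problems;
}

// Runs the check over every property in the expectation table.
function auditCrossOriginObject(obj, expectations) {
  const problems = [];
  for (const [name, expected] of Object.entries(expectations)) {
    const desc = Object.getOwnPropertyDescriptor(obj, name);
    problems.push(...checkCrossOriginDescriptor(name, desc, expected));
  }
  return problems;
}

// Constructed stand-in for a cross-origin Location with the corrected
// descriptor shape: setter-only accessor for href, configurable throughout.
function makeFixedLocationStandIn() {
  const loc = {};
  Object.defineProperty(loc, "href", {
    set(_value) { /* a real Location would navigate here */ },
    enumerable: true,
    configurable: true,
  });
  Object.defineProperty(loc, "replace", {
    value: function replace(_url) {},
    writable: false,
    enumerable: true,
    configurable: true,
  });
  return loc;
}

// Constructed stand-in mirroring the pre-fix behaviour the commit describes:
// href as a value descriptor, and both properties non-configurable.
function makeBuggyLocationStandIn() {
  const loc = {};
  Object.defineProperty(loc, "href", {
    value: "https://example.invalid/",
    writable: true,
    enumerable: true,
    configurable: false,
  });
  Object.defineProperty(loc, "replace", {
    value: function replace(_url) {},
    writable: false,
    enumerable: true,
    configurable: false,
  });
  return loc;
}

console.log("fixed:", auditCrossOriginObject(makeFixedLocationStandIn(), LOCATION_CROSS_ORIGIN_EXPECTATIONS));
console.log("buggy:", auditCrossOriginObject(makeBuggyLocationStandIn(), LOCATION_CROSS_ORIGIN_EXPECTATIONS));
```

Against a real browser the same audit would be run on a cross-origin `frame.contentWindow.location` in place of the stand-in objects; the check itself is independent of how the descriptors were produced.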