Added security check for cross origin

This CL adds a security check for cross origin with BindingSecurity::ShouldAllowAccessToCreationContext(). |js_event|, a V8 wrapper object for event object, must be created in the relevant realm of the event target, but it is possible that listener's relevant context cannnot access the relevant realm of event target (ex. when Document.origin is changed). We have to check this before invoking event listener. Bug: 872138, 884516 Change-Id: Ic5d0c8e6cda4db57a2097ce230e75cc59905b350 Reviewed-on: https://chromium-review.googlesource.com/c/1270300 Commit-Queue: Yuki Yamada <yukiy@google.com> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Hitoshi Yoshida <peria@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#599154}

Added security check for cross origin
This CL adds a security check for cross origin with BindingSecurity::ShouldAllowAccessToCreationContext(). |js_event|, a V8 wrapper object for event object, must be created in the relevant realm of the event target, but it is possible that listener's relevant context cannnot access the relevant realm of event target (ex. when Document.origin is changed). We have to check this before invoking event listener. Bug: 872138, 884516 Change-Id: Ic5d0c8e6cda4db57a2097ce230e75cc59905b350 Reviewed-on: https://chromium-review.googlesource.com/c/1270300 Commit-Queue: Yuki Yamada <yukiy@google.com> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Hitoshi Yoshida <peria@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/master@{#599154}
1d2509fc · Yuki Yamada · Commit Bot · fe100b29 · 1d2509fc
Commit 1d2509fc authored Oct 12, 2018 by Yuki Yamada Committed by Commit Bot Oct 12, 2018
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc ...link/renderer/bindings/core/v8/js_based_event_listener.cc +17 -0

No files found.
--- a/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
+++ b/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
@@ -4,6 +4,7 @@
 #include "third_party/blink/renderer/bindings/core/v8/js_based_event_listener.h"
+#include "third_party/blink/renderer/bindings/core/v8/binding_security.h"
 #include "third_party/blink/renderer/bindings/core/v8/source_location.h"
 #include "third_party/blink/renderer/bindings/core/v8/v8_binding_for_core.h"
 #include "third_party/blink/renderer/core/dom/document.h"
@@ -105,6 +106,22 @@ void JSBasedEventListener::handleEvent(
      ToV8Context(execution_context_of_event_target, GetWorld());
  if (v8_context_of_event_target.IsEmpty())
    return;
+  if (v8_context_of_event_target != script_state_of_listener->GetContext()) {
+    // Catch exceptions thrown in the event listener if any and report them to
+    // DevTools console.
+    v8::TryCatch try_catch(isolate);
+    try_catch.SetVerbose(true);
+    // Check if the current context, which is set to the listener's relevant
+    // context by creating |listener_script_state_scope|, has access to the
+    // event target's relevant context before creating |js_event|. SecurityError
+    // is thrown if it doesn't have access.
+    if (!BindingSecurity::ShouldAllowAccessToCreationContext(
+            v8_context_of_event_target, event->GetWrapperTypeInfo()))
+      return;
+  }
  v8::Local<v8::Value> js_event =
      ToV8(event, v8_context_of_event_target->Global(), isolate);
  if (js_event.IsEmpty())