v8binding: Disallow cross-origin named access on Window

We've been allowing cross-origin named access on Window just
in order to keep the backward compatibility for a while.
This patch finally fixes it and ignores cross-origin window
name when performing named access on Window.

Basically, this is a revert of
https://codereview.chromium.org/2753773003

Bug: 538562
Change-Id: I3856bb5c655a9415c2d0b87d1ec4b3743b94d076
Reviewed-on: https://chromium-review.googlesource.com/c/1314021Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606373}

third_party/WebKit/LayoutTests/http/tests/security/document-all-expected.txt

-ALERT: true
+CONSOLE ERROR: line 11: Uncaught SecurityError: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
 

third_party/WebKit/LayoutTests/http/tests/security/window-named-proto-expected.txt

-CONSOLE ERROR: line 3: Uncaught TypeError: Cannot read property 'innerHTML' of null
+CONSOLE ERROR: line 9: Uncaught SecurityError: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
 

third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt

-CONSOLE MESSAGE: line 6: FAIL
-CONSOLE MESSAGE: line 7: compatible with old versions = true
+CONSOLE MESSAGE: line 9: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
 

third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator-expected.txt

 CONSOLE MESSAGE: line 6: iframe1: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
-CONSOLE MESSAGE: line 12: FAIL
-CONSOLE MESSAGE: line 4: FAIL
+CONSOLE MESSAGE: line 14: iframe1: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
+CONSOLE MESSAGE: line 6: iframe2: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
  

third_party/blink/renderer/bindings/core/v8/custom/v8_window_custom.cc

@@ -235,13 +235,16 @@ void V8Window::namedPropertyGetterCustom(
         CurrentExecutionContext(info.GetIsolate()),
         WebFeature::
             kNamedAccessOnWindow_ChildBrowsingContext_CrossOriginNameMismatch);
-    // In addition to the above spec'ed case, we return the child window
-    // regardless of step 3 due to crbug.com/701489 for the time being.
-    // TODO(yukishiino): Makes iframe.name update the browsing context name
-    // appropriately and makes the new name available in the named access on
-    // window.  Then, removes the following two lines.
-    V8SetReturnValueFast(info, child->DomWindow(), window);
-    return;
+    if (!RuntimeEnabledFeatures::
+            IgnoreCrossOriginWindowWhenNamedAccessOnWindowEnabled()) {
+      // In addition to the above spec'ed case, we return the child window
+      // regardless of step 3 due to crbug.com/701489 for the time being.
+      // TODO(yukishiino): Makes iframe.name update the browsing context name
+      // appropriately and makes the new name available in the named access on
+      // window.  Then, removes the following two lines.
+      V8SetReturnValueFast(info, child->DomWindow(), window);
+      return;
+    }
   }
 
   // This is a cross-origin interceptor. Check that the caller has access to the

third_party/blink/renderer/platform/runtime_enabled_features.json5

@@ -587,6 +587,10 @@
       name: "IdleTimeColdModeSpellChecking",
       status: "stable",
     },
+    {
+      name: "IgnoreCrossOriginWindowWhenNamedAccessOnWindow",
+      status: "experimental",
+    },
     {
       name: "ImageOrientation",
       status: "test",