v8binding: Disallow cross-origin named access on Window

We've been allowing cross-origin named access on Window just
in order to keep the backward compatibility for a while.
This patch finally fixes it and ignores cross-origin window
name when performing named access on Window.

Basically, this is a revert of
https://codereview.chromium.org/2753773003

Bug: 538562
Change-Id: I3856bb5c655a9415c2d0b87d1ec4b3743b94d076
Reviewed-on: https://chromium-review.googlesource.com/c/1314021Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606373}

third_party/WebKit/LayoutTests/http/tests/security/document-all-expected.txt

-ALERT: true
+CONSOLE ERROR: line 11: Uncaught SecurityError: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
 

third_party/WebKit/LayoutTests/http/tests/security/window-named-proto-expected.txt

-CONSOLE ERROR: line 3: Uncaught TypeError: Cannot read property 'innerHTML' of null
+CONSOLE ERROR: line 9: Uncaught SecurityError: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
 

third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt

-CONSOLE MESSAGE: line 6: FAIL
-CONSOLE MESSAGE: line 7: compatible with old versions = true
+CONSOLE MESSAGE: line 9: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
 

third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator-expected.txt

 CONSOLE MESSAGE: line 6: iframe1: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
-CONSOLE MESSAGE: line 12: FAIL
-CONSOLE MESSAGE: line 4: FAIL
+CONSOLE MESSAGE: line 14: iframe1: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
+CONSOLE MESSAGE: line 6: iframe2: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame.
  

third_party/blink/renderer/bindings/core/v8/custom/v8_window_custom.cc

@@ -235,6 +235,8 @@ void V8Window::namedPropertyGetterCustom(
         CurrentExecutionContext(info.GetIsolate()),
         WebFeature::
             kNamedAccessOnWindow_ChildBrowsingContext_CrossOriginNameMismatch);
+    if (!RuntimeEnabledFeatures::
+            IgnoreCrossOriginWindowWhenNamedAccessOnWindowEnabled()) {
       // In addition to the above spec'ed case, we return the child window
       // regardless of step 3 due to crbug.com/701489 for the time being.
       // TODO(yukishiino): Makes iframe.name update the browsing context name
@@ -243,6 +245,7 @@ void V8Window::namedPropertyGetterCustom(
       V8SetReturnValueFast(info, child->DomWindow(), window);
       return;
     }
+  }
 
   // This is a cross-origin interceptor. Check that the caller has access to the
   // named results.

third_party/blink/renderer/platform/runtime_enabled_features.json5

@@ -587,6 +587,10 @@
       name: "IdleTimeColdModeSpellChecking",
       status: "stable",
     },
+    {
+      name: "IgnoreCrossOriginWindowWhenNamedAccessOnWindow",
+      status: "experimental",
+    },
     {
       name: "ImageOrientation",
       status: "test",