Take IsolatedCopy() before registering isolated world's SecurityOrigin

XMLHttpRequest's responseXML's SecurityOrigin is aliased with
its ExecutionContext, i.e. either with Document or an isolated world,
in XMLHttpRequest::InitResponseDocument().

This CL is a preparation for making
SecurityContext::GetSecurityOrigin() and
XMLHttpRequest::GetSecurityOrigin() return const SecurityOrigin*
in [1], while preserving the aliasing behavior in XHR.

[1] https://chromium-review.googlesource.com/744586

This CL
- Introduces XMLHttpRequest::GetMutableSecurityOrigin(),
- Uses ExecutionContext::GetMutableSecurityOrigin() for
  aliasing with another Document and
- Uses the registered SecurityOrigin of an isolated world
  in DOMWrapperWorld for aliasing with the isolated world.

This CL Takes IsolatedCopy() before
DOMWrapperWorld::SetIsolatedWorldSecurityOrigin() in
WebLocalFrameImpl::SetIsolatedWorldSecurityOrigin(),
to make SecurityOrigin inside its argument (WebSecurityOrigin) const.
This IsolatedCopy() doesn't cause semantic changes, because
the callers of SetIsolatedWorldSecurityOrigin() never
pass an aliased WebSecurityOrigin.

Bug: 779730
Change-Id: I503c0623f15e37cba010a0c7f0b72e2b44f5af08
Reviewed-on: https://chromium-review.googlesource.com/752006
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521260}

third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp

@@ -663,8 +663,8 @@ void WebLocalFrameImpl::SetIsolatedWorldSecurityOrigin(
     int world_id,
     const WebSecurityOrigin& security_origin) {
   DCHECK(GetFrame());
-  DOMWrapperWorld::SetIsolatedWorldSecurityOrigin(world_id,
-                                                  security_origin.Get());
+  DOMWrapperWorld::SetIsolatedWorldSecurityOrigin(
+      world_id, security_origin.Get()->IsolatedCopy());
 }
 
 void WebLocalFrameImpl::SetIsolatedWorldContentSecurityPolicy(

third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp

@@ -328,6 +328,12 @@ SecurityOrigin* XMLHttpRequest::GetSecurityOrigin() const {
              : GetExecutionContext()->GetSecurityOrigin();
 }
 
+SecurityOrigin* XMLHttpRequest::GetMutableSecurityOrigin() {
+  return isolated_world_security_origin_
+             ? isolated_world_security_origin_.get()
+             : GetExecutionContext()->GetMutableSecurityOrigin();
+}
+
 XMLHttpRequest::State XMLHttpRequest::readyState() const {
   return state_;
 }
@@ -376,7 +382,7 @@ void XMLHttpRequest::InitResponseDocument() {
     response_document_ = XMLDocument::Create(init);
 
   // FIXME: Set Last-Modified.
-  response_document_->SetSecurityOrigin(GetSecurityOrigin());
+  response_document_->SetSecurityOrigin(GetMutableSecurityOrigin());
   response_document_->SetContextFeatures(GetDocument()->GetContextFeatures());
   response_document_->SetMimeType(FinalResponseMIMETypeWithFallback());
 }

third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h

@@ -181,6 +181,7 @@ class XMLHttpRequest final : public XMLHttpRequestEventTarget,
   // created in an isolated world. Otherwise, returns the SecurityOrigin of the
   // execution context.
   SecurityOrigin* GetSecurityOrigin() const;
+  SecurityOrigin* GetMutableSecurityOrigin();
 
   void DidSendData(unsigned long long bytes_sent,
                    unsigned long long total_bytes_to_be_sent) override;

third_party/WebKit/public/web/WebLocalFrame.h

@@ -370,6 +370,10 @@ class WebLocalFrame : public WebFrame {
   // Associates an isolated world (see above for description) with a security
   // origin. XMLHttpRequest instances used in that world will be considered
   // to come from that origin, not the frame's.
+  //
+  // Currently the origin shouldn't be aliased, because IsolatedCopy() is
+  // taken before associating it to an isolated world and aliased relationship,
+  // if any, is broken. crbug.com/779730
   virtual void SetIsolatedWorldSecurityOrigin(int world_id,
                                               const WebSecurityOrigin&) = 0;