v8binding: Run content attributes injected by Extensions in the main world

Run script in content attributes that are injected by Chrome
extensions (content scripts) in the main world in order to keep
backward compatibility.

Change-Id: Ie50d62e4a19c050dd2187638b383680bde492e2a
Bug: 912069
Reviewed-on: https://chromium-review.googlesource.com/c/1373283
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#615860}

third_party/blink/renderer/bindings/core/v8/script_event_listener.cc

@@ -56,7 +56,6 @@ EventListener* CreateAttributeEventListener(Node* node,
   String source_url;
 
   v8::Isolate* isolate = node->GetDocument().GetIsolate();
-  v8::HandleScope scope(isolate);
 
   if (LocalFrame* frame = node->GetDocument().GetFrame()) {
     ScriptController& script_controller = frame->GetScriptController();
@@ -66,16 +65,15 @@ EventListener* CreateAttributeEventListener(Node* node,
     source_url = node->GetDocument().Url().GetString();
   }
 
-  // |v8_context| can be an empty handle when this listener is added as content
-  // attribute like <hoge onclick="fuga"></hoge> because there is no JS context
-  // when parsing HTML. In that case we should assume the main world.
-  v8::Local<v8::Context> v8_context = isolate->GetCurrentContext();
+  // An assumption here is that the content attributes are used only in the main
+  // world or the isolated world for the content scripts, they are never used in
+  // other isolated worlds nor worker/worklets.
+  // In case of the content scripts, Blink runs script in the main world instead
+  // of the isolated world for the content script by design.
+  DOMWrapperWorld& world = DOMWrapperWorld::MainWorld();
 
   return JSEventHandlerForContentAttribute::Create(
-      name.LocalName(), value, source_url, position, isolate,
-      v8_context.IsEmpty() ? DOMWrapperWorld::MainWorld()
-                           : ScriptState::From(v8_context)->World(),
-      type);
+      name.LocalName(), value, source_url, position, isolate, world, type);
 }
 
 EventListener* CreateAttributeEventListener(LocalFrame* frame,
@@ -95,18 +93,16 @@ EventListener* CreateAttributeEventListener(LocalFrame* frame,
   String source_url = frame->GetDocument()->Url().GetString();
 
   v8::Isolate* isolate = ToIsolate(frame);
-  v8::HandleScope scope(isolate);
 
-  // |v8_context| can be an empty handle when this listener is added as content
-  // attribute like <hoge onclick="fuga"></hoge> because there is no JS context
-  // when parsing HTML. In that case we should assume the main world.
-  v8::Local<v8::Context> v8_context = isolate->GetCurrentContext();
+  // An assumption here is that the content attributes are used only in the main
+  // world or the isolated world for the content scripts, they are never used in
+  // other isolated worlds nor worker/worklets.
+  // In case of the content scripts, Blink runs script in the main world instead
+  // of the isolated world for the content script by design.
+  DOMWrapperWorld& world = DOMWrapperWorld::MainWorld();
 
   return JSEventHandlerForContentAttribute::Create(
-      name.LocalName(), value, source_url, position, isolate,
-      v8_context.IsEmpty() ? DOMWrapperWorld::MainWorld()
-                           : ScriptState::From(v8_context)->World(),
-      type);
+      name.LocalName(), value, source_url, position, isolate, world, type);
 }
 
 }  // namespace blink

third_party/blink/web_tests/http/tests/security/isolatedWorld/no-bypass-main-world-csp-for-delayed-execution-expected.txt

@@ -2,6 +2,8 @@ ALERT: PASS: Case 3 was not blocked by a CSP.
 CONSOLE MESSAGE: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS: Case 2 was blocked by a CSP.
+CONSOLE ERROR: line 46: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
+
 ALERT: PASS: Case 1 was not evaluated in main world.
-ALERT: PASS: Case 1 was evaluated in isolated world.
+ALERT: undefined
 Test a script that bypasses the main world's CSP to see if its *content* bypasses the main world as well (it should not).

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/no-bypass-main-world-csp-for-delayed-execution.js

@@ -40,8 +40,8 @@ function test(message) {
             if (message != "done") {
                 testRunner.setIsolatedWorldContentSecurityPolicy(1, permissiveCSP);
                 document.clickMessage = "PASS: Case " + tests + " was not evaluated in main world.";
-                // The listener defined inline by injectButtonWithInlineClickHandler should be evaluated in isolated world.
-                testRunner.evaluateScriptInIsolatedWorld(1, String(injectButtonWithInlineClickHandler) + "\ninjectButtonWithInlineClickHandler('document.clickMessage =\"PASS: Case " + tests + " was evaluated in isolated world.\"');");
+                // The listener defined inline by injectButtonWithInlineClickHandler should be evaluated in the main world instead of an isolated world.
+                testRunner.evaluateScriptInIsolatedWorld(1, String(injectButtonWithInlineClickHandler) + "\ninjectButtonWithInlineClickHandler('document.clickMessage =\"FAIL: Case " + tests + " was evaluated in isolated world.\"');");
             } else {
                 document.getElementById("button").click();
                 alert(document.clickMessage);