Make PostMessageToJavaScript use new WebKit API instead of script.

I added some JavaScript code to test_case.html that previously would have made PostMessage not function (which I verified). This depends on the following WebKit issue: https://bugs.webkit.org/show_bug.cgi?id=71478 BUG=82604 TEST=N/A Review URL: http://codereview.chromium.org/8437093 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@110513 0039d316-1c4b-4281-b951-d872f2087c98

Make PostMessageToJavaScript use new WebKit API instead of script.
I added some JavaScript code to test_case.html that previously would have made PostMessage not function (which I verified). This depends on the following WebKit issue: https://bugs.webkit.org/show_bug.cgi?id=71478 BUG=82604 TEST=N/A Review URL: http://codereview.chromium.org/8437093 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@110513 0039d316-1c4b-4281-b951-d872f2087c98
c4cc74ce · dmichael@chromium.org · b9c3e559 · c4cc74ce · c4cc74ce · c4cc74ce
Commit c4cc74ce authored Nov 17, 2011 by dmichael@chromium.org
3 changed files
--- a/ppapi/tests/test_case.html
+++ b/ppapi/tests/test_case.html
@@ -159,9 +159,31 @@ onload = function() {
    obj.setAttribute("protocol", window.location.protocol);
    var container = document.getElementById("container");
    container.addEventListener("message", handleTestingMessage, true);
+    // Register a bad dispatchEvent to make sure it isn't used. See 'EVIL' note
+    // below.
+    obj.dispatchEvent = function() {
+      LogHTML("<p>Bad dispatchEvent called!");
+    }
    container.appendChild(obj);
  }
 }
+// EVIL Note:
+// This part of the script does some nefarious things to make sure that it
+// doesn't affect the behavior of PostMessage (on which all the tests rely). In
+// particular, we replace document.createEvent, MessageEvent.initMessageEvent,
+// and the MessageEvent constructor. Previous versions of the PostMessage
+// implementation made use of these and would fail (http://crbug.com/82604).
+document.createEvent = function() {
+  LogHTML("<p>Bad document.createEvent called!");
+}
+function MessageEvent() {
+  LogHTML("<p>Bad MessageEvent constructor called!");
+}
+MessageEvent.prototype.initMessageEvent = function() {
+  LogHTML("<p>Bad MessageEvent.initMessageEvent called!");
+}
 </script>
 </head><body>
 <div>

--- a/webkit/plugins/ppapi/message_channel.cc
+++ b/webkit/plugins/ppapi/message_channel.cc
@@ -10,17 +10,26 @@
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
+#include "ppapi/shared_impl/var.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebBindings.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebDOMMessageEvent.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebElement.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebNode.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebPluginContainer.h"
-#include "ppapi/shared_impl/var.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebSerializedScriptValue.h"
+#include "v8/include/v8.h"
 #include "webkit/plugins/ppapi/npapi_glue.h"
 #include "webkit/plugins/ppapi/ppapi_plugin_instance.h"
 using ppapi::StringVar;
 using WebKit::WebBindings;
+using WebKit::WebElement;
+using WebKit::WebDOMEvent;
+using WebKit::WebDOMMessageEvent;
+using WebKit::WebPluginContainer;
+using WebKit::WebSerializedScriptValue;
 namespace webkit {
@@ -42,50 +51,46 @@ bool IdentifierIsPostMessage(NPIdentifier identifier) {
  return WebBindings::getStringIdentifier(kPostMessage) == identifier;
 }
-// Converts the given PP_Var to an NPVariant, returning true on success.
+// Converts the given PP_Var to a v8::Value, returning true on success.
-// False means that the given variant is invalid. In this case, the result
+// False means that the given variant is invalid. In this case, |result| will
-// NPVariant will be set to a void one.
+// be set to an empty handle.
-//
+bool PPVarToV8Value(PP_Var var, v8::Handle<v8::Value>* result) {
-// The contents of the PP_Var will NOT be copied, so you need to ensure that
-// the PP_Var remains valid while the resultant NPVariant is in use.
-//
-// Note:  This is largely copied from var.cc so that we don't depend on code
-//        which will be removed.  TODO(dmichael) remove this comment when var
-//        is removed.
-bool PPVarToNPVariantNoCopy(PP_Var var, NPVariant* result) {
  switch (var.type) {
    case PP_VARTYPE_UNDEFINED:
-      VOID_TO_NPVARIANT(*result);
+      *result = v8::Undefined();
      break;
    case PP_VARTYPE_NULL:
-      NULL_TO_NPVARIANT(*result);
+      *result = v8::Null();
      break;
    case PP_VARTYPE_BOOL:
-      BOOLEAN_TO_NPVARIANT(var.value.as_bool, *result);
+      *result = (var.value.as_bool == PP_TRUE) ? v8::True() : v8::False();
      break;
    case PP_VARTYPE_INT32:
-      INT32_TO_NPVARIANT(var.value.as_int, *result);
+      *result = v8::Integer::New(var.value.as_int);
      break;
    case PP_VARTYPE_DOUBLE:
-      DOUBLE_TO_NPVARIANT(var.value.as_double, *result);
+      *result = v8::Number::New(var.value.as_double);
      break;
    case PP_VARTYPE_STRING: {
      StringVar* string = StringVar::FromPPVar(var);
      if (!string) {
-        VOID_TO_NPVARIANT(*result);
+        result->Clear();
        return false;
      }
      const std::string& value = string->value();
-      STRINGN_TO_NPVARIANT(value.c_str(), value.size(), *result);
+      // TODO(dmichael): We should consider caching the V8 string in the host-
+      // side StringVar, so that we only have to convert/copy once if a
+      // string is sent more than once.
+      *result = v8::String::New(value.c_str(), value.size());
      break;
    }
    case PP_VARTYPE_OBJECT:
      // Objects are not currently supported.
      NOTIMPLEMENTED();
-      VOID_TO_NPVARIANT(*result);
+      result->Clear();
      return false;
    default:
-      VOID_TO_NPVARIANT(*result);
+      result->Clear();
      return false;
  }
  return true;
@@ -286,8 +291,6 @@ MessageChannel::MessageChannel(PluginInstance* instance)
      passthrough_object_(NULL),
      np_object_(NULL),
      ALLOW_THIS_IN_INITIALIZER_LIST(weak_ptr_factory_(this)) {
-  VOID_TO_NPVARIANT(onmessage_invoker_);
  // Now create an NPObject for receiving calls to postMessage. This sets the
  // reference count to 1.  We release it in the destructor.
  NPObject* obj = WebBindings::createObject(NULL, &message_channel_class);
@@ -296,93 +299,55 @@ MessageChannel::MessageChannel(PluginInstance* instance)
  np_object_->message_channel = this;
 }
-bool MessageChannel::EvaluateOnMessageInvoker() {
+void MessageChannel::PostMessageToJavaScript(PP_Var message_data) {
-  // If we've already evaluated the function, just return.
+  // Serialize the message data.
-  if (NPVARIANT_IS_OBJECT(onmessage_invoker_))
+  v8::HandleScope scope;
-    return true;
+  v8::Handle<v8::Value> v8_val;
+  if (!PPVarToV8Value(message_data, &v8_val)) {
-  // This is the javascript code that we invoke to create and dispatch a
+    NOTREACHED();
-  // message event.
+    return;
-  const char invoke_onmessage_js[] =
-      "(function(window, module_instance, message_data) {"
-      "  if (module_instance) {"
-      "    var message_event = new MessageEvent('message', "
-      "                                         { data: message_data });"
-      "    module_instance.dispatchEvent(message_event);"
-      "  }"
-      "})";
-  // Note that we purposely omit |origin| and |source|. The |origin| is only
-  // specified for cross-document and server-sent messages, while |source| is
-  // only specified for cross-document messages:
-  //  http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html
-  // This currently behaves like Web Workers. On Firefox, Chrome, and Safari
-  // at least, postMessage on Workers does not provide the origin or source.
-  // TODO(dmichael):  Add origin if we change to a more iframe-like origin
-  //                  policy (see crbug.com/81537)
-  NPString function_string = { invoke_onmessage_js,
-                               sizeof(invoke_onmessage_js)-1 };
-  // Get the current frame to pass to the evaluate function.
-  WebKit::WebFrame* frame =
-      instance_->container()->element().document().frame();
-  // Evaluate the function and obtain an NPVariant pointing to it.
-  if (!WebBindings::evaluate(NULL, frame->windowObject(), &function_string,
-                             &onmessage_invoker_)) {
-    // If it fails, do nothing.
-    return false;
  }
-  DCHECK(NPVARIANT_IS_OBJECT(onmessage_invoker_));
-  return true;
-}
-void MessageChannel::PostMessageToJavaScript(PP_Var message_data) {
+  WebSerializedScriptValue serialized_val =
-  // Make a copy of the message data for the Task we will run.
+      WebSerializedScriptValue::serialize(v8_val);
-  PP_Var var_copy(CopyPPVar(message_data));
  MessageLoop::current()->PostTask(
      FROM_HERE,
      base::Bind(&MessageChannel::PostMessageToJavaScriptImpl,
                 weak_ptr_factory_.GetWeakPtr(),
-                 var_copy));
+                 serialized_val));
 }
-void MessageChannel::PostMessageToJavaScriptImpl(PP_Var message_data) {
+void MessageChannel::PostMessageToJavaScriptImpl(
-  // Make sure we have our function for invoking onmessage on JavaScript.
+    const WebSerializedScriptValue& message_data) {
-  bool success = EvaluateOnMessageInvoker();
-  DCHECK(success);
-  if (!success)
-    return;
  DCHECK(instance_);
-  NPVariant result_var;
+  WebPluginContainer* container = instance_->container();
-  VOID_TO_NPVARIANT(result_var);
+  // It's possible that container() is NULL if the plugin has been removed from
-  NPVariant npvariant_args[3];
+  // the DOM (but the PluginInstance is not destroyed yet).
-  // Get the frame so we can get the window object.
+  if (!container)
-  WebKit::WebFrame* frame =
-      instance_->container()->element().document().frame();
-  if (!frame)
    return;
-  OBJECT_TO_NPVARIANT(frame->windowObject(), npvariant_args[0]);
+  WebDOMEvent event =
-  OBJECT_TO_NPVARIANT(instance_->container()->scriptableObjectForElement(),
+      container->element().document().createEvent("MessageEvent");
-                      npvariant_args[1]);
+  WebDOMMessageEvent msg_event = event.to<WebDOMMessageEvent>();
-  // Convert message to an NPVariant without copying. At this point, the data
+  msg_event.initMessageEvent("message",  // type
-  // has already been copied.
+                             false,  // canBubble
-  if (!PPVarToNPVariantNoCopy(message_data, &npvariant_args[2])) {
+                             false,  // cancelable
-    // We couldn't create an NPVariant, so we can't invoke the method.  Thus,
+                             message_data,  // data
-    // WebBindings::invokeDefault does not take ownership of these variants, so
+                             "",  // origin [*]
-    // we must release our references to them explicitly.
+                             NULL,  // source [*]
-    WebBindings::releaseVariantValue(&npvariant_args[0]);
+                             "");  // lastEventId
-    WebBindings::releaseVariantValue(&npvariant_args[1]);
+  // [*] Note that the |origin| is only specified for cross-document and server-
-    return;
+  //     sent messages, while |source| is only specified for cross-document
-  }
+  //     messages:
+  //      http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html
-  WebBindings::invokeDefault(NULL,
+  //     This currently behaves like Web Workers. On Firefox, Chrome, and Safari
-                             NPVARIANT_TO_OBJECT(onmessage_invoker_),
+  //     at least, postMessage on Workers does not provide the origin or source.
-                             npvariant_args,
+  //     TODO(dmichael):  Add origin if we change to a more iframe-like origin
-                             sizeof(npvariant_args)/sizeof(*npvariant_args),
+  //                      policy (see crbug.com/81537)
-                             &result_var);
+  container->element().dispatchEvent(msg_event);
 }
 void MessageChannel::PostMessageToNative(PP_Var message_data) {
@@ -403,7 +368,6 @@ MessageChannel::~MessageChannel() {
  WebBindings::releaseObject(np_object_);
  if (passthrough_object_)
    WebBindings::releaseObject(passthrough_object_);
-  WebBindings::releaseVariantValue(&onmessage_invoker_);
 }
 void MessageChannel::SetPassthroughObject(NPObject* passthrough) {

--- a/webkit/plugins/ppapi/message_channel.h
+++ b/webkit/plugins/ppapi/message_channel.h
@@ -10,6 +10,9 @@
 #include "third_party/npapi/bindings/npruntime.h"
 struct PP_Var;
+namespace WebKit {
+class WebSerializedScriptValue;
+}
 namespace webkit {
 namespace ppapi {
@@ -80,18 +83,10 @@ class MessageChannel {
  // The NPObject we use to expose postMessage to JavaScript.
  MessageChannelNPObject* np_object_;
-  // An NPVariant referring to the JavaScript function we use to send a message
-  // to a JavaScript target.
-  NPVariant onmessage_invoker_;
-  // Evaluates the JavaScript code for onmessage_invoker_ and makes
-  // it a callable NPVariant for that function.  Returns true on success, false
-  // otherwise.
-  bool EvaluateOnMessageInvoker();
  // Post a message to the onmessage handler for this channel's instance
  // synchronously.  This is used by PostMessageToJavaScript.
-  void PostMessageToJavaScriptImpl(PP_Var message_data);
+  void PostMessageToJavaScriptImpl(
+      const WebKit::WebSerializedScriptValue& message_data);
  // Post a message to the PPP_Instance HandleMessage function for this
  // channel's instance.  This is used by PostMessageToNative.
  void PostMessageToNativeImpl(PP_Var message_data);