Blink-in-JS should not run micro tasks
If Blink-in-JS runs micro tasks, there's a risk of causing a UXSS bug
(see 645211 for concrete steps).
This CL makes Blink-in-JS use callInternalFunction (instead of callFunction)
to avoid running micro tasks after Blink-in-JS' callbacks.
BUG=645211
Review-Url: https://codereview.chromium.org/2330843002
Cr-Commit-Position: refs/heads/master@{#417874}
diff --git a/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp b/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
index 00fc8be..f4358df 100644
--- a/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
@@ -200,7 +200,7 @@
if (classObject->Get(scriptState->context(), v8String(isolate, "initialize")).ToLocal(&initializeFunction) && initializeFunction->IsFunction()) {
v8::TryCatch block(isolate);
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(initializeFunction), scriptState->getExecutionContext(), holder, 0, 0, isolate).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(initializeFunction), holder, 0, 0, isolate).ToLocal(&result)) {
fprintf(stderr, "Private script error: Object constructor threw an exception.\n");
dumpV8Message(context, block.Message());
RELEASE_NOTREACHED();
@@ -305,7 +305,7 @@
initializeHolderIfNeeded(scriptState, classObject, holder);
v8::TryCatch block(isolate);
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(getter), scriptState->getExecutionContext(), holder, 0, 0, isolate).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(getter), holder, 0, 0, isolate).ToLocal(&result)) {
rethrowExceptionInPrivateScript(isolate, block, scriptStateInUserScript, ExceptionState::GetterContext, attributeName, className);
block.ReThrow();
return v8::Local<v8::Value>();
@@ -331,7 +331,7 @@
v8::Local<v8::Value> argv[] = { v8Value };
v8::TryCatch block(isolate);
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(setter), scriptState->getExecutionContext(), holder, WTF_ARRAY_LENGTH(argv), argv, isolate).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(setter), holder, WTF_ARRAY_LENGTH(argv), argv, isolate).ToLocal(&result)) {
rethrowExceptionInPrivateScript(isolate, block, scriptStateInUserScript, ExceptionState::SetterContext, attributeName, className);
block.ReThrow();
return false;
@@ -350,7 +350,7 @@
initializeHolderIfNeeded(scriptState, classObject, holder);
v8::TryCatch block(scriptState->isolate());
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(method), scriptState->getExecutionContext(), holder, argc, argv, scriptState->isolate()).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(method), holder, argc, argv, scriptState->isolate()).ToLocal(&result)) {
rethrowExceptionInPrivateScript(scriptState->isolate(), block, scriptStateInUserScript, ExceptionState::ExecutionContext, methodName, className);
block.ReThrow();
return v8::Local<v8::Value>();
