blob: 9c935c8db06c16873265c28513155a71ce9bec47 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "mojo/public/cpp/bindings/remote.h"
#include "services/network/public/mojom/cross_origin_opener_policy.mojom-blink.h"
#include "third_party/blink/public/common/tokens/tokens.h"
#include "third_party/blink/renderer/bindings/core/v8/serialization/transferables.h"
#include "third_party/blink/renderer/core/core_export.h"
#include "third_party/blink/renderer/core/dom/events/event_target.h"
#include "third_party/blink/renderer/core/frame/frame.h"
#include "third_party/blink/renderer/platform/heap/handle.h"
#include "third_party/blink/renderer/platform/wtf/assertions.h"
#include "third_party/blink/renderer/platform/wtf/forward.h"
#include "third_party/blink/renderer/platform/wtf/vector.h"
namespace blink {
class InputDeviceCapabilitiesConstants;
class LocalDOMWindow;
class Location;
class MessageEvent;
class ScriptValue;
class SecurityOrigin;
class SerializedScriptValue;
class WindowPostMessageOptions;
class WindowProxyManager;
// DOMWindow is an abstract class of Window interface implementations.
// We have two derived implementation classes; LocalDOMWindow and
// RemoteDOMWindow.
// TODO(tkent): Rename DOMWindow to Window. The class was named as 'DOMWindow'
// because WebKit already had KJS::Window. We have no reasons to avoid
// blink::Window now.
class CORE_EXPORT DOMWindow : public EventTargetWithInlineData {
enum class CrossDocumentAccessPolicy { kAllowed, kDisallowed };
~DOMWindow() override;
Frame* GetFrame() const {
// A Frame is typically reused for navigations. If |frame_| is not null,
// two conditions must always be true:
// - |frame_->domWindow()| must point back to this DOMWindow. If it does
// not, it is easy to introduce a bug where script execution uses the
// wrong DOMWindow (which may be cross-origin).
// - |frame_| must be attached, i.e. |frame_->page()| must not be null.
// If |frame_->page()| is null, this indicates a bug where the frame was
// detached but |frame_| was not set to null. This bug can lead to
// issues where executing script incorrectly schedules work on a detached
// frame.
(frame_->DomWindow() == this && frame_->GetPage()));
return frame_;
// GarbageCollected overrides:
void Trace(Visitor*) const override;
virtual bool IsLocalDOMWindow() const = 0;
virtual bool IsRemoteDOMWindow() const = 0;
// ScriptWrappable overrides:
v8::MaybeLocal<v8::Value> Wrap(ScriptState*) final;
v8::Local<v8::Object> AssociateWithWrapper(
const WrapperTypeInfo*,
v8::Local<v8::Object> wrapper) final;
// EventTarget overrides:
const AtomicString& InterfaceName() const override;
const DOMWindow* ToDOMWindow() const override;
bool IsWindowOrWorkerGlobalScope() const final;
// Cross-origin DOM Level 0
Location* location() const;
bool closed() const;
unsigned length() const;
// Self-referential attributes
DOMWindow* self() const;
DOMWindow* window() const { return self(); }
DOMWindow* frames() const { return self(); }
DOMWindow* opener() const;
DOMWindow* parent() const;
DOMWindow* top() const;
void focus(v8::Isolate*);
virtual void blur() = 0;
void close(v8::Isolate*);
void Close(LocalDOMWindow* incumbent_window);
void postMessage(v8::Isolate*,
const ScriptValue& message,
const String& target_origin,
HeapVector<ScriptValue>& transfer,
void postMessage(v8::Isolate*,
const ScriptValue& message,
const WindowPostMessageOptions* options,
// Indexed properties
DOMWindow* AnonymousIndexedGetter(uint32_t index);
String SanitizedCrossDomainAccessErrorMessage(
const LocalDOMWindow* accessing_window,
CrossDocumentAccessPolicy cross_document_access) const;
String CrossDomainAccessErrorMessage(
const LocalDOMWindow* accessing_window,
CrossDocumentAccessPolicy cross_document_access) const;
// FIXME: When this DOMWindow is no longer the active DOMWindow (i.e.,
// when its document is no longer the document that is displayed in its
// frame), we would like to zero out |frame_| to avoid being confused
// by the document that is currently active in |frame_|.
// See
bool IsCurrentlyDisplayedInFrame() const;
InputDeviceCapabilitiesConstants* GetInputDeviceCapabilities();
void PostMessageForTesting(scoped_refptr<SerializedScriptValue> message,
const MessagePortArray&,
const String& target_origin,
LocalDOMWindow* source,
// Cross-Origin-Opener-Policy (COOP):
// Check accesses from |accessing_frame| and every same-origin iframe toward
// this window. A report is sent to |reporter| when this happens.
void InstallCoopAccessMonitor(
network::mojom::blink::CoopAccessReportType report_type,
LocalFrame* accessing_frame,
network::mojom::blink::CrossOriginOpenerPolicyReporter> reporter,
bool endpoint_defined,
const WTF::String& reported_window_url);
// Whenever we detect that the enforcement of a report-only COOP policy would
// have resulted in preventing access to this window, a report is potentially
// sent when calling this function.
// This function must be called when accessing any attributes and methods
// marked as "CrossOrigin" in the window.idl.
void ReportCoopAccess(const char* property_name);
explicit DOMWindow(Frame&);
virtual void SchedulePostMessage(MessageEvent*,
scoped_refptr<const SecurityOrigin> target,
LocalDOMWindow* source) = 0;
void DisconnectFromFrame() { frame_ = nullptr; }
void DoPostMessage(scoped_refptr<SerializedScriptValue> message,
const MessagePortArray&,
const WindowPostMessageOptions* options,
LocalDOMWindow* source,
// Removed the CoopAccessMonitor with the given |accessing_main_frame| from
// the |coop_access_monitor| list. This is called when the COOP reporter is
// gone or a more recent CoopAccessMonitor is being added.
void DisconnectCoopAccessMonitor(const LocalFrameToken& accessing_main_frame);
Member<Frame> frame_;
// Unlike |frame_|, |window_proxy_manager_| is available even after the
// window's frame gets detached from the DOM, until the end of the lifetime
// of this object.
const Member<WindowProxyManager> window_proxy_manager_;
Member<InputDeviceCapabilitiesConstants> input_capabilities_;
mutable Member<Location> location_;
// Set to true when close() has been called. Needed for
// |window.closed| determinism; having it return 'true'
// only after the layout widget's deferred window close
// operation has been performed, exposes (confusing)
// implementation details to scripts.
bool window_is_closing_;
// Cross-Origin-Opener-Policy (COOP):
// Check accesses made toward this window from |accessing_main_frame|. If this
// happens a report will sent to |reporter|.
struct CoopAccessMonitor {
network::mojom::blink::CoopAccessReportType report_type;
blink::LocalFrameToken accessing_main_frame;
bool endpoint_defined;
WTF::String reported_window_url;
WTF::Vector<CoopAccessMonitor> coop_access_monitor_;
} // namespace blink