authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-10-13 11:13:36 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2016-10-13 11:55:29 +0000
commitf72afcc589ca00d07bae9ba92f196ca6ca74dcce (patch)
treea96f856bd9cf42df5c54a7f27a7e733d71394c01
parentfbc6e0e784d055f4317c95494ae810b6c1c5c6e7 (diff)
[Backport] Blink-in-JS should not run micro tasks
If Blink-in-JS runs micro tasks, there's a risk of causing a UXSS bug (see 645211 for concrete steps). This CL makes Blink-in-JS use callInternalFunction (instead of callFunction) to avoid running micro tasks after Blink-in-JS' callbacks. BUG=645211 Review-Url: https://codereview.chromium.org/2330843002 Cr-Commit-Position: refs/heads/master@{#417874} (cherry picked from commit 0a242b6c8a66ee530d5b68c74dfabe74e6415d45) Review URL: https://codereview.chromium.org/2364523002 . (CVE-2016-5181) Change-Id: I4106a32f0a554fa4d102b7dc566ee46acac33677 Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp8
1 files changed, 4 insertions, 4 deletions
diff --git a/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp b/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
index 87cc5538d47..cee73f1ed38 100644
--- a/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
+++ b/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
@@ -196,7 +196,7 @@ static void initializeHolderIfNeeded(ScriptState* scriptState, v8::Local<v8::Obj
if (classObject->Get(scriptState->context(), v8String(isolate, "initialize")).ToLocal(&initializeFunction) && initializeFunction->IsFunction()) {
v8::TryCatch block(isolate);
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(initializeFunction), scriptState->executionContext(), holder, 0, 0, isolate).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(initializeFunction), holder, 0, 0, isolate).ToLocal(&result)) {
fprintf(stderr, "Private script error: Object constructor threw an exception.\n");
dumpV8Message(context, block.Message());
RELEASE_ASSERT_NOT_REACHED();
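Review bot: None of the four new callInternalFunction call sites (this one and the ones in the runDOMAttributeGetter, runDOMAttributeSetter and runDOMMethod hunks) records why the internal variant is required, so a later cleanup could switch them back to callFunction and silently reintroduce the microtask-checkpoint problem this commit fixes. A one-line comment above each call, e.g. `// Private script must not drain the microtask queue on return (crbug 645211, CVE-2016-5181); keep callInternalFunction here.`, pins the intent at the site rather than only in the commit message. The change also drops the scriptState->executionContext() argument that callFunction took, which I read as callInternalFunction doing no per-execution-context bookkeeping for these calls; worth confirming nothing in this file relied on that. Whether any other callFunction use remains in PrivateScriptRunner.cpp cannot be seen from these hunks; if one does, it should get the same treatment. The enclosing initializeHolderIfNeeded body begins and ends outside this hunk.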
@@ -305,7 +305,7 @@ v8::Local<v8::Value> PrivateScriptRunner::runDOMAttributeGetter(ScriptState* scr
initializeHolderIfNeeded(scriptState, classObject, holder);
v8::TryCatch block(isolate);
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(getter), scriptState->executionContext(), holder, 0, 0, isolate).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(getter), holder, 0, 0, isolate).ToLocal(&result)) {
rethrowExceptionInPrivateScript(isolate, block, scriptStateInUserScript, ExceptionState::GetterContext, attributeName, className);
block.ReThrow();
return v8::Local<v8::Value>();
@@ -331,7 +331,7 @@ bool PrivateScriptRunner::runDOMAttributeSetter(ScriptState* scriptState, Script
v8::Local<v8::Value> argv[] = { v8Value };
v8::TryCatch block(isolate);
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(setter), scriptState->executionContext(), holder, WTF_ARRAY_LENGTH(argv), argv, isolate).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(setter), holder, WTF_ARRAY_LENGTH(argv), argv, isolate).ToLocal(&result)) {
rethrowExceptionInPrivateScript(isolate, block, scriptStateInUserScript, ExceptionState::SetterContext, attributeName, className);
block.ReThrow();
return false;
@@ -350,7 +350,7 @@ v8::Local<v8::Value> PrivateScriptRunner::runDOMMethod(ScriptState* scriptState,
initializeHolderIfNeeded(scriptState, classObject, holder);
v8::TryCatch block(scriptState->isolate());
v8::Local<v8::Value> result;
- if (!V8ScriptRunner::callFunction(v8::Local<v8::Function>::Cast(method), scriptState->executionContext(), holder, argc, argv, scriptState->isolate()).ToLocal(&result)) {
+ if (!V8ScriptRunner::callInternalFunction(v8::Local<v8::Function>::Cast(method), holder, argc, argv, scriptState->isolate()).ToLocal(&result)) {
rethrowExceptionInPrivateScript(scriptState->isolate(), block, scriptStateInUserScript, ExceptionState::ExecutionContext, methodName, className);
block.ReThrow();
return v8::Local<v8::Value>();