Ensure TreeWalker operations return Node in its own context, not the
receiver's
Normally, when Nodes are accessible across frames, we apply the
extended attribute [CheckSecurity=ReturnValue] in the IDL. The
generated bindings then perform the necessary security checks and
wrap the Node in its own context, not the receiver context.
TreeWalker is different. The root node is already known to be
accessible (otherwise it couldn't be passed to the constructor), and
therefore any Node returned by TreeWalker must be accessible, since
TreeWalker doesn't walk across frame boundaries. However, the
TreeWalker and the Node are not required to be from the same
context (I don't know why, it's an old API, this seems like the
kind of design flaw we would catch in a modern API). So TreeWalker
is in a weird middle ground: it doesn't need security checks, but
it does need to wrap any Nodes it returns in the Node's context,
not the TreeWalker's context.
This CL adds a new extended attribute, [NodeWrapInOwnContext], for
TreeWalker (and related APIs, NodeIterator and NodeFilter). When
the extended attribute is present, the Node will be wrapped for use
in V8 with the Node's v8::Context, not the TreeWalker's v8::Context.
Fixed: 324929076
Change-Id: I1359483a9b89f7fcc4d1d522a203e357f2136734
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5331177
Reviewed-by: Andrey Kosyakov caseq@chromium.org
Commit-Queue: Nate Chapin japhet@chromium.org
Cr-Commit-Position: refs/heads/main@{#1352303}