From 1c918e826c337bb46277cb224e29107ce576eeab Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Tue, 28 Feb 2023 01:08:49 +0000
Subject: [PATCH] LibWeb: Define navigator/clientInformation with define_native_accessor

Defining it as a direct property causes it to have no getter/setter function, which causes an empty Optional crash when attempting to access such getter on a cross-origin iframe.

Fixes amazon.com crashing on this particular crash.
---
 Userland/Libraries/LibWeb/HTML/Window.cpp | 10 ++++++++--
 Userland/Libraries/LibWeb/HTML/Window.h | 2 ++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibWeb/HTML/Window.cpp b/Userland/Libraries/LibWeb/HTML/Window.cpp
index b21314182e..b6634d508f 100644
--- a/Userland/Libraries/LibWeb/HTML/Window.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Window.cpp
@@ -1146,8 +1146,8 @@ void Window::initialize_web_interfaces(Badge)
 m_location = heap().allocate(realm, realm).release_allocated_value_but_fixme_should_propagate_errors();
 m_navigator = heap().allocate(realm, realm).release_allocated_value_but_fixme_should_propagate_errors();
- define_direct_property("navigator", m_navigator, JS::Attribute::Enumerable | JS::Attribute::Configurable);
- define_direct_property("clientInformation", m_navigator, JS::Attribute::Enumerable | JS::Attribute::Configurable);
+ define_native_accessor(realm, "navigator", navigator_getter, {}, JS::Attribute::Enumerable | JS::Attribute::Configurable);
+ define_native_accessor(realm, "clientInformation", navigator_getter, {}, JS::Attribute::Enumerable | JS::Attribute::Configurable);
 // NOTE: location is marked as [LegacyUnforgeable], meaning it isn't configurable.
 define_native_accessor(realm, "location", location_getter, location_setter, JS::Attribute::Enumerable);
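Review bot: Both new `define_native_accessor` calls pass `{}` as the setter, so `window.navigator = x` is a silent no-op in sloppy mode and a TypeError in strict mode, while the HTML IDL declares `navigator` and `clientInformation` as `[Replaceable]`, whose setter redefines the property as an own data property. The replaced `define_direct_property` lines did not honour that either, so nothing regresses, but since the lines are being rewritten a `// FIXME: navigator and clientInformation are [Replaceable]; the setter should redefine them as own data properties.` above them would record the gap. Separately, `navigator` is not among the spec's cross-origin-accessible Window properties, so from a cross-origin frame the lookup should end in a SecurityError before this getter runs; pairing the fix with a test that asserts that outcome, rather than only the absence of a crash, would guard the path the commit message describes. initialize_web_interfaces begins and continues outside the hunk.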
@@ -1898,6 +1898,12 @@ JS_DEFINE_NATIVE_FUNCTION(Window::name_setter)
 return JS::js_undefined();
 }
+JS_DEFINE_NATIVE_FUNCTION(Window::navigator_getter)
+{
+ auto* impl = TRY(impl_from(vm));
+ return impl->m_navigator;
+}
+
 #define __ENUMERATE(attribute, event_name) \
 JS_DEFINE_NATIVE_FUNCTION(Window::attribute##_getter) \
 { \
diff --git a/Userland/Libraries/LibWeb/HTML/Window.h b/Userland/Libraries/LibWeb/HTML/Window.h
index 7e2c69a034..9a1d8c85da 100644
--- a/Userland/Libraries/LibWeb/HTML/Window.h
+++ b/Userland/Libraries/LibWeb/HTML/Window.h
@@ -275,6 +275,8 @@ private:
 JS_DECLARE_NATIVE_FUNCTION(crypto_getter);
+ JS_DECLARE_NATIVE_FUNCTION(navigator_getter);
+
 #define __ENUMERATE(attribute, event_name) \
 JS_DECLARE_NATIVE_FUNCTION(attribute##_getter); \
 JS_DECLARE_NATIVE_FUNCTION(attribute##_setter);
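Review bot: `navigator_getter` returns `impl->m_navigator` with no check that it has been set; if this getter can run before `initialize_web_interfaces` has allocated the Navigator, the caller receives whatever a null pointer converts to rather than a Navigator object. If that ordering is guaranteed, `VERIFY(impl->m_navigator);` before the return makes the assumption explicit; otherwise returning `JS::js_undefined()` for the unset case is the safer fallback. A spec reference above the definition, `// https://html.spec.whatwg.org/multipage/system-state.html#dom-navigator`, noting that the same getter also backs clientInformation, would help readers find the defining IDL for both properties.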