Bug 514435 - Change up wrapperization a little. r=jst sr=sicking
--- a/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
+++ b/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
@@ -863,27 +863,16 @@ XPC_SJOW_Construct(JSContext *cx, JSObje
return ThrowException(NS_ERROR_INVALID_ARG, cx);
}
SLIM_LOG_WILL_MORPH(cx, objToWrap);
if(IS_SLIM_WRAPPER(objToWrap) && !MorphSlimWrapper(cx, objToWrap)) {
return ThrowException(NS_ERROR_FAILURE, cx);
}
- if (STOBJ_GET_CLASS(objToWrap) == &sXPC_XOW_JSClass.base) {
- // We're being asked to wrap a XOW. By using XPCWrapper::Unwrap,
- // we guarantee that the wrapped object is same-origin to us. If
- // it isn't, then just wrap the XOW for an added layer of wrapping.
-
- JSObject *maybeInner = XPCWrapper::Unwrap(cx, objToWrap);
- if (maybeInner) {
- objToWrap = maybeInner;
- }
- }
-
// Check that the caller can access the unsafe object.
if (!CanCallerAccess(cx, objToWrap)) {
// CanCallerAccess() already threw for us.
return JS_FALSE;
}
JSObject *unsafeObj = GetUnsafeObject(objToWrap);
@@ -979,16 +968,28 @@ XPC_SJOW_Iterator(JSContext *cx, JSObjec
}
// Check that the caller can access the unsafe object.
if (!CanCallerAccess(cx, unsafeObj)) {
// CanCallerAccess() already threw for us.
return nsnull;
}
+ JSObject *tmp = XPCWrapper::UnwrapGeneric(cx, &sXPC_XOW_JSClass, unsafeObj);
+ if (tmp) {
+ unsafeObj = tmp;
+
+ // Repeat the CanCallerAccess check because the XOW is parented to our
+ // scope's global object which makes the above CanCallerAccess call lie.
+ if (!CanCallerAccess(cx, unsafeObj)) {
+ // CanCallerAccess() already threw for us.
+ return nsnull;
+ }
+ }
+
// Create our dummy SJOW.
JSObject *wrapperIter =
::JS_NewObjectWithGivenProto(cx, &sXPC_SJOW_JSClass.base, nsnull,
unsafeObj);
if (!wrapperIter) {
return nsnull;
}
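Review bot: The first `CanCallerAccess(cx, unsafeObj)` in XPC_SJOW_Iterator runs before the XOW is unwrapped, and the added comment itself says that result is unreliable for a XOW, so the only access decision that counts is the second call inside `if (tmp)`. When `XPCWrapper::UnwrapGeneric` returns null, the code keeps the original object after only that first check. This is presumably intended for objects that are not XOWs, but the null case should be documented, e.g. `// Null means unsafeObj is not a XOW (or could not be unwrapped); keep wrapping it as-is.`, and it is worth confirming that a null return never leaves an exception pending on `cx`. Renaming `tmp` to something like `unwrappedObj` would make the re-check easier to follow. The first hunk removes the unwrap in XPC_SJOW_Construct but keeps `CanCallerAccess(cx, objToWrap)` on what may still be a XOW; whether that path gets an equivalent re-check is not visible here, since both function bodies extend outside the hunks.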