Bug 514435 - Change up wrapperization a little. r=jst sr=sicking
authorBlake Kaplan <mrbkap@gmail.com>
Wed, 30 Sep 2009 15:15:51 -0700
changeset 33305 70475458eabb6b54c966917bc1df9146e19e671b
parent 33304 188996e474df4ae14ad61131b77a3ae6ff30c28b
child 33306 0071000d8c4ceb7afc73b3e16c181f2d9b8636f8
push idunknown
push userunknown
push dateunknown
reviewersjst, sicking
bugs514435
milestone1.9.3a1pre
Bug 514435 - Change up wrapperization a little. r=jst sr=sicking
js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
--- a/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
+++ b/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
@@ -863,27 +863,16 @@ XPC_SJOW_Construct(JSContext *cx, JSObje
     return ThrowException(NS_ERROR_INVALID_ARG, cx);
   }
 
   SLIM_LOG_WILL_MORPH(cx, objToWrap);
   if(IS_SLIM_WRAPPER(objToWrap) && !MorphSlimWrapper(cx, objToWrap)) {
     return ThrowException(NS_ERROR_FAILURE, cx);
   }
 
-  if (STOBJ_GET_CLASS(objToWrap) == &sXPC_XOW_JSClass.base) {
-    // We're being asked to wrap a XOW. By using XPCWrapper::Unwrap,
-    // we guarantee that the wrapped object is same-origin to us. If
-    // it isn't, then just wrap the XOW for an added layer of wrapping.
-
-    JSObject *maybeInner = XPCWrapper::Unwrap(cx, objToWrap);
-    if (maybeInner) {
-      objToWrap = maybeInner;
-    }
-  }
-
   // Check that the caller can access the unsafe object.
   if (!CanCallerAccess(cx, objToWrap)) {
     // CanCallerAccess() already threw for us.
     return JS_FALSE;
   }
 
   JSObject *unsafeObj = GetUnsafeObject(objToWrap);
 
@@ -979,16 +968,28 @@ XPC_SJOW_Iterator(JSContext *cx, JSObjec
   }
 
   // Check that the caller can access the unsafe object.
   if (!CanCallerAccess(cx, unsafeObj)) {
     // CanCallerAccess() already threw for us.
     return nsnull;
   }
 
+  JSObject *tmp = XPCWrapper::UnwrapGeneric(cx, &sXPC_XOW_JSClass, unsafeObj);
+  if (tmp) {
+    unsafeObj = tmp;
+
+    // Repeat the CanCallerAccess check because the XOW is parented to our
+    // scope's global object which makes the above CanCallerAccess call lie.
+    if (!CanCallerAccess(cx, unsafeObj)) {
+      // CanCallerAccess() already threw for us.
+      return nsnull;
+    }
+  }
+
   // Create our dummy SJOW.
   JSObject *wrapperIter =
     ::JS_NewObjectWithGivenProto(cx, &sXPC_SJOW_JSClass.base, nsnull,
                                  unsafeObj);
   if (!wrapperIter) {
     return nsnull;
   }
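Review bot: The unwrap-and-recheck added in XPC_SJOW_Iterator fixes only this entry point, although its own comment says CanCallerAccess gives the wrong answer for any XOW parented to the caller's global. In the first hunk, XPC_SJOW_Construct now passes `objToWrap` straight to `CanCallerAccess(cx, objToWrap)` with the earlier XOW unwrap removed. If that path, or any other SJOW hook not visible here, can still receive a XOW, it depends on the same unreliable check; it would be safer to move the `XPCWrapper::UnwrapGeneric` call and second `CanCallerAccess` into one shared helper that every hook calls. A null result from `UnwrapGeneric` is treated as "not a XOW"; if it can also return null on failure with an exception pending (its body is not shown), the code continues and wraps the XOW itself, so a comment such as `// null means unsafeObj is not a XOW; no exception is pending` would pin that contract down. A more descriptive name than `tmp`, for example `unwrapped`, would also help, and note that the function body starts and ends outside this hunk.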