Bug 965898 - Squelch exceptions during the shadowing detection in isCrossOriginAccessPermitted. r=gabor
author: Bobby Holley <bobbyholley@gmail.com>
date: Wed, 30 Jul 2014 12:23:03 -0700
changeset: 196849 d099909ba007c821bf0e5d5d9ef11a0f004570c6
parent: 196848 a5b95c1ec2528af2da5c4517055bac74623ff43c
child: 196850 7185b7e3b96bf43e553f5b153bd614278983923b
push id: 46984
push user: bobbyholley@gmail.com
push date: Wed, 30 Jul 2014 19:24:00 +0000
reviewers: gabor
bugs: 965898
milestone: 34.0a1
js/xpconnect/wrappers/AccessCheck.cpp
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -187,16 +187,29 @@ AccessCheck::isCrossOriginAccessPermitte
     // Check for frame IDs. If we're resolving named frames, make sure to only
     // resolve ones that don't shadow native properties. See bug 860494.
     if (IsWindow(name)) {
         if (JSID_IS_STRING(id) && !XrayUtils::IsXrayResolving(cx, wrapper, id)) {
             bool wouldShadow = false;
             if (!XrayUtils::HasNativeProperty(cx, wrapper, id, &wouldShadow) ||
                 wouldShadow)
             {
+                // If the named subframe matches the name of a DOM constructor,
+                // the global resolve triggered by the HasNativeProperty call
+                // above will try to perform a CheckedUnwrap on |wrapper|, and
+                // throw a security error if it fails. That exception isn't
+                // really useful for our callers, so we silence it and just
+                // deny access to the property (since it matched a builtin).
+                //
+                // Note that this would be a problem if the resolve code ever
+                // tried to CheckedUnwrap the wrapper _before_ concluding that
+                // the name corresponds to a builtin global property, since it
+                // would mean that we'd never permit cross-origin named subframe
+                // access (something we regrettably need to support).
+                JS_ClearPendingException(cx);
                 return false;
             }
         }
         return IsFrameId(cx, obj, id);
     }
     return false;
 }
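Review bot: The added JS_ClearPendingException(cx) swallows every reason HasNativeProperty can fail, not only the CheckedUnwrap security error the new comment describes, so an out-of-memory or other internal failure inside the global resolve would also be silently turned into a "deny access" result; consider clearing only when the pending exception is the expected security error, or at least state in the comment that all resolve failures are deliberately folded into the deny path. The second paragraph of the comment also records an ordering assumption about the resolve code (CheckedUnwrap must happen only after the name has been classified as a builtin); since nothing in this hunk enforces that, a regression test that accesses a cross-origin named subframe whose name is not a DOM constructor name would catch a future reordering before it silently breaks cross-origin named subframe access.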