Bug 995295 part 1. Create console events in the junk scope, not the untrusted content scope. r=baku
authorBoris Zbarsky <bzbarsky@mit.edu>
Wed, 16 Apr 2014 15:09:23 -0400
changeset 179099 00e2d9fabb8253d0f31b18737b9031879780fd77
parent 179098 5d75982d37a537f2b686243a4d336bbf2c9c83cd
child 179100 e8fb458e5d0fb6210aa908bb8aae8bf398ddcf07
push id26607
push userryanvm@gmail.com
push dateFri, 18 Apr 2014 02:31:26 +0000
treeherdermozilla-central@7fe3ee0cf8be [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbaku
bugs995295
milestone31.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 995295 part 1. Create console events in the junk scope, not the untrusted content scope. r=baku
dom/base/Console.cpp
--- a/dom/base/Console.cpp
+++ b/dom/base/Console.cpp
@@ -989,16 +989,28 @@ Console::ProcessCallData(ConsoleCallData
   else if (aData->mMethodName == MethodTimeEnd && !aData->mArguments.IsEmpty()) {
     event.mTimer = StopTimer(cx, aData->mArguments[0], aData->mMonotonicTimer);
   }
 
   else if (aData->mMethodName == MethodCount) {
     event.mCounter = IncreaseCounter(cx, frame, aData->mArguments);
   }
 
+  // We want to create a console event object and pass it to our
+  // nsIConsoleAPIStorage implementation.  We want to define some accessor
+  // properties on this object, and those will need to keep an nsIStackFrame
+  // alive.  But nsIStackFrame cannot be wrapped in an untrusted scope.  And
+  // further, passing untrusted objects to system code is likely to run afoul of
+  // Object Xrays.  So we want to wrap in a system-principal scope here.  But
+  // which one?  We could cheat and try to get the underlying JSObject* of
+  // mStorage, but that's a bit fragile.  Instead, we just use the junk scope,
+  // with explicit permission from the XPConnect module owner.  If you're
+  // tempted to do that anywhere else, talk to said module owner first.
+  JSAutoCompartment ac2(cx, xpc::GetJunkScope());
+
   JS::Rooted<JS::Value> eventValue(cx);
   if (!event.ToObject(cx, &eventValue)) {
     Throw(cx, NS_ERROR_FAILURE);
     return;
   }
 
   JS::Rooted<JSObject*> eventObj(cx, &eventValue.toObject());
   MOZ_ASSERT(eventObj);