Bug 781476 - Cross-compartment wrap same-origin objects with PreCreate even if PreCreate requests one wrapper per scope. r=mrbkap
author Bobby Holley <bobbyholley@gmail.com>
date Thu, 16 Aug 2012 12:25:39 -0700
changeset 102567 87fb202e726151e7bc9bdc18fc0d68bcc007d45f
parent 102566 497806930eb6a81c69d914679bd79b45f6733b80
child 102568 7bd865cc52c5d496ac79b0cb165d4e1e995abe86
push id 23297
push user emorley@mozilla.com
push date Fri, 17 Aug 2012 12:22:28 +0000
reviewers mrbkap
bugs 781476
milestone 17.0a1
js/xpconnect/wrappers/WrapperFactory.cpp
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -224,16 +224,25 @@ WrapperFactory::PrepareForWrapping(JSCon
                 // Check for case (2).
                 if (probe != currentScope) {
                     MOZ_ASSERT(probe == scope);
                     return DoubleWrap(cx, obj, flags);
                 }
 
                 // Ok, must be case (1). Fall through and create a new wrapper.
             }
+
+            // Nasty hack for late-breaking bug 781476. This will confuse identity checks,
+            // but it's probably better than any of our alternatives.
+            if (!AccessCheck::isChrome(js::GetObjectCompartment(scope)) &&
+                 AccessCheck::subsumes(js::GetObjectCompartment(scope),
+                                       js::GetObjectCompartment(obj)))
+            {
+                return DoubleWrap(cx, obj, flags);
+            }
         }
     }
 
     // NB: Passing a holder here inhibits slim wrappers under
     // WrapNativeToJSVal.
     nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
 
     // This public WrapNativeToJSVal API enters the compartment of 'scope'
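Review bot: The new early return at `return DoubleWrap(cx, obj, flags);` in the same-origin branch deliberately overrides the one-wrapper-per-scope behaviour that PreCreate asked for, and the comment above it already concedes that this "will confuse identity checks". Please spell out in that comment which identity checks are affected and how callers are expected to cope, and reference a follow-up bug so the hack can be tracked for removal rather than quietly outliving the "late-breaking" fix. A regression test for the exact shape this branch handles (a non-chrome `scope` whose compartment subsumes `obj`'s compartment while PreCreate requested a different scope) would also pin down the intended behaviour, since the condition on `AccessCheck::isChrome` and `AccessCheck::subsumes` is otherwise only documented by the commit title.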