Bug 781476 - Cross-compartment wrap same-origin objects with PreCreate even if PreCreate requests one wrapper per scope. r=mrbkap
authorBobby Holley <bobbyholley@gmail.com>
Tue, 21 Aug 2012 10:51:43 -0700
changeset 102453 ab5ca4c67ba1709176e18f37c92a0144f9024ba2
parent 102452 d7b344615437c427cb602eeeafcdc27292f16026
child 102454 cdcde4d200d49f026c622a87da5a131ecb81ecee
push id1942
push userbobbyholley@gmail.com
push dateTue, 21 Aug 2012 18:20:16 +0000
reviewersmrbkap
bugs781476
milestone16.0a2
Bug 781476 - Cross-compartment wrap same-origin objects with PreCreate even if PreCreate requests one wrapper per scope. r=mrbkap
js/xpconnect/wrappers/WrapperFactory.cpp
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -224,16 +224,25 @@ WrapperFactory::PrepareForWrapping(JSCon
                 // Check for case (2).
                 if (probe != currentScope) {
                     MOZ_ASSERT(probe == scope);
                     return DoubleWrap(cx, obj, flags);
                 }
 
                 // Ok, must be case (1). Fall through and create a new wrapper.
             }
+
+            // Nasty hack for late-breaking bug 781476. This will confuse identity checks,
+            // but it's probably better than any of our alternatives.
+            if (!AccessCheck::isChrome(js::GetObjectCompartment(scope)) &&
+                 AccessCheck::subsumes(js::GetObjectCompartment(scope),
+                                       js::GetObjectCompartment(obj)))
+            {
+                return DoubleWrap(cx, obj, flags);
+            }
         }
     }
 
     // NB: Passing a holder here inhibits slim wrappers under
     // WrapNativeToJSVal.
     nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
 
     // This public WrapNativeToJSVal API enters the compartment of 'scope'
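Review bot: The new early return after the PreCreate probe block is documented only as a "nasty hack", so the next reader gets neither the condition it covers nor the invariant it gives up; the comment should state both, e.g. `// Same-origin case: a non-chrome scope whose compartment subsumes obj's gets a cross-compartment wrapper (DoubleWrap) even though PreCreate asked for one wrapper per scope. The same object can then have several wrappers, so identity comparisons across scopes may fail (bug 781476).` Note that the check is one-directional (scope subsumes obj, not the reverse), so if "same-origin" in the title is meant to require both directions that should be said explicitly or the condition tightened; the hunk alone does not show which is intended. A `// TODO(bug 781476):` marker naming the condition for removing the hack would keep it from quietly becoming permanent. PrepareForWrapping begins before and continues past this hunk.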