Fix bug 636097 (r=gal, a=blocker).
authormrbkap@gmail.com
Wed, 23 Feb 2011 22:13:17 -0800
changeset 63074 918a7ef8abb3becdadda2f454b8ef1652aacf669
parent 63073 285a09f4cc4915fad29e71df0bb1ccd566c91238
child 63075 2b2fc7d3a193591c1b75bc668e6e02bd808901c0
push idunknown
push userunknown
push dateunknown
reviewersgal, blocker
bugs636097
milestone2.0b13pre
Fix bug 636097 (r=gal, a=blocker).
js/src/xpconnect/tests/mochitest/Makefile.in
js/src/xpconnect/tests/mochitest/test_bug636097.html
js/src/xpconnect/wrappers/AccessCheck.cpp
js/src/xpconnect/wrappers/AccessCheck.h
--- a/js/src/xpconnect/tests/mochitest/Makefile.in
+++ b/js/src/xpconnect/tests/mochitest/Makefile.in
@@ -82,14 +82,15 @@ include $(topsrcdir)/config/rules.mk
 		test_bug601299.html \
 		test_bug629227.html \
 		file1_bug629227.html \
 		file2_bug629227.html \
 		test_bug629331.html \
 		test1_bug629331.html \
 		test2_bug629331.html \
 		test_bug618017.html \
+		test_bug636097.html \
 		$(NULL)
 
 		#test_bug484107.html \
 
 libs:: $(_TEST_FILES)
 	$(INSTALL) $^ $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
new file mode 100644
--- /dev/null
+++ b/js/src/xpconnect/tests/mochitest/test_bug636097.html
@@ -0,0 +1,63 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=504877
+test by moz_bug_r_a4@yahoo.com
+-->
+<head>
+  <title>Test for Bug 504877</title>
+  <script type="application/javascript" src="/MochiKit/packed.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=504877">Mozilla Bug 504877</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 504877 **/
+SimpleTest.waitForExplicitFinish();
+
+var targetUrl = "http://example.com/";
+var l;
+
+function a() {
+        var r = "FAIL", s;
+        try {
+                s = l.toString();
+        }
+        catch (e) {
+                if (/Permission denied/.test(e))
+                        r = "PASS";
+                s = e;
+        }
+
+        is(r, "PASS", "should have thrown an exception");
+        SimpleTest.finish();
+}
+
+var p = 0;
+function b() {
+        switch (++p) {
+        case 1:
+                frames[0].location = "about:blank";
+                break;
+        case 2:
+                l = frames[0].location;
+                frames[0].location = targetUrl;
+                break;
+        case 3:
+                a();
+                break;
+        }
+}
+</script>
+
+</pre>
+<iframe onload="b()"></iframe>
+</body>
+</html>
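Review bot: The header comment, the `<title>`, the Bugzilla link and the `/** Test for Bug 504877 **/` comment all name bug 504877, while the file is test_bug636097.html and the commit fixes bug 636097. They look copied from an older test and should reference 636097 so a failure is traced to the right report. A short comment above `b()` would also help, for example `// Keep a Location reference from the same-origin about:blank load, navigate the frame cross-origin, then check the stale reference is denied.` In `a()`, `s` is assigned but never read; using it in the message, as in `is(r, "PASS", "should have thrown an exception: " + s);`, would make a failure easier to diagnose.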
--- a/js/src/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/src/xpconnect/wrappers/AccessCheck.cpp
@@ -88,17 +88,19 @@ bool
 AccessCheck::isLocationObjectSameOrigin(JSContext *cx, JSObject *wrapper)
 {
     JSObject *obj = wrapper->unwrap()->getParent();
     if (!obj->getClass()->ext.innerObject) {
         obj = obj->unwrap();
         JS_ASSERT(obj->getClass()->ext.innerObject);
     }
     OBJ_TO_INNER_OBJECT(cx, obj);
-    return obj && isSameOrigin(wrapper->compartment(), obj->compartment());
+    return obj &&
+           (isSameOrigin(wrapper->compartment(), obj->compartment()) ||
+            documentDomainMakesSameOrigin(cx, obj));
 }
 
 bool
 AccessCheck::isChrome(JSCompartment *compartment)
 {
     nsIScriptSecurityManager *ssm = XPCWrapper::GetSecurityManager();
     if (!ssm) {
         return false;
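Review bot: The new `documentDomainMakesSameOrigin(cx, obj)` call in isLocationObjectSameOrigin has no comment explaining why it receives the window's inner object rather than the Location object, and that choice appears to be the whole fix. A Location reference can be held across a navigation, as the new mochitest does, so I would add above the return: `// Check document.domain against the window's current inner object; the Location object itself may predate a navigation.` Separately, the context line `JS_ASSERT(obj->getClass()->ext.innerObject)` is presumably a debug-only check, so it is worth confirming what release builds compare against if the unwrapped parent lacks that hook. AccessCheck::isChrome continues past the end of the hunk.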
--- a/js/src/xpconnect/wrappers/AccessCheck.h
+++ b/js/src/xpconnect/wrappers/AccessCheck.h
@@ -116,18 +116,17 @@ struct CrossOriginAccessiblePropertiesOn
 };
 
 // This policy only permits access to properties that are safe to be used
 // across origins.
 struct SameOriginOrCrossOriginAccessiblePropertiesOnly : public Policy {
     static bool check(JSContext *cx, JSObject *wrapper, jsid id, JSWrapper::Action act,
                       Permission &perm) {
         if (AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act) ||
-            AccessCheck::isLocationObjectSameOrigin(cx, wrapper) ||
-            AccessCheck::documentDomainMakesSameOrigin(cx, wrapper->unwrap())) {
+            AccessCheck::isLocationObjectSameOrigin(cx, wrapper)) {
             perm = PermitPropertyAccess;
             return true;
         }
         perm = DenyAccess;
         JSAutoEnterCompartment ac;
         if (!ac.enter(cx, wrapper))
             return false;
         AccessCheck::deny(cx, id);
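Review bot: With `documentDomainMakesSameOrigin` removed from this condition, the policy's only same-origin path is `isLocationObjectSameOrigin`, yet the comment above the struct still says it permits only properties that are safe across origins. I would extend that comment, for example `// A Location object whose window is same-origin (including via document.domain) is granted full property access.` If this policy is ever applied to wrappers that are not Location objects, they no longer get the document.domain relaxation here; that looks intended, but it should be stated. The body of `check` continues outside the hunk.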