Bug 781476 - Cross-compartment wrap same-origin objects with PreCreate even if PreCreate requests one wrapper per scope. r=mrbkap a=lsblakk
☠☠ backed out by 9226979297aa ☠ ☠
authorBobby Holley <bobbyholley@gmail.com>
Tue, 14 Aug 2012 12:27:27 -0700
changeset 100505 a0b80f83795252337571e9bc76cf7d5b77c17cb5
parent 100504 fe13653f05ecfa5efc271dd9c1d75a65bfdcd68f
child 100506 aa331c131a658b69f42ec582461f643482f202cd
push id1277
push userbobbyholley@gmail.com
push dateTue, 14 Aug 2012 19:28:33 +0000
treeherdermozilla-beta@a0b80f837952 [default view] [failures only]
reviewersmrbkap, lsblakk
bugs781476
milestone15.0
Bug 781476 - Cross-compartment wrap same-origin objects with PreCreate even if PreCreate requests one wrapper per scope. r=mrbkap a=lsblakk
js/xpconnect/tests/mochitest/Makefile.in
js/xpconnect/tests/mochitest/file_bug781476.html
js/xpconnect/tests/mochitest/test_bug781476.html
js/xpconnect/wrappers/WrapperFactory.cpp
--- a/js/xpconnect/tests/mochitest/Makefile.in
+++ b/js/xpconnect/tests/mochitest/Makefile.in
@@ -60,16 +60,18 @@ include $(topsrcdir)/config/rules.mk
 		test_bug650273.html \
 		file_bug650273.html \
 		file_bug658560.html \
 		test_bug655297.html \
 		test_bug691059.html \
 		test_bug745483.html \
 		file_bug758563.html \
 		test_bug764389.html \
+		test_bug781476.html \
+		file_bug781476.html \
 		file_nodelists.html \
 		file_bug706301.html \
 		file_exnstack.html \
 		file_expandosharing.html \
 		file_empty.html \
 		$(NULL)
 
 _CHROME_FILES	= \
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/mochitest/file_bug781476.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="application/javascript">
+function makeEvent() {
+  var evt = new Event("MouseEvents");
+  evt.expando = 42;
+  is(evt.expando, 42, "Expando properly visible in iframe");
+  return evt;
+}
+</script>
+</head>
+<body>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/mochitest/test_bug781476.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=781476
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 781476</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=781476">Mozilla Bug 781476</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe onload="go();" id="ifr" src="file_bug781476.html"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 781476 **/
+SimpleTest.waitForExplicitFinish();
+
+function go() {
+  var iwin = document.getElementById('ifr').contentWindow;
+  iwin.is = is;
+  var evt = iwin.makeEvent();
+  is(evt.expando, 42, "Expando properly visible in caller frame");
+  SimpleTest.finish();
+}
+
+
+</script>
+</pre>
+</body>
+</html>
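Review bot: `go()` asserts only that the expando set in the same-origin iframe is readable from the caller, so the test would still pass if the new branch in WrapperFactory.cpp also fired for a pair that is not same-origin. It also leaves unrecorded the identity side effect that the C++ comment admits to. If a cross-origin case is impractical in this harness, say so in the test, for example `// Covers the same-origin path only; wrapper identity after this change is intentionally not asserted.` above `function go()`.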
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -217,16 +217,24 @@ WrapperFactory::PrepareForWrapping(JSCon
                 // Check for case (2).
                 if (probe != currentScope) {
                     MOZ_ASSERT(probe == scope);
                     return DoubleWrap(cx, obj, flags);
                 }
 
                 // Ok, must be case (1). Fall through and create a new wrapper.
             }
+
+            // Nasty hack for late-breaking bug 781476. This will confuse identity checks,
+            // but it's probably better than any of our alternatives.
+            if (AccessCheck::isSameOrigin(js::GetObjectCompartment(scope),
+                                          js::GetObjectCompartment(obj)))
+            {
+                return DoubleWrap(cx, obj, flags);
+            }
         }
     }
 
     // NB: Passing a holder here inhibits slim wrappers under
     // WrapNativeToJSVal.
     nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
 
     // This public WrapNativeToJSVal API enters the compartment of 'scope'
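Review bot: The new same-origin branch runs after the block whose last comment says "Ok, must be case (1). Fall through and create a new wrapper", so for a same-origin `scope`/`obj` pair that fall-through now returns `DoubleWrap(cx, obj, flags)` and the older comment is stale; it could read `// Ok, must be case (1). A new wrapper is created only if the same-origin check below fails.` The added comment should also spell out what "will confuse identity checks" means in practice and when the hack is meant to be removed, rather than leaving both to the bug. Because the wrapper choice on this path now rests entirely on `AccessCheck::isSameOrigin`, it is worth confirming in that helper (not visible here) how compartments without principals and `document.domain` are treated, since a permissive answer widens what is handed out through `DoubleWrap`. PrepareForWrapping begins and ends outside the hunk.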