Bug 1036214 - Do a subsumes check on object and any parameters (and things containing them) to JS-implemented WebIDL. r=bz, a=sledru
☠☠ backed out by 947dd9a0f12b ☠ ☠
authorBobby Holley <bobbyholley@gmail.com>
Tue, 19 Aug 2014 18:12:15 -0700
changeset 217603 57cdea2c224d33d72cd3e2c5501f9cbf4db8dcb3
parent 217602 c78e3dc81484fa9fe3764579499a14b38f361645
child 217604 ea25dee8ad3fc5eec2349390779cc365197d1157
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz, sledru
bugs1036214
milestone33.0a2
Bug 1036214 - Do a subsumes check on object and any parameters (and things containing them) to JS-implemented WebIDL. r=bz, a=sledru
dom/bindings/BindingUtils.cpp
dom/bindings/BindingUtils.h
dom/bindings/Codegen.py
dom/bindings/Errors.msg
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -2586,10 +2586,17 @@ AssertReturnTypeMatchesJitinfo(const JSJ
   default:
     // Someone messed up their jitinfo type.
     MOZ_ASSERT(false, "Unexpected JSValueType stored in jitinfo");
     break;
   }
 }
 #endif
 
+bool
+CallerSubsumes(JSObject *aObject)
+{
+  nsIPrincipal* objPrin = nsContentUtils::ObjectPrincipal(js::UncheckedUnwrap(aObject));
+  return nsContentUtils::SubjectPrincipal()->Subsumes(objPrin);
+}
+
 } // namespace dom
 } // namespace mozilla
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -2905,12 +2905,24 @@ AssertReturnTypeMatchesJitinfo(const JSJ
                                JS::Handle<JS::Value> aValue);
 #endif
 
 // Returns true if aObj's global has any of the permissions named in aPermissions
 // set to nsIPermissionManager::ALLOW_ACTION. aPermissions must be null-terminated.
 bool
 CheckPermissions(JSContext* aCx, JSObject* aObj, const char* const aPermissions[]);
 
+bool
+CallerSubsumes(JSObject* aObject);
+
+MOZ_ALWAYS_INLINE bool
+CallerSubsumes(JS::Handle<JS::Value> aValue)
+{
+  if (!aValue.isObject()) {
+    return true;
+  }
+  return CallerSubsumes(&aValue.toObject());
+}
+
 } // namespace dom
 } // namespace mozilla
 
 #endif /* mozilla_dom_BindingUtils_h__ */
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -3450,16 +3450,19 @@ class JSToNativeConversionInfo():
 
           ${val} is a handle to the JS::Value in question
           ${holderName} replaced by the holder's name, if any
           ${declName} replaced by the declaration's name
           ${haveValue} replaced by an expression that evaluates to a boolean
                        for whether we have a JS::Value.  Only used when
                        defaultValue is not None or when True is passed for
                        checkForValue to instantiateJSToNativeConversion.
+          ${passedToJSImpl} replaced by an expression that evaluates to a boolean
+                            for whether this value is being passed to a JS-
+                            implemented interface.
 
         declType: A CGThing representing the native C++ type we're converting
                   to.  This is allowed to be None if the conversion code is
                   supposed to be used as-is.
 
         holderType: A CGThing representing the type of a "holder" which will
                     hold a possible reference to the C++ thing whose type we
                     returned in declType, or  None if no such holder is needed.
@@ -3705,32 +3708,45 @@ def getJSToNativeConversionInfo(type, de
                 # Our caller will handle it
                 pass
             else:
                 assert defaultValue is None
 
         return templateBody
 
     # A helper function for converting things that look like a JSObject*.
-    def handleJSObjectType(type, isMember, failureCode):
+    def handleJSObjectType(type, isMember, failureCode, exceptionCode, sourceDescription):
         if not isMember:
             if isOptional:
                 # We have a specialization of Optional that will use a
                 # Rooted for the storage here.
                 declType = CGGeneric("JS::Handle<JSObject*>")
             else:
                 declType = CGGeneric("JS::Rooted<JSObject*>")
             declArgs = "cx"
         else:
             assert (isMember in
                     ("Sequence", "Variadic", "Dictionary", "OwningUnion", "MozMap"))
             # We'll get traced by the sequence or dictionary or union tracer
             declType = CGGeneric("JSObject*")
             declArgs = None
         templateBody = "${declName} = &${val}.toObject();\n"
+
+        # For JS-implemented APIs, we refuse to allow passing objects that the
+        # API consumer does not subsume.
+        if not isinstance(descriptorProvider, Descriptor) or descriptorProvider.interface.isJSImplemented():
+            templateBody = fill("""
+                            if ($${passedToJSImpl} && !CallerSubsumes($${val})) {
+                              ThrowErrorMessage(cx, MSG_PERMISSION_DENIED_TO_PASS_ARG, "${sourceDescription}");
+                              $*{exceptionCode}
+                            }
+                            """,
+                            sourceDescription=sourceDescription,
+                            exceptionCode=exceptionCode) + templateBody
+
         setToNullCode = "${declName} = nullptr;\n"
         template = wrapObjectTemplate(templateBody, type, setToNullCode,
                                       failureCode)
         return JSToNativeConversionInfo(template, declType=declType,
                                         dealWithOptional=isOptional,
                                         declArgs=declArgs)
 
     assert not (isEnforceRange and isClamp)  # These are mutually exclusive
@@ -3795,17 +3811,18 @@ def getJSToNativeConversionInfo(type, de
             arrayRef = "${declName}"
 
         elementConversion = string.Template(elementInfo.template).substitute({
                 "val": "temp",
                 "declName": "slot",
                 # We only need holderName here to handle isExternal()
                 # interfaces, which use an internal holder for the
                 # conversion even when forceOwningType ends up true.
-                "holderName": "tempHolder"
+                "holderName": "tempHolder",
+                "passedToJSImpl": "${passedToJSImpl}"
             })
 
         # NOTE: Keep this in sync with variadic conversions as needed
         templateBody = fill(
             """
             JS::ForOfIterator iter(cx);
             if (!iter.init($${val}, JS::ForOfIterator::AllowNonIterable)) {
               $*{exceptionCode}
@@ -3899,17 +3916,18 @@ def getJSToNativeConversionInfo(type, de
             mozMapRef = "${declName}"
 
         valueConversion = string.Template(valueInfo.template).substitute({
                 "val": "temp",
                 "declName": "slot",
                 # We only need holderName here to handle isExternal()
                 # interfaces, which use an internal holder for the
                 # conversion even when forceOwningType ends up true.
-                "holderName": "tempHolder"
+                "holderName": "tempHolder",
+                "passedToJSImpl": "${passedToJSImpl}"
             })
 
         templateBody = fill(
             """
             ${mozMapType} &mozMap = ${mozMapRef};
 
             JS::Rooted<JSObject*> mozMapObj(cx, &$${val}.toObject());
             JS::AutoIdArray ids(cx, JS_Enumerate(cx, mozMapObj));
@@ -3989,30 +4007,30 @@ def getJSToNativeConversionInfo(type, de
         names = []
 
         interfaceMemberTypes = filter(lambda t: t.isNonCallbackInterface(), memberTypes)
         if len(interfaceMemberTypes) > 0:
             interfaceObject = []
             for memberType in interfaceMemberTypes:
                 name = getUnionMemberName(memberType)
                 interfaceObject.append(
-                    CGGeneric("(failed = !%s.TrySetTo%s(cx, ${val}, tryNext)) || !tryNext" %
+                    CGGeneric("(failed = !%s.TrySetTo%s(cx, ${val}, tryNext, ${passedToJSImpl})) || !tryNext" %
                               (unionArgumentObj, name)))
                 names.append(name)
             interfaceObject = CGWrapper(CGList(interfaceObject, " ||\n"),
                                         pre="done = ", post=";\n\n", reindent=True)
         else:
             interfaceObject = None
 
         arrayObjectMemberTypes = filter(lambda t: t.isArray() or t.isSequence(), memberTypes)
         if len(arrayObjectMemberTypes) > 0:
             assert len(arrayObjectMemberTypes) == 1
             name = getUnionMemberName(arrayObjectMemberTypes[0])
             arrayObject = CGGeneric(
-                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext)) || !tryNext;\n" %
+                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext, ${passedToJSImpl})) || !tryNext;\n" %
                 (unionArgumentObj, name))
             names.append(name)
         else:
             arrayObject = None
 
         dateObjectMemberTypes = filter(lambda t: t.isDate(), memberTypes)
         if len(dateObjectMemberTypes) > 0:
             assert len(dateObjectMemberTypes) == 1
@@ -4026,52 +4044,54 @@ def getJSToNativeConversionInfo(type, de
             dateObject = None
 
         callbackMemberTypes = filter(lambda t: t.isCallback() or t.isCallbackInterface(), memberTypes)
         if len(callbackMemberTypes) > 0:
             assert len(callbackMemberTypes) == 1
             memberType = callbackMemberTypes[0]
             name = getUnionMemberName(memberType)
             callbackObject = CGGeneric(
-                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext)) || !tryNext;\n" %
+                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext, ${passedToJSImpl})) || !tryNext;\n" %
                 (unionArgumentObj, name))
             names.append(name)
         else:
             callbackObject = None
 
         dictionaryMemberTypes = filter(lambda t: t.isDictionary(), memberTypes)
         if len(dictionaryMemberTypes) > 0:
             assert len(dictionaryMemberTypes) == 1
             name = getUnionMemberName(dictionaryMemberTypes[0])
             setDictionary = CGGeneric(
-                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext)) || !tryNext;\n" %
+                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext, ${passedToJSImpl})) || !tryNext;\n" %
                 (unionArgumentObj, name))
             names.append(name)
         else:
             setDictionary = None
 
         mozMapMemberTypes = filter(lambda t: t.isMozMap(), memberTypes)
         if len(mozMapMemberTypes) > 0:
             assert len(mozMapMemberTypes) == 1
             name = getUnionMemberName(mozMapMemberTypes[0])
             mozMapObject = CGGeneric(
-                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext)) || !tryNext;\n" %
+                "done = (failed = !%s.TrySetTo%s(cx, ${val}, tryNext, ${passedToJSImpl})) || !tryNext;\n" %
                 (unionArgumentObj, name))
             names.append(name)
         else:
             mozMapObject = None
 
         objectMemberTypes = filter(lambda t: t.isObject(), memberTypes)
         if len(objectMemberTypes) > 0:
             assert len(objectMemberTypes) == 1
             # Very important to NOT construct a temporary Rooted here, since the
             # SetToObject call can call a Rooted constructor and we need to keep
             # stack discipline for Rooted.
-            object = CGGeneric("%s.SetToObject(cx, &${val}.toObject());\n"
-                               "done = true;\n" % unionArgumentObj)
+            object = CGGeneric("if (!%s.SetToObject(cx, &${val}.toObject(), ${passedToJSImpl})) {\n"
+                               "%s"
+                               "}\n"
+                               "done = true;\n" % (unionArgumentObj, indent(exceptionCode)))
             names.append(objectMemberTypes[0].name)
         else:
             object = None
 
         hasObjectTypes = interfaceObject or arrayObject or dateObject or callbackObject or object or mozMapObject
         if hasObjectTypes:
             # "object" is not distinguishable from other types
             assert not object or not (interfaceObject or arrayObject or dateObject or callbackObject or mozMapObject)
@@ -4293,17 +4313,17 @@ def getJSToNativeConversionInfo(type, de
         assert not isEnforceRange and not isClamp
 
         descriptor = descriptorProvider.getDescriptor(
             type.unroll().inner.identifier.name)
 
         if descriptor.nativeType == 'JSObject':
             # XXXbz Workers code does this sometimes
             assert descriptor.workers
-            return handleJSObjectType(type, isMember, failureCode)
+            return handleJSObjectType(type, isMember, failureCode, exceptionCode, sourceDescription)
 
         if descriptor.interface.isCallback():
             name = descriptor.interface.identifier.name
             if type.nullable() or isCallbackReturnValue:
                 declType = CGGeneric("nsRefPtr<%s>" % name)
             else:
                 declType = CGGeneric("OwningNonNull<%s>" % name)
             conversion = indent(CGCallbackTempRoot(name).define())
@@ -4375,17 +4395,17 @@ def getJSToNativeConversionInfo(type, de
                 templateBody += str(FailureFatalCastableObjectUnwrapper(
                     descriptor,
                     "&${val}.toObject()",
                     "${declName}",
                     exceptionCode,
                     isCallbackReturnValue,
                     firstCap(sourceDescription)))
         elif descriptor.workers:
-            return handleJSObjectType(type, isMember, failureCode)
+            return handleJSObjectType(type, isMember, failureCode, exceptionCode, sourceDescription)
         else:
             # Either external, or new-binding non-castable.  We always have a
             # holder for these, because we don't actually know whether we have
             # to addref when unwrapping or not.  So we just pass an
             # getter_AddRefs(nsRefPtr) to XPConnect and if we'll need a release
             # it'll put a non-null pointer in there.
             if forceOwningType:
                 # Don't return a holderType in this case; our declName
@@ -4688,32 +4708,45 @@ def getJSToNativeConversionInfo(type, de
             declType = "JS::Value"
         else:
             assert not isMember
             declType = "JS::Rooted<JS::Value>"
             declArgs = "cx"
 
         assert not isOptional
         templateBody = "${declName} = ${val};\n"
+
+        # For JS-implemented APIs, we refuse to allow passing objects that the
+        # API consumer does not subsume.
+        if not isinstance(descriptorProvider, Descriptor) or descriptorProvider.interface.isJSImplemented():
+            templateBody = fill("""
+                            if ($${passedToJSImpl} && !CallerSubsumes($${val})) {
+                              ThrowErrorMessage(cx, MSG_PERMISSION_DENIED_TO_PASS_ARG, "${sourceDescription}");
+                              $*{exceptionCode}
+                            }
+                            """,
+                            sourceDescription=sourceDescription,
+                            exceptionCode=exceptionCode) + templateBody
+
         # We may not have a default value if we're being converted for
         # a setter, say.
         if defaultValue:
             if isinstance(defaultValue, IDLNullValue):
                 defaultHandling = "${declName} = JS::NullValue();\n"
             else:
                 assert isinstance(defaultValue, IDLUndefinedValue)
                 defaultHandling = "${declName} = JS::UndefinedValue();\n"
             templateBody = handleDefault(templateBody, defaultHandling)
         return JSToNativeConversionInfo(templateBody,
                                         declType=CGGeneric(declType),
                                         declArgs=declArgs)
 
     if type.isObject():
         assert not isEnforceRange and not isClamp
-        return handleJSObjectType(type, isMember, failureCode)
+        return handleJSObjectType(type, isMember, failureCode, exceptionCode, sourceDescription)
 
     if type.isDictionary():
         # There are no nullable dictionaries
         assert not type.nullable() or isCallbackReturnValue
         # All optional dictionaries always have default values, so we
         # should be able to assume not isOptional here.
         assert not isOptional
         # In the callback return value case we never have to worry
@@ -4753,17 +4786,17 @@ def getJSToNativeConversionInfo(type, de
                 "!%s(cx, ${val})" % dictionaryTest).define() + "\n"
         else:
             template = ""
 
         dictLoc = "${declName}"
         if type.nullable():
             dictLoc += ".SetValue()"
 
-        template += ('if (!%s.Init(cx, %s, "%s")) {\n'
+        template += ('if (!%s.Init(cx, %s, "%s", ${passedToJSImpl})) {\n'
                      "%s"
                      "}\n" % (dictLoc, val, firstCap(sourceDescription),
                               exceptionCodeIndented.define()))
 
         if type.nullable():
             declType = CGTemplatedType("Nullable", declType)
             template = CGIfElseWrapper("${val}.isNullOrUndefined()",
                                        CGGeneric("${declName}.SetNull();\n"),
@@ -5029,17 +5062,18 @@ class CGArgumentConverter(CGThing):
 
         replacer = {
             "index": index,
             "argc": "args.length()"
         }
         self.replacementVariables = {
             "declName": "arg%d" % index,
             "holderName": ("arg%d" % index) + "_holder",
-            "obj": "obj"
+            "obj": "obj",
+            "passedToJSImpl": toStringBool(isJSImplementedDescriptor(descriptorProvider))
         }
         self.replacementVariables["val"] = string.Template(
             "args[${index}]").substitute(replacer)
         haveValueCheck = string.Template(
             "args.hasDefined(${index})").substitute(replacer)
         self.replacementVariables["haveValue"] = haveValueCheck
         self.descriptorProvider = descriptorProvider
         if self.argument.optional and not self.argument.defaultValue:
@@ -5107,17 +5141,18 @@ class CGArgumentConverter(CGThing):
             string.Template(typeConversion.template).substitute({
                 "val": val,
                 "declName": "slot",
                 # We only need holderName here to handle isExternal()
                 # interfaces, which use an internal holder for the
                 # conversion even when forceOwningType ends up true.
                 "holderName": "tempHolder",
                 # Use the same ${obj} as for the variadic arg itself
-                "obj": replacer["obj"]
+                "obj": replacer["obj"],
+                "passedToJSImpl": toStringBool(isJSImplementedDescriptor(self.descriptorProvider))
             }), 4)
 
         variadicConversion += ("  }\n"
                                "}\n")
         return variadicConversion
 
 
 def getMaybeWrapValueFuncForType(type):
@@ -6581,17 +6616,18 @@ class CGMethodCall(CGThing):
                                                 isNullOrUndefined=isNullOrUndefined,
                                                 isOptional=argIsOptional,
                                                 sourceDescription=(argDesc % (distinguishingIndex + 1))),
                     {
                         "declName": "arg%d" % distinguishingIndex,
                         "holderName": ("arg%d" % distinguishingIndex) + "_holder",
                         "val": distinguishingArg,
                         "obj": "obj",
-                        "haveValue": "args.hasDefined(%d)" % distinguishingIndex
+                        "haveValue": "args.hasDefined(%d)" % distinguishingIndex,
+                        "passedToJSImpl": toStringBool(isJSImplementedDescriptor(descriptor))
                     },
                     checkForValue=argIsOptional)
                 caseBody.append(CGIndenter(testCode, indent))
 
                 # If we got this far, we know we unwrapped to the right
                 # C++ type, so just do the call.  Start conversion with
                 # distinguishingIndex + 1, since we already converted
                 # distinguishingIndex.
@@ -8152,19 +8188,32 @@ def getUnionTypeTemplateVars(unionType, 
                 mType = eObject;
                 """)
         else:
             body = dedent("""
                 MOZ_ASSERT(mUnion.mType == mUnion.eUninitialized);
                 mUnion.mValue.mObject.SetValue(cx, obj);
                 mUnion.mType = mUnion.eObject;
                 """)
-        setter = ClassMethod("SetToObject", "void",
+
+        # It's a bit sketchy to do the security check after setting the value,
+        # but it keeps the code cleaner and lets us avoid rooting |obj| over the
+        # call to CallerSubsumes().
+        body = body + dedent("""
+            if (passedToJSImpl && !CallerSubsumes(obj)) {
+              ThrowErrorMessage(cx, MSG_PERMISSION_DENIED_TO_PASS_ARG, "%s");
+              return false;
+            }
+            return true;
+            """)
+
+        setter = ClassMethod("SetToObject", "bool",
                              [Argument("JSContext*", "cx"),
-                              Argument("JSObject*", "obj")],
+                              Argument("JSObject*", "obj"),
+                              Argument("bool", "passedToJSImpl", default="false")],
                              inline=True, bodyInHeader=True,
                              body=body)
 
     else:
         # Important: we need to not have our declName involve
         # maybe-GCing operations.
         if conversionInfo.holderType is not None:
             holderArgs = conversionInfo.holderArgs
@@ -8174,17 +8223,18 @@ def getUnionTypeTemplateVars(unionType, 
         else:
             initHolder = ""
 
         jsConversion = fill(
             initHolder + conversionInfo.template,
             val="value",
             declName="memberSlot",
             holderName=(holderName if ownsMembers else "%s.ref()" % holderName),
-            destroyHolder=destroyHolder)
+            destroyHolder=destroyHolder,
+            passedToJSImpl="passedToJSImpl")
 
         jsConversion = fill(
             """
             tryNext = false;
             { // scope for memberSlot
               ${structType}& memberSlot = RawSetAs${name}(${ctorArgs});
               $*{jsConversion}
             }
@@ -8193,17 +8243,18 @@ def getUnionTypeTemplateVars(unionType, 
             structType=structType,
             name=name,
             ctorArgs=ctorArgs,
             jsConversion=jsConversion)
 
         setter = ClassMethod("TrySetTo" + name, "bool",
                              [Argument("JSContext*", "cx"),
                               Argument("JS::Handle<JS::Value>", "value"),
-                              Argument("bool&", "tryNext")],
+                              Argument("bool&", "tryNext"),
+                              Argument("bool", "passedToJSImpl", default="false")],
                              inline=not ownsMembers,
                              bodyInHeader=not ownsMembers,
                              body=jsConversion)
 
     return {
         "name": name,
         "structType": structType,
         "externalType": externalType,
@@ -9285,17 +9336,18 @@ class CGProxySpecialOperation(CGPerSigna
                 sourceDescription=("value being assigned to %s setter" %
                                    descriptor.interface.identifier.name))
             if argumentMutableValue is None:
                 argumentMutableValue = "desc.value()"
             templateValues = {
                 "declName": argument.identifier.name,
                 "holderName": argument.identifier.name + "_holder",
                 "val": argumentMutableValue,
-                "obj": "obj"
+                "obj": "obj",
+                "passedToJSImpl": "false"
             }
             self.cgRoot.prepend(instantiateJSToNativeConversion(info, templateValues))
         elif operation.isGetter() or operation.isDeleter():
             self.cgRoot.prepend(CGGeneric("bool found;\n"))
 
     def getArguments(self):
         args = [(a, a.identifier.name) for a in self.arguments]
         if self.idlNode.isGetter() or self.idlNode.isDeleter():
@@ -10784,17 +10836,18 @@ class CGDictionary(CGThing):
                 """,
                 memberInits="\n".join(memberInits))
 
         body += "return true;\n"
 
         return ClassMethod("Init", "bool", [
             Argument('JSContext*', 'cx'),
             Argument('JS::Handle<JS::Value>', 'val'),
-            Argument('const char*', 'sourceDescription', default='"Value"')
+            Argument('const char*', 'sourceDescription', default='"Value"'),
+            Argument('bool', 'passedToJSImpl', default='false')
         ], body=body)
 
     def initFromJSONMethod(self):
         return ClassMethod(
             "Init", "bool",
             [Argument('const nsAString&', 'aJSON')],
             body=dedent("""
                 MOZ_ASSERT(NS_IsMainThread());
@@ -11003,17 +11056,18 @@ class CGDictionary(CGThing):
     def getMemberConversion(self, memberInfo):
         member, conversionInfo = memberInfo
         replacements = {
             "val": "temp.ref()",
             "declName": self.makeMemberName(member.identifier.name),
             # We need a holder name for external interfaces, but
             # it's scoped down to the conversion so we can just use
             # anything we want.
-            "holderName": "holder"
+            "holderName": "holder",
+            "passedToJSImpl": "passedToJSImpl"
         }
         # We can't handle having a holderType here
         assert conversionInfo.holderType is None
         if conversionInfo.dealWithOptional:
             replacements["declName"] = "(" + replacements["declName"] + ".Value())"
         if member.defaultValue:
             replacements["haveValue"] = "!isNull && !temp.ref().isUndefined()"
 
@@ -11139,16 +11193,21 @@ class CGDictionary(CGThing):
                 trace = CGGeneric('%s.TraceDictionary(trc);\n' % memberData)
             elif type.isUnion():
                 trace = CGGeneric('%s.TraceUnion(trc);\n' % memberData)
             else:
                 assert type.isSpiderMonkeyInterface()
                 trace = CGGeneric('%s.TraceSelf(trc);\n' % memberData)
             if type.nullable():
                 trace = CGIfWrapper(trace, "!%s.IsNull()" % memberNullable)
+        elif type.isMozMap():
+            # If you implement this, add a MozMap<object> to
+            # TestInterfaceJSDictionary and test it in test_bug1036214.html
+            # to make sure we end up with the correct security properties.
+            assert False
         else:
             assert False  # unknown type
 
         if not member.defaultValue:
             trace = CGIfWrapper(trace, "%s.WasPassed()" % memberLoc)
 
         return trace.define()
 
@@ -13012,17 +13071,18 @@ class CallbackMember(CGNativeMember):
     def getResultConversion(self):
         replacements = {
             "val": "rval",
             "holderName": "rvalHolder",
             "declName": "rvalDecl",
             # We actually want to pass in a null scope object here, because
             # wrapping things into our current compartment (that of mCallback)
             # is what we want.
-            "obj": "nullptr"
+            "obj": "nullptr",
+            "passedToJSImpl": "false"
         }
 
         if isJSImplementedDescriptor(self.descriptorProvider):
             isCallbackReturnValue = "JSImpl"
         else:
             isCallbackReturnValue = "Callback"
         sourceDescription = "return value of %s" % self.getPrettyName()
         convertType = instantiateJSToNativeConversion(
--- a/dom/bindings/Errors.msg
+++ b/dom/bindings/Errors.msg
@@ -49,8 +49,9 @@ MSG_DEF(MSG_INVALID_VERSION, 0, "0 (Zero
 MSG_DEF(MSG_INVALID_BYTESTRING, 2, "Cannot convert string to ByteString because the character"
         " at index {0} has value {1} which is greater than 255.")
 MSG_DEF(MSG_NOT_DATE, 1, "{0} is not a date.")
 MSG_DEF(MSG_INVALID_ADVANCE_COUNT, 0, "0 (Zero) is not a valid advance count.")
 MSG_DEF(MSG_DEFINEPROPERTY_ON_GSP, 0, "Not allowed to define a property on the named properties object.")
 MSG_DEF(MSG_INVALID_URL, 1, "{0} is not a valid URL.")
 MSG_DEF(MSG_METADATA_NOT_CONFIGURED, 0, "Either size or lastModified should be true.")
 MSG_DEF(MSG_INVALID_READ_SIZE, 0, "0 (Zero) is not a valid read size.")
+MSG_DEF(MSG_PERMISSION_DENIED_TO_PASS_ARG, 1, "Permission denied to pass cross-origin object as {0}.")