Bug 1291437 - Don't enter the compartment of a possibly-gray window object in PostMessageEvent::Run. r=smaug, a=ritu
authorBoris Zbarsky <bzbarsky@mit.edu>
Tue, 02 Aug 2016 13:21:16 -0700
changeset 350184 fc1db61e30cdbc18be66eea66948255ec7eb721b
parent 350183 f4b3eabf73713db73c49dbb32cf7ab1fa02b29b0
child 350185 7f90dcc0445b8c06aa7529bb63dbed5991fc590d
push id1230
push userjlund@mozilla.com
push dateMon, 31 Oct 2016 18:13:35 +0000
treeherdermozilla-release@5e06e3766db2 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug, ritu
bugs1291437
milestone50.0a2
Bug 1291437 - Don't enter the compartment of a possibly-gray window object in PostMessageEvent::Run. r=smaug, a=ritu
dom/base/PostMessageEvent.cpp
--- a/dom/base/PostMessageEvent.cpp
+++ b/dom/base/PostMessageEvent.cpp
@@ -76,17 +76,17 @@ PostMessageEvent::Run()
   RefPtr<nsGlobalWindow> targetWindow;
   if (mTargetWindow->IsClosedOrClosing() ||
       !(targetWindow = mTargetWindow->GetCurrentInnerWindowInternal()) ||
       targetWindow->IsClosedOrClosing())
     return NS_OK;
 
   MOZ_ASSERT(targetWindow->IsInnerWindow(),
              "we ordered an inner window!");
-  JSAutoCompartment ac(cx, targetWindow->GetWrapperPreserveColor());
+  JSAutoCompartment ac(cx, targetWindow->GetWrapper());
 
   // Ensure that any origin which might have been provided is the origin of this
   // window's document.  Note that we do this *now* instead of when postMessage
   // is called because the target window might have been navigated to a
   // different location between then and now.  If this check happened when
   // postMessage was called, it would be fairly easy for a malicious webpage to
   // intercept messages intended for another site by carefully timing navigation
   // of the target window so it changed location after postMessage but before