Bug 975277 - Move the wrappedJSObject getter out of getPropertyDescriptor. r=gabor

The current setup is kinda wrong, and doesn't work with HasPrototype Xrays. This change requires us to manually munge the holder, but that's probably ok for now.
2024-09-13 09:24:08 -07:00 · 2014-02-21 16:03:08 -08:00 · 2014-02-21 16:03:08 -08:00 · 076b37d7fa
commit 076b37d7fa
parent 58c0c8876c
1 changed files with 19 additions and 14 deletions
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@ -884,6 +884,25 @@ XrayTraits::resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper,
        desc.object().set(wrapper);
        return true;
    }
+
+    // Handle .wrappedJSObject for subsuming callers. This should move once we
+    // sort out own-ness for the holder.
+    if (id == GetRTIdByIndex(cx, XPCJSRuntime::IDX_WRAPPED_JSOBJECT) &&
+        AccessCheck::wrapperSubsumes(wrapper))
+    {
+        if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found))
+            return false;
+        if (!found && !JS_DefinePropertyById(cx, holder, id, UndefinedValue(),
+                                             wrappedJSObject_getter, nullptr,
+                                             JSPROP_ENUMERATE | JSPROP_SHARED)) {
+            return false;
+        }
+        if (!JS_GetPropertyDescriptorById(cx, holder, id, 0, desc))
+            return false;
+        desc.object().set(wrapper);
+        return true;
+    }
+
    return true;
 }

@ -1458,20 +1477,6 @@ XrayWrapper<Base, Traits>::getPropertyDescriptor(JSContext *cx, HandleObject wra
    if (!holder)
        return false;

-    // Only chrome wrappers and same-origin xrays (used by jetpack sandboxes)
-    // get .wrappedJSObject. We can check this by determining if the compartment
-    // of the wrapper subsumes that of the wrappee.
-    XPCJSRuntime* rt = nsXPConnect::GetRuntimeInstance();
-    if (AccessCheck::wrapperSubsumes(wrapper) &&
-        id == rt->GetStringID(XPCJSRuntime::IDX_WRAPPED_JSOBJECT)) {
-        desc.object().set(wrapper);
-        desc.setAttributes(JSPROP_ENUMERATE|JSPROP_SHARED);
-        desc.setGetter(wrappedJSObject_getter);
-        desc.setSetter(nullptr);
-        desc.value().set(JSVAL_VOID);
-        return true;
-    }
-
    // Ordering is important here.
    //
    // We first need to call resolveOwnProperty, even before checking the holder,