Bug 1152784 - Be more robust about possible intermediate wrappers in IsFrameId. r=bz

Boris and I debugged this. It looks like we're somehow ending up with an
XrayWaiver on the other end of a CrossOriginXrayWrapper. The specifics of how
this happens are a bit fuzzy to me, but it's presumably happening in all the
brain transplant weirdness we do when recomputing wrappers during document.domain.

Having an XrayWaiver there isn't unsafe - the wrapper computation algorithm
will ignore the waiver if the principals don't allow the caller to waive. But
it does throw a wrench in some brittle code that only expects certain kinds
of wrappers. Let's just do what XrayTraits::getTargetObject does. I don't think
this is really unsafe at all, because the only wrapper with a security boundary
is the CCW, and we're already stripping that off unconditionally with
Wrapper::wrappedObject.
Bobby Holley 2015-04-09 14:09:54 -07:00
parent 6acb1670db
commit 5fe70c6e20

@ -110,13 +110,11 @@ IsPermitted(CrossOriginObjectType type, JSFlatString* prop, bool set)
}
static bool
IsFrameId(JSContext* cx, JSObject* objArg, jsid idArg)
IsFrameId(JSContext* cx, JSObject* obj, jsid idArg)
{
RootedObject obj(cx, objArg);
MOZ_ASSERT(!js::IsWrapper(obj));
RootedId id(cx, idArg);
obj = JS_ObjectToInnerObject(cx, obj);
MOZ_ASSERT(!js::IsWrapper(obj));
nsGlobalWindow* win = WindowOrNull(obj);
if (!win) {
return false;
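Review bot: Dropping the JS_ObjectToInnerObject call and the RootedObject copy makes IsFrameId depend entirely on its caller for an unwrapped, inner-window object, and the only remaining guard is the debug-only MOZ_ASSERT(!js::IsWrapper(obj)) at the top of the function; in release builds WindowOrNull(obj) now runs on whatever is passed in. A one-line comment at the declaration stating the new precondition ("obj must already be fully unwrapped and must be the inner window, see isCrossOriginAccessPermitted") would make the contract explicit for the next caller that is added, since the function signature alone no longer conveys it.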
@ -174,8 +172,7 @@ AccessCheck::isCrossOriginAccessPermitted(JSContext* cx, HandleObject wrapper, H
isCrossOriginAccessPermitted(cx, wrapper, id, Wrapper::SET);
}
RootedObject obj(cx, Wrapper::wrappedObject(wrapper));
RootedObject obj(cx, js::UncheckedUnwrap(wrapper, /* stopAtOuter = */ false));
CrossOriginObjectType type = IdentifyCrossOriginObject(obj);
if (JSID_IS_STRING(id)) {
if (IsPermitted(type, JSID_TO_FLAT_STRING(id), act == Wrapper::SET))
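Review bot: The switch from Wrapper::wrappedObject(wrapper) to js::UncheckedUnwrap(wrapper, /* stopAtOuter = */ false) quietly does two jobs at once: it strips every intermediate wrapper layer (including the XrayWaiver the commit message describes) and, because stopAtOuter is false, it also walks through the outer window to the inner one, which is what replaces the JS_ObjectToInnerObject call removed from IsFrameId. The safety argument from the commit message (the CCW is the only wrapper with a security boundary, and it was already removed unconditionally by Wrapper::wrappedObject) is exactly what a reader of this access-check path will want to see, so consider putting a short comment above the RootedObject line rather than leaving it only in the commit log, and consider a MOZ_ASSERT(!js::IsWrapper(obj)) right after the unwrap so the precondition that IsFrameId and IdentifyCrossOriginObject now rely on is checked where it is established.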