Bug 834707 - Disable SOWs for remote XUL domains. r=bz

We have to do this if we want to proceed with eliminating SOWs entirely. Given the other restrictions around remote XUL, I don't think this is a problem. Note that we shouldn't need any special handling in the wrapper reparenting paths, because those all depend on whether a SOW was there already. So that would only be an issue if it were possible to adoptNode from a non-remote-XUL domain into a remote-XUL domain, which thankfully can't happen.
2024-09-13 09:24:08 -07:00 · 2013-05-06 19:38:22 -07:00 · 2013-05-06 19:38:22 -07:00 · 9a1a16ea75
commit 9a1a16ea75
parent 9de959b56d
3 changed files with 14 additions and 3 deletions
--- a/content/base/src/nsINode.cpp
+++ b/content/base/src/nsINode.cpp
@ -2396,7 +2396,8 @@ nsINode::WrapObject(JSContext *aCx, JS::Handle<JSObject*> aScope)

  JSObject* obj = WrapNode(aCx, aScope);
  if (obj && ChromeOnlyAccess() &&
-      !nsContentUtils::IsSystemPrincipal(NodePrincipal()))
+      !nsContentUtils::IsSystemPrincipal(NodePrincipal()) &&
+      xpc::AllowXBLScope(js::GetContextCompartment(aCx)))
  {
    // Create a new wrapper and cache it.
    JSAutoCompartment ac(aCx, obj);
--- a/js/xpconnect/src/XPCWrappedNative.cpp
+++ b/js/xpconnect/src/XPCWrappedNative.cpp
@ -2075,7 +2075,10 @@ XPCWrappedNative::GetSameCompartmentSecurityWrapper(JSContext *cx)
    // Check the possibilities. Note that we need to check for null in each
    // case in order to distinguish between the 'no need for wrapper' and
    // 'wrapping failed' cases.
-    if (NeedsSOW()) {
+    //
+    // NB: We don't make SOWs for remote XUL domains where XBL scopes are
+    // disallowed.
+    if (NeedsSOW() && xpc::AllowXBLScope(js::GetContextCompartment(cx))) {
        wrapper = xpc::WrapperFactory::WrapSOWObject(cx, flat);
        if (!wrapper)
            return NULL;
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@ -392,11 +392,13 @@ WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
        wrapper = &ChromeObjectWrapper::singleton;

    // If content is accessing a Components object or NAC, we need a special filter,
-    // even if the object is same origin.
+    // even if the object is same origin. Note that we allow access to NAC for
+    // remote-XUL whitelisted domains, since they don't have XBL scopes.
    } else if (IsComponentsObject(obj) && !AccessCheck::isChrome(target)) {
        wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
                                    ComponentsObjectPolicy>::singleton;
    } else if (AccessCheck::needsSystemOnlyWrapper(obj) &&
+               xpc::AllowXBLScope(target) &&
               !(targetIsChrome || (targetSubsumesOrigin && nsContentUtils::IsCallerXBL())))
    {
        wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
@ -563,6 +565,11 @@ WrapperFactory::WrapSOWObject(JSContext *cx, JSObject *objArg)
 {
    RootedObject obj(cx, objArg);
    RootedObject proto(cx);
+
+    // If we're not allowing XBL scopes, that means we're running as a remote
+    // XUL domain, in which we can't have SOWs. We should never be called in
+    // that case.
+    MOZ_ASSERT(xpc::AllowXBLScope(js::GetContextCompartment(cx)));
    if (!JS_GetPrototype(cx, obj, proto.address()))
        return NULL;
    JSObject *wrapperObj =