Fix bug 605167. r=peterv

dom/base/nsDOMClassInfo.cpp

@@ -7016,6 +7016,11 @@ nsWindowSH::OuterObject(nsIXPConnectWrappedNative *wrapper, JSContext * cx,
     return NS_OK;
   }
 
+  if (!JS_WrapObject(cx, &winObj)) {
+    *_retval = nsnull;
+    return NS_ERROR_UNEXPECTED;
+  }
+
   *_retval = winObj;
   return NS_OK;
 }

js/src/xpconnect/tests/mochitest/Makefile.in

@@ -74,6 +74,7 @@ _TEST_FILES =	bug500931_helper.html \
 		test_frameWrapping.html \
 		test_bug589028.html \
 		bug589028_helper.html \
+		test_bug605167.html \
 		$(NULL)
 
 		#test_bug484107.html \

js/src/xpconnect/tests/mochitest/test_bug605167.html

@@ -0,0 +1,56 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=505915
+-->
+<head>
+  <title>Test for Bug 505915</title>
+  <script type="application/javascript" src="/MochiKit/packed.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=505915">Mozilla Bug 505915</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript;version=1.7">
+
+/** Test for Bug 505915 **/
+var dataUrl = "data:text/html,<script>parent.f = function() { return this; };<" + "/script>";
+var targetUrl = "http://example.com";
+var f;
+
+var p = 0;
+function go() {
+        switch (++p) {
+        case 1:
+                frames[0].location = dataUrl;
+                break;
+        case 2:
+                frames[0].location = targetUrl;
+                break;
+        case 3:
+                try {
+                    f().cross_origin_property;
+                    ok(false, "should have thrown an exception");
+                } catch (e) {
+                    ok(/Permission denied/.test(e), "threw the correct exception");
+                }
+                SimpleTest.finish();
+                break;
+        }
+}
+
+
+SimpleTest.waitForExplicitFinish();
+
+</script>
+</pre>
+
+<iframe id="ifr" onload="go();"></iframe>
+
+</body>
+</html>

js/src/xpconnect/wrappers/WrapperFactory.cpp

@@ -77,6 +77,19 @@ DoubleWrap(JSContext *cx, JSObject *obj, uintN flags)
     return obj;
 }
 
+static JSObject *
+GetCurrentOuter(JSContext *cx, JSObject *obj)
+{
+    OBJ_TO_OUTER_OBJECT(cx, obj);
+    if (obj->isWrapper() && !obj->getClass()->ext.innerObject) {
+        obj = obj->unwrap();
+        NS_ASSERTION(obj->getClass()->ext.innerObject,
+                     "weird object, expecting an outer window proxy");
+    }
+
+    return obj;
+}
+
 JSObject *
 WrapperFactory::PrepareForWrapping(JSContext *cx, JSObject *scope, JSObject *obj, uintN flags)
 {
@@ -94,9 +107,9 @@ WrapperFactory::PrepareForWrapping(JSContext *cx, JSObject *scope, JSObject *obj
         return nsnull;
 
     // We only hand out outer objects to script.
-    OBJ_TO_OUTER_OBJECT(cx, obj);
-    if (!obj)
-        return nsnull;
+    GetCurrentOuter(cx, obj);
+    if (obj->getClass()->ext.innerObject)
+        return DoubleWrap(cx, obj, flags);
 
     // Now, our object is ready to be wrapped, but several objects (notably
     // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
@@ -285,9 +298,7 @@ WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
 
     // We have to make sure that if we're wrapping an outer window, that
     // the .wrappedJSObject also wraps the outer window.
-    OBJ_TO_OUTER_OBJECT(cx, obj);
-    if (!obj)
-        return false;
+    obj = GetCurrentOuter(cx, obj);
 
     {
         js::SwitchToCompartment sc(cx, obj->compartment());