Bug 995295 part 1. Create console events in the junk scope, not the untrusted content scope. r=baku

2024-09-13 09:24:08 -07:00 · 2014-04-16 15:09:23 -04:00 · 2014-04-16 15:09:23 -04:00 · b64cd2ae87
commit b64cd2ae87
parent c6a5fb4be3
1 changed files with 12 additions and 0 deletions
--- a/dom/base/Console.cpp
+++ b/dom/base/Console.cpp
@ -994,6 +994,18 @@ Console::ProcessCallData(ConsoleCallData* aData)
    event.mCounter = IncreaseCounter(cx, frame, aData->mArguments);
  }

+  // We want to create a console event object and pass it to our
+  // nsIConsoleAPIStorage implementation.  We want to define some accessor
+  // properties on this object, and those will need to keep an nsIStackFrame
+  // alive.  But nsIStackFrame cannot be wrapped in an untrusted scope.  And
+  // further, passing untrusted objects to system code is likely to run afoul of
+  // Object Xrays.  So we want to wrap in a system-principal scope here.  But
+  // which one?  We could cheat and try to get the underlying JSObject* of
+  // mStorage, but that's a bit fragile.  Instead, we just use the junk scope,
+  // with explicit permission from the XPConnect module owner.  If you're
+  // tempted to do that anywhere else, talk to said module owner first.
+  JSAutoCompartment ac2(cx, xpc::GetJunkScope());
+
  JS::Rooted<JS::Value> eventValue(cx);
  if (!event.ToObject(cx, &eventValue)) {
    Throw(cx, NS_ERROR_FAILURE);