Bug 911864 - Only expose XBL members which have the exposeToUntrustedContent attribute set. r=smaug

This commit is contained in:
Bobby Holley 2013-11-01 15:31:58 +01:00
parent 7b822eba16
commit c8fd7ea7d1
2 changed files with 26 additions and 5 deletions

View File

@ -20,6 +20,7 @@
#include "nsIURI.h"
#include "mozilla/dom/XULElementBinding.h"
#include "xpcpublic.h"
#include "js/CharacterEncoding.h"
using namespace mozilla;
using js::GetGlobalForObjectCrossCompartment;
@ -116,14 +117,22 @@ nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding* aPrototypeBinding,
JSAutoCompartment ac2(cx, targetClassObject);
// Now, if we're using a separate XBL scope, enter the compartment of the
// bound node and copy the properties to the prototype there. This rewraps
// them appropriately, which should result in cross-compartment function
// wrappers.
// bound node and copy exposable properties to the prototype there. This
// rewraps them appropriately, which should result in cross-compartment
// function wrappers.
if (propertyHolder != targetClassObject) {
AssertSameCompartment(propertyHolder, scopeObject);
AssertSameCompartment(targetClassObject, globalObject);
bool ok = JS_CopyPropertiesFrom(cx, targetClassObject, propertyHolder);
NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
for (nsXBLProtoImplMember* curr = mMembers; curr; curr = curr->GetNext()) {
if (curr->ShouldExposeToUntrustedContent()) {
JS::Rooted<jsid> id(cx);
JS::TwoByteChars chars(curr->GetName(), NS_strlen(curr->GetName()));
bool ok = JS_CharsToId(cx, chars, &id);
NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
JS_CopyPropertyFrom(cx, id, targetClassObject, propertyHolder);
NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
}
}
}
// Install all of our field accessors.

View File

@ -43,6 +43,16 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=821850
is(bound.primitiveField, undefined, "Xrays don't show fields");
is(bound.wrappedJSObject.primitiveField, 2, "Waiving Xrays show fields");
// Check exposure behavior.
is(typeof bound.unexposedMethod, 'function',
"Unexposed method should be visible to XBL");
is(typeof bound.wrappedJSObject.unexposedMethod, 'undefined',
"Unexposed method should not be defined in content");
is(typeof bound.unexposedProperty, 'number',
"Unexposed property should be visible to XBL");
is(typeof bound.wrappedJSObject.unexposedProperty, 'undefined',
"Unexposed property should not be defined in content");
// Check that here document.QueryInterface works
ok("QueryInterface" in document,
"Should have a document.QueryInterface here");
@ -65,6 +75,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=821850
win.go();
</constructor>
<field name="primitiveField">2</field>
<method name="unexposedMethod"><body></body></method>
<property name="unexposedProperty" onget="return 2;" readonly="true"></property>
<method name="method" exposeToUntrustedContent="true">
<parameter name="arg" />
<body>