Bug 874083 - Ignore domain in PrepareForWrapping prototype remapping. r=gabor, billm

js/src/jswrapper.cpp

@@ -981,6 +981,7 @@ js::RemapWrapper(JSContext *cx, JSObject *wobjArg, JSObject *newTargetArg)
 
     // Update the entry in the compartment's wrapper map to point to the old
     // wrapper, which has now been updated (via reuse or swap).
+    JS_ASSERT(wobj->isWrapper());
     wcompartment->putWrapper(ObjectValue(*newTarget), ObjectValue(*wobj));
     return true;
 }

js/xpconnect/tests/mochitest/test_bug789713.html

@@ -28,6 +28,10 @@ function go() {
   var walker = doc.createTreeWalker(doc.body);
   pass = pass && (walker.root === doc.body);
 
+  // Grab a reference to Object.prototype to make sure we test the machinery
+  // with respect to standard prototype remapping.
+  var objProto = ifr.contentWindow.Object.prototype;
+
   // First, do the document.domain operation. This shouldn't crash.
   document.domain = "example.org";
 

js/xpconnect/wrappers/WrapperFactory.cpp

@@ -172,8 +172,12 @@ WrapperFactory::PrepareForWrapping(JSContext *cx, HandleObject scope,
     // COW(obj) => COW(foo) => COW(bar) => contentWin.StandardClass.prototype
     //
     // NB: We now remap all non-subsuming access of standard prototypes.
-    bool subsumes = AccessCheck::subsumes(js::GetContextCompartment(cx),
-                                          js::GetObjectCompartment(obj));
+    //
+    // NB: We need to ignore domain here so that the security relationship we
+    // compute here can't change over time. See the comment above the other
+    // subsumesIgnoringDomain call below.
+    bool subsumes = AccessCheck::subsumesIgnoringDomain(js::GetContextCompartment(cx),
+                                                        js::GetObjectCompartment(obj));
     XrayType xrayType = GetXrayType(obj);
     if (!subsumes && xrayType == NotXray) {
         JSProtoKey key = JSProto_Null;