Bug 812415 - Use wrapperSubsumes rather than isChrome in XPCNativeWrapper.unwrap. r=mrbkap

The current behavior breaks same-origin Xrays in sandboxes. This makes it match the check we do in XrayWrapper.cpp for the .wrappedJSObject property.
2024-09-13 09:24:08 -07:00 · 2012-11-21 17:55:58 -08:00 · 2012-11-21 17:55:58 -08:00 · d9bcd00b8c
commit d9bcd00b8c
parent 85dc9a9ee5
3 changed files with 39 additions and 1 deletions
--- a/js/xpconnect/src/XPCWrapper.cpp
+++ b/js/xpconnect/src/XPCWrapper.cpp
@ -39,7 +39,7 @@ UnwrapNW(JSContext *cx, unsigned argc, jsval *vp)
    return true;
  }

-  if (WrapperFactory::IsXrayWrapper(obj) && AccessCheck::isChrome(obj)) {
+  if (WrapperFactory::IsXrayWrapper(obj) && AccessCheck::wrapperSubsumes(obj)) {
    return JS_GetProperty(cx, obj, "wrappedJSObject", vp);
  }

--- a/js/xpconnect/tests/chrome/Makefile.in
+++ b/js/xpconnect/tests/chrome/Makefile.in
@ -46,6 +46,7 @@ MOCHITEST_CHROME_FILES = \
 		test_bug795275.xul \
 		test_bug799348.xul \
 		test_bug801241.xul \
+		test_bug812415.xul \
 		test_APIExposer.xul \
 		test_chrometoSource.xul \
 		outoflinexulscript.js \
--- a/js/xpconnect/tests/chrome/test_bug812415.xul
+++ b/js/xpconnect/tests/chrome/test_bug812415.xul
@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
+<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=812415
+-->
+<window title="Mozilla Bug 812415"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
+
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=812415"
+     target="_blank">Mozilla Bug 812415</a>
+  </body>
+
+  <!-- test code goes here -->
+  <script type="application/javascript">
+  <![CDATA[
+  /** Test for Bug 812415 **/
+
+  const Cu = Components.utils;
+  SimpleTest.waitForExplicitFinish();
+  function go() {
+    var iwin = document.getElementById('ifr').contentWindow;
+    var sb = new Components.utils.Sandbox(iwin);
+    sb.win = iwin;
+    is(Cu.evalInSandbox('win', sb), iwin, "Basic identity works");
+    is(Cu.evalInSandbox('win.wrappedJSObject', sb), iwin.wrappedJSObject, "Waivers work via .wrappedJSObject");
+    is(Cu.evalInSandbox('XPCNativeWrapper.unwrap(win)', sb), iwin.wrappedJSObject, "Waivers work via XPCNativeWrapper.unwrap");
+    SimpleTest.finish();
+  }
+
+  ]]>
+  </script>
+  <iframe id="ifr" onload="go();" src="http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html" />
+</window>