Fix bug 636097 (r=gal, a=blocker).

2024-09-13 09:24:08 -07:00 · 2011-02-23 22:13:17 -08:00 · 2011-02-23 22:13:17 -08:00 · f853de3fb7
commit f853de3fb7
parent f20e96eab6
4 changed files with 68 additions and 3 deletions
--- a/js/src/xpconnect/tests/mochitest/Makefile.in
+++ b/js/src/xpconnect/tests/mochitest/Makefile.in
@ -87,6 +87,7 @@ _TEST_FILES =	bug500931_helper.html \
 		test1_bug629331.html \
 		test2_bug629331.html \
 		test_bug618017.html \
+		test_bug636097.html \
 		$(NULL)

 		#test_bug484107.html \
--- a/js/src/xpconnect/tests/mochitest/test_bug636097.html
+++ b/js/src/xpconnect/tests/mochitest/test_bug636097.html
@ -0,0 +1,63 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=504877
+test by moz_bug_r_a4@yahoo.com
+-->
+<head>
+  <title>Test for Bug 504877</title>
+  <script type="application/javascript" src="/MochiKit/packed.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=504877">Mozilla Bug 504877</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 504877 **/
+SimpleTest.waitForExplicitFinish();
+
+var targetUrl = "http://example.com/";
+var l;
+
+function a() {
+        var r = "FAIL", s;
+        try {
+                s = l.toString();
+        }
+        catch (e) {
+                if (/Permission denied/.test(e))
+                        r = "PASS";
+                s = e;
+        }
+
+        is(r, "PASS", "should have thrown an exception");
+        SimpleTest.finish();
+}
+
+var p = 0;
+function b() {
+        switch (++p) {
+        case 1:
+                frames[0].location = "about:blank";
+                break;
+        case 2:
+                l = frames[0].location;
+                frames[0].location = targetUrl;
+                break;
+        case 3:
+                a();
+                break;
+        }
+}
+</script>
+
+</pre>
+<iframe onload="b()"></iframe>
+</body>
+</html>
--- a/js/src/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/src/xpconnect/wrappers/AccessCheck.cpp
@ -93,7 +93,9 @@ AccessCheck::isLocationObjectSameOrigin(JSContext *cx, JSObject *wrapper)
        JS_ASSERT(obj->getClass()->ext.innerObject);
    }
    OBJ_TO_INNER_OBJECT(cx, obj);
-    return obj && isSameOrigin(wrapper->compartment(), obj->compartment());
+    return obj &&
+           (isSameOrigin(wrapper->compartment(), obj->compartment()) ||
+            documentDomainMakesSameOrigin(cx, obj));
 }

 bool
--- a/js/src/xpconnect/wrappers/AccessCheck.h
+++ b/js/src/xpconnect/wrappers/AccessCheck.h
@ -121,8 +121,7 @@ struct SameOriginOrCrossOriginAccessiblePropertiesOnly : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, JSWrapper::Action act,
                      Permission &perm) {
        if (AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act) ||
-            AccessCheck::isLocationObjectSameOrigin(cx, wrapper) ||
-            AccessCheck::documentDomainMakesSameOrigin(cx, wrapper->unwrap())) {
+            AccessCheck::isLocationObjectSameOrigin(cx, wrapper)) {
            perm = PermitPropertyAccess;
            return true;
        }