Closed Bug 1525355 Opened 5 years ago Closed 5 years ago

Clear out the cross-origin function weakmap from the windowproxy slot before transplanting

Categories

(Core :: DOM: Core & HTML, enhancement)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Details

Attachments

(1 file)

Bug 1525355. Make sure to clear out the cached-function-map slot on WindowProxy before we transplant it. r=peterv
47 bytes, text/x-phabricator-request
Details | Review

The map in question, per spec, uses a key that is a combination of "current Realm" and "Realm of the Window object".

We optimize out the latter by having the weakmap live in a slot on the WindowProxy, having it be same-realm as the WindowProxy, and having the WindowProxy be same-realm with the Window.

OK, so what happens on navigation? We create a new WindowProxy (different Realm) and then transplant the old one and the new one. I can't tell what happens to slots when we do this, but the desired behavior is that the resulting WindowProxy object should have no weakmap hanging off it, because the new global has nothing cached for it yet. Modulo bug 1525354.

Anyway, the safe thing to do here is to empty out the slot prior to transplanting.

Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b7646b8ccfd3
Make sure to clear out the cached-function-map slot on WindowProxy before we transplant it.  r=peterv

https://hg.mozilla.org/mozilla-central/rev/b7646b8ccfd3

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: