In bug 1575272, I have a patch that makes dom/bindings/test/test_bug1036214.htm pass with Fission enabled by changing the test to stay cross-origin but same-process when Fission is enabled. At kmag's prompting, I started looking at what happens in the cross-process case.
To do this, you need to remove the line
xoObjects.push(SpecialPowers.unwrap(SpecialPowers.wrap(window).document));, because that just will throw an error.
Anyways, once you do that, the test still fails because you can pass a remote window proxy object as an |any| param (and presumably as an object, too). I'm guessing that CallerSubsumes() ends up returning true.
The guts of that method is:
nsIPrincipal* objPrin = nsContentUtils::ObjectPrincipal(js::UncheckedUnwrap(aObject));
It looks like the principal for a remote window proxy ends up being the principal of the origin page, which makes sense because there's no CCW we can unwrap to end up in another compartment.
Maybe this is okay, because the remote window proxy is such a limited object that passing it into a JS-implemented API is okay, but given the tricky nature of bug 1036214 I thought it would be worth filing a bug for. I'll just hide it for now.