Closed Bug 505915 Opened 10 years ago Closed 10 years ago

Throw when someone tries to unwrap a XOW they don't have access to

Categories

(Core :: XPConnect, defect)

x86
Linux
defect
Not set


RESOLVED FIXED

People

(Reporter: mrbkap, Assigned: mrbkap)


Attachments

(1 file, 2 obsolete files)

Currently, given something like

var w = cross_origin_window; // XOW wrapped
document.body.appendChild(w);

we successfully call nsGenericElement::AppendChild and fail later on in that function. We should instead bail in XPConnect when we detect the attempt to use the cross-origin window.
Attached patch Proposed fix (obsolete) — Splinter Review
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #398279 - Flags: review?(jst)
Attachment #398279 - Flags: superreview+
Attachment #398279 - Flags: review?(jst)
Attachment #398279 - Flags: review+
Attachment #398279 - Attachment is obsolete: true
Attachment #398279 - Flags: superreview+
Attachment #398279 - Flags: review-
Attachment #398279 - Flags: review+
Comment on attachment 398279 [details] [diff] [review]
Proposed fix

This is overly pessimistic. New patch coming.
Attached patch Better patch (obsolete) — Splinter Review
Two things wrong with the previous patch:
  * It ignored quickstubs.
  * There are security wrappers that wrap non WrappedNatives. So (new XMLHttpRequest()).onreadystatechange = new XPCSafeJSObjectWrapper(function(){}) would throw because we wouldn't get a wrapped native from it *and* it was wrapped by a security wrapper. This patch fixes that problem (and avoids double-unwrapping the security wrapper).
Attachment #398320 - Flags: review?(jst)
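The boundary check described in the report and the two cases the second patch had to handle (a cross-origin XOW must throw at unwrap time; a security wrapper around a plain JS function must unwrap once and simply not yield a native), as an added model in plain JavaScript. This is illustration, not Mozilla's XPConnect code: the NATIVE marker, makeWindow, SecurityWrapper and jsObjectToNative are stand-ins invented here for the real XPCWrappedNative, XOW/XPCSafeJSObjectWrapper and XPCConvert::JSObject2NativeInterface.

```javascript
// Added illustration (not Mozilla code) of the unwrap decision in bug 505915.
// Everything below is a stand-in: NATIVE marks objects that play the role of
// an XPCWrappedNative, SecurityWrapper plays XOW / XPCSafeJSObjectWrapper.
const NATIVE = Symbol('native');

function makeWindow(origin) {
  return { [NATIVE]: true, kind: 'Window', origin };
}

// A security wrapper around any JS value. A XOW (sameOriginOnly = true)
// refuses to unwrap for a caller from another origin.
class SecurityWrapper {
  constructor(target, sameOriginOnly) {
    this.target = target;
    this.sameOriginOnly = sameOriginOnly;
  }
  unwrap(callerOrigin) {
    if (this.sameOriginOnly && this.target.origin !== callerOrigin) {
      throw new Error('Permission denied to access cross-origin object');
    }
    return this.target;
  }
}

// Models JSObject2NativeInterface after the fix: unwrap the security wrapper
// exactly once (no double-unwrapping); an inaccessible XOW throws right here,
// at the XPConnect boundary, instead of deep inside DOM code. A wrapped plain
// JS value (e.g. a function) is not an error: it is just not a native, so the
// caller gets null and can treat it as ordinary script.
function jsObjectToNative(obj, callerOrigin) {
  let inner = obj;
  if (inner instanceof SecurityWrapper) {
    inner = inner.unwrap(callerOrigin);
  }
  return inner && inner[NATIVE] ? inner : null;
}

// Models the DOM side (nsGenericElement::AppendChild) needing a native node:
// with the fix, it never sees a cross-origin window at all.
function appendChild(parentOrigin, child) {
  const native = jsObjectToNative(child, parentOrigin);
  if (!native) throw new TypeError('argument is not a native DOM object');
  return native.kind;
}
```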
Attached patch Best patch yet — Splinter Review
I forgot to get rid of GetISupportsFromJSObject. I feel better now.
Attachment #398320 - Attachment is obsolete: true
Attachment #400906 - Flags: review?(jst)
Attachment #398320 - Flags: review?(jst)
Attachment #400906 - Flags: review?(jst) → review+
http://hg.mozilla.org/mozilla-central/rev/a01f270b961a
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
I had to back this out to fix tinderbox orange.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I think you'll need to add code to deal with slim wrappers in XPCConvert::JSObject2NativeInterface, iirc they fall through to the GetISupportsFromJSObject call.
Yeah, they do. I added that call back and things seem to mostly work now.
http://hg.mozilla.org/mozilla-central/rev/0071000d8c4c
Status: REOPENED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Depends on: 724193