Closed
Bug 505915
Opened 15 years ago
Closed 15 years ago
Throw when someone tries to unwrap a XOW they don't have access to
Categories
(Core :: XPConnect, defect)
RESOLVED
FIXED
People
(Reporter: mrbkap, Assigned: mrbkap)
Attachments
(1 file, 2 obsolete files)
9.11 KB, patch | jst: review+
Currently, given something like
var w = cross_origin_window; // XOW wrapped
document.body.appendChild(w);
we successfully call nsGenericElement::AppendChild and fail later on in that function. We should instead bail in XPConnect when we detect the attempt to use the cross-origin window.
Comment 1 • 15 years ago (Assignee)
Updated • 15 years ago
Attachment #398279 - Flags: superreview+
Attachment #398279 - Flags: review?(jst)
Attachment #398279 - Flags: review+
Updated • 15 years ago (Assignee)
Attachment #398279 - Attachment is obsolete: true
Attachment #398279 - Flags: superreview+
Attachment #398279 - Flags: review-
Attachment #398279 - Flags: review+
Comment 2 • 15 years ago (Assignee)
Comment on attachment 398279
Proposed fix
This is overly pessimistic. New patch coming.
Comment 3 • 15 years ago (Assignee)
Two things wrong with the previous patch:
* It ignored quickstubs.
* There are security wrappers that wrap non WrappedNatives. So (new XMLHttpRequest()).onreadystatechange = new XPCSafeJSObjectWrapper(function(){}) would throw because we wouldn't get a wrapped native from it *and* it was wrapped by a security wrapper. This patch fixes that problem (and avoids double-unwrapping the security wrapper).
Attachment #398320 - Flags: review?(jst)
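A simplified model of the behaviour discussed in the description and in comment 3, added here as an example; it is not code from the patch or from XPConnect. The class names, `canAccess` and `unwrapForNativeCall` are hypothetical, and "has access" is assumed to be plain origin equality.

```javascript
// Toy model of the check discussed in this bug. Constructed for illustration:
// none of these classes or functions exist in XPConnect.
class NativeObject {                 // stands in for a wrapped native (e.g. a DOM node)
  constructor(name) { this.name = name; }
}
class CrossOriginWrapper {           // stands in for a XOW
  constructor(target, targetOrigin) {
    this.target = target;
    this.targetOrigin = targetOrigin;
  }
}
class SafeObjectWrapper {            // stands in for XPCSafeJSObjectWrapper
  constructor(target) { this.target = target; }
}

// Assumption: "has access" is modeled as plain origin equality.
function canAccess(callerOrigin, wrapper) {
  return callerOrigin === wrapper.targetOrigin;
}

// Convert a script value into an argument for a native method.
// The access decision is made here, at the conversion boundary, so a
// native method never receives an object the caller may not touch.
function unwrapForNativeCall(value, callerOrigin) {
  let inner = value;
  if (value instanceof CrossOriginWrapper) {
    if (!canAccess(callerOrigin, value)) {
      throw new Error("Permission denied to unwrap cross-origin object");
    }
    inner = value.target;            // security wrapper stripped once, here only
  } else if (value instanceof SafeObjectWrapper) {
    inner = value.target;
  }
  if (inner instanceof NativeObject) {
    return { kind: "native", object: inner };
  }
  // A security wrapper may wrap a non-native (e.g. a function used as an
  // event handler). That is not an error: hand it to the generic path.
  return { kind: "script", object: inner };
}

// Constructed sample values.
const foreignWindow = new CrossOriginWrapper(new NativeObject("window"), "https://other.example");
const accessibleWindow = new CrossOriginWrapper(new NativeObject("window"), "https://app.example");
const handler = new SafeObjectWrapper(function () {});
```

With a caller origin of `https://app.example`, `foreignWindow` is rejected before any native method runs, while `accessibleWindow` and `handler` are converted normally.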
Comment 4 • 15 years ago (Assignee)
I forgot to get rid of GetISupportsFromJSObject. I feel better now.
Attachment #398320 - Attachment is obsolete: true
Attachment #400906 - Flags: review?(jst)
Attachment #398320 - Flags: review?(jst)
Updated • 15 years ago
Attachment #400906 - Flags: review?(jst) → review+
Comment 5 • 15 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 6 • 15 years ago (Assignee)
I had to back this out to fix tinderbox orange.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 7 • 15 years ago
I think you'll need to add code to deal with slim wrappers in XPCConvert::JSObject2NativeInterface, iirc they fall through to the GetISupportsFromJSObject call.
Comment 8 • 15 years ago (Assignee)
Yeah, they do. I added that call back and things seem to mostly work now.
Comment 9 • 15 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Depends on: 688417