Bug 605167 (Closed). Opened 10 years ago. Closed 10 years ago.
It's possible to access properties of a cross-origin window
This is a regression from landing of compartments.

1. Get a function from a same-origin window.
2. Load a cross-origin page in that window.

With that function, ComputeGlobalThis gets an outer window proxy that belongs to the cross-origin window. Thus, it's possible to access properties of the cross-origin window via that outer window proxy.

The attached testcase aborts a debug build:

Assertion failure: compartment mismatched, at /home/.../mozilla/js/src/jscntxtinlines.h:513
This tries to get cookies for www.mozilla.com.
Andreas has a patch in bug 604516 that gets rid of the inner and outer object hooks in favor of slots with the outer object for that compartment. That'll make this patch obsolete, but the upshot here is that we need to make sure that when we outerize, we return the outer window for the right compartment. I looked through all of the cases where we outerize and it appeared that there were exactly two where we actually wanted the uncompartmentalized outer window (both in WrapperFactory.cpp).
Attachment #484098 - Flags: review?(peterv)
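The invariant the comment above describes (outerizing must yield the outer window for the caller's compartment), as an added toy model in JavaScript. It is not SpiderMonkey or Gecko code and not the attached patch; `Compartment`, `navigate`, `outerizeRaw`, `outerizeFor`, `sameCompartment` and `getProp` are hypothetical names, and the origins and property values are constructed.

```javascript
// Toy model of compartments and outer-window wrapping. All names are hypothetical.
class Compartment {
  constructor(origin) {
    this.origin = origin;
    this.wrappers = new Map(); // one wrapper per foreign object
  }
  // Hand out an object usable from this compartment: the object itself if it
  // already lives here, otherwise this compartment's wrapper for it.
  wrap(obj) {
    if (obj.compartment === this) return obj;
    if (!this.wrappers.has(obj)) {
      this.wrappers.set(obj, { compartment: this, target: obj, isWrapper: true });
    }
    return this.wrappers.get(obj);
  }
}

// Loading a page makes the outer window belong to the new page's compartment.
function navigate(outer, compartment, props) {
  outer.compartment = compartment;
  outer.inner = { compartment, outer, props };
  return outer.inner;
}

// Outerize without regard to the caller: returns the raw outer window.
const outerizeRaw = (inner) => inner.outer;
// Outerize for a given compartment: returns that compartment's view of it.
const outerizeFor = (cx, inner) => cx.wrap(inner.outer);

// Models the debug-build check behind "compartment mismatched".
const sameCompartment = (cx, obj) => obj.compartment === cx;

// Property get as seen from compartment cx; wrappers enforce same-origin.
function getProp(cx, obj, name) {
  if (!obj.isWrapper) return obj.inner.props[name];
  if (obj.target.compartment.origin !== cx.origin) {
    throw new Error("Permission denied to access property " + name);
  }
  return obj.target.inner.props[name];
}

// Constructed scenario: a function's global is a window's old inner object,
// and the window has since loaded a page from another origin.
const a = new Compartment("https://a.example");
const b = new Compartment("https://b.example");
const win = {};
const fnGlobal = navigate(win, a, { secret: "a-data" });
navigate(win, b, { secret: "b-data" });
```

In this model `outerizeRaw(fnGlobal)` fails the `sameCompartment(a, ...)` check and bypasses the wrapper's origin test, while `outerizeFor(a, fnGlobal)` passes the check and routes every property get through the same-origin test.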
Comment on attachment 484098 (Fix):
Sorry, I enjoyed the discussion, but I am unqualified to review this.
Comment on attachment 484098 (Fix):
Please add an automated testcase.
Attachment #484098 - Flags: review?(peterv) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED