753769 - Location object brain transplants broken with Compartment-Per-Global

Status: RESOLVED INVALID

(Core :: XPConnect, defect)

Description

[Bobby Holley (:bholley)]

There was a long game of whack-a-mole (bug 733984, bug 739796) in the lead-up to compartment-per-global dealing with Location objects and their same-compartment security wrapper. Unfortunately, it still appears to be broken.

In bug 739796, I altered things a bit so that same-origin cross-compartment wrappers for Location objects go through the same-compartment security wrapper, rather than going directly to the object. This allowed expandos to be shared. Unfortunately, I didn't realize at the time that it violated assumptions within js_TransplantObjectWithWrapper, which assumes that the SCSW is invisible to other compartments (since their CCWs would always point directly to the underlying object). But this isn't true anymore.

I think the best way to proceed here is to remove js_TransplantObjectWithWrapper entirely, and do two calls to JS_TransplantObject, remapping both the original object and the original SCSW to the new SCSW if the destination is non-chrome, or to the new underlying object if the destination is non-chrome. When the transplant fixes up cross-compartment references into the new compartment, the SCSW will be unwrapped, and everything will be recomputed correctly. And the aforementioned mapping ensures that intra-compartment references for the destination get set up properly.

Comment 1

[Bobby Holley (:bholley)]

Actually, I think this function actually works. The reason is that we do the CCW->SCW->Object trick in the wrap callback, rather than the prewrap callback. So the actual object in the crossCompartmentWrapperMap still points to the underlying object.

There are some cosmetic changes to make, but I'll put that in bug 753277.