Bug 502959 - Restore code to make caps allow wrapping same-origin wrappedjs objects. r=jst sr=bzbarsky

caps/include/nsScriptSecurityManager.h

@@ -537,22 +537,32 @@ private:
      * has set the "security.xpconnect.plugin.unrestricted" pref to allow
      * anybody to script plugin objects from anywhere.
      *
+     * @param cx The context we're running on.
+     *           NB: If null, "sameOrigin" does not have any effect.
      * @param aObj The nsISupports representation of the object in question
      *             object, possibly null.
-     * @param aJSObject The JSObject representation of the object in question.
-     *                  Only used if |aObjectSecurityLevel| is "sameOrigin".
+     * @param aJSObject The JSObject representation of the object in question
+     *                  if |cx| is non-null and |aObjectSecurityLevel| is
+     *                  "sameOrigin". If null will be calculated from aObj (if
+     *                  non-null) if and only if aObj is an XPCWrappedJS. The
+     *                  rationale behind this is that if we're creating a JS
+     *                  wrapper for an XPCWrappedJS, this object definitely
+     *                  expects to be exposed to JS.
      * @param aSubjectPrincipal The nominal subject principal used when
-     *                          aObjectSecurityLevel is "sameOrigin".
+     *                          aObjectSecurityLevel is "sameOrigin". If null,
+     *                          this is calculated if it's needed.
      * @param aObjectSecurityLevel Can be one of three values:
      *                  - allAccess: Allow access no matter what.
      *                  - noAccess: Deny access no matter what.
-     *                  - sameOrigin: If both a subject principal and JS
-     *                                object have been passed in, returns
-     *                                true if the subject subsumes the object,
-     *                                otherwise, behaves like noAccess.
+     *                  - sameOrigin: If |cx| is null, behave like noAccess.
+     *                                Otherwise, possibly compute a subject
+     *                                and object principal and return true if
+     *                                and only if the subject has greater than
+     *                                or equal privileges to the object.
      */
     nsresult
-    CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObject,
+    CheckXPCPermissions(JSContext* cx,
+                        nsISupports* aObj, JSObject* aJSObject,
                         nsIPrincipal* aSubjectPrincipal,
                         const char* aObjectSecurityLevel);
 

caps/src/nsScriptSecurityManager.cpp

@@ -812,7 +812,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
             }
         }
     }
-    rv = CheckXPCPermissions(aObj, aJSObject, subjectPrincipal,
+    rv = CheckXPCPermissions(cx, aObj, aJSObject, subjectPrincipal,
                              objectSecurityLevel);
 #ifdef DEBUG_CAPS_CheckPropertyAccessImpl
     if(NS_SUCCEEDED(rv))
@@ -2937,7 +2937,7 @@ nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
     if (checkedComponent)
         checkedComponent->CanCreateWrapper((nsIID *)&aIID, getter_Copies(objectSecurityLevel));
 
-    nsresult rv = CheckXPCPermissions(aObj, nsnull, nsnull, objectSecurityLevel);
+    nsresult rv = CheckXPCPermissions(cx, aObj, nsnull, nsnull, objectSecurityLevel);
     if (NS_FAILED(rv))
     {
         //-- Access denied, report an error
@@ -3048,7 +3048,7 @@ nsScriptSecurityManager::CanCreateInstance(JSContext *cx,
     NS_Free(cidStr);
 #endif
 
-    nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull);
+    nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull, nsnull);
     if (NS_FAILED(rv))
 #ifdef XPC_IDISPATCH_SUPPORT
     {
@@ -3085,7 +3085,7 @@ nsScriptSecurityManager::CanGetService(JSContext *cx,
     NS_Free(cidStr);
 #endif
 
-    nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull);
+    nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull, nsnull);
     if (NS_FAILED(rv))
     {
         //-- Access denied, report an error
@@ -3124,7 +3124,8 @@ nsScriptSecurityManager::CanAccess(PRUint32 aAction,
 }
 
 nsresult
-nsScriptSecurityManager::CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObject,
+nsScriptSecurityManager::CheckXPCPermissions(JSContext* cx,
+                                             nsISupports* aObj, JSObject* aJSObject,
                                              nsIPrincipal* aSubjectPrincipal,
                                              const char* aObjectSecurityLevel)
 {
@@ -3138,8 +3139,27 @@ nsScriptSecurityManager::CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObj
     {
         if (PL_strcasecmp(aObjectSecurityLevel, "allAccess") == 0)
             return NS_OK;
-        if (aSubjectPrincipal && aJSObject &&
-            PL_strcasecmp(aObjectSecurityLevel, "sameOrigin") == 0)
+        if (cx && PL_strcasecmp(aObjectSecurityLevel, "sameOrigin") == 0)
+        {
+            nsresult rv;
+            if (!aJSObject)
+            {
+                nsCOMPtr<nsIXPConnectWrappedJS> xpcwrappedjs =
+                    do_QueryInterface(aObj);
+                if (xpcwrappedjs)
+                {
+                    rv = xpcwrappedjs->GetJSObject(&aJSObject);
+                    NS_ENSURE_SUCCESS(rv, rv);
+                }
+            }
+
+            if (!aSubjectPrincipal)
+            {
+                // No subject principal passed in. Compute it.
+                aSubjectPrincipal = GetSubjectPrincipal(cx, &rv);
+                NS_ENSURE_SUCCESS(rv, rv);
+            }
+            if (aSubjectPrincipal && aJSObject)
             {
                 nsIPrincipal* objectPrincipal = doGetObjectPrincipal(aJSObject);
 
@@ -3148,12 +3168,13 @@ nsScriptSecurityManager::CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObj
                 if (objectPrincipal)
                 {
                     PRBool subsumes;
-                nsresult rv = aSubjectPrincipal->Subsumes(objectPrincipal, &subsumes);
+                    rv = aSubjectPrincipal->Subsumes(objectPrincipal, &subsumes);
                     NS_ENSURE_SUCCESS(rv, rv);
                     if (subsumes)
                         return NS_OK;
                 }
             }
+        }
         else if (PL_strcasecmp(aObjectSecurityLevel, "noAccess") != 0)
         {
             PRBool canAccess = PR_FALSE;

js/src/xpconnect/tests/mochitest/Makefile.in

@@ -60,6 +60,7 @@ _TEST_FILES =	bug500931_helper.html \
 		test_bug484107.html \
 		test_bug484459.html \
 		test_bug500691.html \
+		test_bug502959.html \
 		test_bug503926.html \
 		$(NULL)
 

js/src/xpconnect/tests/mochitest/test_bug502959.html

@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=502959
+-->
+<head>
+  <title>Test for Bug 502959</title>
+  <script type="application/javascript" src="/MochiKit/packed.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=502959">Mozilla Bug 502959</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 502959 **/
+var xhr = new XMLHttpRequest();
+
+xhr.onreadystatechange = function() { ok(true, "Able to call the double-wrapped function"); };
+var doublewrapped = xhr.onreadystatechange;
+ok(doublewrapped.toString().indexOf("wrapped") > 0, "got a double-wrapped object back");
+
+(function () {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    Components.utils.forceGC();
+})();
+
+doublewrapped.handleEvent({});
+
+</script>
+</pre>
+</body>
+</html>