From 2a7c750b84b20300881991da7a80a03e143482ce Mon Sep 17 00:00:00 2001 From: Andrew McCreight Date: Mon, 26 Aug 2019 18:26:02 +0000 Subject: [PATCH] Bug 1575711 - CallerSubsumes should return false for remote object proxies. r=peterv This check is used to reject cross-origin objects from being passed in as |any| or |object| parameters to WebIDL methods. Remote object proxies are technically same-origin, but we want to make them behave the same as when Fission is not enabled. Differential Revision: https://phabricator.services.mozilla.com/D43105 --HG-- extra : moz-landing-system : lando --- dom/bindings/BindingUtils.cpp | 6 ++++++ dom/bindings/test/test_bug1036214.html | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/dom/bindings/BindingUtils.cpp b/dom/bindings/BindingUtils.cpp index b05f2daf92e2..7d33d0556b86 100644 --- a/dom/bindings/BindingUtils.cpp +++ b/dom/bindings/BindingUtils.cpp @@ -3283,6 +3283,12 @@ void AssertReturnTypeMatchesJitinfo(const JSJitInfo* aJitInfo, #endif bool CallerSubsumes(JSObject* aObject) { + // Remote object proxies are not CCWs, so unwrapping them does not get you + // their "real" principal, but we want to treat them like cross-origin objects + // when considering them as WebIDL arguments, for consistency. + if (IsRemoteObjectProxy(aObject)) { + return false; + } nsIPrincipal* objPrin = nsContentUtils::ObjectPrincipal(js::UncheckedUnwrap(aObject)); return nsContentUtils::SubjectPrincipal()->Subsumes(objPrin); diff --git a/dom/bindings/test/test_bug1036214.html b/dom/bindings/test/test_bug1036214.html index 178261804819..04be84ac919f 100644 --- a/dom/bindings/test/test_bug1036214.html +++ b/dom/bindings/test/test_bug1036214.html 
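Review bot: The new `IsRemoteObjectProxy(aObject)` guard in CallerSubsumes tests the object as passed in, while the principal lookup right below it runs on `js::UncheckedUnwrap(aObject)`, so the two checks look at different objects whenever aObject is a wrapper. Whether a remote object proxy can ever reach this function behind a cross-compartment wrapper is not visible from this hunk; if it can, it would skip the early return and be judged by a principal that the added comment says is not its "real" one. If wrapping is impossible, say so next to the guard, e.g. `// A remote object proxy never sits behind a CCW, so testing aObject itself is enough.`; otherwise unwrap once with `JSObject* unwrapped = js::UncheckedUnwrap(aObject);` and test `if (IsRemoteObjectProxy(unwrapped)) { return false; }` before passing `unwrapped` to ObjectPrincipal. Returning false is the rejecting direction for this check, so the stricter form should only ever refuse more arguments, never admit new ones.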
@@ -15,6 +15,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1036214 SimpleTest.waitForExplicitFinish(); var xoObjects = []; function setup() { + // window[0] is same-process and cross-origin, even with Fission enabled. xoObjects.push(window[0]); xoObjects.push(window[0].location); xoObjects.push(SpecialPowers.unwrap(SpecialPowers.wrap(window[0]).document)); @@ -23,6 +24,14 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1036214 SpecialPowers.pushPrefEnv({set: [["dom.expose_test_interfaces", true]]}, go); } + function setup2() { + if (SpecialPowers.useRemoteSubframes) { + // window[1] is cross-origin and out of process, with Fission enabled. + xoObjects.push(window[1]); + xoObjects.push(window[1].location); + } + } + function checkThrows(f, msg) { try { f(); @@ -127,5 +136,6 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1036214
 
+