Bug 1092446 - [e10s] Allow unprivileged scopes to call content-to-chrome CPOWs (r=bholley)

2014-11-04 17:38:19 -08:00 · 2014-11-04 17:38:19 -08:00 · 3fbb75d480
--- a/dom/base/test/chrome/cpows_child.js
+++ b/dom/base/test/chrome/cpows_child.js
@ -87,6 +87,15 @@ function parent_test()
  addMessageListener("cpows:from_parent", (msg) => {
    let obj = msg.objects.obj;
    ok(obj.a == 1, "correct value from parent");
+
+    // Test that a CPOW reference to a function in the chrome process
+    // is callable from unprivileged content. Greasemonkey uses this
+    // functionality.
+    let func = msg.objects.func;
+    let sb = Cu.Sandbox('http://www.example.com', {});
+    sb.func = func;
+    ok(sb.eval('func()') == 101, "can call parent's function in child");
+
    done_count++;
    if (done_count == 2)
      sendSyncMessage("cpows:done", {});
--- a/dom/base/test/chrome/cpows_parent.xul
+++ b/dom/base/test/chrome/cpows_parent.xul
@ -181,8 +181,11 @@
      let func = message.objects.func;
      let result = func(n => 2*n);
      ok(result == 20, "result == 20");
+      function f() {
+        return 101;
+      }
      let obj = {a:1, __exposedProps__: {"a": "r"}};
-      savedMM.sendAsyncMessage("cpows:from_parent", {}, {obj: obj});
+      savedMM.sendAsyncMessage("cpows:from_parent", {}, {obj: obj, func: f});
    }

    // Make sure errors in this file actually hit window.onerror.
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@ -16,9 +16,11 @@
 #include "xpcprivate.h"
 #include "XPCMaps.h"
 #include "mozilla/dom/BindingUtils.h"
+#include "JavaScriptParent.h"
 #include "jsfriendapi.h"
 #include "mozilla/Likely.h"
 #include "nsContentUtils.h"
+#include "nsXULAppAPI.h"

 using namespace JS;
 using namespace js;
@ -423,9 +425,12 @@ WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
    }

    // If this is a chrome function being exposed to content, we need to allow
-    // call (but nothing else).
+    // call (but nothing else). We allow CPOWs that purport to be function's
+    // here, but only in the content process.
    else if (originIsChrome && !targetIsChrome &&
-             IdentifyStandardInstance(obj) == JSProto_Function)
+             (IdentifyStandardInstance(obj) == JSProto_Function ||
+              (jsipc::IsCPOW(obj) && JS::IsCallable(obj) &&
+               XRE_GetProcessType() == GeckoProcessType_Content)))
    {
        wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>::singleton;
    }