Bug 1553276. Don't enter the content compartment when calling a Web IDL legacycaller over Xrays. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D32047 --HG-- extra : moz-landing-system : lando
2019-05-21 19:49:18 +00:00 · 2019-05-21 19:49:18 +00:00 · 47341d0933
--- a/dom/base/nsObjectLoadingContent.h
+++ b/dom/base/nsObjectLoadingContent.h
@ -228,10 +228,6 @@ class nsObjectLoadingContent : public nsImageLoadingContent,
                        mozilla::ErrorResult& aRv) {
    aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
  }
-  void LegacyCall(JSContext* aCx, JS::Handle<JS::Value> aThisVal,
-                  const mozilla::dom::Sequence<JS::Value>& aArguments,
-                  JS::MutableHandle<JS::Value> aRetval,
-                  mozilla::ErrorResult& aRv);

  uint32_t GetRunID(mozilla::dom::SystemCallerGuarantee,
                    mozilla::ErrorResult& aRv);
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@ -1752,27 +1752,17 @@ bool DOMXrayTraits::call(JSContext* cx, HandleObject wrapper,
  // object, or a WebIDL instance object.  WebIDL prototype objects never have
  // a clasp->call.  WebIDL interface objects we want to invoke on the xray
  // compartment.  WebIDL instance objects either don't have a clasp->call or
-  // are using "legacycaller", which basically means plug-ins.  We want to
-  // call those on the content compartment.
-  if (clasp->flags & JSCLASS_IS_DOMIFACEANDPROTOJSCLASS) {
-    if (JSNative call = clasp->getCall()) {
-      // call it on the Xray compartment
-      if (!call(cx, args.length(), args.base())) {
-        return false;
-      }
-    } else {
-      RootedValue v(cx, ObjectValue(*wrapper));
-      js::ReportIsNotFunction(cx, v);
-      return false;
-    }
-  } else {
-    // This is only reached for WebIDL instance objects, and in practice
-    // only for plugins.  Just call them on the content compartment.
-    if (!baseInstance.call(cx, wrapper, args)) {
-      return false;
-    }
+  // are using "legacycaller".  At this time for all the legacycaller users it
+  // makes more sense to invoke on the xray compartment, so we just go ahead
+  // and do that for everything.
+  if (JSNative call = clasp->getCall()) {
+    // call it on the Xray compartment
+    return call(cx, args.length(), args.base());
  }
-  return JS_WrapValue(cx, args.rval());
+
+  RootedValue v(cx, ObjectValue(*wrapper));
+  js::ReportIsNotFunction(cx, v);
+  return false;
 }

 bool DOMXrayTraits::construct(JSContext* cx, HandleObject wrapper,