diff --git a/js/xpconnect/src/XPCConvert.cpp b/js/xpconnect/src/XPCConvert.cpp
index 2546d553093d..ef497058bf0e 100644
--- a/js/xpconnect/src/XPCConvert.cpp
+++ b/js/xpconnect/src/XPCConvert.cpp
@@ -980,10 +980,6 @@ XPCConvert::NativeInterface2JSObject(XPCLazyCallContext& lccx,
     if (!JS_WrapObject(ccx, &flat))
         return false;
 
-    // Outerize if necessary.
-    flat = JS_ObjectToOuterObject(cx, flat);
-    MOZ_ASSERT(flat, "bad outer object hook!");
-
     *d = OBJECT_TO_JSVAL(flat);
 
     if (dest) {
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
index aa40838e70f5..42824b3bc8b0 100644
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -472,10 +472,17 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *existing, JSObject *obj,
 JSObject *
 WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
 {
+    MOZ_ASSERT(js::IsObjectInContextCompartment(obj, cx));
+
     // NB: The contract of WrapForSameCompartment says that |obj| may or may not
     // be a security wrapper. These checks implicitly handle the security
     // wrapper case.
 
+    // Outerize if necessary. This, in combination with the check in
+    // PrepareForUnwrapping, means that calling JS_Wrap* always outerizes.
+    obj = JS_ObjectToOuterObject(cx, obj);
+    NS_ENSURE_TRUE(obj, nullptr);
+
     if (dom::GetSameCompartmentWrapperForDOMBinding(obj)) {
         return obj;
     }