Backed out changeset 8ce65f4eb1ba (bug 820170) for suspicion of causing bug 860903 on a CLOSED TREE.

content/base/src/nsDocument.cpp

@@ -1852,13 +1852,6 @@ nsDocument::Init()
   mRadioGroups.Init();
   mCustomPrototypes.Init();
 
-  // If after creation the owner js global is not set for a document
-  // we use the default compartment for this document, instead of creating
-  // wrapper in some random compartment when the document is exposed to js
-  // via some events.
-  mScopeObject = do_GetWeakReference(xpc::GetNativeForGlobal(xpc::GetJunkScope()));
-  MOZ_ASSERT(mScopeObject);
-
   // Force initialization.
   nsINode::nsSlots* slots = Slots();
 

content/xul/document/src/XULDocument.cpp

@@ -1520,25 +1520,6 @@ XULDocument::GetHeight(ErrorResult& aRv)
     return height;
 }
 
-nsIGlobalObject*
-GetScopeObjectOfNode(nsIDOMNode* node)
-{
-    // Window root occasionally keeps alive a node of a document whose
-    // window is already dead. If in this brief period someone calls
-    // GetPopupNode and we return that node, nsNodeSH::PreCreate will throw,
-    // because it will not know which scope this node belongs to. Returning
-    // an orphan node like that to JS would be a bug anyway, so to avoid
-    // this, let's do the same check as nsNodeSH::PreCreate does to
-    // determine the scope and if it fails let's just return null in
-    // XULDocument::GetPopupNode.
-    nsIDocument* doc = nullptr;
-    for (nsCOMPtr<nsINode> inode = do_QueryInterface(node);
-         !doc && inode; inode = inode->GetParent()) {
-        doc = inode->OwnerDoc();
-    }
-    return doc ? doc->GetScopeObject() : nullptr;
-}
-
 //----------------------------------------------------------------------
 //
 // nsIDOMXULDocument interface
@@ -1561,10 +1542,8 @@ XULDocument::GetPopupNode(nsIDOMNode** aNode)
         }
     }
 
-    if (node && nsContentUtils::CanCallerAccess(node)
-        && GetScopeObjectOfNode(node)) {
-        node.swap(*aNode);
-    }
+    if (node && nsContentUtils::CanCallerAccess(node))
+      node.swap(*aNode);
 
     return NS_OK;
 }

dom/base/nsDOMClassInfo.cpp

@@ -5707,6 +5707,18 @@ nsNodeSH::PreCreate(nsISupports *nativeObj, JSContext *cx, JSObject *globalObj,
   // See http://bugzilla.mozilla.org/show_bug.cgi?id=227417
   nsIDocument* doc = node->OwnerDoc();
 
+  // If we have a document, make sure one of these is true
+  // (1) it has a script handling object,
+  // (2) has had one, or has been marked to have had one,
+  // (3) we are running a privileged script.
+  // Event handling is possible only if (1). If (2) event handling is prevented.
+  // If document has never had a script handling object,
+  // untrusted scripts (3) shouldn't touch it!
+  bool hasHadScriptHandlingObject = false;
+  NS_ENSURE_STATE(doc->GetScriptHandlingObject(hasHadScriptHandlingObject) ||
+                  hasHadScriptHandlingObject ||
+                  nsContentUtils::IsCallerChrome());
+
   nsINode *native_parent;
 
   bool nodeIsElement = node->IsElement();
@@ -5755,14 +5767,26 @@ nsNodeSH::PreCreate(nsISupports *nativeObj, JSContext *cx, JSObject *globalObj,
     }
   } else {
     // We're called for a document object; set the parent to be the
-    // document's global object
+    // document's global object, if there is one
 
-    // Document should know its global but if the owner window of the
-    // document is already dead at this point, then just throw.
-    nsIGlobalObject* scope = doc->GetScopeObject();
-    NS_ENSURE_TRUE(scope, NS_ERROR_UNEXPECTED);
+    // Get the scope object from the document.
+    nsISupports *scope = doc->GetScopeObject();
 
-    *parentObj = scope->GetGlobalJSObject();
+    if (scope) {
+        jsval v;
+        nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
+        nsresult rv = WrapNative(cx, globalObj, scope, false, &v,
+                                 getter_AddRefs(holder));
+        NS_ENSURE_SUCCESS(rv, rv);
+
+        holder->GetJSObject(parentObj);
+    }
+    else {
+      // No global object reachable from this document, use the
+      // global object that was passed to this method.
+
+      *parentObj = globalObj;
+    }
 
     // No slim wrappers for a document's scope object.
     return node->ChromeOnlyAccess() ?

js/xpconnect/tests/unit/test_allowedDomainsXHR.js

@@ -32,17 +32,8 @@ function checkResults(xhr)
   return true;
 }
 
-var httpServersClosed = 0;
-function finishIfDone()
-{
-  if (++httpServersClosed == 2)
-    do_test_finished();
-}
-
 function run_test()
 {
-  do_test_pending();
-
   httpserver.registerPathHandler(testpath, serverHandler);
   httpserver.start(4444);
 
@@ -54,6 +45,14 @@ function run_test()
   var res = cu.evalInSandbox('var sync = createXHR("4444/simple"); sync.send(null); sync', sb);
   checkResults(res);
 
+  // Test async XHR sending
+  var async = cu.evalInSandbox('var async = createXHR("4444/simple", true); async', sb);
+  async.addEventListener("readystatechange", function(event) {
+    if (checkResults(async))
+      httpserver.stop(do_test_finished);
+  }, false);
+  async.send(null);
+
   // negative test sync XHR sending (to ensure that the xhr do not have chrome caps, see bug 779821)
   try {
     cu.evalInSandbox('var createXHR = ' + createXHR.toString(), sb);
@@ -62,28 +61,8 @@ function run_test()
   } catch (e) {
     do_check_true(true);
   }
-
-  httpserver2.stop(finishIfDone);
-
-  // Test async XHR sending
-  sb.finish = function(){
-    httpserver.stop(finishIfDone);
-  }
-
-  sb.checkResults = checkResults;
   
-  sb.do_check_eq = do_check_eq;
-
-  function changeListener(event) {
-    if (checkResults(async))
-      finish();
-  }
-
-  var async = cu.evalInSandbox('var async = createXHR("4444/simple", true);' +
-                               'async.addEventListener("readystatechange", ' +
-                                                       changeListener.toString() + ', false);' +
-                               'async', sb);
-  async.send(null);
+  do_test_pending();
 }
 
 function serverHandler(metadata, response)