Bug 792280 - Only censor function.caller for non-same-origin calls. r=luke

js/src/jsfun.cpp

@@ -169,10 +169,20 @@ fun_getProperty(JSContext *cx, HandleObject obj_, HandleId id, MutableHandleValu
         }
 
         vp.set(iter.calleev());
+        if (!cx->compartment->wrap(cx, vp.address()))
+            return false;
 
-        /* Censor the caller if it is from another compartment. */
+        /*
+         * Censor the caller if we can't PUNCTURE it.
+         *
+         * NB - This will get much much nicer with bug 800915
+         */
         JSObject &caller = vp.toObject();
-        if (caller.compartment() != cx->compartment) {
+        JSErrorReporter reporter = JS_SetErrorReporter(cx, NULL);
+        bool punctureThrew = !UnwrapObjectChecked(cx, &caller);
+        JS_SetErrorReporter(cx, reporter);
+        if (punctureThrew) {
+            JS_ClearPendingException(cx);
             vp.setNull();
         } else if (caller.isFunction()) {
             JSFunction *callerFun = caller.toFunction();

js/xpconnect/tests/chrome/Makefile.in

@@ -39,6 +39,7 @@ MOCHITEST_CHROME_FILES = \
 		test_bug763343.xul \
 		test_bug771429.xul \
 		test_bug773962.xul \
+		test_bug792280.xul \
 		test_bug793433.xul \
 		test_bug795275.xul \
 		test_bug799348.xul \

js/xpconnect/tests/chrome/test_bug792280.xul

@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
+<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=792280
+-->
+<window title="Mozilla Bug 792280"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
+
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=792280"
+     target="_blank">Mozilla Bug 792280</a>
+  </body>
+
+  <!-- test code goes here -->
+  <script type="application/javascript">
+  <![CDATA[
+  /** Test for Bug 792280 **/
+  const Cu = Components.utils;
+
+  function checkSb(sb, allowed) {
+    var target = new Cu.Sandbox('http://www.example.com');
+    Cu.evalInSandbox('function fun() { return arguments.callee.caller; };', target);
+    sb.fun = target.fun;
+    var uncensored = Cu.evalInSandbox('function doTest() { return fun() == doTest; }; doTest()', sb);
+    is(uncensored, allowed, "should censor appropriately");
+  }
+
+  checkSb(new Cu.Sandbox('http://www.example.com'), true);
+  checkSb(new Cu.Sandbox('http://www.example.org'), false);
+  checkSb(new Cu.Sandbox(window), false);
+
+  ]]>
+  </script>
+</window>