Bug 911864 - Only expose XBL members which have the exposeToUntrustedContent attribute set. r=smaug

content/xbl/src/nsXBLProtoImpl.cpp

@@ -20,6 +20,7 @@
 #include "nsIURI.h"
 #include "mozilla/dom/XULElementBinding.h"
 #include "xpcpublic.h"
+#include "js/CharacterEncoding.h"
 
 using namespace mozilla;
 using js::GetGlobalForObjectCrossCompartment;
@@ -116,14 +117,22 @@ nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding* aPrototypeBinding,
   JSAutoCompartment ac2(cx, targetClassObject);
 
   // Now, if we're using a separate XBL scope, enter the compartment of the
-  // bound node and copy the properties to the prototype there. This rewraps
-  // them appropriately, which should result in cross-compartment function
-  // wrappers.
+  // bound node and copy exposable properties to the prototype there. This
+  // rewraps them appropriately, which should result in cross-compartment
+  // function wrappers.
   if (propertyHolder != targetClassObject) {
     AssertSameCompartment(propertyHolder, scopeObject);
     AssertSameCompartment(targetClassObject, globalObject);
-    bool ok = JS_CopyPropertiesFrom(cx, targetClassObject, propertyHolder);
-    NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
+    for (nsXBLProtoImplMember* curr = mMembers; curr; curr = curr->GetNext()) {
+      if (curr->ShouldExposeToUntrustedContent()) {
+        JS::Rooted<jsid> id(cx);
+        JS::TwoByteChars chars(curr->GetName(), NS_strlen(curr->GetName()));
+        bool ok = JS_CharsToId(cx, chars, &id);
+        NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
+        JS_CopyPropertyFrom(cx, id, targetClassObject, propertyHolder);
+        NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
+      }
+    }
   }
 
   // Install all of our field accessors.

content/xbl/test/file_bug821850.xhtml

@@ -43,6 +43,16 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=821850
           is(bound.primitiveField, undefined, "Xrays don't show fields");
           is(bound.wrappedJSObject.primitiveField, 2, "Waiving Xrays show fields");
 
+          // Check exposure behavior.
+          is(typeof bound.unexposedMethod, 'function',
+             "Unexposed method should be visible to XBL");
+          is(typeof bound.wrappedJSObject.unexposedMethod, 'undefined',
+             "Unexposed method should not be defined in content");
+          is(typeof bound.unexposedProperty, 'number',
+             "Unexposed property should be visible to XBL");
+          is(typeof bound.wrappedJSObject.unexposedProperty, 'undefined',
+             "Unexposed property should not be defined in content");
+
           // Check that here document.QueryInterface works
           ok("QueryInterface" in document,
              "Should have a document.QueryInterface here");
@@ -65,6 +75,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=821850
           win.go();
         </constructor>
         <field name="primitiveField">2</field>
+        <method name="unexposedMethod"><body></body></method>
+        <property name="unexposedProperty" onget="return 2;" readonly="true"></property>
         <method name="method" exposeToUntrustedContent="true">
           <parameter name="arg" />
           <body>