Bug 1448736 part 1. Stop attaching Components to untrusted windows in SpecialPowers. r=kmag

testing/specialpowers/content/specialpowers.js

@@ -20,12 +20,8 @@ function SpecialPowers(window) {
   this._crashDumpDir = null;
   this.DOMWindowUtils = bindDOMWindowUtils(window);
   Object.defineProperty(this, "Components", {
-      configurable: true, enumerable: true, get() {
-          var win = this.window.get();
-          if (!win)
-              return null;
-          return getRawComponents(win);
-      }});
+      configurable: true, enumerable: true, value: this.getFullComponents()
+  });
   this._pongHandlers = [];
   this._messageListener = this._messageReceived.bind(this);
   this._grandChildFrameMM = null;

testing/specialpowers/content/specialpowersAPI.js

@@ -58,17 +58,6 @@ function bindDOMWindowUtils(aWindow) {
   return wrapPrivileged(util);
 }
 
-function getRawComponents(aWindow) {
-  // If we're running in automation that supports enablePrivilege, then we also
-  // provided access to the privileged Components.
-  try {
-    let win = Cu.waiveXrays(aWindow);
-    if (typeof win.netscape.security.PrivilegeManager == "object")
-      Cu.forcePrivilegedComponentsForScope(aWindow);
-  } catch (e) {}
-  return Cu.getComponentsForScope(aWindow);
-}
-
 function isWrappable(x) {
   if (typeof x === "object")
     return x !== null;
@@ -655,27 +644,9 @@ SpecialPowersAPI.prototype = {
   },
 
   /*
-   * In general, any Components object created for unprivileged scopes is
-   * neutered (it implements nsIXPCComponentsBase, but not nsIXPCComponents).
-   * We override this in certain legacy automation configurations (see the
-   * implementation of getRawComponents() above), but don't want to support
-   * it in cases where it isn't already required.
-   *
-   * In scopes with neutered Components, we don't have a natural referent for
-   * things like SpecialPowers.Cc. So in those cases, we fall back to the
-   * Components object from the SpecialPowers scope. This doesn't quite behave
-   * the same way (in particular, SpecialPowers.Cc[foo].createInstance() will
-   * create an instance in the SpecialPowers scope), but SpecialPowers wrapping
-   * is already a YMMV / Whatever-It-Takes-To-Get-TBPL-Green sort of thing.
-   *
-   * It probably wouldn't be too much work to just make SpecialPowers.Components
-   * unconditionally point to the Components object in the SpecialPowers scope.
-   * Try will tell what needs to be fixed up.
+   * A getter for the privileged Components object we have.
    */
   getFullComponents() {
-    if (this.Components && typeof this.Components.classes == "object") {
-      return this.Components;
-    }
     return Components;
   },
 
@@ -685,17 +656,7 @@ SpecialPowersAPI.prototype = {
   get Cc() { return wrapPrivileged(this.getFullComponents().classes); },
   get Ci() { return wrapPrivileged(this.getFullComponents().interfaces); },
   get Cu() { return wrapPrivileged(this.getFullComponents().utils); },
-  get Cr() { return wrapPrivileged(this.Components.results); },
-
-  /*
-   * SpecialPowers.getRawComponents() allows content to get a reference to a
-   * naked (and, in certain automation configurations, privileged) Components
-   * object for its scope.
-   *
-   * SpecialPowers.getRawComponents(window) is defined as the global property
-   * window.SpecialPowers.Components for convenience.
-   */
-  getRawComponents,
+  get Cr() { return wrapPrivileged(this.getFullComponents().results); },
 
   getDOMWindowUtils(aWindow) {
     if (aWindow == this.window.get() && this.DOMWindowUtils != null)
@@ -2265,4 +2226,3 @@ SpecialPowersAPI.prototype = {
 
 this.SpecialPowersAPI = SpecialPowersAPI;
 this.bindDOMWindowUtils = bindDOMWindowUtils;
-this.getRawComponents = getRawComponents;