Bug 1521907 part 2. Add dynamic CheckedUnwrap support to CrossOriginObjectWrapper. r=peterv,sfink

This will allow us to correctly handle CheckedUnwrapDynamic on wrappers around WindowProxy and Location. Differential Revision: https://phabricator.services.mozilla.com/D17882 --HG-- extra : moz-landing-system : lando
2019-02-02 03:23:16 +00:00 · 2019-02-02 03:23:16 +00:00 · e5fac88563
--- a/dom/base/MaybeCrossOriginObject.cpp
+++ b/dom/base/MaybeCrossOriginObject.cpp
@ -27,8 +27,8 @@ namespace mozilla {
 namespace dom {

 /* static */
-bool MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(
-    JSContext* cx, JS::Handle<JSObject*> obj) {
+bool MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(JSContext* cx,
+                                                              JSObject* obj) {
  MOZ_ASSERT(!js::IsCrossCompartmentWrapper(obj));
  // WindowProxy and Window must always be same-Realm, so we can do
  // our IsPlatformObjectSameOrigin check against either one.  But verify that
--- a/dom/base/MaybeCrossOriginObject.h
+++ b/dom/base/MaybeCrossOriginObject.h
@ -38,7 +38,7 @@ namespace dom {
 // template parameter.  We can avoid having multiple instantiations of them by
 // pulling them out into this helper class.
 class MaybeCrossOriginObjectMixins {
- protected:
+ public:
  /**
   * Implementation of
   * <https://html.spec.whatwg.org/multipage/browsers.html#isplatformobjectsameorigin-(-o-)>.
@ -46,9 +46,9 @@ class MaybeCrossOriginObjectMixins {
   * same-compartment may not be same-Realm.  "obj" can be a WindowProxy, a
   * Window, or a Location.
   */
-  static bool IsPlatformObjectSameOrigin(JSContext* cx,
-                                         JS::Handle<JSObject*> obj);
+  static bool IsPlatformObjectSameOrigin(JSContext* cx, JSObject* obj);

+ protected:
  /**
   * Implementation of
   * <https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-)>.
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@ -19,6 +19,7 @@
 #include "mozilla/jsipc/CrossProcessObjectWrappers.h"
 #include "mozilla/Likely.h"
 #include "mozilla/dom/ScriptSettings.h"
+#include "mozilla/dom/MaybeCrossOriginObject.h"
 #include "nsContentUtils.h"
 #include "nsXULAppAPI.h"

@ -363,6 +364,15 @@ static void DEBUG_CheckUnwrapSafety(HandleObject obj,

 const CrossOriginObjectWrapper CrossOriginObjectWrapper::singleton;

+bool CrossOriginObjectWrapper::dynamicCheckedUnwrapAllowed(
+    HandleObject obj, JSContext* cx) const {
+  MOZ_ASSERT(js::GetProxyHandler(obj) == this,
+             "Why are we getting called for some random object?");
+  JSObject* target = wrappedObject(obj);
+  return dom::MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(cx,
+                                                                       target);
+}
+
 static const Wrapper* SelectWrapper(bool securityWrapper, XrayType xrayType,
                                    bool waiveXrays, JSObject* obj) {
  // Waived Xray uses a modified CCW that has transparent behavior but
--- a/js/xpconnect/wrappers/WrapperFactory.h
+++ b/js/xpconnect/wrappers/WrapperFactory.h
@ -38,6 +38,9 @@ class CrossOriginObjectWrapper : public js::Wrapper {
      : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false,
                    /* aHasSecurityPolicy = */ true) {}

+  bool dynamicCheckedUnwrapAllowed(JS::HandleObject obj,
+                                   JSContext* cx) const override;
+
  static const CrossOriginObjectWrapper singleton;
 };