Bug 1021066. Make named setters work even for non-overridebuiltins bindings over Xrays. r=bholley,jorendorff

2014-07-23 01:06:33 -04:00 · 2014-07-23 01:06:33 -04:00 · eafe8cdc8f
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@ -9680,6 +9680,11 @@ class CGDOMJSProxyHandler_defineProperty(ClassMethod):
                """,
                callSetter=CGProxyIndexedSetter(self.descriptor).define())
        elif self.descriptor.supportsIndexedProperties():
+            # We allow untrusted content to prevent Xrays from setting a
+            # property if that property is an indexed property and we have no
+            # indexed setter.  That's how the object would normally behave if
+            # you tried to set the property on it.  That means we don't need to
+            # do anything special for Xrays here.
            set += fill(
                """
                if (IsArrayIndex(GetArrayIndexFromId(cx, id))) {
@ -9689,6 +9694,9 @@ class CGDOMJSProxyHandler_defineProperty(ClassMethod):
                name=self.descriptor.name)

        if UseHolderForUnforgeable(self.descriptor):
+            # It's OK to do the defineOnUnforgeable thing even in the Xray case,
+            # since in practice it won't let us change anything; we just want
+            # the js_DefineOwnProperty call for error reporting purposes.
            defineOnUnforgeable = ("bool hasUnforgeable;\n"
                                   "if (!JS_HasPropertyById(cx, ${holder}, id, &hasUnforgeable)) {\n"
                                   "  return false;\n"
@ -9717,6 +9725,11 @@ class CGDOMJSProxyHandler_defineProperty(ClassMethod):
                """,
                callSetter=CGProxyNamedSetter(self.descriptor).define())
        else:
+            # We allow untrusted content to prevent Xrays from setting a
+            # property if that property is already a named property on the
+            # object and we have no named setter.  That's how the object would
+            # normally behave if you tried to set the property on it.  That
+            # means we don't need to do anything special for Xrays here.
            if self.descriptor.supportsNamedProperties():
                set += fill(
                    """
--- a/dom/bindings/test/chrome.ini
+++ b/dom/bindings/test/chrome.ini
@ -3,3 +3,4 @@
 [test_bug707564-chrome.html]
 [test_bug775543.html]
 [test_document_location_set_via_xray.html]
+[test_proxies_via_xray.html]
--- a/dom/bindings/test/file_proxies_via_xray.html
+++ b/dom/bindings/test/file_proxies_via_xray.html
@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+  <script>
+    document.x = 5
+  </script>
+  <img id="y" name="y"></div>
+  <img id="z" name="z"></div>
+</html>
--- a/dom/bindings/test/mochitest.ini
+++ b/dom/bindings/test/mochitest.ini
@ -4,6 +4,7 @@ support-files =
  file_bug707564.html
  file_bug775543.html
  file_document_location_set_via_xray.html
+  file_proxies_via_xray.html
  forOf_iframe.html

 [test_ByteString.html]
--- a/dom/bindings/test/test_proxies_via_xray.html
+++ b/dom/bindings/test/test_proxies_via_xray.html
@ -0,0 +1,90 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1021066
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1021066</title>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1021066">Mozilla Bug 1021066</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id="t" src="http://example.org/tests/dom/bindings/test/file_proxies_via_xray.html"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 1021066 **/
+
+function test()
+{
+  "use strict"; // So we'll get exceptions on sets
+  var doc = document.getElementById("t").contentWindow.document;
+  ok(!("x" in doc), "Should have an Xray here");
+  is(doc.x, undefined, "Really should have an Xray here");
+  is(doc.wrappedJSObject.x, 5, "And wrapping the right thing");
+
+  // Test overridebuiltins binding without named setter
+  is(doc.y, doc.getElementById("y"),
+     "Named getter should work on Document");
+  try {
+    doc.z = 5;
+    ok(false, "Should have thrown on set of readonly property on Document");
+  } catch (e) {
+    ok(/read-only/.test(e.message),
+       "Threw the right exception on set of readonly property on Document");
+  }
+
+  doc.w = 5;
+  is(doc.w, 5, "Should be able to set things that are not named props");
+
+  // Test non-overridebuiltins binding without named setter
+  var l = doc.getElementsByTagName("img");
+  is(l.y, doc.getElementById("y"),
+     "Named getter should work on HTMLCollection");
+  try {
+    l.z = 5;
+    ok(false, "Should have thrown on set of readonly property on HTMLCollection");
+  } catch (e) {
+    ok(/read-only/.test(e.message),
+       "Should throw the right exception on set of readonly property on HTMLCollection");
+  }
+  try {
+    l[10] = 5;
+    ok(false, "Should have thrown on set of indexed property on HTMLCollection");
+  } catch (e) {
+    ok(/doesn't have an indexed property setter/.test(e.message),
+       "Should throw the right exception on set of indexed property on HTMLCollection");
+  }
+
+  // Test overridebuiltins binding with named setter
+  var d = doc.documentElement.dataset;
+  d.foo = "bar";
+  // Check that this actually got passed on to the underlying object.
+  is(d.wrappedJSObject.foo, "bar",
+     "Set should get forwarded to the underlying object");
+  is(doc.documentElement.getAttribute("data-foo"), "bar",
+     "Attribute setter should have been called");
+  d.foo = "baz";
+  // Check that this actually got passed on to the underlying object.
+  is(d.wrappedJSObject.foo, "baz",
+     "Set should get forwarded to the underlying object again");
+  is(doc.documentElement.getAttribute("data-foo"), "baz",
+     "Attribute setter should have been called again");
+
+  // XXXbz no way yet to test non-overridebuiltins stuff with named setter
+
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+addLoadEvent(test);
+
+</script>
+</pre>
+</body>
+</html>
--- a/js/src/jsproxy.cpp
+++ b/js/src/jsproxy.cpp
@ -169,7 +169,7 @@ BaseProxyHandler::set(JSContext *cx, HandleObject proxy, HandleObject receiver,
    if (desc.object()) {
        // Check for read-only properties.
        if (desc.isReadonly())
-            return strict ? Throw(cx, id, JSMSG_CANT_REDEFINE_PROP) : true;
+            return strict ? Throw(cx, id, JSMSG_READ_ONLY) : true;
        if (!desc.setter()) {
            // Be wary of the odd explicit undefined setter case possible through
            // Object.defineProperty.
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@ -2062,9 +2062,6 @@ DOMXrayTraits::defineProperty(JSContext *cx, HandleObject wrapper, HandleId id,
        }
    }

-    if (!existingDesc.object())
-        return true;
-
    JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
    return XrayDefineProperty(cx, wrapper, obj, id, desc, defined);
 }