mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-19 00:05:36 +00:00
Bug 1210570 - Ensure that ToPrimitive(location) is not spoofable. r=bz.
--HG-- extra : commitid : 2rz0SkgNFBy extra : rebase_source : cc7551193fb3a81cb6d7b69535eb152335a6cda4
parent
fbd43ff82a
commit
0fed3b5351
@ -3345,11 +3345,18 @@ def InitUnforgeablePropertiesOnHolder(descriptor, properties, failureCode):
|
||||
"nsContentUtils::ThreadsafeIsCallerChrome()"))
|
||||
|
||||
if descriptor.interface.getExtendedAttribute("Unforgeable"):
|
||||
# We do our undefined toJSON here, not as a regular property
|
||||
# because we don't have a concept of value props anywhere in IDL.
|
||||
# We do our undefined toJSON and toPrimitive here, not as a regular
|
||||
# property because we don't have a concept of value props anywhere in
|
||||
# IDL.
|
||||
unforgeables.append(CGGeneric(fill(
|
||||
"""
|
||||
if (!JS_DefineProperty(aCx, unforgeableHolder, "toJSON", JS::UndefinedHandleValue,
|
||||
JS::RootedId toPrimitive(aCx,
|
||||
SYMBOL_TO_JSID(JS::GetWellKnownSymbol(aCx, JS::SymbolCode::toPrimitive)));
|
||||
if (!JS_DefinePropertyById(aCx, unforgeableHolder, toPrimitive,
|
||||
JS::UndefinedHandleValue,
|
||||
JSPROP_READONLY | JSPROP_PERMANENT) ||
|
||||
!JS_DefineProperty(aCx, unforgeableHolder, "toJSON",
|
||||
JS::UndefinedHandleValue,
|
||||
JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT)) {
|
||||
$*{failureCode}
|
||||
}
|
||||
|
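Review bot: The rewritten comment above `unforgeables.append` says what is defined but not why, and the reason is a security invariant that belongs next to the code. I would extend it with something like `# toPrimitive is pinned to undefined (read-only, permanent) so page script cannot install its own Symbol.toPrimitive and control how an unforgeable object converts to a primitive.` The new `JS_DefinePropertyById` call also omits `JSPROP_ENUMERATE` while the `toJSON` definition keeps it; if that difference is intended, the comment should say so. With the symbol pinned to undefined, conversion falls back to the ordinary `valueOf`/`toString` path, so the guarantee holds only where those are unforgeable too, which this hunk does not show for interfaces other than the one tested. `InitUnforgeablePropertiesOnHolder` starts before the hunk and continues after it.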
@ -44,6 +44,9 @@ Object.prototype.valueOf = function() { return 'hah'; };
|
||||
is(({}).valueOf(), 'hah', "Shadowing on Object.prototype works for vanilla objects");
|
||||
is(location.valueOf(), location, "Shadowing on Object.prototype and Location.prototype doesn't for location objects");
|
||||
|
||||
location[Symbol.toPrimitive] = function() { return 'hah'; }
|
||||
is(location + "", location.toString(), "Should't be able to shadow with toPrimitive");
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
|
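Review bot: The added test covers only a plain assignment followed by the default-hint conversion `location + ""`, so it pins neither the property's attributes nor the string-hint path. Assuming the holder's properties end up as own properties of `location` and SimpleTest's `ok` is loaded here as `is` is, I would add `var desc = Object.getOwnPropertyDescriptor(location, Symbol.toPrimitive);` followed by `ok(desc && desc.value === undefined && !desc.writable && !desc.configurable, "Symbol.toPrimitive should be pinned on location");` and `is(String(location), location.toString(), "String hint should not be shadowable either");`. The assertion message also has a typo, "Should't" for "Shouldn't". The enclosing script block starts outside the hunk.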