From 0fed3b53512730f48d4f3f11baf402123234735e Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Tue, 6 Oct 2015 10:42:17 -0500
Subject: [PATCH] Bug 1210570 - Ensure that ToPrimitive(location) is not spoofable. r=bz.
--HG--
extra : commitid : 2rz0SkgNFBy
extra : rebase_source : cc7551193fb3a81cb6d7b69535eb152335a6cda4
---
 dom/bindings/Codegen.py | 13 ++++++++++---
 js/xpconnect/tests/mochitest/test_bug793969.html | 3 +++
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/dom/bindings/Codegen.py b/dom/bindings/Codegen.py
index a3cec7ceb3ae..19ec7816b860 100644
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -3345,11 +3345,18 @@ def InitUnforgeablePropertiesOnHolder(descriptor, properties, failureCode):
 "nsContentUtils::ThreadsafeIsCallerChrome()"))
 
 if descriptor.interface.getExtendedAttribute("Unforgeable"):
- # We do our undefined toJSON here, not as a regular property
- # because we don't have a concept of value props anywhere in IDL.
+ # We do our undefined toJSON and toPrimitive here, not as a regular
+ # property because we don't have a concept of value props anywhere in
+ # IDL.
 unforgeables.append(CGGeneric(fill(
 """
- if (!JS_DefineProperty(aCx, unforgeableHolder, "toJSON", JS::UndefinedHandleValue,
+ JS::RootedId toPrimitive(aCx,
+ SYMBOL_TO_JSID(JS::GetWellKnownSymbol(aCx, JS::SymbolCode::toPrimitive)));
+ if (!JS_DefinePropertyById(aCx, unforgeableHolder, toPrimitive,
+ JS::UndefinedHandleValue,
+ JSPROP_READONLY | JSPROP_PERMANENT) ||
+ !JS_DefineProperty(aCx, unforgeableHolder, "toJSON",
+ JS::UndefinedHandleValue,
 JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT)) {
 $*{failureCode}
 }
diff --git a/js/xpconnect/tests/mochitest/test_bug793969.html b/js/xpconnect/tests/mochitest/test_bug793969.html
index 9d016f80841a..0936967bd20a 100644
--- a/js/xpconnect/tests/mochitest/test_bug793969.html
+++ b/js/xpconnect/tests/mochitest/test_bug793969.html
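Review bot: The new `JS_DefinePropertyById(aCx, unforgeableHolder, toPrimitive, JS::UndefinedHandleValue, JSPROP_READONLY | JSPROP_PERMANENT)` call in the template says nothing about why the value is `undefined` rather than a function, and that is the whole security argument: an `undefined` @@toPrimitive makes ToPrimitive fall through to OrdinaryToPrimitive, i.e. the object's `toString`/`valueOf` lookup, so the guarantee only holds because those two are also unforgeable on the same holder (presumably defined from the IDL elsewhere in this function; the hunk does not show it). I would add, above the `JS::RootedId toPrimitive(aCx,` line inside the template, `// @@toPrimitive = undefined: ToPrimitive then falls back to the (also unforgeable) toString/valueOf, so neither an own nor a prototype Symbol.toPrimitive can hijack string/number conversion.` A second one-liner is worth having that the symbol property is deliberately defined without JSPROP_ENUMERATE, unlike `toJSON` a few lines below, so the asymmetry is not "fixed" later. `InitUnforgeablePropertiesOnHolder` starts before the hunk and continues after it.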
@@ -44,6 +44,9 @@ Object.prototype.valueOf = function() { return 'hah'; };
 is(({}).valueOf(), 'hah', "Shadowing on Object.prototype works for vanilla objects");
 is(location.valueOf(), location, "Shadowing on Object.prototype and Location.prototype doesn't for location objects");
+location[Symbol.toPrimitive] = function() { return 'hah'; }
+is(location + "", location.toString(), "Should't be able to shadow with toPrimitive");
+