Bug 860494 - Check for native properties before checking named children on XOWs. r=bz

js/xpconnect/wrappers/AccessCheck.cpp

@@ -209,7 +209,7 @@ IsWindow(const char *name)
 }
 
 bool
-AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapper, jsid id,
+AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapperArg, jsid idArg,
                                           Wrapper::Action act)
 {
     if (!XPCWrapper::GetSecurityManager())
@@ -218,7 +218,9 @@ AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapper, jsid
     if (act == Wrapper::CALL)
         return true;
 
-    JSObject *obj = Wrapper::wrappedObject(wrapper);
+    RootedId id(cx, idArg);
+    RootedObject wrapper(cx, wrapperArg);
+    RootedObject obj(cx, Wrapper::wrappedObject(wrapper));
 
     const char *name;
     js::Class *clasp = js::GetObjectClass(obj);
@@ -233,7 +235,20 @@ AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapper, jsid
             return true;
     }
 
-    return IsWindow(name) && IsFrameId(cx, obj, id);
+    // Check for frame IDs. If we're resolving named frames, make sure to only
+    // resolve ones that don't shadow native properties. See bug 860494.
+    if (IsWindow(name)) {
+        if (JSID_IS_STRING(id) && !XrayUtils::IsXrayResolving(cx, wrapper, id)) {
+            bool wouldShadow = false;
+            if (!XrayUtils::HasNativeProperty(cx, wrapper, id, &wouldShadow) ||
+                wouldShadow)
+            {
+                return false;
+            }
+        }
+        return IsFrameId(cx, obj, id);
+    }
+    return false;
 }
 
 bool

js/xpconnect/wrappers/XrayWrapper.cpp

@@ -27,6 +27,7 @@
 
 using namespace mozilla::dom;
 using namespace JS;
+using namespace mozilla;
 
 using js::PropertyDescriptor;
 using js::Wrapper;
@@ -1350,6 +1351,45 @@ IsXrayResolving(JSContext *cx, HandleObject wrapper, HandleId id)
     return XPCWrappedNativeXrayTraits::isResolving(cx, holder, id);
 }
 
+bool
+HasNativeProperty(JSContext *cx, HandleObject wrapper, HandleId id, bool *hasProp)
+{
+    MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
+    XrayTraits *traits = GetXrayTraits(wrapper);
+    MOZ_ASSERT(traits);
+    RootedObject holder(cx, traits->ensureHolder(cx, wrapper));
+    NS_ENSURE_TRUE(holder, false);
+    *hasProp = false;
+    JSPropertyDescriptor desc;
+    Wrapper *handler = Wrapper::wrapperHandler(wrapper);
+
+    // Try resolveOwnProperty.
+    Maybe<ResolvingId> resolvingId;
+    if (traits == &XPCWrappedNativeXrayTraits::singleton)
+        resolvingId.construct(wrapper, id);
+    if (!traits->resolveOwnProperty(cx, *handler, wrapper, holder, id, &desc, 0))
+        return false;
+    if (desc.obj) {
+        *hasProp = true;
+        return true;
+    }
+
+    // Try the holder.
+    JSBool found = false;
+    if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found))
+        return false;
+    if (found) {
+        *hasProp = true;
+        return true;
+    }
+
+    // Try resolveNativeProperty.
+    if (!traits->resolveNativeProperty(cx, wrapper, holder, id, &desc, 0))
+        return false;
+    *hasProp = !!desc.obj;
+    return true;
+}
+
 } // namespace XrayUtils
 
 static JSBool

js/xpconnect/wrappers/XrayWrapper.h

@@ -41,6 +41,9 @@ GetNativePropertiesObject(JSContext *cx, JSObject *wrapper);
 bool
 IsXrayResolving(JSContext *cx, JSHandleObject wrapper, JSHandleId id);
 
+bool
+HasNativeProperty(JSContext *cx, JSHandleObject wrapper, JSHandleId id,
+                  bool *hasProp);
 }
 
 class XrayTraits;