From 7bdd393f19602706944bf91d1a7e85a2f5301e1b Mon Sep 17 00:00:00 2001
From: "Carsten \"Tomcat\" Book"
Date: Wed, 5 Nov 2014 10:04:08 +0100
Subject: [PATCH] Backed out changeset 2dbf8f6bd2aa (bug 1092446) for suspicion of adding a hazard
---
 dom/base/test/chrome/cpows_child.js | 9 ---------
 dom/base/test/chrome/cpows_parent.xul | 5 +----
 js/xpconnect/wrappers/WrapperFactory.cpp | 9 ++-------
 3 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/dom/base/test/chrome/cpows_child.js b/dom/base/test/chrome/cpows_child.js
index b81a24a6d662..95bdfb9e1f5a 100644
--- a/dom/base/test/chrome/cpows_child.js
+++ b/dom/base/test/chrome/cpows_child.js
@@ -87,15 +87,6 @@ function parent_test() addMessageListener("cpows:from_parent", (msg) => { let obj = msg.objects.obj; ok(obj.a == 1, "correct value from parent"); - - // Test that a CPOW reference to a function in the chrome process - // is callable from unprivileged content. Greasemonkey uses this - // functionality. - let func = msg.objects.func; - let sb = Cu.Sandbox('http://www.example.com', {}); - sb.func = func; - ok(sb.eval('func()') == 101, "can call parent's function in child"); - done_count++; if (done_count == 2) sendSyncMessage("cpows:done", {});
diff --git a/dom/base/test/chrome/cpows_parent.xul b/dom/base/test/chrome/cpows_parent.xul
index bc69541219fe..78ed01d80bb6 100644
--- a/dom/base/test/chrome/cpows_parent.xul
+++ b/dom/base/test/chrome/cpows_parent.xul
@@ -181,11 +181,8 @@
 let func = message.objects.func;
 let result = func(n => 2*n);
 ok(result == 20, "result == 20");
- function f() {
- return 101;
- }
 let obj = {a:1, __exposedProps__: {"a": "r"}};
- savedMM.sendAsyncMessage("cpows:from_parent", {}, {obj: obj, func: f});
+ savedMM.sendAsyncMessage("cpows:from_parent", {}, {obj: obj});
 }
 // Make sure errors in this file actually hit window.onerror.
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
index 0d8eee539c75..0792b9a343a9 100644
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -16,11 +16,9 @@
 #include "xpcprivate.h"
 #include "XPCMaps.h"
 #include "mozilla/dom/BindingUtils.h"
-#include "JavaScriptParent.h"
 #include "jsfriendapi.h"
 #include "mozilla/Likely.h"
 #include "nsContentUtils.h"
-#include "nsXULAppAPI.h"
 using namespace JS;
 using namespace js;
@@ -425,12 +423,9 @@ WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
 }
 // If this is a chrome function being exposed to content, we need to allow
- // call (but nothing else). We allow CPOWs that purport to be function's
- // here, but only in the content process.
+ // call (but nothing else).
 else if (originIsChrome && !targetIsChrome &&
- (IdentifyStandardInstance(obj) == JSProto_Function ||
- (jsipc::IsCPOW(obj) && JS::IsCallable(obj) &&
- XRE_GetProcessType() == GeckoProcessType_Content)))
+ IdentifyStandardInstance(obj) == JSProto_Function)
 {
 wrapper = &FilteringWrapper::singleton;
 }
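Review bot: The shortened comment above the `else if` no longer says that callable CPOWs are deliberately left out of the call-only wrapper branch, so a later reader cannot tell whether `IdentifyStandardInstance(obj) == JSProto_Function` is the complete intended condition or a temporary state pending a reland. I would add a line such as `// Callable CPOWs are not matched here; support was backed out (bug 1092446).` directly after `// call (but nothing else).`. This branch is one arm of an if/else chain in WrapperFactory::Rewrap that starts and ends outside the hunk, so which wrapper a callable CPOW crossing from chrome to content receives after this change cannot be confirmed from the visible lines. The cpows_child.js check that exercised that path is removed in the same patch, so nothing visible here asserts the resulting behaviour.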