Bug 1154366. Pass in a JSContext to StructuredCloneContainer::InitFromJSVal so it will throw its exceptions somewhere where people might see them. r=bholley

2024-11-25 13:51:41 +00:00 · 2015-04-16 13:22:15 -04:00 · 2015-04-16 13:22:15 -04:00 · 9f8de4bfd5
commit 9f8de4bfd5
parent 86b08ed9b5
8 changed files with 19 additions and 24 deletions
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -11474,7 +11474,7 @@ nsDocShell::AddState(JS::Handle<JS::Value> aData, const nsAString& aTitle,
    nsCOMPtr<nsIPrincipal> origPrincipal = origDocument->NodePrincipal();

    scContainer = new nsStructuredCloneContainer();
-    rv = scContainer->InitFromJSVal(aData);
+    rv = scContainer->InitFromJSVal(aData, aCx);
    NS_ENSURE_SUCCESS(rv, rv);

    nsCOMPtr<nsIDocument> newDocument = GetDocument();
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@ -200,4 +200,5 @@ pref(dom.webcomponents.enabled,true) load 1029710.html
 HTTP(..) load xhr_abortinprogress.html
 load xhr_empty_datauri.html
 load xhr_html_nullresponse.html
+load structured_clone_container_throws.html
 load 1154598.xhtml
--- a/dom/base/crashtests/structured_clone_container_throws.html
+++ b/dom/base/crashtests/structured_clone_container_throws.html
@ -0,0 +1,9 @@
+<iframe></iframe>
+<script>
+try { frames[0].history.pushState({ dummy: function() {} }, ''); }
+catch (e) {}
+var doc = frames[0].document;
+var s = doc.createElement("script");
+s.textContent = "1";
+doc.body.appendChild(s);
+</script>
--- a/dom/base/nsStructuredCloneContainer.cpp
+++ b/dom/base/nsStructuredCloneContainer.cpp
@ -42,28 +42,19 @@ nsStructuredCloneContainer::~nsStructuredCloneContainer()
 }

 nsresult
-nsStructuredCloneContainer::InitFromJSVal(JS::Handle<JS::Value> aData)
+nsStructuredCloneContainer::InitFromJSVal(JS::Handle<JS::Value> aData,
+                                          JSContext* aCx)
 {
  NS_ENSURE_STATE(!mData);

  uint64_t* jsBytes = nullptr;
  bool success = false;
  if (aData.isPrimitive()) {
-    // |aData| is a primitive, so the structured clone algorithm won't run
-    // script and we can just use AutoJSAPI.
-    dom::AutoJSAPI jsapi;
-    jsapi.Init();
-    success = JS_WriteStructuredClone(jsapi.cx(), aData, &jsBytes, &mSize,
+    success = JS_WriteStructuredClone(aCx, aData, &jsBytes, &mSize,
                                      nullptr, nullptr,
                                      JS::UndefinedHandleValue);
  } else {
-    // |aData| is an object and the structured clone algorithm can run script as
-    // part of the "own" "deep clone" sub-steps, so we need an AutoEntryScript.
-    // http://www.whatwg.org/specs/web-apps/current-work/#internal-structured-cloning-algorithm
-    nsIGlobalObject* nativeGlobal =
-      xpc::NativeGlobal(js::GetGlobalForObjectCrossCompartment(&aData.toObject()));
-    dom::AutoEntryScript aes(nativeGlobal);
-    success = JS_WriteStructuredClone(aes.cx(), aData, &jsBytes, &mSize,
+    success = JS_WriteStructuredClone(aCx, aData, &jsBytes, &mSize,
                                      nullptr, nullptr,
                                      JS::UndefinedHandleValue);
  }
--- a/dom/interfaces/base/nsIStructuredCloneContainer.idl
+++ b/dom/interfaces/base/nsIStructuredCloneContainer.idl
@ -19,7 +19,7 @@ interface nsIDocument;
 * structured clone algorithm.
 *
 * You can copy an object into an nsIStructuredCloneContainer using
- * initFromVariant or initFromBase64.  It's an error to initialize an
+ * initFromJSVal or initFromBase64.  It's an error to initialize an
 * nsIStructuredCloneContainer more than once.
 *
 * Once you've initialized the container, you can get a copy of the object it
@ -27,14 +27,14 @@ interface nsIDocument;
 * string containing a copy of the container's serialized data, using
 * getDataAsBase64.
 */
-[scriptable, uuid(8144021a-7f8a-483a-a0f1-ca02b761403f)]
+[scriptable, uuid(63eeafec-63f5-42c3-aea9-5c04678784e7)]
 interface nsIStructuredCloneContainer : nsISupports
 {
  /**
   * Initialize this structured clone container so it contains a clone of the
   * given jsval.
   */
-  [noscript]
+  [noscript, implicit_jscontext]
  void initFromJSVal(in jsval aData);

  /**
--- a/dom/notification/Notification.cpp
+++ b/dom/notification/Notification.cpp
@ -941,7 +941,7 @@ Notification::InitFromJSVal(JSContext* aCx, JS::Handle<JS::Value> aData,
    return;
  }
  mDataObjectContainer = new nsStructuredCloneContainer();
-  aRv = mDataObjectContainer->InitFromJSVal(aData);
+  aRv = mDataObjectContainer->InitFromJSVal(aData, aCx);
 }

 void Notification::InitFromBase64(JSContext* aCx, const nsAString& aData,
--- a/testing/web-platform/meta/html/browsers/history/the-history-interface/001.html.ini
+++ b/testing/web-platform/meta/html/browsers/history/the-history-interface/001.html.ini
@ -9,9 +9,6 @@
  [pushState must remove any tasks queued by the history traversal task source]
    expected: FAIL

-  [security errors are expected to be thrown in the context of the document that owns the history object (2)]
-    expected: FAIL
-
  [history.state should be a separate clone of the object, not a reference to the object passed to the event handler]
    expected: FAIL

--- a/testing/web-platform/meta/html/browsers/history/the-history-interface/002.html.ini
+++ b/testing/web-platform/meta/html/browsers/history/the-history-interface/002.html.ini
@ -12,9 +12,6 @@
  [.go must queue a task with the history traversal task source (run asynchronously)]
    expected: FAIL

-  [security errors are expected to be thrown in the context of the document that owns the history object (2)]
-    expected: FAIL
-
  [history.state should be a separate clone of the object, not a reference to the object passed to the event handler]
    expected: FAIL