Using JSPropertyOp means a null shape getter, whereas null means that the shape
uses the class getter. This means that stuff like window.top, which is defined
as a non-configurable |own| property in nsDOMClassInfo, was getting set up with
XPC_WN_Helper_GetProperty as its get operation. But this confused
SandboxProxyHandler, which explicitly avoids rebinding class getters/setters,
which in turn meant that our sandboxPrototype feature was relying on the crazy
prototype-climbing behavior of GetWrappedNativeOfJSObject to make stuff like
|this.top| work. We're removing this behavior, so we need to fix nsDOMClassInfo
here.
Here are some DefineProperty cases that I left with null getters/setters:
* nsDOMClassInfo::ResolveConstructor
* The child window stuff at the bottom of nsWindowSH::NewResolve
* Named item resolution in nsNamedArraySH::NewResolve
* document.all stuff (scary!)
* nsHTMLDocumentSH::NewResolve
* nsHTMLFormElementSH::NewResolve
* nsStorage2SH::NewResolve
Using JSPropertyOp means a null shape getter, whereas null means that the shape
uses the class getter. This means that stuff like window.top, which is defined
as a non-configurable |own| property in nsDOMClassInfo, was getting set up with
XPC_WN_Helper_GetProperty as its get operation. But this confused
SandboxProxyHandler, which explicitly avoids rebinding class getters/setters,
which in turn meant that our sandboxPrototype feature was relying on the crazy
prototype-climbing behavior of GetWrappedNativeOfJSObject to make stuff like
|this.top| work. We're removing this behavior, so we need to fix nsDOMClassInfo
here.
Here are some DefineProperty cases that I left with null getters/setters:
* nsDOMClassInfo::ResolveConstructor
* The child window stuff at the bottom of nsWindowSH::NewResolve
* Named item resolution in nsNamedArraySH::NewResolve
* document.all stuff (scary!)
* nsHTMLDocumentSH::NewResolve
* nsHTMLFormElementSH::NewResolve
* nsStorage2SH::NewResolve
Using JSPropertyOp means a null shape getter, whereas null means that the shape
uses the class getter. This means that stuff like window.top, which is defined
as a non-configurable |own| property in nsDOMClassInfo, was getting set up with
XPC_WN_Helper_GetProperty as its get operation. But this confused
SandboxProxyHandler, which explicitly avoids rebinding class getters/setters,
which in turn meant that our sandboxPrototype feature was relying on the crazy
prototype-climbing behavior of GetWrappedNativeOfJSObject to make stuff like
|this.top| work. We're removing this behavior, so we need to fix nsDOMClassInfo
here.
Here are some DefineProperty cases that I left with null getters/setters:
* nsDOMClassInfo::ResolveConstructor
* The child window stuff at the bottom of nsWindowSH::NewResolve
* Named item resolution in nsNamedArraySH::NewResolve
* document.all stuff (scary!)
* nsHTMLDocumentSH::NewResolve
* nsHTMLFormElementSH::NewResolve
* nsStorage2SH::NewResolve
