There are really two questions to be asked: is the caller chrome, and does the
caller subsume the callee. We have other, more precise ways of asking both of
these questions.
We currently set this for system globals and anything whose parent
chain leads to a system global. Maybe this was relevant before, but
with CPG this is just equivalent to asking whether the object is in
a system compartment. And the only place where we _check_ this bit
is immediately after checking for a system compartment, in
WrapperFactory. So AFAICT this can go away entirely.
WouldReuseInnerWindow also returns true if the new window is same-origin with
the old one about:blank document.
This condition exists in order to handle some sloppiness with respect to the
principals on initial about:blank documents. Chrome callers sometimes parent
chrome windows (with XUL document) to content windows. But this parenting causes
us to push the cx of the content window during window creation, meaning that
the subsequent load of chrome://foo.xul blows away the old inner window and any
expandos on it. We can handle this case more precisely by skipping the cx push
for type="chrome" windows.
Furthermore, this was also necessary to prevent the inner window from being
blown away in the call to SetOpenerScriptPrincipal once nsWindowWatcher gets
the window back from the window creator (and after it's already told consumers
about the window via "domwindowcreated"). But we fixed this nastiness in the
previous patches.
So we can remove this case. By doing so, we can prevent inner windows from ever
changing origins, which is very important for compartment security invariants.
There's no reason it has to fail if there's no mDoc, since any document is promptly
blown away with the new about:blank document.
The indempotence is important because we want to be able to call this method
unconditionally in OpenJSWindowInternal (since we may not have gone through
RegisterTopLevelWindow) without worrying about whether we've called it already.
We can remove the fallback to the principal of aParent because we already push the
cx for aParent (callerContextGuard) whenever we're concerned about using its principal.
This doesn't change any functionality in the code. Note that the name is currently
a bit of a misnomer, but we change that in the next patch when we rip out the
arguments.
This makes our builds a bit more reproducible. Without it when processing
#include "IPC/IPCMessageUtils.h
we end up in
#include "ShadowLayers.h"
which in the final XUL translates into the symbol (run nm -a to see it):
- 00 0000 SOL ../../../../gfx/layers/IPC/ShadowLayers.h
now when some file in gfx/layers/ipc does
#include "ShadowLayres.h"
the file found is the local one with the lowercase directory name and we end up
with
- 00 0000 SOL ../../../../gfx/layers/ipc/ShadowLayers.h
--HG--
extra : rebase_source : 96c68f6a3448eedaa280039960df911a9c707cac