mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-27 20:25:44 +00:00
c6ad0230b3
The basic problem in the testcase is that one compartment requests same-origin Xrays via wantXrays=true (the default for Sandboxes) while the other does not. The current code only considers the wantXrays flag of the compartment performing the access, so we end up in a situation where we have same-origin compartments, but Xray in one direction and Transparent in the other. This is a problem for crossCompartmentFunction.apply(null, [arg]). If both globals get transparent wrappers, there's obviously no problem. And if both globals get XrayWrappers, then the |apply| happens on the XrayWrapper of the function in the caller's compartment. So the Array is unpacked in the caller's compartment, and again we have no problem. But if the caller gets Transparent and the callee gets Xrays, then we end up invoking |apply| from the callee's side, which then gets an XrayWrapper to the array. This XrayWrapper may do surprising things, leading to the odd situation in the testcase. Same-origin Xrays are kind of broken anyway, but I don't think we'll ever be able to get rid of them. So the most sensible thing to do is probably to honor the flag (if set) from either compartment. This patch does that.
10 lines
454 B
JavaScript
10 lines
454 B
JavaScript
const Cu = Components.utils;
|
|
function run_test() {
|
|
var sb1 = Cu.Sandbox('http://www.example.com', { wantXrays: true });
|
|
var sb2 = Cu.Sandbox('http://www.example.com', { wantXrays: false });
|
|
sb2.f = Cu.evalInSandbox('x => typeof x', sb1);
|
|
do_check_eq(Cu.evalInSandbox('f(dump)', sb2), 'function');
|
|
do_check_eq(Cu.evalInSandbox('f.call(null, dump)', sb2), 'function');
|
|
do_check_eq(Cu.evalInSandbox('f.apply(null, [dump])', sb2), 'function');
|
|
}
|