Bug 1052096 - Move CPOW targets into the privileged/unprivileged junk scope of the child/parent. r=billm

js/ipc/JavaScriptShared.cpp

@@ -377,31 +377,11 @@ JavaScriptShared::findObjectById(JSContext *cx, uint32_t objId)
         return nullptr;
     }
 
-    // Objects are stored in objects_ unwrapped. We want to wrap the object
-    // before returning it so that all operations happen on Xray wrappers. If
-    // the object is a DOM element, we try to obtain the corresponding
-    // TabChildGlobal and wrap in that.
-    RootedObject global(cx, GetGlobalForObjectCrossCompartment(obj));
-    nsCOMPtr<nsIGlobalObject> nativeGlobal = xpc::GetNativeForGlobal(global);
-    nsCOMPtr<nsIDOMWindow> window = do_QueryInterface(nativeGlobal);
-    if (window) {
-        dom::TabChild *tabChild = dom::TabChild::GetFrom(window);
-        if (tabChild) {
-            nsCOMPtr<nsIContentFrameMessageManager> mm;
-            tabChild->GetMessageManager(getter_AddRefs(mm));
-            nsCOMPtr<nsIGlobalObject> tabChildNativeGlobal = do_QueryInterface(mm);
-            RootedObject tabChildGlobal(cx, tabChildNativeGlobal->GetGlobalJSObject());
-            JSAutoCompartment ac(cx, tabChildGlobal);
-            if (!JS_WrapObject(cx, &obj))
-                return nullptr;
-            return obj;
-        }
-    }
-
-    // If there's no TabChildGlobal, we use the junk scope. In the parent we use
-    // the unprivileged junk scope to prevent security vulnerabilities. In the
-    // child we use the privileged junk scope.
-    JSAutoCompartment ac(cx, defaultScope());
+    // Each process has a dedicated compartment for CPOW targets. All CPOWs
+    // from the other process point to objects in this scope. From there, they
+    // can access objects in other compartments using cross-compartment
+    // wrappers.
+    JSAutoCompartment ac(cx, scopeForTargetObjects());
     if (!JS_WrapObject(cx, &obj))
         return nullptr;
     return obj;