diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index bc5f6e896f23..2dd4d1e731b3 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -11474,7 +11474,7 @@ nsDocShell::AddState(JS::Handle aData, const nsAString& aTitle,
 nsCOMPtr origPrincipal = origDocument->NodePrincipal();
 scContainer = new nsStructuredCloneContainer();
- rv = scContainer->InitFromJSVal(aData);
+ rv = scContainer->InitFromJSVal(aData, aCx);
 NS_ENSURE_SUCCESS(rv, rv);
 nsCOMPtr newDocument = GetDocument();
diff --git a/dom/base/crashtests/crashtests.list b/dom/base/crashtests/crashtests.list
index d1005894eeb0..a9161180f818 100644
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -200,4 +200,5 @@ pref(dom.webcomponents.enabled,true) load 1029710.html
 HTTP(..) load xhr_abortinprogress.html
 load xhr_empty_datauri.html
 load xhr_html_nullresponse.html
+load structured_clone_container_throws.html
 load 1154598.xhtml
diff --git a/dom/base/crashtests/structured_clone_container_throws.html b/dom/base/crashtests/structured_clone_container_throws.html
new file mode 100644
index 000000000000..c92c6f4ae13f
--- /dev/null
+++ b/dom/base/crashtests/structured_clone_container_throws.html
@@ -0,0 +1,9 @@
+
+
diff --git a/dom/base/nsStructuredCloneContainer.cpp b/dom/base/nsStructuredCloneContainer.cpp
index 90519b1f8c5f..03856e99a7c2 100644
--- a/dom/base/nsStructuredCloneContainer.cpp
+++ b/dom/base/nsStructuredCloneContainer.cpp
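Review bot: `NS_ENSURE_SUCCESS(rv, rv)` after the new `rv = scContainer->InitFromJSVal(aData, aCx);` call propagates only an nsresult, yet the clone now runs on `aCx`, so a failed write (an uncloneable value, for instance) is likely to leave a JS exception pending on the caller's context at the same time. AddState begins and ends outside this hunk, so I cannot see whether its callers report that pending exception or replace it with an error derived from rv; if the latter, the DataCloneError the clone raised may be lost, so either InitFromJSVal should clear the pending exception and return a specific nsresult, or this call site should carry a comment such as `// On failure aCx may hold the clone's pending exception; callers decide which error wins.` The same question applies to `aRv = mDataObjectContainer->InitFromJSVal(aData, aCx);` in the Notification.cpp hunk, where an ErrorResult receives the nsresult.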
@@ -42,28 +42,19 @@ nsStructuredCloneContainer::~nsStructuredCloneContainer()
 }
 nsresult
-nsStructuredCloneContainer::InitFromJSVal(JS::Handle aData)
+nsStructuredCloneContainer::InitFromJSVal(JS::Handle aData,
+ JSContext* aCx)
 {
 NS_ENSURE_STATE(!mData);
 uint64_t* jsBytes = nullptr;
 bool success = false;
 if (aData.isPrimitive()) {
- // |aData| is a primitive, so the structured clone algorithm won't run
- // script and we can just use AutoJSAPI.
- dom::AutoJSAPI jsapi;
- jsapi.Init();
- success = JS_WriteStructuredClone(jsapi.cx(), aData, &jsBytes, &mSize,
+ success = JS_WriteStructuredClone(aCx, aData, &jsBytes, &mSize,
 nullptr, nullptr, JS::UndefinedHandleValue);
 } else {
- // |aData| is an object and the structured clone algorithm can run script as
- // part of the "own" "deep clone" sub-steps, so we need an AutoEntryScript.
- // http://www.whatwg.org/specs/web-apps/current-work/#internal-structured-cloning-algorithm
- nsIGlobalObject* nativeGlobal =
- xpc::NativeGlobal(js::GetGlobalForObjectCrossCompartment(&aData.toObject()));
- dom::AutoEntryScript aes(nativeGlobal);
- success = JS_WriteStructuredClone(aes.cx(), aData, &jsBytes, &mSize,
+ success = JS_WriteStructuredClone(aCx, aData, &jsBytes, &mSize,
 nullptr, nullptr, JS::UndefinedHandleValue);
 }
diff --git a/dom/interfaces/base/nsIStructuredCloneContainer.idl b/dom/interfaces/base/nsIStructuredCloneContainer.idl
index dee370970177..68813be5d781 100644
--- a/dom/interfaces/base/nsIStructuredCloneContainer.idl
+++ b/dom/interfaces/base/nsIStructuredCloneContainer.idl
@@ -19,7 +19,7 @@ interface nsIDocument;
 * structured clone algorithm.
 *
 * You can copy an object into an nsIStructuredCloneContainer using
- initFromVariant or initFromBase64. It's an error to initialize an
+ initFromJSVal or initFromBase64. It's an error to initialize an
 * nsIStructuredCloneContainer more than once.
 *
 * Once you've initialized the container, you can get a copy of the object it
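Review bot: Both arms of `if (aData.isPrimitive())` now make the identical `JS_WriteStructuredClone(aCx, ...)` call, so the branch is dead and the two calls should collapse into the single line `success = JS_WriteStructuredClone(aCx, aData, &jsBytes, &mSize, nullptr, nullptr, JS::UndefinedHandleValue);`. The removed comments were also the only statement of why cloning an object may run script; that rationale belongs in a header comment on InitFromJSVal saying that `aCx` must be a context the caller has already entered, that the clone now runs in aCx's current compartment rather than in the data object's global (which the old AutoEntryScript path entered explicitly), and that a failed write can leave an exception pending on aCx. The !success path and the rest of the function are outside the hunk, so I cannot see whether that pending exception is cleared or propagated; if it is merely turned into a generic nsresult the caller ends up with both a failure code and a pending JS exception, which is worth confirming.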
@@ -27,14 +27,14 @@ interface nsIDocument;
 * string containing a copy of the container's serialized data, using
 * getDataAsBase64.
 */
-[scriptable, uuid(8144021a-7f8a-483a-a0f1-ca02b761403f)]
+[scriptable, uuid(63eeafec-63f5-42c3-aea9-5c04678784e7)]
 interface nsIStructuredCloneContainer : nsISupports
 {
 /**
 * Initialize this structured clone container so it contains a clone of the
 * given jsval.
 */
- [noscript]
+ [noscript, implicit_jscontext]
 void initFromJSVal(in jsval aData);
 /**
diff --git a/dom/notification/Notification.cpp b/dom/notification/Notification.cpp
index a25ef0547c43..abf5cd8b390f 100644
--- a/dom/notification/Notification.cpp
+++ b/dom/notification/Notification.cpp
@@ -941,7 +941,7 @@ Notification::InitFromJSVal(JSContext* aCx, JS::Handle aData,
 return;
 }
 mDataObjectContainer = new nsStructuredCloneContainer();
- aRv = mDataObjectContainer->InitFromJSVal(aData);
+ aRv = mDataObjectContainer->InitFromJSVal(aData, aCx);
 }
 void Notification::InitFromBase64(JSContext* aCx, const nsAString& aData,
diff --git a/testing/web-platform/meta/html/browsers/history/the-history-interface/001.html.ini b/testing/web-platform/meta/html/browsers/history/the-history-interface/001.html.ini
index a0735ee2610c..9209090b1c3e 100644
--- a/testing/web-platform/meta/html/browsers/history/the-history-interface/001.html.ini
+++ b/testing/web-platform/meta/html/browsers/history/the-history-interface/001.html.ini
@@ -9,9 +9,6 @@
 [pushState must remove any tasks queued by the history traversal task source]
 expected: FAIL
- [security errors are expected to be thrown in the context of the document that owns the history object (2)]
- expected: FAIL
- [history.state should be a separate clone of the object, not a reference to the object passed to the event handler]
 expected: FAIL
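Review bot: The doc comment above `void initFromJSVal(in jsval aData);` still describes the method as self-contained, but with `[noscript, implicit_jscontext]` the C++ signature gains a trailing `JSContext*` and the clone is performed on that caller-supplied context; the comment should state the new contract. Suggested addition to that comment block: "The clone runs on the caller's JSContext (passed implicitly by implicit_jscontext) in whatever compartment that context currently has entered, so callers must have entered an appropriate global first; on failure the JSAPI error may be left pending on that context in addition to the returned nsresult." Whether the pending-exception part holds depends on the failure path of the C++ implementation, which is not shown in this commit's hunks, so confirm before committing to that wording. The uuid bump is appropriate since the vtable signature changes.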
diff --git a/testing/web-platform/meta/html/browsers/history/the-history-interface/002.html.ini b/testing/web-platform/meta/html/browsers/history/the-history-interface/002.html.ini
index 0cc3c3f35996..3cc7f1b02331 100644
--- a/testing/web-platform/meta/html/browsers/history/the-history-interface/002.html.ini
+++ b/testing/web-platform/meta/html/browsers/history/the-history-interface/002.html.ini
@@ -12,9 +12,6 @@
 [.go must queue a task with the history traversal task source (run asynchronously)]
 expected: FAIL
- [security errors are expected to be thrown in the context of the document that owns the history object (2)]
- expected: FAIL
- [history.state should be a separate clone of the object, not a reference to the object passed to the event handler]
 expected: FAIL