Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element;
MozReview-Commit-ID: GMxikyKJ54A
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -519,16 +519,20 @@ Element::WrapObject(JSContext *aCx, JS::
// Custom element prototype swizzling.
CustomElementData* data = GetCustomElementData();
if (data) {
// If this is a registered custom element then fix the prototype.
nsContentUtils::GetCustomPrototype(OwnerDoc(), NodeInfo()->NamespaceID(),
data->GetCustomElementType(), &customProto);
if (customProto &&
NodePrincipal()->SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))) {
+ // The custom element prototype could be in different compartment.
+ if (!JS_WrapObject(aCx, &customProto)) {
+ return nullptr;
+ }
// Just go ahead and create with the right proto up front. Set
// customProto to null to flag that we don't need to do any post-facto
// proto fixups here.
givenProto = customProto;
customProto = nullptr;
}
}
}
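Review bot: The comment on the added `JS_WrapObject` call does not record that the wrap has to stay after the `SubsumesConsideringDomain` check in the `if` condition above it, and that ordering looks security-relevant. If the two were swapped, `nsContentUtils::ObjectPrincipal(customProto)` would presumably be evaluated on a wrapper living in `aCx`'s compartment rather than on the registered prototype, so the subsumes test would no longer compare against the prototype's own principal. I would reword the comment to something like `// customProto may live in another compartment. Wrap it into aCx's compartment only after the principal check above, which must see the unwrapped object.` The branch where the check fails leaves `customProto` unwrapped for a later fixup outside this hunk, so it is worth confirming that path enters the right compartment as well. `Element::WrapObject` starts and ends outside the hunk.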