Closed Bug 568886 Opened 15 years ago Closed 14 years ago

Instead of severing the stack in SJOW, function.caller should refuse to return an object from a different compartment

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

(Whiteboard: [fixed-in-tracemonkey])

Attachments

(1 file)

Currently we have a hack in SJOW to sever the stack. This is specifically to prevent an attack where arguments.callee.caller.caller eventually reaches a more-privileged object. In the case of content reaching up to Greasemonkey scripts, .caller.caller eventually reaches an object which has the same principals, but from which too-powerful Greasemonkey APIs are reachable. So a principals check in function.caller would be insufficient. Instead, we should put Greasemonkey in a separate compartment (bug 568885) and make .caller return null rather than return a function object from another compartment.
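As an added illustration of the point made in comment 0 (example code written for this page, not code from the bug's patch or from SpiderMonkey): a small JavaScript model in which each function record carries a principal and a compartment, and the principals-only `.caller` getter is compared with the compartment-checking one. The function names, the principal strings and the compartment labels are assumptions chosen for the example.

```javascript
// Added model of the two designs compared in comment 0, not SpiderMonkey code:
// function objects are records with a principal and a compartment, and an
// explicit stack stands in for the engine's.
const stack = [];

// makeFn builds a callable record; fn.call() pushes a frame while the body runs.
function makeFn(name, principal, compartment, body) {
  const fn = { name, principal, compartment };
  fn.call = (...args) => {
    stack.push(fn);
    try { return body(...args); } finally { stack.pop(); }
  };
  return fn;
}
function frameBelow(fn) {
  const i = stack.lastIndexOf(fn);
  return i > 0 ? stack[i - 1] : null;
}

// Principals check alone: any same-principal caller is handed back.
function callerOfPrincipalsCheck(fn) {
  const caller = frameBelow(fn);
  return caller && caller.principal === fn.principal ? caller : null;
}
// Bug 568886: refuse to return a function object from another compartment.
function callerOfCompartmentCheck(fn) {
  const caller = frameBelow(fn);
  return caller && caller.compartment === fn.compartment ? caller : null;
}

// Walk .caller.caller... from `start` and return the names reached.
function walkCallers(start, callerOf) {
  const reached = [];
  for (let f = callerOf(start); f; f = callerOf(f)) reached.push(f.name);
  return reached;
}
// Constructed scenario (assumed): the user script runs with the page's principal,
// as Greasemonkey sandboxes did, but in its own compartment, and calls the page.
function runScenario(callerOf) {
  let reached = null;
  const pageHandler = makeFn("pageHandler", "http://example.com", "content",
    () => { reached = walkCallers(pageHandler, callerOf); });
  const userScript = makeFn("userScript", "http://example.com", "greasemonkey",
    () => pageHandler.call());
  const gmEntry = makeFn("GM_entry", "system", "greasemonkey",
    () => userScript.call());
  gmEntry.call();
  return reached;
}
```

With the principals check the walk from the page's function reaches `userScript`, the same-principal frame that closes over the privileged API; with the compartment check it stops immediately with `null`.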
Abso-freaking-lutely -- how did we live with this for so long? f.caller was censored in the old days of Netscape 4 signed scripts/applets. Great to see this getting fixed. /be
Attached patch v1 (deleted)
Like so. But since Gecko does not actually put objects with different principals in different compartments yet, this patch is not yet safe to land.
Assignee: general → jorendorff
Attachment #453889 - Flags: review+
Depends on: 563106
Attachment #453889 - Flags: review?(mrbkap)
Comment on attachment 453889 [details] [diff] [review] v1 Actually, um -- can we land this now? I think the security check has been redundant for some time. The stack-severing code in SJOW is sufficient for now, and the new check added here will be sufficient when Gecko is properly compartmentalized.
Comment on attachment 453889 [details] [diff] [review] v1 Yeah, we should be able to land this now.
Attachment #453889 - Flags: review?(mrbkap) → review+
Whiteboard: [fixed-in-tracemonkey]
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED