Implement cross-origin wrappers

[Ms2ger]

We'll need to port XOWs from XPConnect.

@bholley suggested waiting until https://bugzilla.mozilla.org/show_bug.cgi?id=965898 lands.

[KiChjang]

The bugfix has landed on bugzilla.

[bholley]

FWIW, the spec for this is still being finalized (and is actually moving, after stalling for several years). So I might still wait a bit longer, or at least coordinate with @annevk.

[annevk]

See whatwg/html#638 for progress on that. I guess there should also go some thought into whether Servo wants the Gecko or the Chromium setup. While the latter is not safe in the face of document.domain, it's vastly simpler.

[bholley]

Given that Servo is using SpiderMonkey, I would recommend the Gecko setup for access checks. The Chromium setup relies on a bunch of pretty-fragile invariants to make its simplifications. The SpiderMonkey people are unlikely to be paying as close attention to those details, because the wrapper/membrane setup makes Gecko safe by default.

Then there's the question of how to obtain the "clean view per-origin". Chromium uses Separate Worlds, which get tricky if you cache the reflector on the DOM object the way Gecko and Servo do (not sure what Chromium does there, exactly). Servo doesn't need the fully-general Xray setup that Gecko has, but may need some sort wrapper that gives the same behavior as CrossOriginXrayWrapper.

[jdm]

Relevant work:

• https://github.com/Ms2ger/servo/tree/xows
• https://github.com/jdm/servo/tree/postmessage (includes a super hacky implementation of cross-origin window.parent to support cross-origin postMessage; merely for investigative/exploratory purposes)

[Ms2ger]

We should now be able to implement this from the spec: https://html.spec.whatwg.org/multipage/#cross-origin-objects.

[avadacatavra]

I chatted with @bholley and @jdm--if it's ok, I'll start working on this.

Other relevant work:

• Test for cross origin behavior: https://github.com/w3c/web-platform-tests/tree/master/html/browsers/origin/cross-origin-objects
• Gecko implementation: http://searchfox.org/mozilla-central/source/js/xpconnect/wrappers/FilteringWrapper.h#64 (supports stuff that we don't need too)

[avadacatavra]

Pretty sure this is blocked on the various promises PRs

[jdm]

Promises are working; anything that is not should be filed with a testcase.

[asajeffrey]

Some IRC chat: http://logs.glob.uno/?c=mozilla%23servo&s=4+Oct+2016&e=4+Oct+2016#c534539

TL;DR: we may have issues with XOWs in the case that the window is off in another process; this will probably require implementing a WindowProxy in Servo that tracks a pipeline id, so can implement Parent, Top, etc. but for most methods checks to see if the pipeline id is local, and throws a SecuityError if not.

@Ms2ger pointed me to the docs for SM WindowProxy: http://searchfox.org/mozilla-central/source/js/src/jsfriendapi.h#2845