From 6698bbf1077dfbbbd9f35c95ada1544eb59aa0f1 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@gmail.com>
Date: Sat, 17 Mar 2018 14:30:49 +0100
Subject: Bug 1426002. Bail out of document.open if beforeunload tears things
 down. r=mystor

---
 dom/html/nsHTMLDocument.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'dom/html')

diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index fea78dc37..be5a34d41 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -1536,6 +1536,18 @@ nsHTMLDocument::Open(JSContext* cx,
         nsCOMPtr<nsIDocument> ret = this;
         return ret.forget();
       }
+
+      // Now double-check that our invariants still hold.
+      if (!mScriptGlobalObject) {
+        nsCOMPtr<nsIDocument> ret = this;
+        return ret.forget();
+      }
+
+      nsPIDOMWindowOuter* outer = GetWindow();
+      if (!outer || (GetInnerWindow() != outer->GetCurrentInnerWindow())) {
+        nsCOMPtr<nsIDocument> ret = this;
+        return ret.forget();
+      }
     }
 
     nsCOMPtr<nsIWebNavigation> webnav(do_QueryInterface(shell));
-- 
cgit v1.2.3