Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

13 files changed, 4536 insertions, 0 deletions

diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp
new file mode 100644
index 0000000000..a38ae5bb13
--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -0,0 +1,172 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AccessCheck.h"
+
+#include "nsJSPrincipals.h"
+#include "nsGlobalWindow.h"
+
+#include "XPCWrapper.h"
+#include "XrayWrapper.h"
+#include "FilteringWrapper.h"
+
+#include "jsfriendapi.h"
+#include "js/Object.h"  // JS::GetClass, JS::GetCompartment
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/ErrorResult.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/LocationBinding.h"
+#include "mozilla/dom/WindowBinding.h"
+#include "nsJSUtils.h"
+#include "xpcprivate.h"
+
+using namespace mozilla;
+using namespace JS;
+using namespace js;
+
+namespace xpc {
+
+BasePrincipal* GetRealmPrincipal(JS::Realm* realm) {
+  return BasePrincipal::Cast(
+      nsJSPrincipals::get(JS::GetRealmPrincipals(realm)));
+}
+
+nsIPrincipal* GetObjectPrincipal(JSObject* obj) {
+  return GetRealmPrincipal(js::GetNonCCWObjectRealm(obj));
+}
+
+bool AccessCheck::subsumes(JSObject* a, JSObject* b) {
+  return CompartmentOriginInfo::Subsumes(JS::GetCompartment(a),
+                                         JS::GetCompartment(b));
+}
+
+// Same as above, but considering document.domain.
+bool AccessCheck::subsumesConsideringDomain(JS::Realm* a, JS::Realm* b) {
+  MOZ_ASSERT(OriginAttributes::IsRestrictOpenerAccessForFPI());
+  BasePrincipal* aprin = GetRealmPrincipal(a);
+  BasePrincipal* bprin = GetRealmPrincipal(b);
+  return aprin->FastSubsumesConsideringDomain(bprin);
+}
+
+bool AccessCheck::subsumesConsideringDomainIgnoringFPD(JS::Realm* a,
+                                                       JS::Realm* b) {
+  MOZ_ASSERT(!OriginAttributes::IsRestrictOpenerAccessForFPI());
+  BasePrincipal* aprin = GetRealmPrincipal(a);
+  BasePrincipal* bprin = GetRealmPrincipal(b);
+  return aprin->FastSubsumesConsideringDomainIgnoringFPD(bprin);
+}
+
+// Does the compartment of the wrapper subsumes the compartment of the wrappee?
+bool AccessCheck::wrapperSubsumes(JSObject* wrapper) {
+  MOZ_ASSERT(js::IsWrapper(wrapper));
+  JSObject* wrapped = js::UncheckedUnwrap(wrapper);
+  return CompartmentOriginInfo::Subsumes(JS::GetCompartment(wrapper),
+                                         JS::GetCompartment(wrapped));
+}
+
+bool AccessCheck::isChrome(JS::Compartment* compartment) {
+  return js::IsSystemCompartment(compartment);
+}
+
+bool AccessCheck::isChrome(JS::Realm* realm) {
+  return isChrome(JS::GetCompartmentForRealm(realm));
+}
+
+bool AccessCheck::isChrome(JSObject* obj) {
+  return isChrome(JS::GetCompartment(obj));
+}
+
+bool IsCrossOriginAccessibleObject(JSObject* obj) {
+  obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
+  const JSClass* clasp = JS::GetClass(obj);
+
+  return (clasp->name[0] == 'L' && !strcmp(clasp->name, "Location")) ||
+         (clasp->name[0] == 'W' && !strcmp(clasp->name, "Window"));
+}
+
+bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
+                                            HandleValue v) {
+  // Primitives are fine.
+  if (!v.isObject()) {
+    return true;
+  }
+  RootedObject obj(cx, &v.toObject());
+
+  // Non-wrappers are fine.
+  if (!js::IsWrapper(obj)) {
+    return true;
+  }
+
+  // Same-origin wrappers are fine.
+  if (AccessCheck::wrapperSubsumes(obj)) {
+    return true;
+  }
+
+  // Badness.
+  JS_ReportErrorASCII(cx,
+                      "Permission denied to pass object to privileged code");
+  return false;
+}
+
+bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
+                                            const CallArgs& args) {
+  if (!checkPassToPrivilegedCode(cx, wrapper, args.thisv())) {
+    return false;
+  }
+  for (size_t i = 0; i < args.length(); ++i) {
+    if (!checkPassToPrivilegedCode(cx, wrapper, args[i])) {
+      return false;
+    }
+  }
+  return true;
+}
+
+void AccessCheck::reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
+                                          const nsACString& accessType) {
+  // This function exists because we want to report DOM SecurityErrors, not JS
+  // Errors, when denying access on cross-origin DOM objects.  It's
+  // conceptually pretty similar to
+  // AutoEnterPolicy::reportErrorIfExceptionIsNotPending.
+  if (JS_IsExceptionPending(cx)) {
+    return;
+  }
+
+  nsAutoCString message;
+  if (id.isVoid()) {
+    message = "Permission denied to access object"_ns;
+  } else {
+    // We want to use JS_ValueToSource here, because that most closely
+    // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending
+    // does.
+    JS::RootedValue idVal(cx, js::IdToValue(id));
+    nsAutoJSString propName;
+    JS::RootedString idStr(cx, JS_ValueToSource(cx, idVal));
+    if (!idStr || !propName.init(cx, idStr)) {
+      return;
+    }
+    message = "Permission denied to "_ns + accessType + " property "_ns +
+              NS_ConvertUTF16toUTF8(propName) + " on cross-origin object"_ns;
+  }
+  ErrorResult rv;
+  rv.ThrowSecurityError(message);
+  MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(cx));
+}
+
+bool OpaqueWithSilentFailing::deny(JSContext* cx, js::Wrapper::Action act,
+                                   HandleId id, bool mayThrow) {
+  // Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR.
+  if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE ||
+      act == js::Wrapper::GET_PROPERTY_DESCRIPTOR) {
+    // Note that ReportWrapperDenial doesn't do any _exception_ reporting,
+    // so we want to do this regardless of the value of mayThrow.
+    return ReportWrapperDenial(cx, id, WrapperDenialForCOW,
+                               "Access to privileged JS object not permitted");
+  }
+
+  return false;
+}
+
+}  // namespace xpc
diff --git a/js/xpconnect/wrappers/AccessCheck.h b/js/xpconnect/wrappers/AccessCheck.h
new file mode 100644
index 0000000000..c42e56ea02
--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.h
@@ -0,0 +1,115 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __AccessCheck_h__
+#define __AccessCheck_h__
+
+#include "js/Id.h"
+#include "js/Wrapper.h"
+#include "nsString.h"
+
+#ifdef XP_MACOSX
+// AssertMacros.h defines 'check' which conflicts with the method declarations
+// in this file.
+#  undef check
+#endif
+
+namespace xpc {
+
+class AccessCheck {
+ public:
+  static bool subsumes(JSObject* a, JSObject* b);
+  static bool wrapperSubsumes(JSObject* wrapper);
+  static bool subsumesConsideringDomain(JS::Realm* a, JS::Realm* b);
+  static bool subsumesConsideringDomainIgnoringFPD(JS::Realm* a, JS::Realm* b);
+  static bool isChrome(JS::Compartment* compartment);
+  static bool isChrome(JS::Realm* realm);
+  static bool isChrome(JSObject* obj);
+  static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper,
+                                        JS::HandleValue value);
+  static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper,
+                                        const JS::CallArgs& args);
+  // Called to report the correct sort of exception when our policy denies and
+  // should throw.  The accessType argument should be one of "access",
+  // "define", "delete", depending on which operation is being denied.
+  static void reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
+                                      const nsACString& accessType);
+};
+
+/**
+ * Returns true if the given object (which is expected to be stripped of
+ * cross-compartment wrappers in practice, but this function doesn't assume
+ * that) is a WindowProxy or Location object, which need special wrapping
+ * behavior due to being usable cross-origin in limited ways.
+ */
+bool IsCrossOriginAccessibleObject(JSObject* obj);
+
+struct Policy {
+  static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
+                        const JS::CallArgs& args) {
+    MOZ_CRASH("As a rule, filtering wrappers are non-callable");
+  }
+};
+
+// This policy allows no interaction with the underlying callable. Everything
+// throws.
+struct Opaque : public Policy {
+  static bool check(JSContext* cx, JSObject* wrapper, jsid id,
+                    js::Wrapper::Action act) {
+    return false;
+  }
+  static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
+                   bool mayThrow) {
+    return false;
+  }
+  static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
+                              JS::NativeImpl impl) {
+    return false;
+  }
+};
+
+// Like the above, but allows CALL.
+struct OpaqueWithCall : public Policy {
+  static bool check(JSContext* cx, JSObject* wrapper, jsid id,
+                    js::Wrapper::Action act) {
+    return act == js::Wrapper::CALL;
+  }
+  static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
+                   bool mayThrow) {
+    return false;
+  }
+  static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
+                              JS::NativeImpl impl) {
+    return false;
+  }
+  static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
+                        const JS::CallArgs& args) {
+    return AccessCheck::checkPassToPrivilegedCode(cx, wrapper, args);
+  }
+};
+
+// This class used to support permitting access to properties if they
+// appeared in an access list on the object, but now it acts like an
+// Opaque wrapper, with the exception that it fails silently for GET,
+// ENUMERATE, and GET_PROPERTY_DESCRIPTOR. This is done for backwards
+// compatibility. See bug 1397513.
+struct OpaqueWithSilentFailing : public Policy {
+  static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+                    js::Wrapper::Action act) {
+    return false;
+  }
+
+  static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
+                   bool mayThrow);
+  static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
+                              JS::NativeImpl impl) {
+    return false;
+  }
+};
+
+}  // namespace xpc
+
+#endif /* __AccessCheck_h__ */
diff --git a/js/xpconnect/wrappers/ChromeObjectWrapper.cpp b/js/xpconnect/wrappers/ChromeObjectWrapper.cpp
new file mode 100644
index 0000000000..28ea3d2c02
--- /dev/null
+++ b/js/xpconnect/wrappers/ChromeObjectWrapper.cpp
@@ -0,0 +1,41 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ChromeObjectWrapper.h"
+#include "WrapperFactory.h"
+#include "AccessCheck.h"
+#include "xpcprivate.h"
+#include "jsapi.h"
+#include "js/Wrapper.h"
+#include "nsXULAppAPI.h"
+
+using namespace JS;
+
+namespace xpc {
+
+const ChromeObjectWrapper ChromeObjectWrapper::singleton;
+
+bool ChromeObjectWrapper::defineProperty(JSContext* cx, HandleObject wrapper,
+                                         HandleId id,
+                                         Handle<PropertyDescriptor> desc,
+                                         ObjectOpResult& result) const {
+  if (desc.hasValue() &&
+      !AccessCheck::checkPassToPrivilegedCode(cx, wrapper, desc.value())) {
+    return false;
+  }
+  return ChromeObjectWrapperBase::defineProperty(cx, wrapper, id, desc, result);
+}
+
+bool ChromeObjectWrapper::set(JSContext* cx, HandleObject wrapper, HandleId id,
+                              HandleValue v, HandleValue receiver,
+                              ObjectOpResult& result) const {
+  if (!AccessCheck::checkPassToPrivilegedCode(cx, wrapper, v)) {
+    return false;
+  }
+  return ChromeObjectWrapperBase::set(cx, wrapper, id, v, receiver, result);
+}
+
+}  // namespace xpc
diff --git a/js/xpconnect/wrappers/ChromeObjectWrapper.h b/js/xpconnect/wrappers/ChromeObjectWrapper.h
new file mode 100644
index 0000000000..49ce4fc139
--- /dev/null
+++ b/js/xpconnect/wrappers/ChromeObjectWrapper.h
@@ -0,0 +1,42 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __ChromeObjectWrapper_h__
+#define __ChromeObjectWrapper_h__
+
+#include "mozilla/Attributes.h"
+
+#include "FilteringWrapper.h"
+
+namespace xpc {
+
+struct OpaqueWithSilentFailing;
+
+// When a vanilla chrome JS object is exposed to content, we use a wrapper that
+// fails silently on GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR for legacy
+// reasons. For extra security, we override the traps that allow content to pass
+// an object to chrome, and perform extra security checks on them.
+#define ChromeObjectWrapperBase \
+  FilteringWrapper<js::CrossCompartmentSecurityWrapper, OpaqueWithSilentFailing>
+
+class ChromeObjectWrapper : public ChromeObjectWrapperBase {
+ public:
+  constexpr ChromeObjectWrapper() : ChromeObjectWrapperBase(0) {}
+
+  virtual bool defineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                              JS::Handle<jsid> id,
+                              JS::Handle<JS::PropertyDescriptor> desc,
+                              JS::ObjectOpResult& result) const override;
+  virtual bool set(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+                   JS::HandleValue v, JS::HandleValue receiver,
+                   JS::ObjectOpResult& result) const override;
+
+  static const ChromeObjectWrapper singleton;
+};
+
+} /* namespace xpc */
+
+#endif /* __ChromeObjectWrapper_h__ */
diff --git a/js/xpconnect/wrappers/FilteringWrapper.cpp b/js/xpconnect/wrappers/FilteringWrapper.cpp
new file mode 100644
index 0000000000..f4812e04ba
--- /dev/null
+++ b/js/xpconnect/wrappers/FilteringWrapper.cpp
@@ -0,0 +1,172 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FilteringWrapper.h"
+#include "AccessCheck.h"
+#include "ChromeObjectWrapper.h"
+#include "XrayWrapper.h"
+#include "nsJSUtils.h"
+#include "mozilla/ErrorResult.h"
+#include "xpcpublic.h"
+#include "xpcprivate.h"
+
+#include "jsapi.h"
+#include "js/Symbol.h"
+
+using namespace JS;
+using namespace js;
+
+namespace xpc {
+
+static JS::SymbolCode sCrossOriginWhitelistedSymbolCodes[] = {
+    JS::SymbolCode::toStringTag, JS::SymbolCode::hasInstance,
+    JS::SymbolCode::isConcatSpreadable};
+
+static bool IsCrossOriginWhitelistedSymbol(JSContext* cx, JS::HandleId id) {
+  if (!id.isSymbol()) {
+    return false;
+  }
+
+  JS::Symbol* symbol = id.toSymbol();
+  for (auto code : sCrossOriginWhitelistedSymbolCodes) {
+    if (symbol == JS::GetWellKnownSymbol(cx, code)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+bool IsCrossOriginWhitelistedProp(JSContext* cx, JS::HandleId id) {
+  return id == GetJSIDByIndex(cx, XPCJSContext::IDX_THEN) ||
+         IsCrossOriginWhitelistedSymbol(cx, id);
+}
+
+bool AppendCrossOriginWhitelistedPropNames(JSContext* cx,
+                                           JS::MutableHandleIdVector props) {
+  // Add "then" if it's not already in the list.
+  RootedIdVector thenProp(cx);
+  if (!thenProp.append(GetJSIDByIndex(cx, XPCJSContext::IDX_THEN))) {
+    return false;
+  }
+
+  if (!AppendUnique(cx, props, thenProp)) {
+    return false;
+  }
+
+  // Now add the three symbol-named props cross-origin objects have.
+#ifdef DEBUG
+  for (size_t n = 0; n < props.length(); ++n) {
+    MOZ_ASSERT(!props[n].isSymbol(), "Unexpected existing symbol-name prop");
+  }
+#endif
+  if (!props.reserve(
+          props.length() +
+          mozilla::ArrayLength(sCrossOriginWhitelistedSymbolCodes))) {
+    return false;
+  }
+
+  for (auto code : sCrossOriginWhitelistedSymbolCodes) {
+    props.infallibleAppend(JS::GetWellKnownSymbolKey(cx, code));
+  }
+
+  return true;
+}
+
+// Note: Previously, FilteringWrapper supported complex access policies where
+// certain properties on an object were accessible and others weren't. Today,
+// the only supported policies are Opaque and OpaqueWithCall, none of which need
+// that. So we just stub out the unreachable paths.
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::getOwnPropertyDescriptor(
+    JSContext* cx, HandleObject wrapper, HandleId id,
+    MutableHandle<mozilla::Maybe<PropertyDescriptor>> desc) const {
+  MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::ownPropertyKeys(
+    JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+  MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::getOwnEnumerablePropertyKeys(
+    JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+  MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::enumerate(
+    JSContext* cx, HandleObject wrapper,
+    JS::MutableHandleIdVector props) const {
+  MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::call(JSContext* cx,
+                                          JS::Handle<JSObject*> wrapper,
+                                          const JS::CallArgs& args) const {
+  if (!Policy::checkCall(cx, wrapper, args)) {
+    return false;
+  }
+  return Base::call(cx, wrapper, args);
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::construct(JSContext* cx,
+                                               JS::Handle<JSObject*> wrapper,
+                                               const JS::CallArgs& args) const {
+  if (!Policy::checkCall(cx, wrapper, args)) {
+    return false;
+  }
+  return Base::construct(cx, wrapper, args);
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::nativeCall(
+    JSContext* cx, JS::IsAcceptableThis test, JS::NativeImpl impl,
+    const JS::CallArgs& args) const {
+  if (Policy::allowNativeCall(cx, test, impl)) {
+    return Base::Permissive::nativeCall(cx, test, impl, args);
+  }
+  return Base::Restrictive::nativeCall(cx, test, impl, args);
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::getPrototype(
+    JSContext* cx, JS::HandleObject wrapper,
+    JS::MutableHandleObject protop) const {
+  // Filtering wrappers do not allow access to the prototype.
+  protop.set(nullptr);
+  return true;
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::enter(JSContext* cx, HandleObject wrapper,
+                                           HandleId id, Wrapper::Action act,
+                                           bool mayThrow, bool* bp) const {
+  if (!Policy::check(cx, wrapper, id, act)) {
+    *bp =
+        JS_IsExceptionPending(cx) ? false : Policy::deny(cx, act, id, mayThrow);
+    return false;
+  }
+  *bp = true;
+  return true;
+}
+
+#define NNXOW FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>
+#define NNXOWC FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>
+
+template <>
+const NNXOW NNXOW::singleton(0);
+template <>
+const NNXOWC NNXOWC::singleton(0);
+
+template class NNXOW;
+template class NNXOWC;
+template class ChromeObjectWrapperBase;
+}  // namespace xpc
diff --git a/js/xpconnect/wrappers/FilteringWrapper.h b/js/xpconnect/wrappers/FilteringWrapper.h
new file mode 100644
index 0000000000..620837cc1b
--- /dev/null
+++ b/js/xpconnect/wrappers/FilteringWrapper.h
@@ -0,0 +1,57 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __FilteringWrapper_h__
+#define __FilteringWrapper_h__
+
+#include "XrayWrapper.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/Maybe.h"
+#include "js/CallNonGenericMethod.h"
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+template <typename Base, typename Policy>
+class FilteringWrapper : public Base {
+ public:
+  constexpr explicit FilteringWrapper(unsigned flags) : Base(flags) {}
+
+  virtual bool enter(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                     JS::Handle<jsid> id, js::Wrapper::Action act,
+                     bool mayThrow, bool* bp) const override;
+
+  virtual bool getOwnPropertyDescriptor(
+      JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc)
+      const override;
+  virtual bool ownPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                               JS::MutableHandleIdVector props) const override;
+
+  virtual bool getOwnEnumerablePropertyKeys(
+      JSContext* cx, JS::Handle<JSObject*> wrapper,
+      JS::MutableHandleIdVector props) const override;
+  virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                         JS::MutableHandleIdVector props) const override;
+
+  virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                    const JS::CallArgs& args) const override;
+  virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                         const JS::CallArgs& args) const override;
+
+  virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+                          JS::NativeImpl impl,
+                          const JS::CallArgs& args) const override;
+
+  virtual bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+                            JS::MutableHandleObject protop) const override;
+
+  static const FilteringWrapper singleton;
+};
+
+}  // namespace xpc
+
+#endif /* __FilteringWrapper_h__ */
diff --git a/js/xpconnect/wrappers/WaiveXrayWrapper.cpp b/js/xpconnect/wrappers/WaiveXrayWrapper.cpp
new file mode 100644
index 0000000000..17c273a5e0
--- /dev/null
+++ b/js/xpconnect/wrappers/WaiveXrayWrapper.cpp
@@ -0,0 +1,95 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WaiveXrayWrapper.h"
+#include "WrapperFactory.h"
+#include "jsapi.h"
+#include "js/CallAndConstruct.h"  // JS::IsCallable
+
+using namespace JS;
+
+namespace xpc {
+
+bool WaiveXrayWrapper::getOwnPropertyDescriptor(
+    JSContext* cx, HandleObject wrapper, HandleId id,
+    MutableHandle<mozilla::Maybe<PropertyDescriptor>> desc) const {
+  if (!CrossCompartmentWrapper::getOwnPropertyDescriptor(cx, wrapper, id,
+                                                         desc)) {
+    return false;
+  }
+
+  if (desc.isNothing()) {
+    return true;
+  }
+
+  Rooted<PropertyDescriptor> desc_(cx, *desc);
+  if (desc_.hasValue()) {
+    if (!WrapperFactory::WaiveXrayAndWrap(cx, desc_.value())) {
+      return false;
+    }
+  }
+  if (desc_.hasGetter() && desc_.getter()) {
+    RootedValue v(cx, JS::ObjectValue(*desc_.getter()));
+    if (!WrapperFactory::WaiveXrayAndWrap(cx, &v)) {
+      return false;
+    }
+    desc_.setGetter(&v.toObject());
+  }
+  if (desc_.hasSetter() && desc_.setter()) {
+    RootedValue v(cx, JS::ObjectValue(*desc_.setter()));
+    if (!WrapperFactory::WaiveXrayAndWrap(cx, &v)) {
+      return false;
+    }
+    desc_.setSetter(&v.toObject());
+  }
+
+  desc.set(mozilla::Some(desc_.get()));
+  return true;
+}
+
+bool WaiveXrayWrapper::get(JSContext* cx, HandleObject wrapper,
+                           HandleValue receiver, HandleId id,
+                           MutableHandleValue vp) const {
+  return CrossCompartmentWrapper::get(cx, wrapper, receiver, id, vp) &&
+         WrapperFactory::WaiveXrayAndWrap(cx, vp);
+}
+
+bool WaiveXrayWrapper::call(JSContext* cx, HandleObject wrapper,
+                            const JS::CallArgs& args) const {
+  return CrossCompartmentWrapper::call(cx, wrapper, args) &&
+         WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool WaiveXrayWrapper::construct(JSContext* cx, HandleObject wrapper,
+                                 const JS::CallArgs& args) const {
+  return CrossCompartmentWrapper::construct(cx, wrapper, args) &&
+         WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+// NB: This is important as the other side of a handshake with FieldGetter. See
+// nsXBLProtoImplField.cpp.
+bool WaiveXrayWrapper::nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+                                  JS::NativeImpl impl,
+                                  const JS::CallArgs& args) const {
+  return CrossCompartmentWrapper::nativeCall(cx, test, impl, args) &&
+         WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool WaiveXrayWrapper::getPrototype(JSContext* cx, HandleObject wrapper,
+                                    MutableHandleObject protop) const {
+  return CrossCompartmentWrapper::getPrototype(cx, wrapper, protop) &&
+         (!protop || WrapperFactory::WaiveXrayAndWrap(cx, protop));
+}
+
+bool WaiveXrayWrapper::getPrototypeIfOrdinary(
+    JSContext* cx, HandleObject wrapper, bool* isOrdinary,
+    MutableHandleObject protop) const {
+  return CrossCompartmentWrapper::getPrototypeIfOrdinary(cx, wrapper,
+                                                         isOrdinary, protop) &&
+         (!protop || WrapperFactory::WaiveXrayAndWrap(cx, protop));
+}
+
+}  // namespace xpc
diff --git a/js/xpconnect/wrappers/WaiveXrayWrapper.h b/js/xpconnect/wrappers/WaiveXrayWrapper.h
new file mode 100644
index 0000000000..02784fdd8f
--- /dev/null
+++ b/js/xpconnect/wrappers/WaiveXrayWrapper.h
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __CrossOriginWrapper_h__
+#define __CrossOriginWrapper_h__
+
+#include "mozilla/Attributes.h"
+#include "mozilla/Maybe.h"
+
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+class WaiveXrayWrapper : public js::CrossCompartmentWrapper {
+ public:
+  explicit constexpr WaiveXrayWrapper(unsigned flags)
+      : js::CrossCompartmentWrapper(flags) {}
+
+  virtual bool getOwnPropertyDescriptor(
+      JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc)
+      const override;
+  virtual bool getPrototype(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                            JS::MutableHandle<JSObject*> protop) const override;
+  virtual bool getPrototypeIfOrdinary(
+      JSContext* cx, JS::Handle<JSObject*> wrapper, bool* isOrdinary,
+      JS::MutableHandle<JSObject*> protop) const override;
+  virtual bool get(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                   JS::Handle<JS::Value> receiver, JS::Handle<jsid> id,
+                   JS::MutableHandle<JS::Value> vp) const override;
+  virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                    const JS::CallArgs& args) const override;
+  virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                         const JS::CallArgs& args) const override;
+
+  virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+                          JS::NativeImpl impl,
+                          const JS::CallArgs& args) const override;
+
+  static const WaiveXrayWrapper singleton;
+};
+
+}  // namespace xpc
+
+#endif
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
new file mode 100644
index 0000000000..9faf636388
--- /dev/null
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -0,0 +1,818 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WaiveXrayWrapper.h"
+#include "FilteringWrapper.h"
+#include "XrayWrapper.h"
+#include "AccessCheck.h"
+#include "XPCWrapper.h"
+#include "ChromeObjectWrapper.h"
+#include "WrapperFactory.h"
+
+#include "xpcprivate.h"
+#include "XPCMaps.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "jsfriendapi.h"
+#include "js/friend/WindowProxy.h"  // js::IsWindow, js::IsWindowProxy
+#include "js/Object.h"              // JS::GetPrivate, JS::GetCompartment
+#include "mozilla/Likely.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "mozilla/dom/MaybeCrossOriginObject.h"
+#include "nsContentUtils.h"
+#include "nsXULAppAPI.h"
+
+using namespace JS;
+using namespace js;
+using namespace mozilla;
+
+namespace xpc {
+
+#ifndef MOZ_UNIFIED_BUILD
+extern template class FilteringWrapper<js::CrossCompartmentSecurityWrapper,
+                                       Opaque>;
+extern template class FilteringWrapper<js::CrossCompartmentSecurityWrapper,
+                                       OpaqueWithCall>;
+#endif
+
+// When chrome pulls a naked property across the membrane using
+// .wrappedJSObject, we want it to cross the membrane into the
+// chrome compartment without automatically being wrapped into an
+// X-ray wrapper. We achieve this by wrapping it into a special
+// transparent wrapper in the origin (non-chrome) compartment. When
+// an object with that special wrapper applied crosses into chrome,
+// we know to not apply an X-ray wrapper.
+const Wrapper XrayWaiver(WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG);
+
+// When objects for which we waived the X-ray wrapper cross into
+// chrome, we wrap them into a special cross-compartment wrapper
+// that transitively extends the waiver to all properties we get
+// off it.
+const WaiveXrayWrapper WaiveXrayWrapper::singleton(0);
+
+bool WrapperFactory::IsOpaqueWrapper(JSObject* obj) {
+  return IsWrapper(obj) &&
+         Wrapper::wrapperHandler(obj) == &PermissiveXrayOpaque::singleton;
+}
+
+bool WrapperFactory::IsCOW(JSObject* obj) {
+  return IsWrapper(obj) &&
+         Wrapper::wrapperHandler(obj) == &ChromeObjectWrapper::singleton;
+}
+
+JSObject* WrapperFactory::GetXrayWaiver(HandleObject obj) {
+  // Object should come fully unwrapped but outerized.
+  MOZ_ASSERT(obj == UncheckedUnwrap(obj));
+  MOZ_ASSERT(!js::IsWindow(obj));
+  XPCWrappedNativeScope* scope = ObjectScope(obj);
+  MOZ_ASSERT(scope);
+
+  if (!scope->mWaiverWrapperMap) {
+    return nullptr;
+  }
+
+  return scope->mWaiverWrapperMap->Find(obj);
+}
+
+JSObject* WrapperFactory::CreateXrayWaiver(JSContext* cx, HandleObject obj,
+                                           bool allowExisting) {
+  // The caller is required to have already done a lookup, unless it's
+  // trying to replace an existing waiver.
+  // NB: This implictly performs the assertions of GetXrayWaiver.
+  MOZ_ASSERT(bool(GetXrayWaiver(obj)) == allowExisting);
+  XPCWrappedNativeScope* scope = ObjectScope(obj);
+
+  JSAutoRealm ar(cx, obj);
+  JSObject* waiver = Wrapper::New(cx, obj, &XrayWaiver);
+  if (!waiver) {
+    return nullptr;
+  }
+
+  // Add the new waiver to the map. It's important that we only ever have
+  // one waiver for the lifetime of the target object.
+  if (!scope->mWaiverWrapperMap) {
+    scope->mWaiverWrapperMap = mozilla::MakeUnique<JSObject2JSObjectMap>();
+  }
+  if (!scope->mWaiverWrapperMap->Add(cx, obj, waiver)) {
+    return nullptr;
+  }
+  return waiver;
+}
+
+JSObject* WrapperFactory::WaiveXray(JSContext* cx, JSObject* objArg) {
+  RootedObject obj(cx, objArg);
+  obj = UncheckedUnwrap(obj);
+  MOZ_ASSERT(!js::IsWindow(obj));
+
+  JSObject* waiver = GetXrayWaiver(obj);
+  if (!waiver) {
+    waiver = CreateXrayWaiver(cx, obj);
+  }
+  JS::AssertObjectIsNotGray(waiver);
+  return waiver;
+}
+
+/* static */
+bool WrapperFactory::AllowWaiver(JS::Compartment* target,
+                                 JS::Compartment* origin) {
+  return CompartmentPrivate::Get(target)->allowWaivers &&
+         CompartmentOriginInfo::Subsumes(target, origin);
+}
+
+/* static */
+bool WrapperFactory::AllowWaiver(JSObject* wrapper) {
+  MOZ_ASSERT(js::IsCrossCompartmentWrapper(wrapper));
+  return AllowWaiver(JS::GetCompartment(wrapper),
+                     JS::GetCompartment(js::UncheckedUnwrap(wrapper)));
+}
+
+inline bool ShouldWaiveXray(JSContext* cx, JSObject* originalObj) {
+  unsigned flags;
+  (void)js::UncheckedUnwrap(originalObj, /* stopAtWindowProxy = */ true,
+                            &flags);
+
+  // If the original object did not point through an Xray waiver, we're done.
+  if (!(flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG)) {
+    return false;
+  }
+
+  // If the original object was not a cross-compartment wrapper, that means
+  // that the caller explicitly created a waiver. Preserve it so that things
+  // like WaiveXrayAndWrap work.
+  if (!(flags & Wrapper::CROSS_COMPARTMENT)) {
+    return true;
+  }
+
+  // Otherwise, this is a case of explicitly passing a wrapper across a
+  // compartment boundary. In that case, we only want to preserve waivers
+  // in transactions between same-origin compartments.
+  JS::Compartment* oldCompartment = JS::GetCompartment(originalObj);
+  JS::Compartment* newCompartment = js::GetContextCompartment(cx);
+  bool sameOrigin = false;
+  if (OriginAttributes::IsRestrictOpenerAccessForFPI()) {
+    sameOrigin =
+        CompartmentOriginInfo::Subsumes(oldCompartment, newCompartment) &&
+        CompartmentOriginInfo::Subsumes(newCompartment, oldCompartment);
+  } else {
+    sameOrigin = CompartmentOriginInfo::SubsumesIgnoringFPD(oldCompartment,
+                                                            newCompartment) &&
+                 CompartmentOriginInfo::SubsumesIgnoringFPD(newCompartment,
+                                                            oldCompartment);
+  }
+  return sameOrigin;
+}
+
+// Special handling is needed when wrapping local and remote window proxies.
+// This function returns true if it found a window proxy and dealt with it.
+static bool MaybeWrapWindowProxy(JSContext* cx, HandleObject origObj,
+                                 HandleObject obj, MutableHandleObject retObj) {
+  bool isWindowProxy = js::IsWindowProxy(obj);
+
+  if (!isWindowProxy &&
+      !dom::IsRemoteObjectProxy(obj, dom::prototypes::id::Window)) {
+    return false;
+  }
+
+  dom::BrowsingContext* bc = nullptr;
+  if (isWindowProxy) {
+    nsGlobalWindowInner* win =
+        WindowOrNull(js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false));
+    if (win && win->GetOuterWindow()) {
+      bc = win->GetOuterWindow()->GetBrowsingContext();
+    }
+    if (!bc) {
+      retObj.set(obj);
+      return true;
+    }
+  } else {
+    bc = dom::GetBrowsingContext(obj);
+    MOZ_ASSERT(bc);
+  }
+
+  // We should only have a remote window proxy if bc is in a state where we
+  // expect remote window proxies. Otherwise, they should have been cleaned up
+  // by a call to CleanUpDanglingRemoteOuterWindowProxies().
+  MOZ_RELEASE_ASSERT(isWindowProxy || bc->CanHaveRemoteOuterProxies());
+
+  if (bc->IsInProcess()) {
+    retObj.set(obj);
+  } else {
+    // If bc is not in process, then use a remote window proxy, whether or not
+    // obj is one already.
+    if (!dom::GetRemoteOuterWindowProxy(cx, bc, origObj, retObj)) {
+      MOZ_CRASH("GetRemoteOuterWindowProxy failed");
+    }
+  }
+
+  return true;
+}
+
+void WrapperFactory::PrepareForWrapping(JSContext* cx, HandleObject scope,
+                                        HandleObject origObj,
+                                        HandleObject objArg,
+                                        HandleObject objectPassedToWrap,
+                                        MutableHandleObject retObj) {
+  // The JS engine calls ToWindowProxyIfWindow and deals with dead wrappers.
+  MOZ_ASSERT(!js::IsWindow(objArg));
+  MOZ_ASSERT(!JS_IsDeadWrapper(objArg));
+
+  bool waive = ShouldWaiveXray(cx, objectPassedToWrap);
+  RootedObject obj(cx, objArg);
+  retObj.set(nullptr);
+
+  // There are a few cases related to window proxies that are handled first to
+  // allow us to assert against wrappers below.
+  if (MaybeWrapWindowProxy(cx, origObj, obj, retObj)) {
+    if (waive) {
+      // We don't put remote window proxies in a waiving wrapper.
+      MOZ_ASSERT(js::IsWindowProxy(obj));
+      retObj.set(WaiveXray(cx, retObj));
+    }
+    return;
+  }
+
+  // Here are the rules for wrapping:
+  // We should never get a proxy here (the JS engine unwraps those for us).
+  MOZ_ASSERT(!IsWrapper(obj));
+
+  // Now, our object is ready to be wrapped, but several objects (notably
+  // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
+  // those objects in a security wrapper, then we need to hand back the
+  // wrapper for the new scope instead. Also, global objects don't move
+  // between scopes so for those we also want to return the wrapper. So...
+  if (!IsWrappedNativeReflector(obj) || JS_IsGlobalObject(obj)) {
+    retObj.set(waive ? WaiveXray(cx, obj) : obj);
+    return;
+  }
+
+  XPCWrappedNative* wn = XPCWrappedNative::Get(obj);
+
+  JSAutoRealm ar(cx, obj);
+  XPCCallContext ccx(cx, obj);
+  RootedObject wrapScope(cx, scope);
+
+  if (ccx.GetScriptable() && ccx.GetScriptable()->WantPreCreate()) {
+    // We have a precreate hook. This object might enforce that we only
+    // ever create JS object for it.
+
+    // Note: this penalizes objects that only have one wrapper, but are
+    // being accessed across compartments. We would really prefer to
+    // replace the above code with a test that says "do you only have one
+    // wrapper?"
+    nsresult rv = wn->GetScriptable()->PreCreate(wn->Native(), cx, scope,
+                                                 wrapScope.address());
+    if (NS_FAILED(rv)) {
+      retObj.set(waive ? WaiveXray(cx, obj) : obj);
+      return;
+    }
+
+    // If the handed back scope differs from the passed-in scope and is in
+    // a separate compartment, then this object is explicitly requesting
+    // that we don't create a second JS object for it: create a security
+    // wrapper.
+    //
+    // Note: The only two objects that still use PreCreate are BackstagePass
+    // and Components, both of which unconditionally request their canonical
+    // scope. Since SpiderMonkey only invokes the prewrap callback in
+    // situations where the object is nominally cross-compartment, we should
+    // always get a different scope here.
+    MOZ_RELEASE_ASSERT(JS::GetCompartment(scope) !=
+                       JS::GetCompartment(wrapScope));
+    retObj.set(waive ? WaiveXray(cx, obj) : obj);
+    return;
+  }
+
+  // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
+  // so we don't have to.
+  RootedValue v(cx);
+  nsresult rv = nsXPConnect::XPConnect()->WrapNativeToJSVal(
+      cx, wrapScope, wn->Native(), nullptr, &NS_GET_IID(nsISupports), false,
+      &v);
+  if (NS_FAILED(rv)) {
+    return;
+  }
+
+  obj.set(&v.toObject());
+  MOZ_ASSERT(IsWrappedNativeReflector(obj), "bad object");
+  JS::AssertObjectIsNotGray(obj);  // We should never return gray reflectors.
+
+  // Because the underlying native didn't have a PreCreate hook, we had
+  // to a new (or possibly pre-existing) XPCWN in our compartment.
+  // This could be a problem for chrome code that passes XPCOM objects
+  // across compartments, because the effects of QI would disappear across
+  // compartments.
+  //
+  // So whenever we pull an XPCWN across compartments in this manner, we
+  // give the destination object the union of the two native sets. We try
+  // to do this cleverly in the common case to avoid too much overhead.
+  XPCWrappedNative* newwn = XPCWrappedNative::Get(obj);
+  RefPtr<XPCNativeSet> unionSet =
+      XPCNativeSet::GetNewOrUsed(cx, newwn->GetSet(), wn->GetSet(), false);
+  if (!unionSet) {
+    return;
+  }
+  newwn->SetSet(unionSet.forget());
+
+  retObj.set(waive ? WaiveXray(cx, obj) : obj);
+}
+
+// This check is completely symmetric, so we don't need to keep track of origin
+// vs target here.  Two compartments may have had transparent CCWs between them
+// only if they are same-origin (ignoring document.domain) or have both had
+// document.domain set at some point and are same-site.  In either case they
+// will have the same SiteIdentifier, so check that first.
+static bool CompartmentsMayHaveHadTransparentCCWs(
+    CompartmentPrivate* private1, CompartmentPrivate* private2) {
+  auto& info1 = private1->originInfo;
+  auto& info2 = private2->originInfo;
+
+  if (!info1.SiteRef().Equals(info2.SiteRef())) {
+    return false;
+  }
+
+  return info1.GetPrincipalIgnoringDocumentDomain()->FastEquals(
+             info2.GetPrincipalIgnoringDocumentDomain()) ||
+         (info1.HasChangedDocumentDomain() && info2.HasChangedDocumentDomain());
+}
+
+#ifdef DEBUG
+static void DEBUG_CheckUnwrapSafety(HandleObject obj,
+                                    const js::Wrapper* handler,
+                                    JS::Realm* origin, JS::Realm* target) {
+  JS::Compartment* targetCompartment = JS::GetCompartmentForRealm(target);
+  if (!js::AllowNewWrapper(targetCompartment, obj)) {
+    // The JS engine should have returned a dead wrapper in this case and we
+    // shouldn't even get here.
+    MOZ_ASSERT_UNREACHABLE("CheckUnwrapSafety called for a dead wrapper");
+  } else if (AccessCheck::isChrome(targetCompartment)) {
+    // If the caller is chrome (or effectively so), unwrap should always be
+    // allowed, but we might have a CrossOriginObjectWrapper here which allows
+    // it dynamically.
+    MOZ_ASSERT(!handler->hasSecurityPolicy() ||
+               handler == &CrossOriginObjectWrapper::singleton);
+  } else {
+    // Otherwise, it should depend on whether the target subsumes the origin.
+    bool subsumes =
+        (OriginAttributes::IsRestrictOpenerAccessForFPI()
+             ? AccessCheck::subsumesConsideringDomain(target, origin)
+             : AccessCheck::subsumesConsideringDomainIgnoringFPD(target,
+                                                                 origin));
+    if (!subsumes) {
+      // If the target (which is where the wrapper lives) does not subsume the
+      // origin (which is where the wrapped object lives), then we should
+      // generally have a security check on the wrapper here.  There is one
+      // exception, though: things that used to be same-origin and then stopped
+      // due to document.domain changes.  In that case we will have a
+      // transparent cross-compartment wrapper here even though "subsumes" is no
+      // longer true.
+      CompartmentPrivate* originCompartmentPrivate =
+          CompartmentPrivate::Get(origin);
+      CompartmentPrivate* targetCompartmentPrivate =
+          CompartmentPrivate::Get(target);
+      if (!originCompartmentPrivate->wantXrays &&
+          !targetCompartmentPrivate->wantXrays &&
+          CompartmentsMayHaveHadTransparentCCWs(originCompartmentPrivate,
+                                                targetCompartmentPrivate)) {
+        // We should have a transparent CCW, unless we have a cross-origin
+        // object, in which case it will be a CrossOriginObjectWrapper.
+        MOZ_ASSERT(handler == &CrossCompartmentWrapper::singleton ||
+                   handler == &CrossOriginObjectWrapper::singleton);
+      } else {
+        MOZ_ASSERT(handler->hasSecurityPolicy());
+      }
+    } else {
+      // Even if target subsumes origin, we might have a wrapper with a security
+      // policy here, if it happens to be a CrossOriginObjectWrapper.
+      MOZ_ASSERT(!handler->hasSecurityPolicy() ||
+                 handler == &CrossOriginObjectWrapper::singleton);
+    }
+  }
+}
+#else
+#  define DEBUG_CheckUnwrapSafety(obj, handler, origin, target) \
+    {}
+#endif
+
+const CrossOriginObjectWrapper CrossOriginObjectWrapper::singleton;
+
+bool CrossOriginObjectWrapper::dynamicCheckedUnwrapAllowed(
+    HandleObject obj, JSContext* cx) const {
+  MOZ_ASSERT(js::GetProxyHandler(obj) == this,
+             "Why are we getting called for some random object?");
+  JSObject* target = wrappedObject(obj);
+  return dom::MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(cx,
+                                                                       target);
+}
+
+static const Wrapper* SelectWrapper(bool securityWrapper, XrayType xrayType,
+                                    bool waiveXrays, JSObject* obj) {
+  // Waived Xray uses a modified CCW that has transparent behavior but
+  // transitively waives Xrays on arguments.
+  if (waiveXrays) {
+    MOZ_ASSERT(!securityWrapper);
+    return &WaiveXrayWrapper::singleton;
+  }
+
+  // If we don't want or can't use Xrays, select a wrapper that's either
+  // entirely transparent or entirely opaque.
+  if (xrayType == NotXray) {
+    if (!securityWrapper) {
+      return &CrossCompartmentWrapper::singleton;
+    }
+    return &FilteringWrapper<CrossCompartmentSecurityWrapper,
+                             Opaque>::singleton;
+  }
+
+  // Ok, we're using Xray. If this isn't a security wrapper, use the permissive
+  // version and skip the filter.
+  if (!securityWrapper) {
+    if (xrayType == XrayForDOMObject) {
+      return &PermissiveXrayDOM::singleton;
+    } else if (xrayType == XrayForJSObject) {
+      return &PermissiveXrayJS::singleton;
+    }
+    MOZ_ASSERT(xrayType == XrayForOpaqueObject);
+    return &PermissiveXrayOpaque::singleton;
+  }
+
+  // There's never any reason to expose other objects to non-subsuming actors.
+  // Just use an opaque wrapper in these cases.
+  return &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
+}
+
+JSObject* WrapperFactory::Rewrap(JSContext* cx, HandleObject existing,
+                                 HandleObject obj) {
+  MOZ_ASSERT(!IsWrapper(obj) || GetProxyHandler(obj) == &XrayWaiver ||
+                 js::IsWindowProxy(obj),
+             "wrapped object passed to rewrap");
+  MOZ_ASSERT(!js::IsWindow(obj));
+  MOZ_ASSERT(dom::IsJSAPIActive());
+
+  // Compute the information we need to select the right wrapper.
+  JS::Realm* origin = js::GetNonCCWObjectRealm(obj);
+  JS::Realm* target = js::GetContextRealm(cx);
+  MOZ_ASSERT(target, "Why is our JSContext not in a Realm?");
+  bool originIsChrome = AccessCheck::isChrome(origin);
+  bool targetIsChrome = AccessCheck::isChrome(target);
+  bool originSubsumesTarget =
+      OriginAttributes::IsRestrictOpenerAccessForFPI()
+          ? AccessCheck::subsumesConsideringDomain(origin, target)
+          : AccessCheck::subsumesConsideringDomainIgnoringFPD(origin, target);
+  bool targetSubsumesOrigin =
+      OriginAttributes::IsRestrictOpenerAccessForFPI()
+          ? AccessCheck::subsumesConsideringDomain(target, origin)
+          : AccessCheck::subsumesConsideringDomainIgnoringFPD(target, origin);
+  bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
+
+  const Wrapper* wrapper;
+
+  CompartmentPrivate* originCompartmentPrivate =
+      CompartmentPrivate::Get(origin);
+  CompartmentPrivate* targetCompartmentPrivate =
+      CompartmentPrivate::Get(target);
+
+  // Track whether we decided to use a transparent wrapper because of
+  // document.domain usage, so we don't override that decision.
+  bool isTransparentWrapperDueToDocumentDomain = false;
+
+  //
+  // First, handle the special cases.
+  //
+
+  // Special handling for chrome objects being exposed to content.
+  if (originIsChrome && !targetIsChrome) {
+    // If this is a chrome function being exposed to content, we need to allow
+    // call (but nothing else).
+    JSProtoKey key = IdentifyStandardInstance(obj);
+    if (key == JSProto_Function || key == JSProto_BoundFunction) {
+      wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
+                                  OpaqueWithCall>::singleton;
+    }
+
+    // For vanilla JSObjects exposed from chrome to content, we use a wrapper
+    // that fails silently in a few cases. We'd like to get rid of this
+    // eventually, but in their current form they don't cause much trouble.
+    else if (key == JSProto_Object) {
+      wrapper = &ChromeObjectWrapper::singleton;
+    }
+
+    // Otherwise we get an opaque wrapper.
+    else {
+      wrapper =
+          &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
+    }
+  }
+
+  // Special handling for the web's cross-origin objects (WindowProxy and
+  // Location).  We only need or want to do this in web-like contexts, where all
+  // security relationships are symmetric and there are no forced Xrays.
+  else if (originSubsumesTarget == targetSubsumesOrigin &&
+           // Check for the more rare case of cross-origin objects before doing
+           // the more-likely-to-pass checks for wantXrays.
+           IsCrossOriginAccessibleObject(obj) &&
+           (!targetSubsumesOrigin || (!originCompartmentPrivate->wantXrays &&
+                                      !targetCompartmentPrivate->wantXrays))) {
+    wrapper = &CrossOriginObjectWrapper::singleton;
+  }
+
+  // Special handling for other web objects.  Again, we only want this in
+  // web-like contexts (symmetric security relationships, no forced Xrays).  In
+  // this situation, if the two compartments may ever have had transparent CCWs
+  // between them, we want to keep using transparent CCWs.
+  else if (originSubsumesTarget == targetSubsumesOrigin &&
+           !originCompartmentPrivate->wantXrays &&
+           !targetCompartmentPrivate->wantXrays &&
+           CompartmentsMayHaveHadTransparentCCWs(originCompartmentPrivate,
+                                                 targetCompartmentPrivate)) {
+    isTransparentWrapperDueToDocumentDomain = true;
+    wrapper = &CrossCompartmentWrapper::singleton;
+  }
+
+  //
+  // Now, handle the regular cases.
+  //
+  // These are wrappers we can compute using a rule-based approach. In order
+  // to do so, we need to compute some parameters.
+  //
+  else {
+    // The wrapper is a security wrapper (protecting the wrappee) if and
+    // only if the target does not subsume the origin.
+    bool securityWrapper = !targetSubsumesOrigin;
+
+    // Xrays are warranted if either the target or the origin don't trust
+    // each other. This is generally the case, unless the two are same-origin
+    // and the caller has not requested same-origin Xrays.
+    //
+    // Xrays are a bidirectional protection, since it affords clarity to the
+    // caller and privacy to the callee.
+    bool sameOriginXrays = originCompartmentPrivate->wantXrays ||
+                           targetCompartmentPrivate->wantXrays;
+    bool wantXrays = !sameOrigin || sameOriginXrays;
+
+    XrayType xrayType = wantXrays ? GetXrayType(obj) : NotXray;
+
+    // If Xrays are warranted, the caller may waive them for non-security
+    // wrappers (unless explicitly forbidden from doing so).
+    bool waiveXrays = wantXrays && !securityWrapper &&
+                      targetCompartmentPrivate->allowWaivers &&
+                      HasWaiveXrayFlag(obj);
+
+    wrapper = SelectWrapper(securityWrapper, xrayType, waiveXrays, obj);
+  }
+
+  if (!targetSubsumesOrigin && !isTransparentWrapperDueToDocumentDomain) {
+    // Do a belt-and-suspenders check against exposing eval()/Function() to
+    // non-subsuming content.
+    if (JSFunction* fun = JS_GetObjectFunction(obj)) {
+      if (JS_IsBuiltinEvalFunction(fun) ||
+          JS_IsBuiltinFunctionConstructor(fun)) {
+        NS_WARNING(
+            "Trying to expose eval or Function to non-subsuming content!");
+        wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
+                                    Opaque>::singleton;
+      }
+    }
+  }
+
+  DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
+
+  if (existing) {
+    return Wrapper::Renew(existing, obj, wrapper);
+  }
+
+  return Wrapper::New(cx, obj, wrapper);
+}
+
+// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
+// wrapped in an Xray wrapper. cx->compartment is the compartment that will be
+// using the returned object. If the object to be wrapped is already in the
+// correct compartment, then this returns the unwrapped object.
+bool WrapperFactory::WaiveXrayAndWrap(JSContext* cx, MutableHandleValue vp) {
+  if (vp.isPrimitive()) {
+    return JS_WrapValue(cx, vp);
+  }
+
+  RootedObject obj(cx, &vp.toObject());
+  if (!WaiveXrayAndWrap(cx, &obj)) {
+    return false;
+  }
+
+  vp.setObject(*obj);
+  return true;
+}
+
+bool WrapperFactory::WaiveXrayAndWrap(JSContext* cx,
+                                      MutableHandleObject argObj) {
+  MOZ_ASSERT(argObj);
+  RootedObject obj(cx, js::UncheckedUnwrap(argObj));
+  MOZ_ASSERT(!js::IsWindow(obj));
+  if (js::IsObjectInContextCompartment(obj, cx)) {
+    argObj.set(obj);
+    return true;
+  }
+
+  // Even though waivers have no effect on access by scopes that don't subsume
+  // the underlying object, good defense-in-depth dictates that we should avoid
+  // handing out waivers to callers that can't use them. The transitive waiving
+  // machinery unconditionally calls WaiveXrayAndWrap on return values from
+  // waived functions, even though the return value might be not be same-origin
+  // with the function. So if we find ourselves trying to create a waiver for
+  // |cx|, we should check whether the caller has any business with waivers
+  // to things in |obj|'s compartment.
+  JS::Compartment* target = js::GetContextCompartment(cx);
+  JS::Compartment* origin = JS::GetCompartment(obj);
+  obj = AllowWaiver(target, origin) ? WaiveXray(cx, obj) : obj;
+  if (!obj) {
+    return false;
+  }
+
+  if (!JS_WrapObject(cx, &obj)) {
+    return false;
+  }
+  argObj.set(obj);
+  return true;
+}
+
+/*
+ * Calls to JS_TransplantObject* should go through these helpers here so that
+ * waivers get fixed up properly.
+ */
+
+static bool FixWaiverAfterTransplant(JSContext* cx, HandleObject oldWaiver,
+                                     HandleObject newobj,
+                                     bool crossCompartmentTransplant) {
+  MOZ_ASSERT(Wrapper::wrapperHandler(oldWaiver) == &XrayWaiver);
+  MOZ_ASSERT(!js::IsCrossCompartmentWrapper(newobj));
+
+  if (crossCompartmentTransplant) {
+    // If the new compartment has a CCW for oldWaiver, nuke this CCW. This
+    // prevents confusing RemapAllWrappersForObject: it would call RemapWrapper
+    // with two same-compartment objects (the CCW and the new waiver).
+    //
+    // This can happen when loading a chrome page in a content frame and there
+    // exists a CCW from the chrome compartment to oldWaiver wrapping the window
+    // we just transplanted:
+    //
+    // Compartment 1  |  Compartment 2
+    // ----------------------------------------
+    // CCW1 -----------> oldWaiver --> CCW2 --+
+    // newWaiver                              |
+    // WindowProxy <--------------------------+
+    js::NukeCrossCompartmentWrapperIfExists(cx, JS::GetCompartment(newobj),
+                                            oldWaiver);
+  } else {
+    // We kept the same object identity, so the waiver should be a
+    // waiver for our object, just in the wrong Realm.
+    MOZ_ASSERT(newobj == Wrapper::wrappedObject(oldWaiver));
+  }
+
+  // Create a waiver in the new compartment. We know there's not one already in
+  // the crossCompartmentTransplant case because we _just_ transplanted, which
+  // means that |newobj| was either created from scratch, or was previously
+  // cross-compartment wrapper (which should have no waiver). On the other hand,
+  // in the !crossCompartmentTransplant case we know one already exists.
+  // CreateXrayWaiver asserts all this.
+  RootedObject newWaiver(
+      cx, WrapperFactory::CreateXrayWaiver(
+              cx, newobj, /* allowExisting = */ !crossCompartmentTransplant));
+  if (!newWaiver) {
+    return false;
+  }
+
+  if (!crossCompartmentTransplant) {
+    // CreateXrayWaiver should have updated the map to point to the new waiver.
+    MOZ_ASSERT(WrapperFactory::GetXrayWaiver(newobj) == newWaiver);
+  }
+
+  // Update all the cross-compartment references to oldWaiver to point to
+  // newWaiver.
+  if (!js::RemapAllWrappersForObject(cx, oldWaiver, newWaiver)) {
+    return false;
+  }
+
+  if (crossCompartmentTransplant) {
+    // There should be no same-compartment references to oldWaiver, and we
+    // just remapped all cross-compartment references. It's dead, so we can
+    // remove it from the map.
+    XPCWrappedNativeScope* scope = ObjectScope(oldWaiver);
+    JSObject* key = Wrapper::wrappedObject(oldWaiver);
+    MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
+    scope->mWaiverWrapperMap->Remove(key);
+  }
+
+  return true;
+}
+
+JSObject* TransplantObject(JSContext* cx, JS::HandleObject origobj,
+                           JS::HandleObject target) {
+  RootedObject oldWaiver(cx, WrapperFactory::GetXrayWaiver(origobj));
+  MOZ_ASSERT_IF(oldWaiver, GetNonCCWObjectRealm(oldWaiver) ==
+                               GetNonCCWObjectRealm(origobj));
+  RootedObject newIdentity(cx, JS_TransplantObject(cx, origobj, target));
+  if (!newIdentity || !oldWaiver) {
+    return newIdentity;
+  }
+
+  bool crossCompartmentTransplant = (newIdentity != origobj);
+  if (!crossCompartmentTransplant) {
+    // We might still have been transplanted across realms within a single
+    // compartment.
+    if (GetNonCCWObjectRealm(oldWaiver) == GetNonCCWObjectRealm(newIdentity)) {
+      // The old waiver is same-realm with the new object; nothing else to do
+      // here.
+      return newIdentity;
+    }
+  }
+
+  if (!FixWaiverAfterTransplant(cx, oldWaiver, newIdentity,
+                                crossCompartmentTransplant)) {
+    return nullptr;
+  }
+  return newIdentity;
+}
+
+JSObject* TransplantObjectRetainingXrayExpandos(JSContext* cx,
+                                                JS::HandleObject origobj,
+                                                JS::HandleObject target) {
+  // Save the chain of objects that carry origobj's Xray expando properties
+  // (from all compartments). TransplantObject will blow this away; we'll
+  // restore it manually afterwards.
+  RootedObject expandoChain(
+      cx, GetXrayTraits(origobj)->detachExpandoChain(origobj));
+
+  RootedObject newIdentity(cx, TransplantObject(cx, origobj, target));
+
+  // Copy Xray expando properties to the new wrapper.
+  if (!GetXrayTraits(newIdentity)
+           ->cloneExpandoChain(cx, newIdentity, expandoChain)) {
+    // Failure here means some expandos were not copied over. The object graph
+    // and the Xray machinery are left in a consistent state, but mysteriously
+    // losing these expandos is too weird to allow.
+    MOZ_CRASH();
+  }
+
+  return newIdentity;
+}
+
+static void NukeXrayWaiver(JSContext* cx, JS::HandleObject obj) {
+  RootedObject waiver(cx, WrapperFactory::GetXrayWaiver(obj));
+  if (!waiver) {
+    return;
+  }
+
+  XPCWrappedNativeScope* scope = ObjectScope(waiver);
+  JSObject* key = Wrapper::wrappedObject(waiver);
+  MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
+  scope->mWaiverWrapperMap->Remove(key);
+
+  js::NukeNonCCWProxy(cx, waiver);
+
+  // Get rid of any CCWs the waiver may have had.
+  if (!JS_RefreshCrossCompartmentWrappers(cx, waiver)) {
+    MOZ_CRASH();
+  }
+}
+
+JSObject* TransplantObjectNukingXrayWaiver(JSContext* cx,
+                                           JS::HandleObject origObj,
+                                           JS::HandleObject target) {
+  NukeXrayWaiver(cx, origObj);
+  return JS_TransplantObject(cx, origObj, target);
+}
+
+nsIGlobalObject* NativeGlobal(JSObject* obj) {
+  obj = JS::GetNonCCWObjectGlobal(obj);
+
+  // Every global needs to hold a native as its first reserved slot or be a
+  // WebIDL object with an nsISupports DOM object.
+  MOZ_ASSERT(JS::GetClass(obj)->slot0IsISupports() ||
+             dom::UnwrapDOMObjectToISupports(obj));
+
+  nsISupports* native = dom::UnwrapDOMObjectToISupports(obj);
+  if (!native) {
+    native = JS::GetObjectISupports<nsISupports>(obj);
+    MOZ_ASSERT(native);
+
+    // In some cases (like for windows) it is a wrapped native,
+    // in other cases (sandboxes, backstage passes) it's just
+    // a direct pointer to the native. If it's a wrapped native
+    // let's unwrap it first.
+    if (nsCOMPtr<nsIXPConnectWrappedNative> wn = do_QueryInterface(native)) {
+      native = wn->Native();
+    }
+  }
+
+  nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(native);
+  MOZ_ASSERT(global,
+             "Native held by global needs to implement nsIGlobalObject!");
+
+  return global;
+}
+
+nsIGlobalObject* CurrentNativeGlobal(JSContext* cx) {
+  return xpc::NativeGlobal(JS::CurrentGlobalOrNull(cx));
+}
+
+}  // namespace xpc
diff --git a/js/xpconnect/wrappers/WrapperFactory.h b/js/xpconnect/wrappers/WrapperFactory.h
new file mode 100644
index 0000000000..f1200bf765
--- /dev/null
+++ b/js/xpconnect/wrappers/WrapperFactory.h
@@ -0,0 +1,114 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _xpc_WRAPPERFACTORY_H
+#define _xpc_WRAPPERFACTORY_H
+
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+/**
+ * A wrapper that's only used for cross-origin objects. This should be
+ * just like a CrossCompartmentWrapper but (as an implementation
+ * detail) doesn't actually do any compartment-entering and (as an
+ * implementation detail) delegates all the security decisions and
+ * compartment-entering to the target object, which is always a
+ * proxy.
+ *
+ * We could also inherit from CrossCompartmentWrapper but then we
+ * would need to override all the proxy hooks to avoid the
+ * compartment-entering bits.
+ */
+class CrossOriginObjectWrapper : public js::Wrapper {
+ public:
+  // We want to claim to have a security policy, so code doesn't just
+  // CheckedUnwrap us willy-nilly.  But we're OK with the BaseProxyHandler
+  // implementation of enter(), which allows entering.  Our target is what
+  // really does the security checks.
+  //
+  // We don't want to inherit from CrossCompartmentWrapper, because we don't
+  // want the compartment-entering behavior it has.  But we do want to set the
+  // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for
+  // is<js::CrossCompartmentWrapperObject> and so forth.
+  constexpr explicit CrossOriginObjectWrapper()
+      : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false,
+                    /* aHasSecurityPolicy = */ true) {}
+
+  bool dynamicCheckedUnwrapAllowed(JS::Handle<JSObject*> obj,
+                                   JSContext* cx) const override;
+
+  // Cross origin objects should not participate in private fields.
+  virtual bool throwOnPrivateField() const override { return true; }
+
+  static const CrossOriginObjectWrapper singleton;
+};
+
+class WrapperFactory {
+ public:
+  enum {
+    WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1,
+    IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1
+  };
+
+  // Return true if any of any of the nested wrappers have the flag set.
+  static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) {
+    unsigned flags = 0;
+    js::UncheckedUnwrap(wrapper, true, &flags);
+    return !!(flags & flag);
+  }
+
+  static bool IsXrayWrapper(JSObject* wrapper) {
+    return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG);
+  }
+
+  static bool IsCrossOriginWrapper(JSObject* obj) {
+    return (js::IsProxy(obj) &&
+            js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton);
+  }
+
+  static bool IsOpaqueWrapper(JSObject* obj);
+
+  static bool HasWaiveXrayFlag(JSObject* wrapper) {
+    return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG);
+  }
+
+  static bool IsCOW(JSObject* wrapper);
+
+  static JSObject* GetXrayWaiver(JS::Handle<JSObject*> obj);
+  // If allowExisting is true, there is an existing waiver for obj in
+  // its scope, but we want to replace it with the new one.
+  static JSObject* CreateXrayWaiver(JSContext* cx, JS::Handle<JSObject*> obj,
+                                    bool allowExisting = false);
+  static JSObject* WaiveXray(JSContext* cx, JSObject* obj);
+
+  // Computes whether we should allow the creation of an Xray waiver from
+  // |target| to |origin|.
+  static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin);
+
+  // Convenience method for the above, operating on a wrapper.
+  static bool AllowWaiver(JSObject* wrapper);
+
+  // Prepare a given object for wrapping in a new compartment.
+  static void PrepareForWrapping(JSContext* cx, JS::Handle<JSObject*> scope,
+                                 JS::Handle<JSObject*> origObj,
+                                 JS::Handle<JSObject*> obj,
+                                 JS::Handle<JSObject*> objectPassedToWrap,
+                                 JS::MutableHandle<JSObject*> retObj);
+
+  // Rewrap an object that is about to cross compartment boundaries.
+  static JSObject* Rewrap(JSContext* cx, JS::Handle<JSObject*> existing,
+                          JS::Handle<JSObject*> obj);
+
+  // Wrap wrapped object into a waiver wrapper and then re-wrap it.
+  static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandle<JS::Value> vp);
+  static bool WaiveXrayAndWrap(JSContext* cx,
+                               JS::MutableHandle<JSObject*> object);
+};
+
+}  // namespace xpc
+
+#endif /* _xpc_WRAPPERFACTORY_H */
diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp
new file mode 100644
index 0000000000..6051e1c6e5
--- /dev/null
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -0,0 +1,2335 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "XrayWrapper.h"
+#include "AccessCheck.h"
+#include "WrapperFactory.h"
+
+#include "nsDependentString.h"
+#include "nsIConsoleService.h"
+#include "nsIScriptError.h"
+
+#include "xpcprivate.h"
+
+#include "jsapi.h"
+#include "js/CallAndConstruct.h"  // JS::Call, JS::Construct, JS::IsCallable
+#include "js/experimental/TypedData.h"  // JS_GetTypedArrayLength
+#include "js/friend/WindowProxy.h"      // js::IsWindowProxy
+#include "js/friend/XrayJitInfo.h"      // JS::XrayJitInfo
+#include "js/Object.h"  // JS::GetClass, JS::GetCompartment, JS::GetReservedSlot, JS::SetReservedSlot
+#include "js/PropertyAndElement.h"  // JS_AlreadyHasOwnPropertyById, JS_DefineProperty, JS_DefinePropertyById, JS_DeleteProperty, JS_DeletePropertyById, JS_HasProperty, JS_HasPropertyById
+#include "js/PropertyDescriptor.h"  // JS::PropertyDescriptor, JS_GetOwnPropertyDescriptorById, JS_GetPropertyDescriptorById
+#include "js/PropertySpec.h"
+#include "nsJSUtils.h"
+#include "nsPrintfCString.h"
+
+#include "mozilla/FloatingPoint.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/ProxyHandlerUtils.h"
+#include "mozilla/dom/WindowProxyHolder.h"
+#include "mozilla/dom/XrayExpandoClass.h"
+
+using namespace mozilla::dom;
+using namespace JS;
+using namespace mozilla;
+
+using js::BaseProxyHandler;
+using js::CheckedUnwrapStatic;
+using js::IsCrossCompartmentWrapper;
+using js::UncheckedUnwrap;
+using js::Wrapper;
+
+namespace xpc {
+
+#define Between(x, a, b) (a <= x && x <= b)
+
+static_assert(JSProto_URIError - JSProto_Error == 8,
+              "New prototype added in error object range");
+#define AssertErrorObjectKeyInBounds(key)                      \
+  static_assert(Between(key, JSProto_Error, JSProto_URIError), \
+                "We depend on js/ProtoKey.h ordering here");
+MOZ_FOR_EACH(AssertErrorObjectKeyInBounds, (),
+             (JSProto_Error, JSProto_InternalError, JSProto_AggregateError,
+              JSProto_EvalError, JSProto_RangeError, JSProto_ReferenceError,
+              JSProto_SyntaxError, JSProto_TypeError, JSProto_URIError));
+
+static_assert(JSProto_Uint8ClampedArray - JSProto_Int8Array == 8,
+              "New prototype added in typed array range");
+#define AssertTypedArrayKeyInBounds(key)                                    \
+  static_assert(Between(key, JSProto_Int8Array, JSProto_Uint8ClampedArray), \
+                "We depend on js/ProtoKey.h ordering here");
+MOZ_FOR_EACH(AssertTypedArrayKeyInBounds, (),
+             (JSProto_Int8Array, JSProto_Uint8Array, JSProto_Int16Array,
+              JSProto_Uint16Array, JSProto_Int32Array, JSProto_Uint32Array,
+              JSProto_Float32Array, JSProto_Float64Array,
+              JSProto_Uint8ClampedArray));
+
+#undef Between
+
+inline bool IsErrorObjectKey(JSProtoKey key) {
+  return key >= JSProto_Error && key <= JSProto_URIError;
+}
+
+inline bool IsTypedArrayKey(JSProtoKey key) {
+  return key >= JSProto_Int8Array && key <= JSProto_Uint8ClampedArray;
+}
+
+// Whitelist for the standard ES classes we can Xray to.
+static bool IsJSXraySupported(JSProtoKey key) {
+  if (IsTypedArrayKey(key)) {
+    return true;
+  }
+  if (IsErrorObjectKey(key)) {
+    return true;
+  }
+  switch (key) {
+    case JSProto_Date:
+    case JSProto_DataView:
+    case JSProto_Object:
+    case JSProto_Array:
+    case JSProto_Function:
+    case JSProto_BoundFunction:
+    case JSProto_TypedArray:
+    case JSProto_SavedFrame:
+    case JSProto_RegExp:
+    case JSProto_Promise:
+    case JSProto_ArrayBuffer:
+    case JSProto_SharedArrayBuffer:
+    case JSProto_Map:
+    case JSProto_Set:
+    case JSProto_WeakMap:
+    case JSProto_WeakSet:
+      return true;
+    default:
+      return false;
+  }
+}
+
+XrayType GetXrayType(JSObject* obj) {
+  obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
+  if (mozilla::dom::UseDOMXray(obj)) {
+    return XrayForDOMObject;
+  }
+
+  MOZ_ASSERT(!js::IsWindowProxy(obj));
+
+  JSProtoKey standardProto = IdentifyStandardInstanceOrPrototype(obj);
+  if (IsJSXraySupported(standardProto)) {
+    return XrayForJSObject;
+  }
+
+  // Modulo a few exceptions, everything else counts as an XrayWrapper to an
+  // opaque object, which means that more-privileged code sees nothing from
+  // the underlying object. This is very important for security. In some cases
+  // though, we need to make an exception for compatibility.
+  if (IsSandbox(obj)) {
+    return NotXray;
+  }
+
+  return XrayForOpaqueObject;
+}
+
+JSObject* XrayAwareCalleeGlobal(JSObject* fun) {
+  MOZ_ASSERT(js::IsFunctionObject(fun));
+
+  if (!js::FunctionHasNativeReserved(fun)) {
+    // Just a normal function, no Xrays involved.
+    return JS::GetNonCCWObjectGlobal(fun);
+  }
+
+  // The functions we expect here have the Xray wrapper they're associated with
+  // in their XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT and, in a debug build,
+  // themselves in their XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF.  Assert that
+  // last bit.
+  MOZ_ASSERT(&js::GetFunctionNativeReserved(
+                  fun, XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF)
+                  .toObject() == fun);
+
+  Value v =
+      js::GetFunctionNativeReserved(fun, XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT);
+  MOZ_ASSERT(IsXrayWrapper(&v.toObject()));
+
+  JSObject* xrayTarget = js::UncheckedUnwrap(&v.toObject());
+  return JS::GetNonCCWObjectGlobal(xrayTarget);
+}
+
+JSObject* XrayTraits::getExpandoChain(HandleObject obj) {
+  return ObjectScope(obj)->GetExpandoChain(obj);
+}
+
+JSObject* XrayTraits::detachExpandoChain(HandleObject obj) {
+  return ObjectScope(obj)->DetachExpandoChain(obj);
+}
+
+bool XrayTraits::setExpandoChain(JSContext* cx, HandleObject obj,
+                                 HandleObject chain) {
+  return ObjectScope(obj)->SetExpandoChain(cx, obj, chain);
+}
+
+const JSClass XrayTraits::HolderClass = {
+    "XrayHolder", JSCLASS_HAS_RESERVED_SLOTS(HOLDER_SHARED_SLOT_COUNT)};
+
+const JSClass JSXrayTraits::HolderClass = {
+    "JSXrayHolder", JSCLASS_HAS_RESERVED_SLOTS(SLOT_COUNT)};
+
+bool OpaqueXrayTraits::resolveOwnProperty(
+    JSContext* cx, HandleObject wrapper, HandleObject target,
+    HandleObject holder, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> desc) {
+  bool ok =
+      XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+  if (!ok || desc.isSome()) {
+    return ok;
+  }
+
+  return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+                             "object is not safely Xrayable");
+}
+
+bool ReportWrapperDenial(JSContext* cx, HandleId id, WrapperDenialType type,
+                         const char* reason) {
+  RealmPrivate* priv = RealmPrivate::Get(CurrentGlobalOrNull(cx));
+  bool alreadyWarnedOnce = priv->wrapperDenialWarnings[type];
+  priv->wrapperDenialWarnings[type] = true;
+
+  // The browser console warning is only emitted for the first violation,
+  // whereas the (debug-only) NS_WARNING is emitted for each violation.
+#ifndef DEBUG
+  if (alreadyWarnedOnce) {
+    return true;
+  }
+#endif
+
+  nsAutoJSString propertyName;
+  RootedValue idval(cx);
+  if (!JS_IdToValue(cx, id, &idval)) {
+    return false;
+  }
+  JSString* str = JS_ValueToSource(cx, idval);
+  if (!str) {
+    return false;
+  }
+  if (!propertyName.init(cx, str)) {
+    return false;
+  }
+  AutoFilename filename;
+  unsigned line = 0, column = 0;
+  DescribeScriptedCaller(cx, &filename, &line, &column);
+
+  // Warn to the terminal for the logs.
+  NS_WARNING(
+      nsPrintfCString("Silently denied access to property %s: %s (@%s:%u:%u)",
+                      NS_LossyConvertUTF16toASCII(propertyName).get(), reason,
+                      filename.get(), line, column)
+          .get());
+
+  // If this isn't the first warning on this topic for this global, we've
+  // already bailed out in opt builds. Now that the NS_WARNING is done, bail
+  // out in debug builds as well.
+  if (alreadyWarnedOnce) {
+    return true;
+  }
+
+  //
+  // Log a message to the console service.
+  //
+
+  // Grab the pieces.
+  nsCOMPtr<nsIConsoleService> consoleService =
+      do_GetService(NS_CONSOLESERVICE_CONTRACTID);
+  NS_ENSURE_TRUE(consoleService, true);
+  nsCOMPtr<nsIScriptError> errorObject =
+      do_CreateInstance(NS_SCRIPTERROR_CONTRACTID);
+  NS_ENSURE_TRUE(errorObject, true);
+
+  // Compute the current window id if any.
+  uint64_t windowId = 0;
+  if (nsGlobalWindowInner* win = CurrentWindowOrNull(cx)) {
+    windowId = win->WindowID();
+  }
+
+  Maybe<nsPrintfCString> errorMessage;
+  if (type == WrapperDenialForXray) {
+    errorMessage.emplace(
+        "XrayWrapper denied access to property %s (reason: %s). "
+        "See https://developer.mozilla.org/en-US/docs/Xray_vision "
+        "for more information. Note that only the first denied "
+        "property access from a given global object will be reported.",
+        NS_LossyConvertUTF16toASCII(propertyName).get(), reason);
+  } else {
+    MOZ_ASSERT(type == WrapperDenialForCOW);
+    errorMessage.emplace(
+        "Security wrapper denied access to property %s on privileged "
+        "Javascript object. Note that only the first denied property "
+        "access from a given global object will be reported.",
+        NS_LossyConvertUTF16toASCII(propertyName).get());
+  }
+  nsString filenameStr(NS_ConvertASCIItoUTF16(filename.get()));
+  nsresult rv = errorObject->InitWithWindowID(
+      NS_ConvertASCIItoUTF16(errorMessage.ref()), filenameStr, u""_ns, line,
+      column, nsIScriptError::warningFlag, "XPConnect", windowId);
+  NS_ENSURE_SUCCESS(rv, true);
+  rv = consoleService->LogMessage(errorObject);
+  NS_ENSURE_SUCCESS(rv, true);
+
+  return true;
+}
+
+bool JSXrayTraits::getOwnPropertyFromWrapperIfSafe(
+    JSContext* cx, HandleObject wrapper, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> outDesc) {
+  MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+  RootedObject target(cx, getTargetObject(wrapper));
+  RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+  {
+    JSAutoRealm ar(cx, target);
+    JS_MarkCrossZoneId(cx, id);
+    if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper, wrapperGlobal, id,
+                                        outDesc)) {
+      return false;
+    }
+  }
+  return JS_WrapPropertyDescriptor(cx, outDesc);
+}
+
+bool JSXrayTraits::getOwnPropertyFromTargetIfSafe(
+    JSContext* cx, HandleObject target, HandleObject wrapper,
+    HandleObject wrapperGlobal, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> outDesc) {
+  // Note - This function operates in the target compartment, because it
+  // avoids a bunch of back-and-forth wrapping in enumerateNames.
+  MOZ_ASSERT(getTargetObject(wrapper) == target);
+  MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx));
+  MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
+  MOZ_ASSERT(JS_IsGlobalObject(wrapperGlobal));
+  js::AssertSameCompartment(wrapper, wrapperGlobal);
+  MOZ_ASSERT(outDesc.isNothing());
+
+  Rooted<Maybe<PropertyDescriptor>> desc(cx);
+  if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &desc)) {
+    return false;
+  }
+
+  // If the property doesn't exist at all, we're done.
+  if (desc.isNothing()) {
+    return true;
+  }
+
+  // Disallow accessor properties.
+  if (desc->isAccessorDescriptor()) {
+    JSAutoRealm ar(cx, wrapperGlobal);
+    JS_MarkCrossZoneId(cx, id);
+    return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+                               "property has accessor");
+  }
+
+  // Apply extra scrutiny to objects.
+  if (desc->value().isObject()) {
+    RootedObject propObj(cx, js::UncheckedUnwrap(&desc->value().toObject()));
+    JSAutoRealm ar(cx, propObj);
+
+    // Disallow non-subsumed objects.
+    if (!AccessCheck::subsumes(target, propObj)) {
+      JSAutoRealm ar(cx, wrapperGlobal);
+      JS_MarkCrossZoneId(cx, id);
+      return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+                                 "value not same-origin with target");
+    }
+
+    // Disallow non-Xrayable objects.
+    XrayType xrayType = GetXrayType(propObj);
+    if (xrayType == NotXray || xrayType == XrayForOpaqueObject) {
+      JSAutoRealm ar(cx, wrapperGlobal);
+      JS_MarkCrossZoneId(cx, id);
+      return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+                                 "value not Xrayable");
+    }
+
+    // Disallow callables.
+    if (JS::IsCallable(propObj)) {
+      JSAutoRealm ar(cx, wrapperGlobal);
+      JS_MarkCrossZoneId(cx, id);
+      return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+                                 "value is callable");
+    }
+  }
+
+  // Disallow any property that shadows something on its (Xrayed)
+  // prototype chain.
+  JSAutoRealm ar2(cx, wrapperGlobal);
+  JS_MarkCrossZoneId(cx, id);
+  RootedObject proto(cx);
+  bool foundOnProto = false;
+  if (!JS_GetPrototype(cx, wrapper, &proto) ||
+      (proto && !JS_HasPropertyById(cx, proto, id, &foundOnProto))) {
+    return false;
+  }
+  if (foundOnProto) {
+    return ReportWrapperDenial(
+        cx, id, WrapperDenialForXray,
+        "value shadows a property on the standard prototype");
+  }
+
+  // We made it! Assign over the descriptor, and don't forget to wrap.
+  outDesc.set(desc);
+  return true;
+}
+
+// Returns true on success (in the JSAPI sense), false on failure.  If true is
+// returned, desc.object() will indicate whether we actually resolved
+// the property.
+//
+// id is the property id we're looking for.
+// holder is the object to define the property on.
+// fs is the relevant JSFunctionSpec*.
+// ps is the relevant JSPropertySpec*.
+// desc is the descriptor we're resolving into.
+static bool TryResolvePropertyFromSpecs(
+    JSContext* cx, HandleId id, HandleObject holder, const JSFunctionSpec* fs,
+    const JSPropertySpec* ps, MutableHandle<Maybe<PropertyDescriptor>> desc) {
+  // Scan through the functions.
+  const JSFunctionSpec* fsMatch = nullptr;
+  for (; fs && fs->name; ++fs) {
+    if (PropertySpecNameEqualsId(fs->name, id)) {
+      fsMatch = fs;
+      break;
+    }
+  }
+  if (fsMatch) {
+    // Generate an Xrayed version of the method.
+    RootedFunction fun(cx, JS::NewFunctionFromSpec(cx, fsMatch, id));
+    if (!fun) {
+      return false;
+    }
+
+    // The generic Xray machinery only defines non-own properties of the target
+    // on the holder. This is broken, and will be fixed at some point, but for
+    // now we need to cache the value explicitly. See the corresponding call to
+    // JS_GetOwnPropertyDescriptorById at the top of
+    // JSXrayTraits::resolveOwnProperty.
+    RootedObject funObj(cx, JS_GetFunctionObject(fun));
+    return JS_DefinePropertyById(cx, holder, id, funObj, 0) &&
+           JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+  }
+
+  // Scan through the properties.
+  const JSPropertySpec* psMatch = nullptr;
+  for (; ps && ps->name; ++ps) {
+    if (PropertySpecNameEqualsId(ps->name, id)) {
+      psMatch = ps;
+      break;
+    }
+  }
+  if (psMatch) {
+    // The generic Xray machinery only defines non-own properties on the holder.
+    // This is broken, and will be fixed at some point, but for now we need to
+    // cache the value explicitly. See the corresponding call to
+    // JS_GetPropertyById at the top of JSXrayTraits::resolveOwnProperty.
+    //
+    // Note also that the public-facing API here doesn't give us a way to
+    // pass along JITInfo. It's probably ok though, since Xrays are already
+    // pretty slow.
+
+    unsigned attrs = psMatch->attributes();
+    if (psMatch->isAccessor()) {
+      if (psMatch->isSelfHosted()) {
+        JSFunction* getterFun = JS::GetSelfHostedFunction(
+            cx, psMatch->u.accessors.getter.selfHosted.funname, id, 0);
+        if (!getterFun) {
+          return false;
+        }
+        RootedObject getterObj(cx, JS_GetFunctionObject(getterFun));
+        RootedObject setterObj(cx);
+        if (psMatch->u.accessors.setter.selfHosted.funname) {
+          JSFunction* setterFun = JS::GetSelfHostedFunction(
+              cx, psMatch->u.accessors.setter.selfHosted.funname, id, 0);
+          if (!setterFun) {
+            return false;
+          }
+          setterObj = JS_GetFunctionObject(setterFun);
+        }
+        if (!JS_DefinePropertyById(cx, holder, id, getterObj, setterObj,
+                                   attrs)) {
+          return false;
+        }
+      } else {
+        if (!JS_DefinePropertyById(
+                cx, holder, id, psMatch->u.accessors.getter.native.op,
+                psMatch->u.accessors.setter.native.op, attrs)) {
+          return false;
+        }
+      }
+    } else {
+      RootedValue v(cx);
+      if (!psMatch->getValue(cx, &v)) {
+        return false;
+      }
+      if (!JS_DefinePropertyById(cx, holder, id, v, attrs)) {
+        return false;
+      }
+    }
+
+    return JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+  }
+
+  return true;
+}
+
+static bool ShouldResolvePrototypeProperty(JSProtoKey key) {
+  // Proxy constructors have no "prototype" property.
+  return key != JSProto_Proxy;
+}
+
+static bool ShouldResolveStaticProperties(JSProtoKey key) {
+  if (!IsJSXraySupported(key)) {
+    // If we can't Xray this ES class, then we can't resolve statics on it.
+    return false;
+  }
+
+  // Don't try to resolve static properties on RegExp, because they
+  // have issues.  In particular, some of them grab state off the
+  // global of the RegExp constructor that describes the last regexp
+  // evaluation in that global, which is not a useful thing to do
+  // over Xrays.
+  return key != JSProto_RegExp;
+}
+
+bool JSXrayTraits::resolveOwnProperty(
+    JSContext* cx, HandleObject wrapper, HandleObject target,
+    HandleObject holder, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> desc) {
+  // Call the common code.
+  bool ok =
+      XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+  if (!ok || desc.isSome()) {
+    return ok;
+  }
+
+  // The non-HasPrototypes semantics implemented by traditional Xrays are kind
+  // of broken with respect to |own|-ness and the holder. The common code
+  // muddles through by only checking the holder for non-|own| lookups, but
+  // that doesn't work for us. So we do an explicit holder check here, and hope
+  // that this mess gets fixed up soon.
+  if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) {
+    return false;
+  }
+  if (desc.isSome()) {
+    return true;
+  }
+
+  JSProtoKey key = getProtoKey(holder);
+  if (!isPrototype(holder)) {
+    // For Object and Array instances, we expose some properties from the
+    // underlying object, but only after filtering them carefully.
+    //
+    // Note that, as far as JS observables go, Arrays are just Objects with
+    // a different prototype and a magic (own, non-configurable) |.length| that
+    // serves as a non-tight upper bound on |own| indexed properties. So while
+    // it's tempting to try to impose some sort of structure on what Arrays
+    // "should" look like over Xrays, the underlying object is squishy enough
+    // that it makes sense to just treat them like Objects for Xray purposes.
+    if (key == JSProto_Object || key == JSProto_Array) {
+      return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+    }
+    if (IsTypedArrayKey(key)) {
+      if (IsArrayIndex(GetArrayIndexFromId(id))) {
+        // WebExtensions can't use cloneInto(), so we just let them do
+        // the slow thing to maximize compatibility.
+        if (CompartmentPrivate::Get(CurrentGlobalOrNull(cx))
+                ->isWebExtensionContentScript) {
+          Rooted<Maybe<PropertyDescriptor>> innerDesc(cx);
+          {
+            JSAutoRealm ar(cx, target);
+            JS_MarkCrossZoneId(cx, id);
+            if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &innerDesc)) {
+              return false;
+            }
+          }
+          if (innerDesc.isSome() && innerDesc->isDataDescriptor() &&
+              innerDesc->value().isNumber()) {
+            desc.set(innerDesc);
+          }
+          return true;
+        }
+        JS_ReportErrorASCII(
+            cx,
+            "Accessing TypedArray data over Xrays is slow, and forbidden "
+            "in order to encourage performant code. To copy TypedArrays "
+            "across origin boundaries, consider using "
+            "Components.utils.cloneInto().");
+        return false;
+      }
+    } else if (key == JSProto_Function) {
+      if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) {
+        uint16_t length;
+        RootedFunction fun(cx, JS_GetObjectFunction(target));
+        {
+          JSAutoRealm ar(cx, target);
+          if (!JS_GetFunctionLength(cx, fun, &length)) {
+            return false;
+          }
+        }
+        desc.set(Some(PropertyDescriptor::Data(NumberValue(length), {})));
+        return true;
+      }
+      if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAME)) {
+        RootedString fname(cx, JS_GetFunctionId(JS_GetObjectFunction(target)));
+        if (fname) {
+          JS_MarkCrossZoneIdValue(cx, StringValue(fname));
+        }
+        desc.set(Some(PropertyDescriptor::Data(
+            fname ? StringValue(fname) : JS_GetEmptyStringValue(cx), {})));
+      } else {
+        // Look for various static properties/methods and the
+        // 'prototype' property.
+        JSProtoKey standardConstructor = constructorFor(holder);
+        if (standardConstructor != JSProto_Null) {
+          // Handle the 'prototype' property to make
+          // xrayedGlobal.StandardClass.prototype work.
+          if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE) &&
+              ShouldResolvePrototypeProperty(standardConstructor)) {
+            RootedObject standardProto(cx);
+            {
+              JSAutoRealm ar(cx, target);
+              if (!JS_GetClassPrototype(cx, standardConstructor,
+                                        &standardProto)) {
+                return false;
+              }
+              MOZ_ASSERT(standardProto);
+            }
+
+            if (!JS_WrapObject(cx, &standardProto)) {
+              return false;
+            }
+            desc.set(Some(
+                PropertyDescriptor::Data(ObjectValue(*standardProto), {})));
+            return true;
+          }
+
+          if (ShouldResolveStaticProperties(standardConstructor)) {
+            const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+            MOZ_ASSERT(clasp->specDefined());
+
+            if (!TryResolvePropertyFromSpecs(
+                    cx, id, holder, clasp->specConstructorFunctions(),
+                    clasp->specConstructorProperties(), desc)) {
+              return false;
+            }
+
+            if (desc.isSome()) {
+              return true;
+            }
+          }
+        }
+      }
+    } else if (IsErrorObjectKey(key)) {
+      // The useful state of error objects (except for .stack) is
+      // (unfortunately) represented as own data properties per-spec. This
+      // means that we can't have a a clean representation of the data
+      // (free from tampering) without doubling the slots of Error
+      // objects, which isn't great. So we forward these properties to the
+      // underlying object and then just censor any values with the wrong
+      // type. This limits the ability of content to do anything all that
+      // confusing.
+      bool isErrorIntProperty =
+          id == GetJSIDByIndex(cx, XPCJSContext::IDX_LINENUMBER) ||
+          id == GetJSIDByIndex(cx, XPCJSContext::IDX_COLUMNNUMBER);
+      bool isErrorStringProperty =
+          id == GetJSIDByIndex(cx, XPCJSContext::IDX_FILENAME) ||
+          id == GetJSIDByIndex(cx, XPCJSContext::IDX_MESSAGE);
+      if (isErrorIntProperty || isErrorStringProperty) {
+        RootedObject waiver(cx, wrapper);
+        if (!WrapperFactory::WaiveXrayAndWrap(cx, &waiver)) {
+          return false;
+        }
+        if (!JS_GetOwnPropertyDescriptorById(cx, waiver, id, desc)) {
+          return false;
+        }
+        if (desc.isSome()) {
+          // Make sure the property has the expected type.
+          if (!desc->isDataDescriptor() ||
+              (isErrorIntProperty && !desc->value().isInt32()) ||
+              (isErrorStringProperty && !desc->value().isString())) {
+            desc.reset();
+          }
+        }
+        return true;
+      }
+
+#if defined(NIGHTLY_BUILD)
+      // The optional .cause property can have any value.
+      if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_CAUSE)) {
+        return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+      }
+#endif
+
+      if (key == JSProto_AggregateError &&
+          id == GetJSIDByIndex(cx, XPCJSContext::IDX_ERRORS)) {
+        return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+      }
+    } else if (key == JSProto_RegExp) {
+      if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LASTINDEX)) {
+        return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+      }
+    } else if (key == JSProto_BoundFunction) {
+      // Bound functions have configurable .name and .length own data
+      // properties. Only support string values for .name and number values for
+      // .length.
+      if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAME)) {
+        if (!getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc)) {
+          return false;
+        }
+        if (desc.isSome() &&
+            (!desc->isDataDescriptor() || !desc->value().isString())) {
+          desc.reset();
+        }
+        return true;
+      }
+      if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) {
+        if (!getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc)) {
+          return false;
+        }
+        if (desc.isSome() &&
+            (!desc->isDataDescriptor() || !desc->value().isNumber())) {
+          desc.reset();
+        }
+        return true;
+      }
+    }
+
+    // The rest of this function applies only to prototypes.
+    return true;
+  }
+
+  // Handle the 'constructor' property.
+  if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR)) {
+    RootedObject constructor(cx);
+    {
+      JSAutoRealm ar(cx, target);
+      if (!JS_GetClassObject(cx, key, &constructor)) {
+        return false;
+      }
+    }
+    if (!JS_WrapObject(cx, &constructor)) {
+      return false;
+    }
+    desc.set(Some(PropertyDescriptor::Data(
+        ObjectValue(*constructor),
+        {PropertyAttribute::Configurable, PropertyAttribute::Writable})));
+    return true;
+  }
+
+  if (ShouldIgnorePropertyDefinition(cx, key, id)) {
+    MOZ_ASSERT(desc.isNothing());
+    return true;
+  }
+
+  // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
+  const JSClass* clasp = JS::GetClass(target);
+  MOZ_ASSERT(clasp->specDefined());
+
+  // Indexed array properties are handled above, so we can just work with the
+  // class spec here.
+  return TryResolvePropertyFromSpecs(cx, id, holder,
+                                     clasp->specPrototypeFunctions(),
+                                     clasp->specPrototypeProperties(), desc);
+}
+
+bool JSXrayTraits::delete_(JSContext* cx, HandleObject wrapper, HandleId id,
+                           ObjectOpResult& result) {
+  MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+
+  RootedObject holder(cx, ensureHolder(cx, wrapper));
+  if (!holder) {
+    return false;
+  }
+
+  // If we're using Object Xrays, we allow callers to attempt to delete any
+  // property from the underlying object that they are able to resolve. Note
+  // that this deleting may fail if the property is non-configurable.
+  JSProtoKey key = getProtoKey(holder);
+  bool isObjectOrArrayInstance =
+      (key == JSProto_Object || key == JSProto_Array) && !isPrototype(holder);
+  if (isObjectOrArrayInstance) {
+    RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+    RootedObject target(cx, getTargetObject(wrapper));
+    JSAutoRealm ar(cx, target);
+    JS_MarkCrossZoneId(cx, id);
+    Rooted<Maybe<PropertyDescriptor>> desc(cx);
+    if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper, wrapperGlobal, id,
+                                        &desc)) {
+      return false;
+    }
+    if (desc.isSome()) {
+      return JS_DeletePropertyById(cx, target, id, result);
+    }
+  }
+  return result.succeed();
+}
+
+bool JSXrayTraits::defineProperty(
+    JSContext* cx, HandleObject wrapper, HandleId id,
+    Handle<PropertyDescriptor> desc,
+    Handle<Maybe<PropertyDescriptor>> existingDesc,
+    Handle<JSObject*> existingHolder, ObjectOpResult& result, bool* defined) {
+  *defined = false;
+  RootedObject holder(cx, ensureHolder(cx, wrapper));
+  if (!holder) {
+    return false;
+  }
+
+  // Object and Array instances are special. For those cases, we forward
+  // property definitions to the underlying object if the following
+  // conditions are met:
+  // * The property being defined is a value-prop.
+  // * The property being defined is either a primitive or subsumed by the
+  //   target.
+  // * As seen from the Xray, any existing property that we would overwrite
+  //   is an |own| value-prop.
+  //
+  // To avoid confusion, we disallow expandos on Object and Array instances, and
+  // therefore raise an exception here if the above conditions aren't met.
+  JSProtoKey key = getProtoKey(holder);
+  bool isInstance = !isPrototype(holder);
+  bool isObjectOrArray = (key == JSProto_Object || key == JSProto_Array);
+  if (isObjectOrArray && isInstance) {
+    RootedObject target(cx, getTargetObject(wrapper));
+    if (desc.isAccessorDescriptor()) {
+      JS_ReportErrorASCII(cx,
+                          "Not allowed to define accessor property on [Object] "
+                          "or [Array] XrayWrapper");
+      return false;
+    }
+    if (desc.value().isObject() &&
+        !AccessCheck::subsumes(target,
+                               js::UncheckedUnwrap(&desc.value().toObject()))) {
+      JS_ReportErrorASCII(cx,
+                          "Not allowed to define cross-origin object as "
+                          "property on [Object] or [Array] XrayWrapper");
+      return false;
+    }
+    if (existingDesc.isSome()) {
+      if (existingDesc->isAccessorDescriptor()) {
+        JS_ReportErrorASCII(cx,
+                            "Not allowed to overwrite accessor property on "
+                            "[Object] or [Array] XrayWrapper");
+        return false;
+      }
+      if (existingHolder != wrapper) {
+        JS_ReportErrorASCII(cx,
+                            "Not allowed to shadow non-own Xray-resolved "
+                            "property on [Object] or [Array] XrayWrapper");
+        return false;
+      }
+    }
+
+    Rooted<PropertyDescriptor> wrappedDesc(cx, desc);
+    JSAutoRealm ar(cx, target);
+    JS_MarkCrossZoneId(cx, id);
+    if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc) ||
+        !JS_DefinePropertyById(cx, target, id, wrappedDesc, result)) {
+      return false;
+    }
+    *defined = true;
+    return true;
+  }
+
+  // For WebExtensions content scripts, we forward the definition of indexed
+  // properties. By validating that the key and value are both numbers, we can
+  // avoid doing any wrapping.
+  if (isInstance && IsTypedArrayKey(key) &&
+      CompartmentPrivate::Get(JS::CurrentGlobalOrNull(cx))
+          ->isWebExtensionContentScript &&
+      desc.isDataDescriptor() &&
+      (desc.value().isNumber() || desc.value().isUndefined()) &&
+      IsArrayIndex(GetArrayIndexFromId(id))) {
+    RootedObject target(cx, getTargetObject(wrapper));
+    JSAutoRealm ar(cx, target);
+    JS_MarkCrossZoneId(cx, id);
+    if (!JS_DefinePropertyById(cx, target, id, desc, result)) {
+      return false;
+    }
+    *defined = true;
+    return true;
+  }
+
+  return true;
+}
+
+static bool MaybeAppend(jsid id, unsigned flags, MutableHandleIdVector props) {
+  MOZ_ASSERT(!(flags & JSITER_SYMBOLSONLY));
+  if (!(flags & JSITER_SYMBOLS) && id.isSymbol()) {
+    return true;
+  }
+  return props.append(id);
+}
+
+// Append the names from the given function and property specs to props.
+static bool AppendNamesFromFunctionAndPropertySpecs(
+    JSContext* cx, JSProtoKey key, const JSFunctionSpec* fs,
+    const JSPropertySpec* ps, unsigned flags, MutableHandleIdVector props) {
+  // Convert the method and property names to jsids and pass them to the caller.
+  for (; fs && fs->name; ++fs) {
+    jsid id;
+    if (!PropertySpecNameToPermanentId(cx, fs->name, &id)) {
+      return false;
+    }
+    if (!js::ShouldIgnorePropertyDefinition(cx, key, id)) {
+      if (!MaybeAppend(id, flags, props)) {
+        return false;
+      }
+    }
+  }
+  for (; ps && ps->name; ++ps) {
+    jsid id;
+    if (!PropertySpecNameToPermanentId(cx, ps->name, &id)) {
+      return false;
+    }
+    if (!js::ShouldIgnorePropertyDefinition(cx, key, id)) {
+      if (!MaybeAppend(id, flags, props)) {
+        return false;
+      }
+    }
+  }
+
+  return true;
+}
+
+bool JSXrayTraits::enumerateNames(JSContext* cx, HandleObject wrapper,
+                                  unsigned flags, MutableHandleIdVector props) {
+  MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+
+  RootedObject target(cx, getTargetObject(wrapper));
+  RootedObject holder(cx, ensureHolder(cx, wrapper));
+  if (!holder) {
+    return false;
+  }
+
+  JSProtoKey key = getProtoKey(holder);
+  if (!isPrototype(holder)) {
+    // For Object and Array instances, we expose some properties from the
+    // underlying object, but only after filtering them carefully.
+    if (key == JSProto_Object || key == JSProto_Array) {
+      MOZ_ASSERT(props.empty());
+      RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+      {
+        JSAutoRealm ar(cx, target);
+        RootedIdVector targetProps(cx);
+        if (!js::GetPropertyKeys(cx, target, flags | JSITER_OWNONLY,
+                                 &targetProps)) {
+          return false;
+        }
+        // Loop over the properties, and only pass along the ones that
+        // we determine to be safe.
+        if (!props.reserve(targetProps.length())) {
+          return false;
+        }
+        for (size_t i = 0; i < targetProps.length(); ++i) {
+          Rooted<Maybe<PropertyDescriptor>> desc(cx);
+          RootedId id(cx, targetProps[i]);
+          if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper,
+                                              wrapperGlobal, id, &desc)) {
+            return false;
+          }
+          if (desc.isSome()) {
+            props.infallibleAppend(id);
+          }
+        }
+      }
+      for (size_t i = 0; i < props.length(); ++i) {
+        JS_MarkCrossZoneId(cx, props[i]);
+      }
+      return true;
+    }
+    if (IsTypedArrayKey(key)) {
+      size_t length = JS_GetTypedArrayLength(target);
+      // TypedArrays enumerate every indexed property in range, but
+      // |length| is a getter that lives on the proto, like it should be.
+
+      // Fail early if the typed array is enormous, because this will be very
+      // slow and will likely report OOM. This also means we don't need to
+      // handle indices greater than PropertyKey::IntMax in the loop below.
+      static_assert(PropertyKey::IntMax >= INT32_MAX);
+      if (length > INT32_MAX) {
+        JS_ReportOutOfMemory(cx);
+        return false;
+      }
+
+      if (!props.reserve(length)) {
+        return false;
+      }
+      for (int32_t i = 0; i < int32_t(length); ++i) {
+        props.infallibleAppend(PropertyKey::Int(i));
+      }
+    } else if (key == JSProto_Function) {
+      if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH))) {
+        return false;
+      }
+      if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_NAME))) {
+        return false;
+      }
+      // Handle the .prototype property and static properties on standard
+      // constructors.
+      JSProtoKey standardConstructor = constructorFor(holder);
+      if (standardConstructor != JSProto_Null) {
+        if (ShouldResolvePrototypeProperty(standardConstructor)) {
+          if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE))) {
+            return false;
+          }
+        }
+
+        if (ShouldResolveStaticProperties(standardConstructor)) {
+          const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+          MOZ_ASSERT(clasp->specDefined());
+
+          if (!AppendNamesFromFunctionAndPropertySpecs(
+                  cx, key, clasp->specConstructorFunctions(),
+                  clasp->specConstructorProperties(), flags, props)) {
+            return false;
+          }
+        }
+      }
+    } else if (IsErrorObjectKey(key)) {
+      if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_FILENAME)) ||
+          !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LINENUMBER)) ||
+          !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_COLUMNNUMBER)) ||
+          !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_STACK)) ||
+          !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_MESSAGE))) {
+        return false;
+      }
+    } else if (key == JSProto_RegExp) {
+      if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LASTINDEX))) {
+        return false;
+      }
+    } else if (key == JSProto_BoundFunction) {
+      if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) ||
+          !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_NAME))) {
+        return false;
+      }
+    }
+
+    // The rest of this function applies only to prototypes.
+    return true;
+  }
+
+  // Add the 'constructor' property.
+  if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR))) {
+    return false;
+  }
+
+  // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
+  const JSClass* clasp = JS::GetClass(target);
+  MOZ_ASSERT(clasp->specDefined());
+
+  return AppendNamesFromFunctionAndPropertySpecs(
+      cx, key, clasp->specPrototypeFunctions(),
+      clasp->specPrototypeProperties(), flags, props);
+}
+
+bool JSXrayTraits::construct(JSContext* cx, HandleObject wrapper,
+                             const JS::CallArgs& args,
+                             const js::Wrapper& baseInstance) {
+  JSXrayTraits& self = JSXrayTraits::singleton;
+  JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+  if (!holder) {
+    return false;
+  }
+
+  const JSProtoKey key = xpc::JSXrayTraits::getProtoKey(holder);
+  if (key == JSProto_Function) {
+    JSProtoKey standardConstructor = constructorFor(holder);
+    if (standardConstructor == JSProto_Null) {
+      return baseInstance.construct(cx, wrapper, args);
+    }
+
+    const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+    MOZ_ASSERT(clasp);
+    if (!(clasp->flags & JSCLASS_HAS_XRAYED_CONSTRUCTOR)) {
+      return baseInstance.construct(cx, wrapper, args);
+    }
+
+    // If the JSCLASS_HAS_XRAYED_CONSTRUCTOR flag is set on the Class,
+    // we don't use the constructor at hand. Instead, we retrieve the
+    // equivalent standard constructor in the xray compartment and run
+    // it in that compartment. The newTarget isn't unwrapped, and the
+    // constructor has to be able to detect and handle this situation.
+    // See the comments in js/public/Class.h and PromiseConstructor for
+    // details and an example.
+    RootedObject ctor(cx);
+    if (!JS_GetClassObject(cx, standardConstructor, &ctor)) {
+      return false;
+    }
+
+    RootedValue ctorVal(cx, ObjectValue(*ctor));
+    HandleValueArray vals(args);
+    RootedObject result(cx);
+    if (!JS::Construct(cx, ctorVal, wrapper, vals, &result)) {
+      return false;
+    }
+    AssertSameCompartment(cx, result);
+    args.rval().setObject(*result);
+    return true;
+  }
+  if (key == JSProto_BoundFunction) {
+    return baseInstance.construct(cx, wrapper, args);
+  }
+
+  JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+  js::ReportIsNotFunction(cx, v);
+  return false;
+}
+
+JSObject* JSXrayTraits::createHolder(JSContext* cx, JSObject* wrapper) {
+  RootedObject target(cx, getTargetObject(wrapper));
+  RootedObject holder(cx,
+                      JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr));
+  if (!holder) {
+    return nullptr;
+  }
+
+  // Compute information about the target.
+  bool isPrototype = false;
+  JSProtoKey key = IdentifyStandardInstance(target);
+  if (key == JSProto_Null) {
+    isPrototype = true;
+    key = IdentifyStandardPrototype(target);
+  }
+  MOZ_ASSERT(key != JSProto_Null);
+
+  // Special case: pretend Arguments objects are arrays for Xrays.
+  //
+  // Arguments objects are strange beasts - they inherit Object.prototype,
+  // and implement iteration by defining an |own| property for
+  // Symbol.iterator. Since this value is callable, Array/Object Xrays will
+  // filter it out, causing the Xray view to be non-iterable, which in turn
+  // breaks consumers.
+  //
+  // We can't trust the iterator value from the content compartment,
+  // but the generic one on Array.prototype works well enough. So we force
+  // the Xray view of Arguments objects to inherit Array.prototype, which
+  // in turn allows iteration via the inherited
+  // Array.prototype[Symbol.iterator]. This doesn't emulate any of the weird
+  // semantics of Arguments iterators, but is probably good enough.
+  //
+  // Note that there are various Xray traps that do other special behavior for
+  // JSProto_Array, but they also provide that special behavior for
+  // JSProto_Object, and since Arguments would otherwise get JSProto_Object,
+  // this does not cause any behavior change at those sites.
+  if (key == JSProto_Object && js::IsArgumentsObject(target)) {
+    key = JSProto_Array;
+  }
+
+  // Store it on the holder.
+  RootedValue v(cx);
+  v.setNumber(static_cast<uint32_t>(key));
+  JS::SetReservedSlot(holder, SLOT_PROTOKEY, v);
+  v.setBoolean(isPrototype);
+  JS::SetReservedSlot(holder, SLOT_ISPROTOTYPE, v);
+
+  // If this is a function, also compute whether it serves as a constructor
+  // for a standard class.
+  if (key == JSProto_Function) {
+    v.setNumber(static_cast<uint32_t>(IdentifyStandardConstructor(target)));
+    JS::SetReservedSlot(holder, SLOT_CONSTRUCTOR_FOR, v);
+  }
+
+  return holder;
+}
+
+DOMXrayTraits DOMXrayTraits::singleton;
+JSXrayTraits JSXrayTraits::singleton;
+OpaqueXrayTraits OpaqueXrayTraits::singleton;
+
+XrayTraits* GetXrayTraits(JSObject* obj) {
+  switch (GetXrayType(obj)) {
+    case XrayForDOMObject:
+      return &DOMXrayTraits::singleton;
+    case XrayForJSObject:
+      return &JSXrayTraits::singleton;
+    case XrayForOpaqueObject:
+      return &OpaqueXrayTraits::singleton;
+    default:
+      return nullptr;
+  }
+}
+
+/*
+ * Xray expando handling.
+ *
+ * We hang expandos for Xray wrappers off a reserved slot on the target object
+ * so that same-origin compartments can share expandos for a given object. We
+ * have a linked list of expando objects, one per origin. The properties on
+ * these objects are generally wrappers pointing back to the compartment that
+ * applied them.
+ *
+ * The expando objects should _never_ be exposed to script. The fact that they
+ * live in the target compartment is a detail of the implementation, and does
+ * not imply that code in the target compartment should be allowed to inspect
+ * them. They are private to the origin that placed them.
+ */
+
+// Certain compartments do not share expandos with other compartments. Xrays in
+// these compartments cache expandos on the wrapper's holder, as there is only
+// one such wrapper which can create or access the expando. This allows for
+// faster access to the expando, including through JIT inline caches.
+static inline bool CompartmentHasExclusiveExpandos(JSObject* obj) {
+  JS::Compartment* comp = JS::GetCompartment(obj);
+  CompartmentPrivate* priv = CompartmentPrivate::Get(comp);
+  return priv && priv->hasExclusiveExpandos;
+}
+
+static inline JSObject* GetCachedXrayExpando(JSObject* wrapper);
+
+static inline void SetCachedXrayExpando(JSObject* holder,
+                                        JSObject* expandoWrapper);
+
+static nsIPrincipal* WrapperPrincipal(JSObject* obj) {
+  // Use the principal stored in CompartmentOriginInfo. That works because
+  // consumers are only interested in the origin-ignoring-document.domain.
+  // See expandoObjectMatchesConsumer.
+  MOZ_ASSERT(IsXrayWrapper(obj));
+  JS::Compartment* comp = JS::GetCompartment(obj);
+  CompartmentPrivate* priv = CompartmentPrivate::Get(comp);
+  return priv->originInfo.GetPrincipalIgnoringDocumentDomain();
+}
+
+static nsIPrincipal* GetExpandoObjectPrincipal(JSObject* expandoObject) {
+  Value v = JS::GetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN);
+  return static_cast<nsIPrincipal*>(v.toPrivate());
+}
+
+static void ExpandoObjectFinalize(JS::GCContext* gcx, JSObject* obj) {
+  // Release the principal.
+  nsIPrincipal* principal = GetExpandoObjectPrincipal(obj);
+  NS_RELEASE(principal);
+}
+
+const JSClassOps XrayExpandoObjectClassOps = {
+    nullptr,                // addProperty
+    nullptr,                // delProperty
+    nullptr,                // enumerate
+    nullptr,                // newEnumerate
+    nullptr,                // resolve
+    nullptr,                // mayResolve
+    ExpandoObjectFinalize,  // finalize
+    nullptr,                // call
+    nullptr,                // construct
+    nullptr,                // trace
+};
+
+bool XrayTraits::expandoObjectMatchesConsumer(JSContext* cx,
+                                              HandleObject expandoObject,
+                                              nsIPrincipal* consumerOrigin) {
+  MOZ_ASSERT(js::IsObjectInContextCompartment(expandoObject, cx));
+
+  // First, compare the principals.
+  nsIPrincipal* o = GetExpandoObjectPrincipal(expandoObject);
+  // Note that it's very important here to ignore document.domain. We
+  // pull the principal for the expando object off of the first consumer
+  // for a given origin, and freely share the expandos amongst multiple
+  // same-origin consumers afterwards. However, this means that we have
+  // no way to know whether _all_ consumers have opted in to collaboration
+  // by explicitly setting document.domain. So we just mandate that expando
+  // sharing is unaffected by it.
+  if (!consumerOrigin->Equals(o)) {
+    return false;
+  }
+
+  // Certain globals exclusively own the associated expandos, in which case
+  // the caller should have used the cached expando on the wrapper instead.
+  JSObject* owner = JS::GetReservedSlot(expandoObject,
+                                        JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER)
+                        .toObjectOrNull();
+  return owner == nullptr;
+}
+
+bool XrayTraits::getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
+                                          HandleObject exclusiveWrapper,
+                                          nsIPrincipal* origin,
+                                          MutableHandleObject expandoObject) {
+  MOZ_ASSERT(!JS_IsExceptionPending(cx));
+  expandoObject.set(nullptr);
+
+  // Use the cached expando if this wrapper has exclusive access to it.
+  if (exclusiveWrapper) {
+    JSObject* expandoWrapper = GetCachedXrayExpando(exclusiveWrapper);
+    expandoObject.set(expandoWrapper ? UncheckedUnwrap(expandoWrapper)
+                                     : nullptr);
+#ifdef DEBUG
+    // Make sure the expando we found is on the target's chain. While we
+    // don't use this chain to look up expandos for the wrapper,
+    // the expando still needs to be on the chain to keep the wrapper and
+    // expando alive.
+    if (expandoObject) {
+      JSObject* head = expandoChain;
+      while (head && head != expandoObject) {
+        head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+      }
+      MOZ_ASSERT(head == expandoObject);
+    }
+#endif
+    return true;
+  }
+
+  // The expando object lives in the compartment of the target, so all our
+  // work needs to happen there.
+  RootedObject head(cx, expandoChain);
+  JSAutoRealm ar(cx, head);
+
+  // Iterate through the chain, looking for a same-origin object.
+  while (head) {
+    if (expandoObjectMatchesConsumer(cx, head, origin)) {
+      expandoObject.set(head);
+      return true;
+    }
+    head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+  }
+
+  // Not found.
+  return true;
+}
+
+bool XrayTraits::getExpandoObject(JSContext* cx, HandleObject target,
+                                  HandleObject consumer,
+                                  MutableHandleObject expandoObject) {
+  // Return early if no expando object has ever been attached, which is
+  // usually the case.
+  JSObject* chain = getExpandoChain(target);
+  if (!chain) {
+    return true;
+  }
+
+  bool isExclusive = CompartmentHasExclusiveExpandos(consumer);
+  return getExpandoObjectInternal(cx, chain, isExclusive ? consumer : nullptr,
+                                  WrapperPrincipal(consumer), expandoObject);
+}
+
+// Wrappers which have exclusive access to the expando on their target object
+// need to be kept alive as long as the target object exists. This is done by
+// keeping the expando in the expando chain on the target (even though it will
+// not be used while looking up the expando for the wrapper), and keeping a
+// strong reference from that expando to the wrapper itself, via the
+// JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER reserved slot. This slot does not
+// point to the wrapper itself, because it is a cross compartment edge and we
+// can't create a wrapper for a wrapper. Instead, the slot points to an
+// instance of the holder class below in the wrapper's compartment, and the
+// wrapper is held via this holder object's reserved slot.
+static const JSClass gWrapperHolderClass = {"XrayExpandoWrapperHolder",
+                                            JSCLASS_HAS_RESERVED_SLOTS(1)};
+static const size_t JSSLOT_WRAPPER_HOLDER_CONTENTS = 0;
+
+JSObject* XrayTraits::attachExpandoObject(JSContext* cx, HandleObject target,
+                                          HandleObject exclusiveWrapper,
+                                          HandleObject exclusiveWrapperGlobal,
+                                          nsIPrincipal* origin) {
+  // Make sure the compartments are sane.
+  MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx));
+  if (exclusiveWrapper) {
+    MOZ_ASSERT(!js::IsObjectInContextCompartment(exclusiveWrapper, cx));
+    MOZ_ASSERT(JS_IsGlobalObject(exclusiveWrapperGlobal));
+    js::AssertSameCompartment(exclusiveWrapper, exclusiveWrapperGlobal);
+  }
+
+  // No duplicates allowed.
+#ifdef DEBUG
+  {
+    JSObject* chain = getExpandoChain(target);
+    if (chain) {
+      RootedObject existingExpandoObject(cx);
+      if (getExpandoObjectInternal(cx, chain, exclusiveWrapper, origin,
+                                   &existingExpandoObject)) {
+        MOZ_ASSERT(!existingExpandoObject);
+      } else {
+        JS_ClearPendingException(cx);
+      }
+    }
+  }
+#endif
+
+  // Create the expando object.
+  const JSClass* expandoClass = getExpandoClass(cx, target);
+  MOZ_ASSERT(!strcmp(expandoClass->name, "XrayExpandoObject"));
+  RootedObject expandoObject(
+      cx, JS_NewObjectWithGivenProto(cx, expandoClass, nullptr));
+  if (!expandoObject) {
+    return nullptr;
+  }
+
+  // AddRef and store the principal.
+  NS_ADDREF(origin);
+  JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN,
+                     JS::PrivateValue(origin));
+
+  // Note the exclusive wrapper, if there is one.
+  RootedObject wrapperHolder(cx);
+  if (exclusiveWrapper) {
+    JSAutoRealm ar(cx, exclusiveWrapperGlobal);
+    wrapperHolder =
+        JS_NewObjectWithGivenProto(cx, &gWrapperHolderClass, nullptr);
+    if (!wrapperHolder) {
+      return nullptr;
+    }
+    JS_SetReservedSlot(wrapperHolder, JSSLOT_WRAPPER_HOLDER_CONTENTS,
+                       ObjectValue(*exclusiveWrapper));
+  }
+  if (!JS_WrapObject(cx, &wrapperHolder)) {
+    return nullptr;
+  }
+  JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER,
+                     ObjectOrNullValue(wrapperHolder));
+
+  // Store it on the exclusive wrapper, if there is one.
+  if (exclusiveWrapper) {
+    RootedObject cachedExpandoObject(cx, expandoObject);
+    JSAutoRealm ar(cx, exclusiveWrapperGlobal);
+    if (!JS_WrapObject(cx, &cachedExpandoObject)) {
+      return nullptr;
+    }
+    JSObject* holder = ensureHolder(cx, exclusiveWrapper);
+    if (!holder) {
+      return nullptr;
+    }
+    SetCachedXrayExpando(holder, cachedExpandoObject);
+  }
+
+  // If this is our first expando object, take the opportunity to preserve
+  // the wrapper. This keeps our expandos alive even if the Xray wrapper gets
+  // collected.
+  RootedObject chain(cx, getExpandoChain(target));
+  if (!chain) {
+    preserveWrapper(target);
+  }
+
+  // Insert it at the front of the chain.
+  JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_NEXT,
+                     ObjectOrNullValue(chain));
+  setExpandoChain(cx, target, expandoObject);
+
+  return expandoObject;
+}
+
+JSObject* XrayTraits::ensureExpandoObject(JSContext* cx, HandleObject wrapper,
+                                          HandleObject target) {
+  MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+  RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+
+  // Expando objects live in the target compartment.
+  JSAutoRealm ar(cx, target);
+  RootedObject expandoObject(cx);
+  if (!getExpandoObject(cx, target, wrapper, &expandoObject)) {
+    return nullptr;
+  }
+  if (!expandoObject) {
+    bool isExclusive = CompartmentHasExclusiveExpandos(wrapper);
+    expandoObject =
+        attachExpandoObject(cx, target, isExclusive ? wrapper : nullptr,
+                            wrapperGlobal, WrapperPrincipal(wrapper));
+  }
+  return expandoObject;
+}
+
+bool XrayTraits::cloneExpandoChain(JSContext* cx, HandleObject dst,
+                                   HandleObject srcChain) {
+  MOZ_ASSERT(js::IsObjectInContextCompartment(dst, cx));
+  MOZ_ASSERT(getExpandoChain(dst) == nullptr);
+
+  RootedObject oldHead(cx, srcChain);
+  while (oldHead) {
+    // If movingIntoXrayCompartment is true, then our new reflector is in a
+    // compartment that used to have an Xray-with-expandos to the old reflector
+    // and we should copy the expandos to the new reflector directly.
+    bool movingIntoXrayCompartment;
+
+    // exclusiveWrapper is only used if movingIntoXrayCompartment ends up true.
+    RootedObject exclusiveWrapper(cx);
+    RootedObject exclusiveWrapperGlobal(cx);
+    RootedObject wrapperHolder(
+        cx,
+        JS::GetReservedSlot(oldHead, JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER)
+            .toObjectOrNull());
+    if (wrapperHolder) {
+      RootedObject unwrappedHolder(cx, UncheckedUnwrap(wrapperHolder));
+      // unwrappedHolder is the compartment of the relevant Xray, so check
+      // whether that matches the compartment of cx (which matches the
+      // compartment of dst).
+      movingIntoXrayCompartment =
+          js::IsObjectInContextCompartment(unwrappedHolder, cx);
+
+      if (!movingIntoXrayCompartment) {
+        // The global containing this wrapper holder has an xray for |src|
+        // with expandos. Create an xray in the global for |dst| which
+        // will be associated with a clone of |src|'s expando object.
+        JSAutoRealm ar(cx, unwrappedHolder);
+        exclusiveWrapper = dst;
+        if (!JS_WrapObject(cx, &exclusiveWrapper)) {
+          return false;
+        }
+        exclusiveWrapperGlobal = JS::CurrentGlobalOrNull(cx);
+      }
+    } else {
+      JSAutoRealm ar(cx, oldHead);
+      movingIntoXrayCompartment =
+          expandoObjectMatchesConsumer(cx, oldHead, GetObjectPrincipal(dst));
+    }
+
+    if (movingIntoXrayCompartment) {
+      // Just copy properties directly onto dst.
+      if (!JS_CopyOwnPropertiesAndPrivateFields(cx, dst, oldHead)) {
+        return false;
+      }
+    } else {
+      // Create a new expando object in the compartment of dst to replace
+      // oldHead.
+      RootedObject newHead(
+          cx,
+          attachExpandoObject(cx, dst, exclusiveWrapper, exclusiveWrapperGlobal,
+                              GetExpandoObjectPrincipal(oldHead)));
+      if (!JS_CopyOwnPropertiesAndPrivateFields(cx, newHead, oldHead)) {
+        return false;
+      }
+    }
+    oldHead =
+        JS::GetReservedSlot(oldHead, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+  }
+  return true;
+}
+
+void ClearXrayExpandoSlots(JSObject* target, size_t slotIndex) {
+  if (!NS_IsMainThread()) {
+    // No Xrays
+    return;
+  }
+
+  MOZ_ASSERT(slotIndex != JSSLOT_EXPANDO_NEXT);
+  MOZ_ASSERT(slotIndex != JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER);
+  MOZ_ASSERT(GetXrayTraits(target) == &DOMXrayTraits::singleton);
+  RootingContext* rootingCx = RootingCx();
+  RootedObject rootedTarget(rootingCx, target);
+  RootedObject head(rootingCx,
+                    DOMXrayTraits::singleton.getExpandoChain(rootedTarget));
+  while (head) {
+    MOZ_ASSERT(JSCLASS_RESERVED_SLOTS(JS::GetClass(head)) > slotIndex);
+    JS::SetReservedSlot(head, slotIndex, UndefinedValue());
+    head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+  }
+}
+
+JSObject* EnsureXrayExpandoObject(JSContext* cx, JS::HandleObject wrapper) {
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(GetXrayTraits(wrapper) == &DOMXrayTraits::singleton);
+  MOZ_ASSERT(IsXrayWrapper(wrapper));
+
+  RootedObject target(cx, DOMXrayTraits::getTargetObject(wrapper));
+  return DOMXrayTraits::singleton.ensureExpandoObject(cx, wrapper, target);
+}
+
+const JSClass* XrayTraits::getExpandoClass(JSContext* cx,
+                                           HandleObject target) const {
+  return &DefaultXrayExpandoObjectClass;
+}
+
+static const size_t JSSLOT_XRAY_HOLDER = 0;
+
+/* static */
+JSObject* XrayTraits::getHolder(JSObject* wrapper) {
+  MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
+  JS::Value v = js::GetProxyReservedSlot(wrapper, JSSLOT_XRAY_HOLDER);
+  return v.isObject() ? &v.toObject() : nullptr;
+}
+
+JSObject* XrayTraits::ensureHolder(JSContext* cx, HandleObject wrapper) {
+  RootedObject holder(cx, getHolder(wrapper));
+  if (holder) {
+    return holder;
+  }
+  holder = createHolder(cx, wrapper);  // virtual trap.
+  if (holder) {
+    js::SetProxyReservedSlot(wrapper, JSSLOT_XRAY_HOLDER, ObjectValue(*holder));
+  }
+  return holder;
+}
+
+static inline JSObject* GetCachedXrayExpando(JSObject* wrapper) {
+  JSObject* holder = XrayTraits::getHolder(wrapper);
+  if (!holder) {
+    return nullptr;
+  }
+  Value v = JS::GetReservedSlot(holder, XrayTraits::HOLDER_SLOT_EXPANDO);
+  return v.isObject() ? &v.toObject() : nullptr;
+}
+
+static inline void SetCachedXrayExpando(JSObject* holder,
+                                        JSObject* expandoWrapper) {
+  MOZ_ASSERT(JS::GetCompartment(holder) == JS::GetCompartment(expandoWrapper));
+  JS_SetReservedSlot(holder, XrayTraits::HOLDER_SLOT_EXPANDO,
+                     ObjectValue(*expandoWrapper));
+}
+
+static nsGlobalWindowInner* AsWindow(JSContext* cx, JSObject* wrapper) {
+  // We want to use our target object here, since we don't want to be
+  // doing a security check while unwrapping.
+  JSObject* target = XrayTraits::getTargetObject(wrapper);
+  return WindowOrNull(target);
+}
+
+static bool IsWindow(JSContext* cx, JSObject* wrapper) {
+  return !!AsWindow(cx, wrapper);
+}
+
+static bool wrappedJSObject_getter(JSContext* cx, unsigned argc, Value* vp) {
+  CallArgs args = CallArgsFromVp(argc, vp);
+  if (!args.thisv().isObject()) {
+    JS_ReportErrorASCII(cx, "This value not an object");
+    return false;
+  }
+  RootedObject wrapper(cx, &args.thisv().toObject());
+  if (!IsWrapper(wrapper) || !WrapperFactory::IsXrayWrapper(wrapper) ||
+      !WrapperFactory::AllowWaiver(wrapper)) {
+    JS_ReportErrorASCII(cx, "Unexpected object");
+    return false;
+  }
+
+  args.rval().setObject(*wrapper);
+
+  return WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool XrayTraits::resolveOwnProperty(
+    JSContext* cx, HandleObject wrapper, HandleObject target,
+    HandleObject holder, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> desc) {
+  desc.reset();
+
+  RootedObject expando(cx);
+  if (!getExpandoObject(cx, target, wrapper, &expando)) {
+    return false;
+  }
+
+  // Check for expando properties first. Note that the expando object lives
+  // in the target compartment.
+  if (expando) {
+    JSAutoRealm ar(cx, expando);
+    JS_MarkCrossZoneId(cx, id);
+    if (!JS_GetOwnPropertyDescriptorById(cx, expando, id, desc)) {
+      return false;
+    }
+  }
+
+  // Next, check for ES builtins.
+  if (!desc.isSome() && JS_IsGlobalObject(target)) {
+    JSProtoKey key = JS_IdToProtoKey(cx, id);
+    JSAutoRealm ar(cx, target);
+    if (key != JSProto_Null) {
+      MOZ_ASSERT(key < JSProto_LIMIT);
+      RootedObject constructor(cx);
+      if (!JS_GetClassObject(cx, key, &constructor)) {
+        return false;
+      }
+      MOZ_ASSERT(constructor);
+
+      desc.set(Some(PropertyDescriptor::Data(
+          ObjectValue(*constructor),
+          {PropertyAttribute::Configurable, PropertyAttribute::Writable})));
+    } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_EVAL)) {
+      RootedObject eval(cx);
+      if (!js::GetRealmOriginalEval(cx, &eval)) {
+        return false;
+      }
+      desc.set(Some(PropertyDescriptor::Data(
+          ObjectValue(*eval),
+          {PropertyAttribute::Configurable, PropertyAttribute::Writable})));
+    } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_INFINITY)) {
+      desc.set(Some(PropertyDescriptor::Data(
+          DoubleValue(PositiveInfinity<double>()), {})));
+    } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAN)) {
+      desc.set(Some(PropertyDescriptor::Data(NaNValue(), {})));
+    }
+  }
+
+  if (desc.isSome()) {
+    return JS_WrapPropertyDescriptor(cx, desc);
+  }
+
+  // Handle .wrappedJSObject for subsuming callers. This should move once we
+  // sort out own-ness for the holder.
+  if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_WRAPPED_JSOBJECT) &&
+      WrapperFactory::AllowWaiver(wrapper)) {
+    bool found = false;
+    if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found)) {
+      return false;
+    }
+    if (!found && !JS_DefinePropertyById(cx, holder, id, wrappedJSObject_getter,
+                                         nullptr, JSPROP_ENUMERATE)) {
+      return false;
+    }
+    return JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+  }
+
+  return true;
+}
+
+bool DOMXrayTraits::resolveOwnProperty(
+    JSContext* cx, HandleObject wrapper, HandleObject target,
+    HandleObject holder, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> desc) {
+  // Call the common code.
+  bool ok =
+      XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+  if (!ok || desc.isSome()) {
+    return ok;
+  }
+
+  // Check for indexed access on a window.
+  uint32_t index = GetArrayIndexFromId(id);
+  if (IsArrayIndex(index)) {
+    nsGlobalWindowInner* win = AsWindow(cx, wrapper);
+    // Note: As() unwraps outer windows to get to the inner window.
+    if (win) {
+      Nullable<WindowProxyHolder> subframe = win->IndexedGetter(index);
+      if (!subframe.IsNull()) {
+        Rooted<Value> value(cx);
+        if (MOZ_UNLIKELY(!WrapObject(cx, subframe.Value(), &value))) {
+          // It's gone?
+          return xpc::Throw(cx, NS_ERROR_FAILURE);
+        }
+        desc.set(Some(PropertyDescriptor::Data(
+            value,
+            {PropertyAttribute::Configurable, PropertyAttribute::Enumerable})));
+        return JS_WrapPropertyDescriptor(cx, desc);
+      }
+    }
+  }
+
+  if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) {
+    return false;
+  }
+  if (desc.isSome()) {
+    return true;
+  }
+
+  bool cacheOnHolder;
+  if (!XrayResolveOwnProperty(cx, wrapper, target, id, desc, cacheOnHolder)) {
+    return false;
+  }
+
+  if (desc.isNothing() || !cacheOnHolder) {
+    return true;
+  }
+
+  Rooted<PropertyDescriptor> defineDesc(cx, *desc);
+  return JS_DefinePropertyById(cx, holder, id, defineDesc) &&
+         JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+}
+
+bool DOMXrayTraits::delete_(JSContext* cx, JS::HandleObject wrapper,
+                            JS::HandleId id, JS::ObjectOpResult& result) {
+  RootedObject target(cx, getTargetObject(wrapper));
+  return XrayDeleteNamedProperty(cx, wrapper, target, id, result);
+}
+
+bool DOMXrayTraits::defineProperty(
+    JSContext* cx, HandleObject wrapper, HandleId id,
+    Handle<PropertyDescriptor> desc,
+    Handle<Maybe<PropertyDescriptor>> existingDesc,
+    Handle<JSObject*> existingHolder, JS::ObjectOpResult& result, bool* done) {
+  // Check for an indexed property on a Window.  If that's happening, do
+  // nothing but set done to true so it won't get added as an expando.
+  if (IsWindow(cx, wrapper)) {
+    if (IsArrayIndex(GetArrayIndexFromId(id))) {
+      *done = true;
+      return result.succeed();
+    }
+  }
+
+  JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
+  return XrayDefineProperty(cx, wrapper, obj, id, desc, result, done);
+}
+
+bool DOMXrayTraits::enumerateNames(JSContext* cx, HandleObject wrapper,
+                                   unsigned flags,
+                                   MutableHandleIdVector props) {
+  // Put the indexed properties for a window first.
+  nsGlobalWindowInner* win = AsWindow(cx, wrapper);
+  if (win) {
+    uint32_t length = win->Length();
+    if (!props.reserve(props.length() + length)) {
+      return false;
+    }
+    JS::RootedId indexId(cx);
+    for (uint32_t i = 0; i < length; ++i) {
+      if (!JS_IndexToId(cx, i, &indexId)) {
+        return false;
+      }
+      props.infallibleAppend(indexId);
+    }
+  }
+
+  JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
+  if (JS_IsGlobalObject(obj)) {
+    // We could do this in a shared enumerateNames with JSXrayTraits, but we
+    // don't really have globals we expose via those.
+    JSAutoRealm ar(cx, obj);
+    if (!JS_NewEnumerateStandardClassesIncludingResolved(
+            cx, obj, props, !(flags & JSITER_HIDDEN))) {
+      return false;
+    }
+  }
+  return XrayOwnPropertyKeys(cx, wrapper, obj, flags, props);
+}
+
+bool DOMXrayTraits::call(JSContext* cx, HandleObject wrapper,
+                         const JS::CallArgs& args,
+                         const js::Wrapper& baseInstance) {
+  RootedObject obj(cx, getTargetObject(wrapper));
+  const JSClass* clasp = JS::GetClass(obj);
+  // What we have is either a WebIDL interface object, a WebIDL prototype
+  // object, or a WebIDL instance object.  WebIDL prototype objects never have
+  // a clasp->call.  WebIDL interface objects we want to invoke on the xray
+  // compartment.  WebIDL instance objects either don't have a clasp->call or
+  // are using "legacycaller".  At this time for all the legacycaller users it
+  // makes more sense to invoke on the xray compartment, so we just go ahead
+  // and do that for everything.
+  if (JSNative call = clasp->getCall()) {
+    // call it on the Xray compartment
+    return call(cx, args.length(), args.base());
+  }
+
+  RootedValue v(cx, ObjectValue(*wrapper));
+  js::ReportIsNotFunction(cx, v);
+  return false;
+}
+
+bool DOMXrayTraits::construct(JSContext* cx, HandleObject wrapper,
+                              const JS::CallArgs& args,
+                              const js::Wrapper& baseInstance) {
+  RootedObject obj(cx, getTargetObject(wrapper));
+  MOZ_ASSERT(mozilla::dom::HasConstructor(obj));
+  const JSClass* clasp = JS::GetClass(obj);
+  // See comments in DOMXrayTraits::call() explaining what's going on here.
+  if (clasp->flags & JSCLASS_IS_DOMIFACEANDPROTOJSCLASS) {
+    if (JSNative construct = clasp->getConstruct()) {
+      if (!construct(cx, args.length(), args.base())) {
+        return false;
+      }
+    } else {
+      RootedValue v(cx, ObjectValue(*wrapper));
+      js::ReportIsNotFunction(cx, v);
+      return false;
+    }
+  } else {
+    if (!baseInstance.construct(cx, wrapper, args)) {
+      return false;
+    }
+  }
+  if (!args.rval().isObject() || !JS_WrapValue(cx, args.rval())) {
+    return false;
+  }
+  return true;
+}
+
+bool DOMXrayTraits::getPrototype(JSContext* cx, JS::HandleObject wrapper,
+                                 JS::HandleObject target,
+                                 JS::MutableHandleObject protop) {
+  return mozilla::dom::XrayGetNativeProto(cx, target, protop);
+}
+
+void DOMXrayTraits::preserveWrapper(JSObject* target) {
+  nsISupports* identity = mozilla::dom::UnwrapDOMObjectToISupports(target);
+  if (!identity) {
+    return;
+  }
+  nsWrapperCache* cache = nullptr;
+  CallQueryInterface(identity, &cache);
+  if (cache) {
+    cache->PreserveWrapper(identity);
+  }
+}
+
+JSObject* DOMXrayTraits::createHolder(JSContext* cx, JSObject* wrapper) {
+  return JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr);
+}
+
+const JSClass* DOMXrayTraits::getExpandoClass(JSContext* cx,
+                                              HandleObject target) const {
+  return XrayGetExpandoClass(cx, target);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::preventExtensions(
+    JSContext* cx, HandleObject wrapper, ObjectOpResult& result) const {
+  // Xray wrappers are supposed to provide a clean view of the target
+  // reflector, hiding any modifications by script in the target scope.  So
+  // even if that script freezes the reflector, we don't want to make that
+  // visible to the caller. DOM reflectors are always extensible by default,
+  // so we can just return failure here.
+  return result.failCantPreventExtensions();
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::isExtensible(JSContext* cx,
+                                             JS::Handle<JSObject*> wrapper,
+                                             bool* extensible) const {
+  // See above.
+  *extensible = true;
+  return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getOwnPropertyDescriptor(
+    JSContext* cx, HandleObject wrapper, HandleId id,
+    MutableHandle<Maybe<PropertyDescriptor>> desc) const {
+  assertEnteredPolicy(cx, wrapper, id,
+                      BaseProxyHandler::GET | BaseProxyHandler::SET |
+                          BaseProxyHandler::GET_PROPERTY_DESCRIPTOR);
+  RootedObject target(cx, Traits::getTargetObject(wrapper));
+  RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
+  if (!holder) {
+    return false;
+  }
+
+  return Traits::singleton.resolveOwnProperty(cx, wrapper, target, holder, id,
+                                              desc);
+}
+
+// Consider what happens when chrome does |xray.expando = xray.wrappedJSObject|.
+//
+// Since the expando comes from the target compartment, wrapping it back into
+// the target compartment to define it on the expando object ends up stripping
+// off the Xray waiver that gives |xray| and |xray.wrappedJSObject| different
+// identities. This is generally the right thing to do when wrapping across
+// compartments, but is incorrect in the special case of the Xray expando
+// object. Manually re-apply Xrays if necessary.
+//
+// NB: In order to satisfy the invariants of WaiveXray, we need to pass
+// in an object sans security wrapper, which means we need to strip off any
+// potential same-compartment security wrapper that may have been applied
+// to the content object. This is ok, because the the expando object is only
+// ever accessed by code across the compartment boundary.
+static bool RecreateLostWaivers(JSContext* cx, const PropertyDescriptor* orig,
+                                MutableHandle<PropertyDescriptor> wrapped) {
+  // Compute whether the original objects were waived, and implicitly, whether
+  // they were objects at all.
+  bool valueWasWaived =
+      orig->hasValue() && orig->value().isObject() &&
+      WrapperFactory::HasWaiveXrayFlag(&orig->value().toObject());
+  bool getterWasWaived = orig->hasGetter() && orig->getter() &&
+                         WrapperFactory::HasWaiveXrayFlag(orig->getter());
+  bool setterWasWaived = orig->hasSetter() && orig->setter() &&
+                         WrapperFactory::HasWaiveXrayFlag(orig->setter());
+
+  // Recreate waivers. Note that for value, we need an extra UncheckedUnwrap
+  // to handle same-compartment security wrappers (see above). This should
+  // never happen for getters/setters.
+
+  RootedObject rewaived(cx);
+  if (valueWasWaived &&
+      !IsCrossCompartmentWrapper(&wrapped.value().toObject())) {
+    rewaived = &wrapped.value().toObject();
+    rewaived = WrapperFactory::WaiveXray(cx, UncheckedUnwrap(rewaived));
+    NS_ENSURE_TRUE(rewaived, false);
+    wrapped.value().set(ObjectValue(*rewaived));
+  }
+  if (getterWasWaived && !IsCrossCompartmentWrapper(wrapped.getter())) {
+    // We can't end up with WindowProxy or Location as getters.
+    MOZ_ASSERT(CheckedUnwrapStatic(wrapped.getter()));
+    rewaived = WrapperFactory::WaiveXray(cx, wrapped.getter());
+    NS_ENSURE_TRUE(rewaived, false);
+    wrapped.setGetter(rewaived);
+  }
+  if (setterWasWaived && !IsCrossCompartmentWrapper(wrapped.setter())) {
+    // We can't end up with WindowProxy or Location as setters.
+    MOZ_ASSERT(CheckedUnwrapStatic(wrapped.setter()));
+    rewaived = WrapperFactory::WaiveXray(cx, wrapped.setter());
+    NS_ENSURE_TRUE(rewaived, false);
+    wrapped.setSetter(rewaived);
+  }
+
+  return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::defineProperty(JSContext* cx,
+                                               HandleObject wrapper,
+                                               HandleId id,
+                                               Handle<PropertyDescriptor> desc,
+                                               ObjectOpResult& result) const {
+  assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
+
+  Rooted<Maybe<PropertyDescriptor>> existingDesc(cx);
+  Rooted<JSObject*> existingHolder(cx);
+  if (!JS_GetPropertyDescriptorById(cx, wrapper, id, &existingDesc,
+                                    &existingHolder)) {
+    return false;
+  }
+
+  // Note that the check here is intended to differentiate between own and
+  // non-own properties, since the above lookup is not limited to own
+  // properties. At present, this may not always do the right thing because
+  // we often lie (sloppily) about where we found properties and set
+  // existingHolder to |wrapper|. Once we fully fix our Xray prototype
+  // semantics, this should work as intended.
+  if (existingDesc.isSome() && existingHolder == wrapper &&
+      !existingDesc->configurable()) {
+    // We have a non-configurable property. See if the caller is trying to
+    // re-configure it in any way other than making it non-writable.
+    if (existingDesc->isAccessorDescriptor() || desc.isAccessorDescriptor() ||
+        (desc.hasEnumerable() &&
+         existingDesc->enumerable() != desc.enumerable()) ||
+        (desc.hasWritable() && !existingDesc->writable() && desc.writable())) {
+      // We should technically report non-configurability in strict mode, but
+      // doing that via JSAPI used to be a lot of trouble. See bug 1135997.
+      return result.succeed();
+    }
+    if (!existingDesc->writable()) {
+      // Same as the above for non-writability.
+      return result.succeed();
+    }
+  }
+
+  bool done = false;
+  if (!Traits::singleton.defineProperty(cx, wrapper, id, desc, existingDesc,
+                                        existingHolder, result, &done)) {
+    return false;
+  }
+  if (done) {
+    return true;
+  }
+
+  // Grab the relevant expando object.
+  RootedObject target(cx, Traits::getTargetObject(wrapper));
+  RootedObject expandoObject(
+      cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
+  if (!expandoObject) {
+    return false;
+  }
+
+  // We're placing an expando. The expando objects live in the target
+  // compartment, so we need to enter it.
+  JSAutoRealm ar(cx, target);
+  JS_MarkCrossZoneId(cx, id);
+
+  // Wrap the property descriptor for the target compartment.
+  Rooted<PropertyDescriptor> wrappedDesc(cx, desc);
+  if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc)) {
+    return false;
+  }
+
+  // Fix up Xray waivers.
+  if (!RecreateLostWaivers(cx, desc.address(), &wrappedDesc)) {
+    return false;
+  }
+
+  return JS_DefinePropertyById(cx, expandoObject, id, wrappedDesc, result);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::ownPropertyKeys(
+    JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+  assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+                      BaseProxyHandler::ENUMERATE);
+  return getPropertyKeys(
+      cx, wrapper, JSITER_OWNONLY | JSITER_HIDDEN | JSITER_SYMBOLS, props);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::delete_(JSContext* cx, HandleObject wrapper,
+                                        HandleId id,
+                                        ObjectOpResult& result) const {
+  assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
+
+  // Check the expando object.
+  RootedObject target(cx, Traits::getTargetObject(wrapper));
+  RootedObject expando(cx);
+  if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+    return false;
+  }
+
+  if (expando) {
+    JSAutoRealm ar(cx, expando);
+    JS_MarkCrossZoneId(cx, id);
+    bool hasProp;
+    if (!JS_HasPropertyById(cx, expando, id, &hasProp)) {
+      return false;
+    }
+    if (hasProp) {
+      return JS_DeletePropertyById(cx, expando, id, result);
+    }
+  }
+
+  return Traits::singleton.delete_(cx, wrapper, id, result);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::get(JSContext* cx, HandleObject wrapper,
+                                    HandleValue receiver, HandleId id,
+                                    MutableHandleValue vp) const {
+  // This is called by Proxy::get, but since we return true for hasPrototype()
+  // it's only called for properties that hasOwn() claims we have as own
+  // properties.  Since we only need to worry about own properties, we can use
+  // getOwnPropertyDescriptor here.
+  Rooted<Maybe<PropertyDescriptor>> desc(cx);
+  if (!getOwnPropertyDescriptor(cx, wrapper, id, &desc)) {
+    return false;
+  }
+
+  MOZ_ASSERT(desc.isSome(),
+             "hasOwn() claimed we have this property, so why would we not get "
+             "a descriptor here?");
+  desc->assertComplete();
+
+  // Everything after here follows [[Get]] for ordinary objects.
+  if (desc->isDataDescriptor()) {
+    vp.set(desc->value());
+    return true;
+  }
+
+  MOZ_ASSERT(desc->isAccessorDescriptor());
+  RootedObject getter(cx, desc->getter());
+
+  if (!getter) {
+    vp.setUndefined();
+    return true;
+  }
+
+  return Call(cx, receiver, getter, HandleValueArray::empty(), vp);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::set(JSContext* cx, HandleObject wrapper,
+                                    HandleId id, HandleValue v,
+                                    HandleValue receiver,
+                                    ObjectOpResult& result) const {
+  MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+  return false;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::has(JSContext* cx, HandleObject wrapper,
+                                    HandleId id, bool* bp) const {
+  MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+  return false;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::hasOwn(JSContext* cx, HandleObject wrapper,
+                                       HandleId id, bool* bp) const {
+  // Skip our Base if it isn't already ProxyHandler.
+  return js::BaseProxyHandler::hasOwn(cx, wrapper, id, bp);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getOwnEnumerablePropertyKeys(
+    JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+  // Skip our Base if it isn't already ProxyHandler.
+  return js::BaseProxyHandler::getOwnEnumerablePropertyKeys(cx, wrapper, props);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::enumerate(
+    JSContext* cx, HandleObject wrapper,
+    JS::MutableHandleIdVector props) const {
+  MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::call(JSContext* cx, HandleObject wrapper,
+                                     const JS::CallArgs& args) const {
+  assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+                      BaseProxyHandler::CALL);
+  // Hard cast the singleton since SecurityWrapper doesn't have one.
+  return Traits::call(cx, wrapper, args, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::construct(JSContext* cx, HandleObject wrapper,
+                                          const JS::CallArgs& args) const {
+  assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+                      BaseProxyHandler::CALL);
+  // Hard cast the singleton since SecurityWrapper doesn't have one.
+  return Traits::construct(cx, wrapper, args, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getBuiltinClass(JSContext* cx,
+                                                JS::HandleObject wrapper,
+                                                js::ESClass* cls) const {
+  return Traits::getBuiltinClass(cx, wrapper, Base::singleton, cls);
+}
+
+template <typename Base, typename Traits>
+const char* XrayWrapper<Base, Traits>::className(JSContext* cx,
+                                                 HandleObject wrapper) const {
+  return Traits::className(cx, wrapper, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPrototype(
+    JSContext* cx, JS::HandleObject wrapper,
+    JS::MutableHandleObject protop) const {
+  // We really only want this override for non-SecurityWrapper-inheriting
+  // |Base|. But doing that statically with templates requires partial method
+  // specializations (and therefore a helper class), which is all more trouble
+  // than it's worth. Do a dynamic check.
+  if (Base::hasSecurityPolicy()) {
+    return Base::getPrototype(cx, wrapper, protop);
+  }
+
+  RootedObject target(cx, Traits::getTargetObject(wrapper));
+  RootedObject expando(cx);
+  if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+    return false;
+  }
+
+  // We want to keep the Xray's prototype distinct from that of content, but
+  // only if there's been a set. If there's not an expando, or the expando
+  // slot is |undefined|, hand back the default proto, appropriately wrapped.
+
+  if (expando) {
+    RootedValue v(cx);
+    {  // Scope for JSAutoRealm
+      JSAutoRealm ar(cx, expando);
+      v = JS::GetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE);
+    }
+    if (!v.isUndefined()) {
+      protop.set(v.toObjectOrNull());
+      return JS_WrapObject(cx, protop);
+    }
+  }
+
+  // Check our holder, and cache there if we don't have it cached already.
+  RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
+  if (!holder) {
+    return false;
+  }
+
+  Value cached = JS::GetReservedSlot(holder, Traits::HOLDER_SLOT_CACHED_PROTO);
+  if (cached.isUndefined()) {
+    if (!Traits::singleton.getPrototype(cx, wrapper, target, protop)) {
+      return false;
+    }
+
+    JS::SetReservedSlot(holder, Traits::HOLDER_SLOT_CACHED_PROTO,
+                        ObjectOrNullValue(protop));
+  } else {
+    protop.set(cached.toObjectOrNull());
+  }
+  return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::setPrototype(JSContext* cx,
+                                             JS::HandleObject wrapper,
+                                             JS::HandleObject proto,
+                                             JS::ObjectOpResult& result) const {
+  // Do this only for non-SecurityWrapper-inheriting |Base|. See the comment
+  // in getPrototype().
+  if (Base::hasSecurityPolicy()) {
+    return Base::setPrototype(cx, wrapper, proto, result);
+  }
+
+  RootedObject target(cx, Traits::getTargetObject(wrapper));
+  RootedObject expando(
+      cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
+  if (!expando) {
+    return false;
+  }
+
+  // The expando lives in the target's realm, so do our installation there.
+  JSAutoRealm ar(cx, target);
+
+  RootedValue v(cx, ObjectOrNullValue(proto));
+  if (!JS_WrapValue(cx, &v)) {
+    return false;
+  }
+  JS_SetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE, v);
+  return result.succeed();
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPrototypeIfOrdinary(
+    JSContext* cx, JS::HandleObject wrapper, bool* isOrdinary,
+    JS::MutableHandleObject protop) const {
+  // We want to keep the Xray's prototype distinct from that of content, but
+  // only if there's been a set.  This different-prototype-over-time behavior
+  // means that the [[GetPrototypeOf]] trap *can't* be ECMAScript's ordinary
+  // [[GetPrototypeOf]].  This also covers cross-origin Window behavior that
+  // per
+  // <https://html.spec.whatwg.org/multipage/browsers.html#windowproxy-getprototypeof>
+  // must be non-ordinary.
+  *isOrdinary = false;
+  return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::setImmutablePrototype(JSContext* cx,
+                                                      JS::HandleObject wrapper,
+                                                      bool* succeeded) const {
+  // For now, lacking an obvious place to store a bit, prohibit making an
+  // Xray's [[Prototype]] immutable.  We can revisit this (or maybe give all
+  // Xrays immutable [[Prototype]], because who does this, really?) later if
+  // necessary.
+  *succeeded = false;
+  return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPropertyKeys(
+    JSContext* cx, HandleObject wrapper, unsigned flags,
+    MutableHandleIdVector props) const {
+  assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+                      BaseProxyHandler::ENUMERATE);
+
+  // Enumerate expando properties first. Note that the expando object lives
+  // in the target compartment.
+  RootedObject target(cx, Traits::getTargetObject(wrapper));
+  RootedObject expando(cx);
+  if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+    return false;
+  }
+
+  if (expando) {
+    JSAutoRealm ar(cx, expando);
+    if (!js::GetPropertyKeys(cx, expando, flags, props)) {
+      return false;
+    }
+  }
+  for (size_t i = 0; i < props.length(); ++i) {
+    JS_MarkCrossZoneId(cx, props[i]);
+  }
+
+  return Traits::singleton.enumerateNames(cx, wrapper, flags, props);
+}
+
+/*
+ * The Permissive / Security variants should be used depending on whether the
+ * compartment of the wrapper is guranteed to subsume the compartment of the
+ * wrapped object (i.e. - whether it is safe from a security perspective to
+ * unwrap the wrapper).
+ */
+
+template <typename Base, typename Traits>
+const xpc::XrayWrapper<Base, Traits> xpc::XrayWrapper<Base, Traits>::singleton(
+    0);
+
+template class PermissiveXrayDOM;
+template class PermissiveXrayJS;
+template class PermissiveXrayOpaque;
+
+/*
+ * This callback is used by the JS engine to test if a proxy handler is for a
+ * cross compartment xray with no security requirements.
+ */
+static bool IsCrossCompartmentXrayCallback(
+    const js::BaseProxyHandler* handler) {
+  return handler == &PermissiveXrayDOM::singleton;
+}
+
+JS::XrayJitInfo gXrayJitInfo = {
+    IsCrossCompartmentXrayCallback, CompartmentHasExclusiveExpandos,
+    JSSLOT_XRAY_HOLDER, XrayTraits::HOLDER_SLOT_EXPANDO,
+    JSSLOT_EXPANDO_PROTOTYPE};
+
+}  // namespace xpc
diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h
new file mode 100644
index 0000000000..fb0c8b36c6
--- /dev/null
+++ b/js/xpconnect/wrappers/XrayWrapper.h
@@ -0,0 +1,495 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef XrayWrapper_h
+#define XrayWrapper_h
+
+#include "mozilla/Maybe.h"
+
+#include "WrapperFactory.h"
+
+#include "jsapi.h"
+#include "jsfriendapi.h"
+#include "js/friend/XrayJitInfo.h"  // JS::XrayJitInfo
+#include "js/Object.h"              // JS::GetReservedSlot
+#include "js/Proxy.h"
+#include "js/Wrapper.h"
+
+// Slot where Xray functions for Web IDL methods store a pointer to
+// the Xray wrapper they're associated with.
+#define XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT 0
+// Slot where in debug builds Xray functions for Web IDL methods store
+// a pointer to their themselves, just so we can assert that they're the
+// sort of functions we expect.
+#define XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF 1
+
+// Xray wrappers re-resolve the original native properties on the native
+// object and always directly access to those properties.
+// Because they work so differently from the rest of the wrapper hierarchy,
+// we pull them out of the Wrapper inheritance hierarchy and create a
+// little world around them.
+
+class nsIPrincipal;
+
+namespace xpc {
+
+enum XrayType {
+  XrayForDOMObject,
+  XrayForJSObject,
+  XrayForOpaqueObject,
+  NotXray
+};
+
+class XrayTraits {
+ public:
+  constexpr XrayTraits() = default;
+
+  static JSObject* getTargetObject(JSObject* wrapper) {
+    JSObject* target =
+        js::UncheckedUnwrap(wrapper, /* stopAtWindowProxy = */ false);
+    if (target) {
+      JS::ExposeObjectToActiveJS(target);
+    }
+    return target;
+  }
+
+  // NB: resolveOwnProperty may decide whether or not to cache what it finds
+  // on the holder. If the result is not cached, the lookup will happen afresh
+  // for each access, which is the right thing for things like dynamic NodeList
+  // properties.
+  virtual bool resolveOwnProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+      JS::HandleObject holder, JS::HandleId id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc);
+
+  bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+               JS::ObjectOpResult& result) {
+    return result.succeed();
+  }
+
+  static bool getBuiltinClass(JSContext* cx, JS::HandleObject wrapper,
+                              const js::Wrapper& baseInstance,
+                              js::ESClass* cls) {
+    return baseInstance.getBuiltinClass(cx, wrapper, cls);
+  }
+
+  static const char* className(JSContext* cx, JS::HandleObject wrapper,
+                               const js::Wrapper& baseInstance) {
+    return baseInstance.className(cx, wrapper);
+  }
+
+  virtual void preserveWrapper(JSObject* target) = 0;
+
+  bool getExpandoObject(JSContext* cx, JS::HandleObject target,
+                        JS::HandleObject consumer,
+                        JS::MutableHandleObject expandObject);
+  JSObject* ensureExpandoObject(JSContext* cx, JS::HandleObject wrapper,
+                                JS::HandleObject target);
+
+  // Slots for holder objects.
+  enum {
+    HOLDER_SLOT_CACHED_PROTO = 0,
+    HOLDER_SLOT_EXPANDO = 1,
+    HOLDER_SHARED_SLOT_COUNT
+  };
+
+  static JSObject* getHolder(JSObject* wrapper);
+  JSObject* ensureHolder(JSContext* cx, JS::HandleObject wrapper);
+  virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) = 0;
+
+  JSObject* getExpandoChain(JS::HandleObject obj);
+  JSObject* detachExpandoChain(JS::HandleObject obj);
+  bool setExpandoChain(JSContext* cx, JS::HandleObject obj,
+                       JS::HandleObject chain);
+  bool cloneExpandoChain(JSContext* cx, JS::HandleObject dst,
+                         JS::HandleObject srcChain);
+
+ protected:
+  static const JSClass HolderClass;
+
+  // Get the JSClass we should use for our expando object.
+  virtual const JSClass* getExpandoClass(JSContext* cx,
+                                         JS::HandleObject target) const;
+
+ private:
+  bool expandoObjectMatchesConsumer(JSContext* cx,
+                                    JS::HandleObject expandoObject,
+                                    nsIPrincipal* consumerOrigin);
+
+  // |expandoChain| is the expando chain in the wrapped object's compartment.
+  // |exclusiveWrapper| is any xray that has exclusive use of the expando.
+  // |cx| may be in any compartment.
+  bool getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
+                                JS::HandleObject exclusiveWrapper,
+                                nsIPrincipal* origin,
+                                JS::MutableHandleObject expandoObject);
+
+  // |cx| is in the target's compartment, and |exclusiveWrapper| is any xray
+  // that has exclusive use of the expando. |exclusiveWrapperGlobal| is the
+  // caller's global and must be same-compartment with |exclusiveWrapper|.
+  JSObject* attachExpandoObject(JSContext* cx, JS::HandleObject target,
+                                JS::HandleObject exclusiveWrapper,
+                                JS::HandleObject exclusiveWrapperGlobal,
+                                nsIPrincipal* origin);
+
+  XrayTraits(XrayTraits&) = delete;
+  const XrayTraits& operator=(XrayTraits&) = delete;
+};
+
+class DOMXrayTraits : public XrayTraits {
+ public:
+  constexpr DOMXrayTraits() = default;
+
+  static const XrayType Type = XrayForDOMObject;
+
+  virtual bool resolveOwnProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+      JS::HandleObject holder, JS::HandleId id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) override;
+
+  bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+               JS::ObjectOpResult& result);
+
+  bool defineProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+      JS::Handle<JS::PropertyDescriptor> desc,
+      JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>> existingDesc,
+      JS::Handle<JSObject*> existingHolder, JS::ObjectOpResult& result,
+      bool* done);
+  virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+                              unsigned flags, JS::MutableHandleIdVector props);
+  static bool call(JSContext* cx, JS::HandleObject wrapper,
+                   const JS::CallArgs& args, const js::Wrapper& baseInstance);
+  static bool construct(JSContext* cx, JS::HandleObject wrapper,
+                        const JS::CallArgs& args,
+                        const js::Wrapper& baseInstance);
+
+  static bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+                           JS::HandleObject target,
+                           JS::MutableHandleObject protop);
+
+  virtual void preserveWrapper(JSObject* target) override;
+
+  virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override;
+
+  static DOMXrayTraits singleton;
+
+ protected:
+  virtual const JSClass* getExpandoClass(
+      JSContext* cx, JS::HandleObject target) const override;
+};
+
+class JSXrayTraits : public XrayTraits {
+ public:
+  static const XrayType Type = XrayForJSObject;
+
+  virtual bool resolveOwnProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+      JS::HandleObject holder, JS::HandleId id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) override;
+
+  bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+               JS::ObjectOpResult& result);
+
+  bool defineProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+      JS::Handle<JS::PropertyDescriptor> desc,
+      JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>> existingDesc,
+      JS::Handle<JSObject*> existingHolder, JS::ObjectOpResult& result,
+      bool* defined);
+
+  virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+                              unsigned flags, JS::MutableHandleIdVector props);
+
+  static bool call(JSContext* cx, JS::HandleObject wrapper,
+                   const JS::CallArgs& args, const js::Wrapper& baseInstance) {
+    JSXrayTraits& self = JSXrayTraits::singleton;
+    JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+    if (!holder) {
+      return false;
+    }
+    JSProtoKey key = xpc::JSXrayTraits::getProtoKey(holder);
+    if (key == JSProto_Function || key == JSProto_BoundFunction) {
+      return baseInstance.call(cx, wrapper, args);
+    }
+
+    JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+    js::ReportIsNotFunction(cx, v);
+    return false;
+  }
+
+  static bool construct(JSContext* cx, JS::HandleObject wrapper,
+                        const JS::CallArgs& args,
+                        const js::Wrapper& baseInstance);
+
+  bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+                    JS::HandleObject target, JS::MutableHandleObject protop) {
+    JS::RootedObject holder(cx, ensureHolder(cx, wrapper));
+    if (!holder) {
+      return false;
+    }
+    JSProtoKey key = getProtoKey(holder);
+    if (isPrototype(holder)) {
+      JSProtoKey protoKey = js::InheritanceProtoKeyForStandardClass(key);
+      if (protoKey == JSProto_Null) {
+        protop.set(nullptr);
+        return true;
+      }
+      key = protoKey;
+    }
+
+    {
+      JSAutoRealm ar(cx, target);
+      if (!JS_GetClassPrototype(cx, key, protop)) {
+        return false;
+      }
+    }
+    return JS_WrapObject(cx, protop);
+  }
+
+  virtual void preserveWrapper(JSObject* target) override {
+    // In the case of pure JS objects, there is no underlying object, and
+    // the target is the canonical representation of state. If it gets
+    // collected, then expandos and such should be collected too. So there's
+    // nothing to do here.
+  }
+
+  enum {
+    SLOT_PROTOKEY = HOLDER_SHARED_SLOT_COUNT,
+    SLOT_ISPROTOTYPE,
+    SLOT_CONSTRUCTOR_FOR,
+    SLOT_COUNT
+  };
+  virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override;
+
+  static JSProtoKey getProtoKey(JSObject* holder) {
+    int32_t key = JS::GetReservedSlot(holder, SLOT_PROTOKEY).toInt32();
+    return static_cast<JSProtoKey>(key);
+  }
+
+  static bool isPrototype(JSObject* holder) {
+    return JS::GetReservedSlot(holder, SLOT_ISPROTOTYPE).toBoolean();
+  }
+
+  static JSProtoKey constructorFor(JSObject* holder) {
+    int32_t key = JS::GetReservedSlot(holder, SLOT_CONSTRUCTOR_FOR).toInt32();
+    return static_cast<JSProtoKey>(key);
+  }
+
+  // Operates in the wrapper compartment.
+  static bool getOwnPropertyFromWrapperIfSafe(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc);
+
+  // Like the above, but operates in the target compartment. wrapperGlobal is
+  // the caller's global (must be in the wrapper compartment).
+  static bool getOwnPropertyFromTargetIfSafe(
+      JSContext* cx, JS::HandleObject target, JS::HandleObject wrapper,
+      JS::HandleObject wrapperGlobal, JS::HandleId id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc);
+
+  static const JSClass HolderClass;
+  static JSXrayTraits singleton;
+};
+
+// These traits are used when the target is not Xrayable and we therefore want
+// to make it opaque modulo the usual Xray machinery (like expandos and
+// .wrappedJSObject).
+class OpaqueXrayTraits : public XrayTraits {
+ public:
+  static const XrayType Type = XrayForOpaqueObject;
+
+  virtual bool resolveOwnProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+      JS::HandleObject holder, JS::HandleId id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) override;
+
+  bool defineProperty(
+      JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+      JS::Handle<JS::PropertyDescriptor> desc,
+      JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>> existingDesc,
+      JS::Handle<JSObject*> existingHolder, JS::ObjectOpResult& result,
+      bool* defined) {
+    *defined = false;
+    return true;
+  }
+
+  virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+                              unsigned flags, JS::MutableHandleIdVector props) {
+    return true;
+  }
+
+  static bool call(JSContext* cx, JS::HandleObject wrapper,
+                   const JS::CallArgs& args, const js::Wrapper& baseInstance) {
+    JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+    js::ReportIsNotFunction(cx, v);
+    return false;
+  }
+
+  static bool construct(JSContext* cx, JS::HandleObject wrapper,
+                        const JS::CallArgs& args,
+                        const js::Wrapper& baseInstance) {
+    JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+    js::ReportIsNotFunction(cx, v);
+    return false;
+  }
+
+  bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+                    JS::HandleObject target, JS::MutableHandleObject protop) {
+    // Opaque wrappers just get targetGlobal.Object.prototype as their
+    // prototype. This is preferable to using a null prototype because it
+    // lets things like |toString| and |__proto__| work.
+    {
+      JSAutoRealm ar(cx, target);
+      if (!JS_GetClassPrototype(cx, JSProto_Object, protop)) {
+        return false;
+      }
+    }
+    return JS_WrapObject(cx, protop);
+  }
+
+  static bool getBuiltinClass(JSContext* cx, JS::HandleObject wrapper,
+                              const js::Wrapper& baseInstance,
+                              js::ESClass* cls) {
+    *cls = js::ESClass::Other;
+    return true;
+  }
+
+  static const char* className(JSContext* cx, JS::HandleObject wrapper,
+                               const js::Wrapper& baseInstance) {
+    return "Opaque";
+  }
+
+  virtual void preserveWrapper(JSObject* target) override {}
+
+  virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override {
+    return JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr);
+  }
+
+  static OpaqueXrayTraits singleton;
+};
+
+XrayType GetXrayType(JSObject* obj);
+XrayTraits* GetXrayTraits(JSObject* obj);
+
+template <typename Base, typename Traits>
+class XrayWrapper : public Base {
+  static_assert(std::is_base_of_v<js::BaseProxyHandler, Base>,
+                "Base *must* derive from js::BaseProxyHandler");
+
+ public:
+  constexpr explicit XrayWrapper(unsigned flags)
+      : Base(flags | WrapperFactory::IS_XRAY_WRAPPER_FLAG,
+             /* aHasPrototype = */ true){};
+
+  /* Standard internal methods. */
+  virtual bool getOwnPropertyDescriptor(
+      JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+      JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc)
+      const override;
+  virtual bool defineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                              JS::Handle<jsid> id,
+                              JS::Handle<JS::PropertyDescriptor> desc,
+                              JS::ObjectOpResult& result) const override;
+  virtual bool ownPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                               JS::MutableHandleIdVector props) const override;
+  virtual bool delete_(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                       JS::Handle<jsid> id,
+                       JS::ObjectOpResult& result) const override;
+  virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                         JS::MutableHandleIdVector props) const override;
+  virtual bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+                            JS::MutableHandleObject protop) const override;
+  virtual bool setPrototype(JSContext* cx, JS::HandleObject wrapper,
+                            JS::HandleObject proto,
+                            JS::ObjectOpResult& result) const override;
+  virtual bool getPrototypeIfOrdinary(
+      JSContext* cx, JS::HandleObject wrapper, bool* isOrdinary,
+      JS::MutableHandleObject protop) const override;
+  virtual bool setImmutablePrototype(JSContext* cx, JS::HandleObject wrapper,
+                                     bool* succeeded) const override;
+  virtual bool preventExtensions(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                                 JS::ObjectOpResult& result) const override;
+  virtual bool isExtensible(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                            bool* extensible) const override;
+  virtual bool has(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                   JS::Handle<jsid> id, bool* bp) const override;
+  virtual bool get(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                   JS::HandleValue receiver, JS::Handle<jsid> id,
+                   JS::MutableHandle<JS::Value> vp) const override;
+  virtual bool set(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                   JS::Handle<jsid> id, JS::Handle<JS::Value> v,
+                   JS::Handle<JS::Value> receiver,
+                   JS::ObjectOpResult& result) const override;
+  virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                    const JS::CallArgs& args) const override;
+  virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                         const JS::CallArgs& args) const override;
+
+  /* SpiderMonkey extensions. */
+  virtual bool hasOwn(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                      JS::Handle<jsid> id, bool* bp) const override;
+  virtual bool getOwnEnumerablePropertyKeys(
+      JSContext* cx, JS::Handle<JSObject*> wrapper,
+      JS::MutableHandleIdVector props) const override;
+
+  virtual bool getBuiltinClass(JSContext* cx, JS::HandleObject wapper,
+                               js::ESClass* cls) const override;
+  virtual const char* className(JSContext* cx,
+                                JS::HandleObject proxy) const override;
+
+  static const XrayWrapper singleton;
+
+ protected:
+  bool getPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
+                       unsigned flags, JS::MutableHandleIdVector props) const;
+};
+
+#define PermissiveXrayDOM \
+  xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>
+#define PermissiveXrayJS \
+  xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::JSXrayTraits>
+#define PermissiveXrayOpaque \
+  xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::OpaqueXrayTraits>
+
+extern template class PermissiveXrayDOM;
+extern template class PermissiveXrayJS;
+extern template class PermissiveXrayOpaque;
+
+/*
+ * Slots for Xray expando objects.  See comments in XrayWrapper.cpp for details
+ * of how these get used; we mostly want the value of JSSLOT_EXPANDO_COUNT here.
+ */
+enum ExpandoSlots {
+  JSSLOT_EXPANDO_NEXT = 0,
+  JSSLOT_EXPANDO_ORIGIN,
+  JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER,
+  JSSLOT_EXPANDO_PROTOTYPE,
+  JSSLOT_EXPANDO_COUNT
+};
+
+extern const JSClassOps XrayExpandoObjectClassOps;
+
+/*
+ * Clear the given slot on all Xray expandos for the given object.
+ *
+ * No-op when called on non-main threads (where Xrays don't exist).
+ */
+void ClearXrayExpandoSlots(JSObject* target, size_t slotIndex);
+
+/*
+ * Ensure the given wrapper has an expando object and return it.  This can
+ * return null on failure.  Will only be called when "wrapper" is an Xray for a
+ * DOM object.
+ */
+JSObject* EnsureXrayExpandoObject(JSContext* cx, JS::HandleObject wrapper);
+
+// Information about xrays for use by the JITs.
+extern JS::XrayJitInfo gXrayJitInfo;
+
+}  // namespace xpc
+
+#endif
diff --git a/js/xpconnect/wrappers/moz.build b/js/xpconnect/wrappers/moz.build
new file mode 100644
index 0000000000..fcf07a0181
--- /dev/null
+++ b/js/xpconnect/wrappers/moz.build
@@ -0,0 +1,32 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+EXPORTS += [
+    "WrapperFactory.h",
+]
+
+UNIFIED_SOURCES += [
+    "AccessCheck.cpp",
+    "ChromeObjectWrapper.cpp",
+    "FilteringWrapper.cpp",
+    "WaiveXrayWrapper.cpp",
+    "WrapperFactory.cpp",
+]
+
+# XrayWrapper needs to be built separately because of template instantiations.
+SOURCES += [
+    "XrayWrapper.cpp",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul"
+
+LOCAL_INCLUDES += [
+    "../../../dom/base",
+    "../src",
+    "/caps",
+]