Closed
Bug 163645
Opened 23 years ago
Closed 22 years ago
User defined properties of Javascript navigator object are not remembered when a new page is loaded.
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
People
(Reporter: aniapte, Assigned: caillon)
References
Details
(Keywords: dataloss, regression)
Attachments
(3 files, 1 obsolete file)
|
658 bytes,
text/html
|
Details | |
|
470 bytes,
text/html
|
Details | |
|
18.11 KB,
patch
|
security-bugs
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.1a) Gecko/20020611
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.1b) Gecko/20020818
I am trying to create user defined properties in the navigator object such as
navigator.id = 1122334455. This property should be retained when I load a new
page and should be accessible from it. Trying to access the property from the
newly loaded page returns undefined.
This works on 1.1a on Windows but not on 1.1b and the nightly of August18 2002.
Testing on Warpzilla (Mozilla for OS/2) looks like this...
1.1b - fails
1.1a - works
1.0 - works
rc3 - works
rc2 - fails
rc1 - fails
This behavior works correctly on IE also.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
|
Reporter | |
Comment 1•23 years ago
|
||
|
|
Reporter | |
Comment 2•23 years ago
|
||
|
|
Reporter | |
Updated•23 years ago
|
Attachment #96013 -
Attachment description: First load this. → Testcase file 1. Download both the testcase files to the same directory and then load file 1.
|
|
Reporter | |
Updated•23 years ago
|
Attachment #96014 -
Attachment description: Open this attachment after the first one has been loaded. → Testcase file 2 - Open this attachment after the first one has been loaded.
|
|
Reporter | |
Comment 3•23 years ago
|
||
HOW TO RECREATE: Load the 1st attachment
http://bugzilla.mozilla.org/attachment.cgi?id=96013&action=view
This creates a navigator object property, navigator.id and sets it to 1122334455
Now, in the same window load the second attachment
http://bugzilla.mozilla.org/attachment.cgi?id=96014&action=view
Clicking on the button shows an alert with the value of navigator.id
If bug exists, value of navigator.id will be undefined, else, it should say
1122334455.
|
||
Comment 4•23 years ago
|
||
Confirming. This appears to be a regression from bug 150087. Commenting out the
NS_RELEASE(mNavigator) in nsGlobalWindow.cpp makes the testcase work.
Seems like dataloss to me, adding keywords and upping severity. We should get to
this ASAP.
|
Assignee | |
Comment 7•22 years ago
|
||
Rather than delete the whole navigator object, just delete what we want to be
recreated. This works against the testcase provided, and bug 150087 doesn't
seem to work for me with or without the patch...
|
||
Comment 9•22 years ago
|
||
This is a big one for one of our customers. Very small change...
I believe jst had issues with the patch, and it seems like fixing this bug would
cause a security hole as well, so the probable solution seems to be wontfix at
this point...
|
|
||
Comment 11•22 years ago
|
||
Can you be more specific? This is a pretty big regression for us, so we took
this fix and put it in our IBM Web Browser.
We have a huge customer that depends on this behavior...
|
|
Assignee | |
Comment 12•22 years ago
|
||
From my conversation with jst, this won't work all of the time. If I remember
correctly JS will cause a GC to happen after like 2-3 seconds or something, and
the fix won't work after that. I don't remember discussing a security issue
with him.
|
||
Comment 13•22 years ago
|
||
The problem with the patch is that the JS wrapper for the navigator object is
unrooted when we go from page to page, and if no script in the new page grabs a
reference to the navigator object before we run GC (~2s after we leave a page)
the JS wrapper will go away.
Other than that, there's more problems here too. This patch, even if the above
issue was fixed, only fixes part of the original problem. Real issue here is
that NS4x had only one navigator object and all windows had access to that. That
introduces security problems (such as bug 141969), and I don't think doing that
is a good idea (that behaviour was never intended in NS4x, to my knowledge).
Now IE doesn't behave exactly like that, IE does what this patch tried to do,
and while that's less insecure than what NS4x does, I can't say I like that very
much either. However, if that behaviour is absolutely needed, this patch, with
the above issue fixed, would make us behave like IE does.
Mike, is IE's behaviour what you're looking for?
|
|
||
Comment 14•22 years ago
|
||
I believe it is IE's behavior.
The customer here is using a navigator.foo variable to store the state of their
application, so when the user hits reload, they know not to go back to the
server and reinitialize the whole application.
|
|
Assignee | |
Comment 15•22 years ago
|
||
Okay after talking with jst, I think I have a handle on how to properly fix
this. Taking since I'm working on the patch.
Assignee: dom_bugs → caillon
|
|
Assignee | |
Comment 16•22 years ago
|
||
Okay, this should do the right thing. On top of the changes for this bug, I
needed to modify a few things in caps to ensure that the security checks I
added will work properly across domains when we don't have any code on the JS
stack, and are in process of switching pages. That is included in this patch.
|
|
Assignee | |
Updated•22 years ago
|
Attachment #124476 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•22 years ago
|
Attachment #125859 -
Flags: superreview?(jst)
Attachment #125859 -
Flags: review?(mstoltz)
|
||
Comment 17•22 years ago
|
||
Comment on attachment 125859 [details] [diff] [review]
Better fix
The patch looks good.
Chris or Johnny, is it OK to release mDocumentPrincipal in SetNewDocument? Are
we using the cached principal for anything else later?
Let me know, but r=mstoltz anyway.
Attachment #125859 -
Flags: review?(mstoltz) → review+
|
|
Assignee | |
Comment 18•22 years ago
|
||
Mitch, we don't use it later on. Also, note that we already were releasing it
in the same case earlier on in the function. I just held on to it a bit longer
before releasing it for good so I could run my same origin checks on it.
|
|
||
Comment 19•22 years ago
|
||
Comment on attachment 125859 [details] [diff] [review]
Better fix
+ if (mNavigator) {
+ // Loading a new document. Compare it's principal against the
+ // old principal to see whether we are allowed to keep the old
+ // navigator object.
Only need to do that if mNavigator && mDocumentPrincipal, shouldn't ever have a
navigator and no old principal, but you never know in this codebase...
+ if (mNavigator && aDocument) {
+ // Make our JS wrapper hold on to the navigator object so
+ // that it doesn't go away when transitioning from page to
+ // page. We do this by just asking for the navigator
+ // property on the global object. That causes the global
+ // object's resolve hook to cache the property on the
+ // global, and thus root it which prevents GC from getting
+ // rid of the object.
+
+ jsval dummy;
+ ::JS_GetProperty(cx, mJSObject, "navigator", &dummy);
+ }
This code is now inside an if (mDocument) check, so aDocument will never be
non-null. This code needs to go further down inside the if (mContext &&
aDocument) check.
- In nsGlobalWindow.h:
+ // XXX We need mNavigatorHolder because we make two SetNewDocument()
+ // calls when transitioning from page to page. This keeps a reference
+ // to the JSObject holder for the navigator object in between
+ // SetNewDocument() calls so that its root doesn't get garbage
+ // collected in between these calls.
Make that "... so that the JSObject doesn't get garbage collected..."
sr=jst with those changes.
Attachment #125859 -
Flags: superreview?(jst) → superreview+
|
|
Assignee | |
Comment 20•22 years ago
|
||
Fix checked in with the same origin check discussed. Mkaply, could you verify
this now works?
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Summary: User defined properties of Javascript navigator object are not remembered wneh a new page is loaded. → User defined properties of Javascript navigator object are not remembered when a new page is loaded.
|
|
Assignee | |
Comment 21•22 years ago
|
||
Just to clarify what this patch does:
It will keep the user-defined properties of window.navigator if moving in
between pages in the same origin. Once the window moves to a different origin
however, the properties of navigator are "forgotten".
|
||
Comment 22•22 years ago
|
||
This patch caused bug 209946 (copying text fails)
|
||
Comment 23•22 years ago
|
||
caillon, please check all consumers of
nsScriptSecurityManager::CheckSameOriginPrincipal before marking this solved.
This regressed all XSLT security checks for chrome URLs, too, filed bug 210601.
Makes me wonder if p3p is broken these days.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 24•22 years ago
|
||
Dude this is fixed. If you file a new bug, there is no need to reopen this one.
This bug should only get reopened if this patch gets backed out, which it won't.
Fixed again.
Status: REOPENED → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 25•21 years ago
|
||
*** Bug 50753 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•