Closed Bug 25821 Opened 25 years ago Closed 21 years ago

javascript: URL links with TARGET not processed correctly.

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
Future

People

(Reporter: yamfe, Assigned: mscott)

References

(
URL
)

Details

(Keywords: dom0, helpwanted, Whiteboard: [nsbeta2-][rtm-] r=brendan, sr=mscott)

Attachments

(4 files)

Proposed fix that fixes JS URL's targetted at an existing window.
1.59 KB, patch
Details | Diff | Splinter Review
New patch that only does a FindItemWithName() if a javascript: URL is loaded.
1.59 KB, patch
Details | Diff | Splinter Review
New patch without the long unrelated line of text...
1.45 KB, patch
Details | Diff | Splinter Review
Testcase for the problem described in the summary
187 bytes, text/html
Details 
I am using Mozilla to access an Oracle Application and it
gives out those bugs:

1. There are additional text that are displayed each time tables are
used. The texte are '1x1space'. The text could have been there
for testing purposes only... Just in case. I prefer mentioning that
2. The bottom frames of the application use different colors. The
'green' colour is displayed properly while there is a bug displaying
'blue'

Hope this helps
The problem appears on the third page in this site: click all check marks, click
continue, then continue again.  The "1x1space" appear where spacer gifs named
"1x1space.gif" should be displayed. 
I've had this problem before as well, on sites such as
http://www.browndailyherald.com/.

It seems as though spacer gifs (perhaps spacer images in general? unlikely...)
don't like being rendered. The primary characteristic of spacer gifs is that all
their pixels (no matter what size the image is) are transparent. Perhaps there
is code in Moz which doesn't grok this and falls back by displaying the image name.

After marking all of the checkboxes and hitting the continue button, I'm getting 
a javascript error and nothing happens. I don't know if the html is bad or it is 
a javascript error. Reassigning to Norris.

JavaScript Error: ReferenceError: go_forward is not defined
Assignee: karnaze → norris
Change component to DOM and reassign.
Assignee: norris → vidur
Component: HTMLTables → DOM Level 0
QA Contact: chrisd → desale
Okay, here's the story:

There are two simplest testcases: one is when the image is missing (in the case 
of browndailyherald.com, or my own sample, 
http://www.thirdnipple.com/mozilla/missing_image.html) or when the image is 
broken (in the case of 
http://www.national.com.au:8001/apphloan/bin/g_images/1x1space.gif, which is a 
way to get that image without surfing around).

In other words, I don't believe it's a DOM bug at all. It's more of an 
"indecision" bug -- they didn't want to display the "broken-image" image, and 
didn't want to display nothing at all (which is what NS4 does), so they 
displayed the first part of the filename instead.

All that needs to be done is to come to a decision about what to display if the 
image is busted or missing. Fixing the bug after that should be trivial.
Whiteboard: 2 "simplest" testcases found
The javascript problem that Chris Karnaze mentioned seems to occur because the 
bottom frame of the page has a link with javascript: URL with a TARGET 
attribute. We're currently ignoring the TARGET attribute. I don't know if this 
contributes to the problem reported originally.

I'm going to change the Summary to reflect the javascript: problem.
Status: NEW → ASSIGNED
Summary: Additional text printed in table / backgroung colour in Frames → javascript: URL links with TARGET not processed correctly.
Target Milestone: M16
Vidur, these are two distinct bugs: the javascript bug currently reflected in 
the summary (reported by karnaze) and the broken/missing image bug 
(reported by yamfe@yahoo.com) which I've found testcases for.

Somebody ought to separate these bugs, but I don't know whether there is a 
standard way of doing this...
Nominating nsbeta2. We have to start drawing a line on DOM0 backward 
compatibility; these bugs are supposed to be a high priority for nsbeta2 per the 
beta2 criteria.
Keywords: 4xp, nsbeta2
need to add a "missing image" bug to split off that problem. ekrock, can you do 
this?
Whiteboard: 2 "simplest" testcases found → [nsbeta2-]2 "simplest" testcases found
Tested above testcases tonight.  This bug also shows up on Mac OS build M16-

2000052408.   Perhaps this should be marked as an "All" platform bug?

iMac DV, Mac OS 9.0.4, MRJ 2.2, carbon libs 1.0.4.


The 'broken/missing image problem' has been seperately reported. 
Pls use bug 42364 to continue discussion on that problem .Thnx.
M16 has been out for a while now, these bugs target milestones need to be 
updated.
If we aren't going to fix this for nsbeta2, then this should *** definitely *** 
be an nsbeta3 stopper. b.c. with DOM0 event handling. No brainer that we have to 
fix this before FCS.
Keywords: nsbeta3
Re-assigning to mscott for further analysis as per the decision in our bug 
triage meeting.
Assignee: vidur → mscott
Status: ASSIGNED → NEW
*ahem* unfortunately at the url specified by this url, layout is no longer
laying out the continue button so I can't reproduce the steps karnaze was
following. 
Escalating to P2 as this is high profile backward compatibility. javascript: 
URLs with TARGET for links have been supported since Nav2 IIRC. As such, this is 
eligible for check-in through 9/21. mscott, do you think you could fix by then? 
If so, please accept as [nsbeta3+].
Priority: P3 → P2
comparing priority of this w/other mscott bugs...
Whiteboard: [nsbeta2-]2 "simplest" testcases found → [nsbeta2-][b3 need info]
mscott is overloaded. Can anyone lend a hand with this or suggest another person 
who could? If we don't get this fixed, javascript: URL links with a designated 
TARGET won't be processed correctly for RTM. Bad, as this is JS 1.0 DOM0 
backward compatibility. Help!!! Marking helpwanted. cc:ing folks who might be 
able to help or suggest someone who can.
Keywords: helpwanted, rtm
Anyone, mscott especially: if you make the URL a non-javascript: one, does the 
targeted window or frame load?  If so, what's different about javascript: URL 
handling?  Any pointers to code (LXR links) would be much appreciated.  I have 
not dived into the nsJSProtocolHandler.cpp pool in a while.

/be
Assignee: mscott → brendan
Status: NEW → ASSIGNED
Target Milestone: M16 → M18
Here's the problem Brendan: The docshell evaluates JS urls in a special fashion
before we even invole the uriloader. The act of opening a JS channel actually
forces evaluation of the JS. Warren tried to change this behavior in the
JSProtocolHandler but ran into a whole slew of problems (I don't remember them
now) and was forced to go back to the current behavior.

Before the uriloader is invoked, we create a channel for the URI. In the normal
case, we then pass this channel into the uriloader which opens the channel,
discovers the content type and retargets the output to the correct consumer.
However, the JS Protocol Handler evalues the JS when you create the channel. So
the result has already been determined before the uriloader is even involed. In
fact, we don't involve the loader at all if the result of the channel creation
was: NS_ERROR_DOM_RETVAL_UNDEFINED.

Here's the relevant code in docshell: nsDocShell::DoURILoad

   // open a channel for the url
   nsCOMPtr<nsIChannel> channel;
   nsresult rv;
   rv = NS_OpenURI(getter_AddRefs(channel), aURI, nsnull, loadGroup,
                     NS_STATIC_CAST(nsIInterfaceRequestor*, this));
   if(NS_FAILED(rv))
      {
      if(NS_ERROR_DOM_RETVAL_UNDEFINED == rv) // if causing the channel changed the
         return NS_OK;                        // dom and there is nothing else to do
      else
         return NS_ERROR_FAILURE;
      }

Somehow I got taken off the bug list, cc'ing myself again.
Target Milestone: M18 → M16
Thanks mscott (sorry about not cc'ing you, I took the bug -- hope you don't mind
that ;-).

Without reopening the can of worms that warren closed by having the JS
evaluation take place at channel creation time, I bet we can fix this: don't we
know the TARGET attribute?  In the case of a non-javascript: URL, how does the
URI loader discover that another window is being targeted?

/be
The uriloader has a private method called GetTarget:
http://lxr.mozilla.org/seamonkey/source/uriloader/base/nsURILoader.cpp#509

this method does the work of finding the right window context to open the url
inside of before it calls AsyncRead.

Presumably, this method could be made public and the JS ProtocoolHandler could
attempt to call through it to get the right window context (which can be
GetInterace'd for a docshell) before evaluating the JS.
OS: Windows NT → All
Hardware: PC → All
Target Milestone: M16 → M18
B3 has passed.  Clearing "b3 need info"
Whiteboard: [nsbeta2-][b3 need info] → [nsbeta2-]
Target Milestone: M18 → ---
Seems like this should be rtm-.  Is there an argument that huge numbers of 
people will experience this bug?  It looks like a great thing to get on the 
trunk though.  Please update the status whiteboard to indicate your desire to 
get into RTM or not.
Whiteboard: [nsbeta2-] → [nsbeta2-][need info]
We are having this exact same problem with BuyerXpert 4.0, and if not fixed 
would prevent us from supporting Netscape 6 with our Bx4.0 release on 11/30.  We 
use the target field to update information from our catalog order frame on the 
right to the shopping cart frame on the left.  The left frame does not get 
rendered with the updated information.

Would like priority reset to P1 and severity as blocker
To recreate the problem here's the URL

http://maidstone.red.iplanet.com:9090/NASApp/buyer/Login
enter mercury.com
login as bugsbunny1
password is bugsbunny1
click on buy
click on following links in order general catalog, office furniture, book01
click on first select box
click on add to cart

At this point the left hand frame does not get rendered with the shopping cart 
information that should reflect the item that has been added to the cart.
Tompkins, I followed your instructions and I do get the item in the left frame
when, am I missing something?
Brendan, a real fix for this problem will require a redesign of the way we do
link targetting in the docshell/uriloader, the way it's done today seems just
really really wrong. The problem is that when you click on a link today we tell
the docshell (the one that the link is displayed in) that the link was clicked,
then the docshell does it's URI loading (including mucking with session history
for the docshell where the link is, even if the link has a target!!!), initiates
the URL load and passes the URL load, including the target, off to the
uriloader. Once the uriloader gets a responce from the net/file it looks for the
target for the URL load and if there's no target it opens up a new window and
hands the data off to that window.

The problem with javascript: URL's is that they're actually executed when the
docshell initiates the URL load and thus the context they execute in is always
the one where the link came from.

We can fix part of this problem fairly easily, today the docshell always passes
'this' as the interface requestor to NS_OpenURI(). NS_OpenURI() is where the JS
in javascript: URL's is executed, passing in 'this' in the docshellcauses the JS
to always execute in the initiating window. In stead of passing in 'this' to
NS_OpenURI() we can do a FindItemWithName() in the dochshell and pass in the
other docshell as the interface requestor and the JS will be executed in the
correct window even if there's a target in the link *as long as the target
exists*. If the target window doesn't exist when the link is clicked
FindItemWithName() won't find the window so we'd haveto open the new window at
that time and that could have unknown bad side effects that I don't feel good
about at this stage in the game.

I'll attach a patch that makes targetting of javascript: URL's work as long as
the target window exists when the link is clicked. This is only a bandaid for
hiding the real problem...

Are there security issues we need to consider here, what if someone targets a
javascript: URL at a chrome window, will the normal security checks catch that
or would we need more code to deal with such a case?

Comments? Should we shoot for limbo with this?
Cc'ing mstoltz to comment on the security hazards of your patch.

/be
I just spoke to Rick Potts about this and he thought it would be an acceptable
change for the branch but we decided to special case this for javascript: URL's
since nobody seems to really know exactly what the interface requestor that we
pass into NS_OpenURI() is used for so just to be on the safe side we should only
do the FindItemWithName() if a javascript: URL is loaded. I'll whip that change
into my patch...
Something's wrong with those patches -- there's a reeeeeeeeeally long line of 
text above the added code, that's not a comment.  Also, the second patch looks 
just like the first?

/be
Works for me as well.....using 10-31-00-14-MN6
Oops, my bad, have a look at the latest attachment.
mstoltz: check me here, I think so long as the subject principals used to 
compile and execute (evaluate via an XPCOM proxied call) the script from the 
javascript: URI's path part come from the channel, never from the ifreq, jst's 
change is as secure as before, and fixes the problem that the script doesn't 
evaluate using the target window as scope chain.

Indeed, 
http://lxr.mozilla.org/mozilla/source/dom/src/jsurl/nsJSProtocolHandler.cpp#127 
gets the channel owner and QIs to nsIPrincipal.  So provided the channel for a 
javascript: URI always has as its owner the principal of the document in which 
the URI was embedded as a link (and of course that the QI succeeds), we are ok.

/be
Downloaded 10/31 N6 latest build.  Works for me now, in latest build.

Brendan,
   Yes, this sounds all right to me. This change doesn't affect the assignment
of principals to the channel which happens in docshell.
jst: r=brendan@mozilla.org on your last patch, but keep a bug open on the horrid
strncasecmp that makes the fix a special case for javascript: URIs.  It should
be a general case, on the trunk, by mozilla0.9 I say.

/be
Adding keyword relnoteRTM, since there are lots of URL's with Target could be 
affected.
Keywords: relnoteRTM
I like jst's work around for now until Rick and I fix this for mozilla later on.
I'd also like to petition this for the rtm branch since so many commercial sites
use window targeting with JS urls.

sr=mscott
Whiteboard: [nsbeta2-][need info] → [nsbeta2-][rtm need info]
This has a r= and sr=, and should go to rtm+ asap.
Whiteboard: [nsbeta2-][rtm need info] → [nsbeta2-][rtm need info] r=brendan, sr=mscott
Ok, I'll set [rtm+] (hope I'm not stepping on anyone's toes).

This is yet another DOM level 0 compatibility bug that didn't get enough 
attention (my fault as much as anyone's; I took it from jst's list a while ago 
to "help", then got caught in "higher priority" stuff), and suddenly seemed to 
break important pages late in the game.  Those pages may seem to work without 
the fix, but this is yet another bug that could turn into a Big Compatibility 
Deal fast, next week or next month.

The fix helps greatly for frame targeting, and the only case it doesn't address 
is new-window.  I urge the pdt to take this bug for rtm.

/be
Whiteboard: [nsbeta2-][rtm need info] r=brendan, sr=mscott → [nsbeta2-][rtm+] r=brendan, sr=mscott
Please land it on the trunk and test with BuyerExpert 4.0.  Bring it back when 
we know how it performs.
Whiteboard: [nsbeta2-][rtm+] r=brendan, sr=mscott → [nsbeta2-][rtm need info] r=brendan, sr=mscott
The fix is checked into the trunk now.
jst, you are the man and I am not.  I'll do what I can to help get this rtm++'d 
and in Netscape 6.

/be
Assignee: brendan → jst
Status: ASSIGNED → NEW
jar's radar, at least, ignores NEW bugs.  ASSIGNING for jst.

/be
Status: NEW → ASSIGNED
We don't ignore "NEW bugs.
We do watch for "rtm+" bugs.
Please get info on buyer expert, add to bug, and renominate.
Thanks,
Jim
jar: ah, sorry -- thought I saw my name on your list (I got your mail), and I 
had no [rtm+] bugs (not this [rtm need info] one, which I reassigned to jst).

Buyer Expert 4.0 people have been contacted, looking for positive feedback.

/be
Consider me the BuyerXpert 4.0 contact.  Our original problem related to using 
the javascript target field to rendor in another frame disappeared when we tried 
it on the 10/31 build.   From a BuyerXpert 4.0 perspective we consider our 
original problem (which we equated with this bug) to be resolved.
So this should go back to rtm+ now?

Tested on 11/02 (todays) build as well.  The reason I did this, is I'm 
not sure of your checkin/build policy/system, so am not sure where the 
fix is at the moment.  Is it being built, is it in 11/02 build, or?  
Anyway on 11/02 build, everything still aok for BuyerXpert 4.0 as it relates to 
this bug.
This fix was placed in the trunk so it is in 11/02's build.

This has met all the criteria that the PDT asked for, and it should go back to rtm+.

yes this should be rtm+. The limbo list is getting made right now. Hopefully we
didn't miss it.
Whiteboard: [nsbeta2-][rtm need info] r=brendan, sr=mscott → [nsbeta2-][rtm+] r=brendan, sr=mscott
rtm-, already working for BuyerExpert 4.0 in 10/31 build.
Whiteboard: [nsbeta2-][rtm+] r=brendan, sr=mscott → [nsbeta2-][rtm-] r=brendan, sr=mscott
BuyerXpert 4.0 works with the branch bits as well (using the download link
below).  So our problem seems to be resolved.
ftp://sweetlou/products/client/seamonkey/windows/32bit/x86/2000-11-02-09-MN6
Mark



Dupe of Bug 51237 ?
(Mozilla confuses multiple ports on same machine)
My workaround for this wasn't taken into the rtm branch so I'm reassigning this
to mscott who will fix this the right way on the trunk...
Assignee: jst → mscott
Status: ASSIGNED → NEW
Removing tompkins as cc
Nominating nsbeta1. DOM0 b.c. and we'd like the "fixed the right way" fix to be
included for nsbeta1.
Keywords: nsbeta1
Keywords: dom0
what's up with this bug? looks like we have pantloads of ns6.0 rtm keywords...
is this bug fixed on the trunk? if so, might as well close it...
marking nsbeta1-
Keywords: nsbeta1nsbeta1-
Target Milestone: --- → Future
I think this patch introduced a cross-domain vulnerability: bug 77485, 
"function definition isn't subject to domain checks (exploit involves targeted 
javascript links)".
another reference to see the problem:

http://www.severianoribeiro.com.br/
So what is the bug about at this point?  The testcase worksforme.  What's left
to do?
testcase wfm with Camino nightly build 20040208, Mac OS 10.3.2.
Worksforme in 1.6 -- did something regress?

/be
Huh?  What do you mean?  Nothing seems to have regressed that I can see... then
again, no one seems to be clear on what the right behavior is:

1)  Where should the JS be evaluated?
2)  With what priveleges?
3)  Where should the output be displayed?

At the moment, #3 is the target frame; #1 I'm not sure about (but it's easy to
test), #2 is the nsIPrincipal of the calling document.
bz: sorry, I thought someone was still claiming "broken".  If not, then
shouldn't this be WFM.  Any new problem goes in a new bug.

Regarding your questions:

1)  Where should the JS be evaluated?
2)  With what priveleges?
3)  Where should the output be displayed?

The answers are well-known and documented by various books, and more primarily,
by the MozillaClassic code.

The only wrinkle in the latest testcase not supported back in the old Netscape
Mozilla codebase is the data: URL, but a javascript: URL evaluating to a string
beginning with < would have the same effect (in that case, there would be an
inner javascript: URL in the a href attribute value).  The JS is evaluated when
the link is clicked, in the lower frame.  The privileges of generated documents
come from the generator.  The output goes in the link target.

Why is any of this unclear?  Really, I'm not being snarky -- can you point out
some conflicting spec or implementation?

/be
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
I wasn't saying that it was unclear what _should_ happen.  Just that it's
unclear to me what we do for #1.  And that's unclear because nsDocShell.cpp is a
bloody undocumented mess.
Yeah, docshell hurts my eyes.  I just reviewed a jst patch that had to touch it
(bug 68215).  It's in need of an enema before mozilla2.0, for sure.

/be
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: