1005806 - Iterating <input> properties throws a security Error because HTMLInputElement.controllers is not chromeonly

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Thor Larholm]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36

Steps to reproduce:

Iterating the properties on an <input> element throws a security Error when accessing the "controllers" property.

This is a recent change in Firefox 29, and I suspect it is a side-effect caused by https://bugzilla.mozilla.org/show_bug.cgi?id=794943




Actual results:

> var input = document.createElement("input");
> typeof input.controllers;

Error: Permission denied for <https://www.google.com> to create wrapper for object of class XULControllers


Expected results:

> var input = document.createElement("input");
> typeof input.controllers

"object" or "undefined"

Comment 1

[Thor Larholm]

Note that the behavior in Firefox 28 was for typeof to return "object".

However, controllers is not defined on HTMLInputElement.

https://developer.mozilla.org/en/docs/Web/API/HTMLInputElement

It is however defined in XUL

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Property/controllers

Part 3 of the patch in bug 94943 makes the controllers property [ChromeOnly], in which case I would expect it to not be exposed at all to webpages and typeof to return "undefined".

Comment 2

[Boris Zbarsky [:bzbarsky]]

> Part 3 of the patch in bug 94943

I assume you mean bug 794943?

That was for Window.controllers, not HTMLInputElement.controllers.

Bobby, is there a reason the latter is not chromeonly?

Comment 3

[Bobby Holley (:bholley)]

(In reply to Boris Zbarsky [:bz] from comment #2)
> Bobby, is there a reason the latter is not chromeonly?

Not that I know of. Patch coming up.

Comment 4

[Bobby Holley (:bholley)]

Attachment: HTMLInputElement.controllers should be [ChromeOnly]. v1

Comment 5

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8417445 [details] [diff] [review]
HTMLInputElement.controllers should be [ChromeOnly]. v1

r=me.  We should probably get this backported to aurora/beta too.

Comment 6

[Bobby Holley (:bholley)]

This is a web-visible regression with a simple fix. We should track for branches.

https://tbpl.mozilla.org/?tree=Try&rev=c4e0ccd1fda9

Comment 7

[Bobby Holley (:bholley)]

Comment on attachment 8417445 [details] [diff] [review]
HTMLInputElement.controllers should be [ChromeOnly]. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 794943
User impact if declined: weird gecko-specific exception thrown when iterating properties.
Testing completed (on m-c, etc.): Haven't pushed to m-i because it's closed. Will soon.
Risk to taking this patch (and alternatives if risky): Very low risk. 
String or IDL/UUID changes made by this patch: None

Comment 8

[Bobby Holley (:bholley)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/a4e798884d04

Comment 9

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/a4e798884d04

Comment 10

[Thor Larholm]

Yes I meant bug 794943, that was a typo on my part.

Thank you for the quick acknowledgement and turnaround.

Comment 11

[Boris Zbarsky [:bzbarsky]]

Thor, thank you for reporting the issue, and pinpointing what the problem is!

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/2bd1995be292
https://hg.mozilla.org/releases/mozilla-beta/rev/02e1dd202d67

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/02e1dd202d67

Comment 14

[Bogdan Maris, Desktop Test Engineering]

Reproduced the initial issue using old Nightly (2014-04-30) on Windows 7 64bit, verified as fixed using Firefox 30 beta 3, latest Aurora and latest Nightly on Windows 7 64bit, Mac OS X 10.9.2 and Ubuntu 13.10 32bit.