Closed Bug 1018892 Opened 11 years ago Closed 10 years ago

Crash in iframe with sandbox without allow-top-navigation

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
b2g-v1.3 --- affected
b2g-v2.0 --- unaffected

People

(Reporter: archil, Unassigned)

Details

(Keywords: crash, Whiteboard: [b2g-crash])

Crash Data

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release) Build ID: 20140506152807 Steps to reproduce: Basically, opening the following HTML content: <iframe src="http://thepiratebay.se/" sandbox=""> </iframe> in B2G's native browser crashes the page. Note that The Pirate Bay tries to change top location but it's forbidden to do so. Actual results: The page crashed. Expected results: The page shouldn't have crashed.
Component: General → Gaia
marking as a crash/b2g-crash for tracking purposes, though it's not a crash with a crash signature.
Component: Gaia → DOM
Keywords: crash
Product: Firefox OS → Core
Whiteboard: [b2g-crash]
Needs a stack before we can do anything.
Keywords: stackwanted
First, let me update the HTML to this: <iframe src="http://thepiratebay.se/" sandbox="allow-scripts"> </iframe> How do I capture the stack trace from a phone? I'm experiencing the crash on Geeksphone Revolution running 1.3.0.0-prerelease. I've used the built-in crash reporter and the data should have already been submitted. By the way I tested the HTML in a simulator 1.3 but it doesn't crash.
The crash doesn't happen on the desktop browser, 29.0.1 http://mzl.la/1kH29Y1 This causes an actual crash on 28.0 : bp-9e2cd4e2-0fe9-49f7-a55c-fc6912140603 https://crash-stats.mozilla.com/report/index/9e2cd4e2-0fe9-49f7-a55c-fc6912140603 Gaia 5bd226b03a2d63dfe9df204f7c0afb9984e8fd42 Gecko https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/57cd741e4d0b BuildID 20140530024008 Version 28.0 ro.build.version.incremental=324 ro.build.date=Thu Dec 19 14:04:55 CST 2013 Buri Does not crash on Flame for : Gaia 4142df90c71abdc1e3a87cd37dff1a22d5e38b34 Gecko https://hg.mozilla.org/mozilla-central/rev/1e712b724d17 BuildID 20140529040201 Version 32.0a1 ro.build.version.incremental=94 ro.build.date=Tue May 20 09:29:20 CST 2014 Flame
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::ipc::SerializeURI(nsIURI*, mozilla::ipc::URIParams&) ]
status-b2g-v1.3: --- → affected
status-b2g-v2.0: --- → unaffected
Ever confirmed: true
Modified script works ( http://mzl.la/U9FJd4 ) fine on Flame build id : 20140529040201 Archil, if you are using the Geeksphone, then it should be sending us the symbols and the crash to our crash-stats server in which case all we need is the crash id. Instructions on getting the crash id can be found here : https://wiki.mozilla.org/B2G/QA/Tips_And_Tricks#command_line_to_get_the_crash_ids
Flags: needinfo?(archil)
We have a user on the support forum who crashed with the signature ( mozilla::ipc::SerializeURI(nsIURI*, mozilla::ipc::URIParams&)). User was downloading a 16GB file via LetitBit and was getting script errors leading up to the crash. Thread is at https://support.mozilla.org/en-US/questions/1004494. All of his crash reports are pointing to this bug. User is using 29.0.1.
moses, I think I see that all his crash reports are showing 28, not 29.0.1 Are you sure he upgraded?
Flags: needinfo?(mbermearios)
Naoki, Interesting. I can't see how I could've missed that huge (Firefox 28.0 Crash Report) at the top. It seems like the user has just dropped out of the thread so we can't have anymore information. I've left a new reply to him and let's see if he will reply. I've also left a link to this bug report so he can reply as I'm going to be taking a "sabbatical" from Mozilla for a few months as I'm going up to Spokane. I've also asked if he could upgrade to 30 and get the latest crash reports from 30 if it does crash. At least we can see if it's affect 30 or 29 and up.
Flags: needinfo?(mbermearios)
I'm sorry. I cannot run adb on my machine. But the bug is always reproducible on my phone.
Flags: needinfo?(archil)
Thank you, moses, for your help. have a safe trip. enjoy your "sabbatical". :) Archil, this is a gecko 28 bug, which means that 1.3 would be affected, so yes. I agree that it will most likely occur on your phone. I am unsure if 1.4 ( gecko 30 ) is affected or not at this time. What this is indicating is either a fix or a code change already has gone into effect and that's why it's not reproducing in the latest. We could probably do a hunt to see if the change is reasonable to push to 1.3/gecko 28. At this point though, I am unsure if we will push to 1.3. We should check 1.4. QAWanted for checking the webpage http://mzl.la/1kH29Y1 to see if it crashes on 1.4
Keywords: qawanted
Naoki Wrote: [ QAWanted for checking the webpage http://mzl.la/1kH29Y1 to see if it crashes on 1.4 ] On v165 Base 1.4 Flame set to 319mb using Full flash, the webpage loads correctly. No crash is seen. Webpage loads correctly. Environmental Variables: Device: Flame 1.4 BuildID: 20140814202332 Gaia: 129211661489feb60bbd6772a44081d23b374f17 Version: 30.0 (1.4) Firmware: v165 User Agent: Mozilla/5.0 (Mobile; rv:30.0) Gecko/30.0 Firefox/30.0
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(jmitchell)
Keywords: qawanted
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(jmitchell)
I just filed bug 1117337 for a similar crash.
Crash Signature: [@ mozilla::ipc::SerializeURI(nsIURI*, mozilla::ipc::URIParams&) ] → [@ mozilla::ipc::SerializeURI(nsIURI*, mozilla::ipc::URIParams&) ] [@ mozilla::ipc::SerializeURI ]
Okay, as long as newer versions doesn't crash, let's close this bug.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.