Closed Bug 1058921 Opened 10 years ago Closed 9 years ago

Disable unsafe Window APIs in prerendering

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37

People

(Reporter: rvid, Assigned: rvid)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

1058921.patch
10.55 KB, patch
jst
: review-
Details | Diff | Splinter Review 
close, focus, open, alert, confirm, prompt, print, showModalDialog, moveTo, moveBy, resizeTo, resizeBy, back, forward, home, maximize, minimize, restore, sizeToContent, fullscreen, find
Blocks: prerendering
Summary: Disable some Window APIs in prerendering → Disable unsafe Window APIs in prerendering
Attached patch 1058921.patchSplinter Review 
Assignee: nobody → roshanvid

    
  

        Attachment #8483800 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 8483800 [details] [diff] [review]
1058921.patch

These changes all look good, but we should also flag innerWidth, innerHeight, outerWidth, outerHeight. Though for those we probably only want to flag the setters... do we have support for that already?

r- to deal with those additional properties.

        Attachment #8483800 -
        Flags: review?(jst) → review-

    
    

    
  
Oh, forgot to mention that those properties are disabled by default, but can be enabled per site, so we may want to do the checking in the implementation of those rather than using webidl annotations.

    
    

    
  
I filed bug 1117876 as a follow-up to this to blacklist those setters as well.  We probably want to do that in the implementation which is why I'm breaking that up into its own bug.

https://hg.mozilla.org/integration/mozilla-inbound/rev/c7fdb9bfb672

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/c7fdb9bfb672
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: