If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

javascript exception: Permission denied to get property "HTML.Document.forms"




16 years ago
15 years ago


(Reporter: Squeak Man 2k1, Assigned: Mitchell Stoltz (not reading bugmail))



Firefox Tracking Flags

(Not tracked)



(1 attachment)



16 years ago
I get this error when running a smart-bookmarklet script in galeon (but it's
reproducable in mozilla as well):

"Permission denied to get property

This is an example script:
alert(frames[2].document.forms[0]."any property".value);
note: this errors because i can't reference document.forms w/o getting security
exception :(

This is what's unclear:
How can they (the website) deny me access to a property when the script
is being run on my machine on a page that I have loaded locally? I could
see if I were submitting it like cgi or something. Shouldn't I be able to do
anything to any page loaded on my machine. It's up to their website to verify
form data, right? If not, is their at least some preference i can set to turn
this protection off?

As an aside, the reason I was using the script was to make my browsing easier by
automatically entering the same note on a form on one of those online
communities to eliminate cut & paste, but using the script to set the form
values (form.SUBJECT.value, form.MESSAGE.value), and then submitting the form
(form.submit ()). i can't get a reference to the form without getting that
error. i was using 2 different sites (that
are based on the same engine - they look the same, only differ in name). they
have the same number of frames, layout, etc. i get the error on only _one_ of
the sites. this also confused me.

i doubt if anyone is interested in trying this out because you'd have to sign up
for a stupid website but if you tell me any commands to run to make mozilla give
more verbose errors or something i could do it.

i hope that what i've said actually makes sense. thanx for making a great browser.
Bookmarklets run in the javascript environment of the current page.  This is not
the page denying access.  This is Mozilla denying permission for an untrusted
script running on a page in one domain to access a page in a different domain.

Running bookmarklets with chrome privileges is also an unacceptable security
risk, since chrome can perform fairly arbitrary operations (open files on your
disk and write to them, eg) and bookmarklets are so easy to create by just
dragging a link from a random page.

If you could attach the source of the frameset in question using
http://bugzilla.mozilla.org/attachment.cgi?bugid=111889&action=enter and say in
the bug what its url is, that would make it clear whether the documents really
are in different domains or whether Mozilla is screwing up somehow....
Assignee: rogerl → mstoltz
Component: Javascript Engine → Security: General
QA Contact: pschwartau → bsharma

Comment 2

16 years ago
Created attachment 59137 [details]
the frameset source from the page that exhibits the bug

http://www.migente.com/Members/ is the actual url of page.
u have to be a member though.
setting status to NEW since nothing here should obviously be triggering that
security exception
Ever confirmed: true

Comment 4

16 years ago
I'm guessing the frameset and frames[2] are coming from different hosts. Is this
the case? The bookmarklet runs with the permissions of the frameset, so it can't
access frames[2].document.forms[0] if frames[2] comes from a different host.
That's the expected behavior.

I'll take a closer look, but this is probably a wontfix.

Comment 5

16 years ago
well, is there anyway to select the frame that i want to run the bookmarklet
on then. maybe a context menu like "run bookmarklet on this frame". otherwise
it's not possible to do what i want which is bad because i won't have my way :)

note: i tried in internet explorer and the same security exception was thrown. so
this is probably is the expected behavior. but maybe in 1.1 the context menu
could be added (or some other way). or in 1.0 if there's nothing else to do :)

Comment 6

15 years ago
Well, no one has stepped forward to add the feature you suggest, so I'm going to
mark this wontfix. I'm sorry your bookmarklet doesn't work as expected, but
security has to come first.
Last Resolved: 15 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.