Closed
Bug 1210293
Opened 9 years ago
Closed 9 years ago
HTMLInputElement::SetUserInput shouldn't check IsCallerChrome
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla44
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | fixed |
People
(Reporter: bholley, Assigned: bholley)
References
Details
Attachments
(1 file)
|
851 bytes,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
It's only accessible over XPIDL.
|
Assignee | |
Comment 1•9 years ago
|
||
See https://crash-stats.mozilla.com/report/index/01e16a7e-0634-4629-809d-fd7d22150927 and similar
|
|
Assignee | |
Comment 2•9 years ago
|
||
Attachment #8668271 -
Flags: review?(bzbarsky)
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8668271 [details] [diff] [review] Remove legacy check from the XPIDL HTMLInputElement::SetUserInput. v1 r=me, but it seems to me like we should make nsIDOMNSEditableElement a non-scriptable interface too. Looks to me like this mostly means removing a bunch of (already silly) QIs from our tests, but also from a few actual code pieces. For now, though, at least mark the methods/attributes on the interface noscript, so it's clear that they're not called from script?
Attachment #8668271 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 4•9 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #3) > Comment on attachment 8668271 [details] [diff] [review] > Remove legacy check from the XPIDL HTMLInputElement::SetUserInput. v1 > > r=me, but it seems to me like we should make nsIDOMNSEditableElement a > non-scriptable interface too. It seems like that might break addons, right? But regardless, this all seems pretty orthogonal to the change being made. It's perfectly fine for these things be called from chrome script over XPIDL, and content script will never see the XPIDL interface, unless there's some risk here I'm missing. Can you explain?
Flags: needinfo?(bzbarsky)
|
|
||
Comment 5•9 years ago
|
||
> It seems like that might break addons, right? Yeah, looks like it would. OK, then. > But regardless, this all seems pretty orthogonal to the change being made. I think the [noscript] is not: it's making it clear that the method is never called from script. > It's perfectly fine for these things be called from chrome script over XPIDL It's not possible for that to happen, because we never create XPCWN for these objects. The noscript on the method will just make that clear to everyone.
Flags: needinfo?(bzbarsky)
|
||
Comment 7•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/da07fd36ebb2
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•