Closed
Bug 1253538
Opened 8 years ago
Closed 8 years ago
Window.open() should not reuse an existing window if it's running a different container
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
People
(Reporter: baku, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Whiteboard: btpp-active)
Attachments
(2 files)
3.76 KB,
patch
|
bzbarsky
:
feedback+
|
Details | Diff | Splinter Review |
1.02 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
I wrote a test to check what bz suggested in bug 1249224 comment 9. Here the scenario I want to test: . tabA: userContextId=1 window.name='tab-1' . tabB: userContextId=2 window.name='tab-2' . tabA does: window.open(something, 'tab-2'); What I want to see is that we create a new tabC with userContextId=1 and window.name='tab-2'. In our current code we are actually reusing tabB because it's called 'tab-2' ignoring the fact that its userContextId is different than 1.
Attachment #8726620 -
Flags: feedback?(bzbarsky)
Assignee | ||
Comment 1•8 years ago
|
||
Attachment #8726629 -
Flags: review?(bzbarsky)
Updated•8 years ago
|
Whiteboard: btpp-active
Comment 2•8 years ago
|
||
Comment on attachment 8726620 [details] [diff] [review] test I was trying to figure out why this test is failing, even though my manual tests pass. The answer is that this test is doing the window.open() call from system code. So when we end up in nsDocShell::ValidateOrigin (called from nsDocShell::CanAccessItem) we hit this code block: if (nsContentUtils::GetCurrentJSContext() && nsContentUtils::IsCallerChrome()) { return true; } and the targeting is allowed. If this line in the test: >+ let w = content.window.open(opts.url, 'tab-2'); is changed to: let w = content.window.wrappedJSObject.open(opts.url, 'tab-2'); then the test passes. So I guess an important question here is: do we want chrome code to be able to trigger linking from one user context to another one (in which case the existing setup is fine), or do we want to forbid that, in which case we probably need the actual patch? >+ Cu.import("resource://gre/modules/PromiseUtils.jsm"); Why not just use normal Promises? >+ w.onload = function() { resolve(); } This is a bit annoying because the test failing manifests as a test timeout, but I guess we can live with that... >+ is(browser.contentDocument.nodePrincipal.userContextId, 1, "Tab3 UCI must be 1"); Can we also assert that "browser" is neither "browser1" nor "browser2"?
Attachment #8726620 -
Flags: feedback?(bzbarsky) → feedback+
Comment 3•8 years ago
|
||
Comment on attachment 8726629 [details] [diff] [review] fix.patch r=me assuming we want to prevent the "chrome can allow targeting across user context ids" thing. That said, it looks like now we're checking that GetIsInIsolatedMozBrowserElement() matches, GetAppId() matches, mUserContextId matches. The only parts of OriginAttributes::operator== we're not checking are mAddonId and mSignedPkg. Please file a followup bug to see whether we should be checking those too (and probably needinfo bholley).
Attachment #8726629 -
Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/8511fae8a1cf https://hg.mozilla.org/integration/mozilla-inbound/rev/0c2cf128ceae
Comment 7•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8511fae8a1cf https://hg.mozilla.org/mozilla-central/rev/0c2cf128ceae https://hg.mozilla.org/mozilla-central/rev/7b9ef8acccce https://hg.mozilla.org/mozilla-central/rev/2f9b726495d1
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•