Closed Bug 1355996 Opened 4 years ago Closed 4 years ago

Inspector uses unsafe CPOWs to find CSS selector for node to select

Categories

(DevTools :: Inspector, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1356415

People

(Reporter: billm, Assigned: jdescottes)

References

Details

We disabled unsafe CPOWs in Firefox code a while ago. However, it looks like devtools code is being counted as an add-on because of bug 1355994. I did a try push to see where unsafe CPOWs are actually being used in devtools, and I only see one place.

In nsContextMenu.js, we pass this.target, which is a CPOW, to inspectNode:
http://searchfox.org/mozilla-central/rev/624d25b2980cf5f83452b040e6d664460f9b7ec5/browser/base/content/nsContextMenu.js#575

That then calls findCssSelector on the node:
http://searchfox.org/mozilla-central/rev/2fc8c8d483d9ec9fd0ec319c6c53807f7fa8e8a2/devtools/client/framework/devtools-browser.js#305

An easy fix for this in the short term would be to store the selector when the context menu is generated. During that time, the CPOW would be considered "safe". A better fix would be to generate the selector in a content script (somewhere around [1]) and send it to the parent.

[1] http://searchfox.org/mozilla-central/rev/2fc8c8d483d9ec9fd0ec319c6c53807f7fa8e8a2/browser/base/content/content.js#190
We've been planning on including the CSS selector for context menu events for the sake of WebExtensions, anyway, so we should probably just do that and be done with it.
Blocks: 1355994
Depends on: 1356415
DevTools bug triage (filter on CLIMBING SHOES).
Priority: -- → P3
I currently have a patch for Bug 1356415 that also fixes this issue. Taking the bug in the meantime.
Assignee: nobody → jdescottes
Status: NEW → ASSIGNED
It looks like bug 1356415 fixed that.
Flags: needinfo?(jdescottes)
Thank, forgot to follow up. Closing as duplicate.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jdescottes)
Resolution: --- → DUPLICATE
Duplicate of bug: 1356415
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.