1355996 - Inspector uses unsafe CPOWs to find CSS selector for node to select

Status: RESOLVED DUPLICATE of bug 1356415

(DevTools :: Inspector, enhancement, P3)

Description

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

We disabled unsafe CPOWs in Firefox code a while ago. However, it looks like devtools code is being counted as an add-on because of bug 1355994. I did a try push to see where unsafe CPOWs are actually being used in devtools, and I only see one place.

In nsContextMenu.js, we pass this.target, which is a CPOW, to inspectNode:
http://searchfox.org/mozilla-central/rev/624d25b2980cf5f83452b040e6d664460f9b7ec5/browser/base/content/nsContextMenu.js#575

That then calls findCssSelector on the node:
http://searchfox.org/mozilla-central/rev/2fc8c8d483d9ec9fd0ec319c6c53807f7fa8e8a2/devtools/client/framework/devtools-browser.js#305

An easy fix for this in the short term would be to store the selector when the context menu is generated. During that time, the CPOW would be considered "safe". A better fix would be to generate the selector in a content script (somewhere around [1]) and send it to the parent.

[1] http://searchfox.org/mozilla-central/rev/2fc8c8d483d9ec9fd0ec319c6c53807f7fa8e8a2/browser/base/content/content.js#190

Comment 1

[Kris Maglione [:kmag]]

We've been planning on including the CSS selector for context menu events for the sake of WebExtensions, anyway, so we should probably just do that and be done with it.

Comment 2

[Patrick Brosset <:pbro>]

DevTools bug triage (filter on CLIMBING SHOES).

Comment 3

[Julian Descottes [:jdescottes]]

I currently have a patch for Bug 1356415 that also fixes this issue. Taking the bug in the meantime.

Comment 4

[Alexandre Poirot [:ochameau]]

It looks like bug 1356415 fixed that.

Comment 5

[Julian Descottes [:jdescottes]]

Thank, forgot to follow up. Closing as duplicate.