Closed
Bug 1469045
Opened 6 years ago
Closed 2 years ago
postMessage doesn't keep true "isTrusted" value
Categories
(Core :: DOM: postMessage, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 1502801
People
(Reporter: gasper, Unassigned)
Details
Attachments
(1 file)
353 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Steps to reproduce: 1) create a sandboxed iframe with a button inside 2) on button click, send a message to the parent window with postMessage() 3) on "message" event call window.open See attached file for an example. Also available at https://codepen.io/gasper_k/pen/xzXWeN. Actual results: Firefox popup blocker blocks opening of the window. Expected results: Firefox should open the window. The message was initiated with a user interaction.
Comment 2•6 years ago
|
||
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 (20180619220118) I've tested this report on Windows 10 & OS X 10.14 using latest Nightly, Beta and Firefox release build. When navigating to https://codepen.io/gasper_k/pen/xzXWeN and click on the window.open button, the browser prevented the site from opening a popup window. Chrome and Safari do not block the popup from opening. In Edge and IE the window.open button is not displayed. Based on other similar reports I think the proper component would be Core:DOM:Core&HTML. Please change if this is not the correct component.
Status: UNCONFIRMED → NEW
status-firefox60:
--- → affected
status-firefox61:
--- → affected
status-firefox62:
--- → affected
status-firefox-esr52:
--- → affected
status-firefox-esr60:
--- → affected
Component: Untriaged → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
http://1.kozak.si/outer.html also works on IE. Tested on IE10 (Win8) and IE11 (Win7). Both block the popup.
Updated•6 years ago
|
Priority: -- → P3
Comment hidden (obsolete) |
Comment hidden (obsolete) |
Comment 6•6 years ago
|
||
Now I'm lost. What has the initial comment to do with comment 4 and 5. popup blocking something totally different to event dispatch. To fix _this_ bug we either need to propagate user activation flag via postMessage or implement something close to what Google has proposed for a new model for user activation. MessageEvent-trusted.html shows an issue in https://searchfox.org/mozilla-central/rev/9cb3e241502a2d47e2d5057ca771324a446b6695/dom/base/PostMessageEvent.cpp#201 Apparently other browsers consider postMessage as trusted operation. I guess we should just always pass true there.
Flags: needinfo?(bugs)
Comment hidden (obsolete) |
Updated•6 years ago
|
No longer blocks: wpt.fyi-firefox-fails
Updated•3 years ago
|
Component: DOM: Core & HTML → DOM: postMessage
Comment 8•2 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #6)
MessageEvent-trusted.html shows an issue in
https://searchfox.org/mozilla-central/rev/
9cb3e241502a2d47e2d5057ca771324a446b6695/dom/base/PostMessageEvent.cpp#201
Apparently other browsers consider postMessage as trusted operation.
I guess we should just always pass true there.
Anne, can you confirm?
Flags: needinfo?(annevk)
Comment 9•2 years ago
|
||
The model the specification has for isTrusted
is unrelated to user activation. isTrusted
is set to true when the user agent dispatches the event. If PostMessageEvent::Dispatch
doesn't have (direct) public callers (e.g., window.dispatchEvent(...)
) always passing true seems like the right thing.
Flags: needinfo?(annevk)
Comment 10•2 years ago
|
||
And we already did this in bug 1502801. Sorry for the noise and thanks!
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Updated•2 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•