Closed Bug 1469045 Opened 6 years ago Closed 2 years ago

postMessage doesn't keep true "isTrusted" value

Categories

(Core :: DOM: postMessage, defect, P3)

Product:
Core
Component:
DOM: postMessage
Version:
60 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1502801
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix

People

(Reporter: gasper, Unassigned)

Details

Attachments

(1 file)

postMessage-window-open.html
353 bytes, text/html
Details 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce:

1) create a sandboxed iframe with a button inside
2) on button click, send a message to the parent window with postMessage()
3) on "message" event call window.open

See attached file for an example. Also available at https://codepen.io/gasper_k/pen/xzXWeN.


Actual results:

Firefox popup blocker blocks opening of the window.


Expected results:

Firefox should open the window. The message was initiated with a user interaction.
Works in Chrome and Safari, they report isTrusted=true.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 (20180619220118)

I've tested this report on Windows 10 & OS X 10.14 using latest Nightly, Beta and Firefox release build. When navigating to https://codepen.io/gasper_k/pen/xzXWeN and click on the window.open button, the browser prevented the site from opening a popup window. 

Chrome and Safari do not block the popup from opening.
In Edge and IE the window.open button is not displayed.

Based on other similar reports I think the proper component would be Core:DOM:Core&HTML. Please change if this is not the correct component.
Status: UNCONFIRMED → NEW
status-firefox60: --- → affected
status-firefox61: --- → affected
status-firefox62: --- → affected
status-firefox-esr52: --- → affected
status-firefox-esr60: --- → affected
Component: Untriaged → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
http://1.kozak.si/outer.html also works on IE. Tested on IE10 (Win8) and IE11 (Win7). Both block the popup.
Priority: -- → P3
Now I'm lost. What has the initial comment to do with comment 4 and 5.
popup blocking something totally different to event dispatch.

To fix _this_ bug we either need to propagate user activation flag via postMessage or implement something close to what Google has proposed for a new model for user activation.


MessageEvent-trusted.html shows an issue in 
https://searchfox.org/mozilla-central/rev/9cb3e241502a2d47e2d5057ca771324a446b6695/dom/base/PostMessageEvent.cpp#201
Apparently other browsers consider postMessage as trusted operation.
I guess we should just always pass true there.
Flags: needinfo?(bugs)
No longer blocks: wpt.fyi-firefox-fails
Component: DOM: Core & HTML → DOM: postMessage

(In reply to Olli Pettay [:smaug] from comment #6)

MessageEvent-trusted.html shows an issue in
https://searchfox.org/mozilla-central/rev/
9cb3e241502a2d47e2d5057ca771324a446b6695/dom/base/PostMessageEvent.cpp#201
Apparently other browsers consider postMessage as trusted operation.
I guess we should just always pass true there.

Anne, can you confirm?

Flags: needinfo?(annevk)

The model the specification has for isTrusted is unrelated to user activation. isTrusted is set to true when the user agent dispatches the event. If PostMessageEvent::Dispatch doesn't have (direct) public callers (e.g., window.dispatchEvent(...)) always passing true seems like the right thing.

Flags: needinfo?(annevk)

And we already did this in bug 1502801. Sorry for the noise and thanks!

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: