Don't cancel content JS when "navigating" to javascript: URLs
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox70 | --- | wontfix |
| firefox71 | + | verified |
| firefox72 | --- | verified |
People
(Reporter: shoust, Assigned: squib)
References
(Regression)
Details
(Keywords: regression)
Attachments
(2 files)
|
1.75 MB,
image/png
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
|
Details | Review |
canvasbug.png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Steps to reproduce:
"javascript:void(document.title='reset');"
Create the above as a bookmark(without quotes), then find the NETENT slot game "Arcane Reel Chaos", then let the game load, then once loaded, click bookmark you just created.
URL that may show demo if outside UK: https://www.online-slot.co.uk/online-slots/netent-slots/arcane-reel-chaos/
I also have ublock origin and tampermonkey installed if there is trouble reproducing. I'm also on Windows 7.
Actual results:
The tab bar title changes... however the canvas drawing of the slot appears to crash, several "reels" of the slot seem to vanish, this game is the most consistent case I could find, however as I am from UK its hard to find a free play URL to test this on.
If you're outside of the UK, this demo may load from this URL here:
https://www.online-slot.co.uk/online-slots/netent-slots/arcane-reel-chaos/
Picture attached is from a non-free play version of the game.
Expected results:
The drawing of the canvas should be unaffected, the title bar changes to "reset" as it has done normally.
|
||
Comment 1•6 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Build ID: 20191104094118
I can confirm that this issue is reproducible on the latest Nightly 72.0a1, Firefox 71 beta 6 and Firefox 70.0.1 - tested on Windows 7.
|
|
||
Comment 2•6 years ago
•
|
||
Hi guys,
I managed to get a regression range for this issue, here are the results:
Thanks, it seems to be connected to the setting dom.ipc.cancel_content_js_when_navigating , when set to false, the page works as expected, no canvas crash
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 4•6 years ago
|
||
Prior to this patch, users entering javascript: URLs in the location bar
(e.g. via a bookmark) would trigger the cancel content JS path for the page
they were on, potentially breaking the site. Since javascript: URLs
(generally) don't navigate to a new page, we should avoid canceling the
current page's JS.
Thanks for the patch, just wondering out of curiousity though, would it still cancel content js if a bookmarklet did happen to navigate away?
Say would a bookmarklet setting a different location.href would work the same way as a script tag setting a different location.href? Either way doesn't affect me btw.
|
|
Assignee | |
Comment 6•6 years ago
|
||
(In reply to Simon from comment #5)
Thanks for the patch, just wondering out of curiousity though, would it still cancel content js if a bookmarklet did happen to navigate away?
No, it wouldn't. It ends up being a catch 22. When we load another page, part of that operation gets put into the page's event queue, so if the event loop stalls (i.e. because the page is busy running some synchronous JS), we normally have to wait for that to finish in order for our load to go through. The "cancel content JS" code works around this by examining the new URL and asking whether it will send us to a new top-level page; if so, we just force-terminate the current page's JS since we know that the page is going to go away in a second.
With this architecture, it's not easy to tell if a javascript: URL would take us to a different page, since we need to run the JS in that URL to figure it out. However, in order to run the JS, we need to perform the full "load" on that javascript: URL, putting the JS code in it into the page's event queue. That gets stalled due to the issue mentioned above. (Obviously, it's easy to tell if we'd navigate to a new page for simple javascript: URLs, but it'd be impossible to tell for more complex cases.)
Say would a bookmarklet setting a different location.href would work the same way as a script tag setting a different location.href? Either way doesn't affect me btw.
That said, this does still work the same way as a <script> tag: if a page's event queue is stalled, then a script setting location.href would end up stuck waiting in the queue, just like a bookmarklet. In both cases, you're effectively just saying, "Please run this JS when you get the chance."
|
||
Comment 8•6 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 9•6 years ago
|
||
Comment on attachment 9106763 [details]
Bug 1592470 - Don't cancel content JS when "navigating" to javascript: URLs; r?smaug
Beta/Release Uplift Approval Request
- User impact if declined: Users who use javascript: bookmarklets to modify pages may see broken pages if the bookmarklet is run while the page has active JS.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch just adds an extra conditional to prevent the "cancel content JS" logic from running if the URL to navigate to is a javascript: URL. Since this just prevents Firefox from doing something it shouldn't, there should be minimal risk of fallout.
- String changes made/needed:
|
|
Assignee | |
Comment 10•6 years ago
|
||
To verify this is fixed, you can do the following:
- (Optional) Open devtools and switch to the console
- Navigate to http://mozilla.pettay.fi/moztests/goback.html
- Wait for it to redirect to goback2.html (which contains an infinite JS loop to stall the event queue)
- Enter
javascript:void(0)in the location bar and hit Enter - Hit the back button: you should not go back to the previous page
- (Optional) Type in any URL you like in the location bar and hit Enter: you should go to that page
If you're checking the devtools console output, this is how it should behave: at the end of step (4), you should not see a message like the following. However, you should see it after step (6):
Error: Script terminated by timeout at:
@http://mozilla.pettay.fi/moztests/goback2.html:13:13
goback2.html:13:13
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 11•6 years ago
|
||
Comment on attachment 9106763 [details]
Bug 1592470 - Don't cancel content JS when "navigating" to javascript: URLs; r?smaug
The patch is minimal and has tests, let's have QA verify the fix as well, uplift approved for 71 beta 10, thanks.
|
|
||
Comment 12•6 years ago
|
||
Merge conflicts while grafting 099cebd1bbd7
merging dom/ipc/BrowserChild.cpp
merging dom/ipc/tests/browser.ini
warning: conflicts while merging dom/ipc/tests/browser.ini! (edit, then use 'hg resolve --mark')
|
||
Comment 13•6 years ago
|
||
| bugherder uplift | ||
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
|
||
Comment 14•6 years ago
|
||
Fix verified using the latest Nightly 72.0a1 (2019-11-14) on Windows 10, Ubuntu 18.04, macOS 10.15.
|
||
Comment 15•6 years ago
|
||
Hello,
I can confirm that this issue is fixed on Fx 71.0b10 on Windows 10 x64, macOS 10.13 and Ubuntu 18.04.
|
||
Updated•6 years ago
|
|
||
Updated•4 years ago
|
Description
•