Closed Bug 159424 Opened 22 years ago Closed 21 years ago

Objects cannot be passed between windows. Scope for objects seems to be changed.

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mdaskalo, Assigned: security-bugs)

References

Details

(Keywords: helpwanted, regression, testcase, Whiteboard: [ETA 4/28])

Attachments

(3 files, 2 obsolete files)

Testcase which worked with older builds, IE, NS4 but not with recent Mozillas. Unzip and open form.html
1.03 KB, application/x-compressed
Details
This works is a testcase to see the expected behaviour of the previous one.
1.03 KB, application/x-compressed
Details
Patch 3 - addresses review comments
5.97 KB, patch
hjtoi-bugzilla
: review+
jst
: superreview+
asa
: approval1.4b+
Details | Diff | Splinter Review 
Hi, 
I cannot be sure this is a bug, or correct behaviour, but a form with Javascript
that previously worked now doesn't work.
See testcases that I will upload soon.

Last it worked with nightly builds before Jul,16 (this is not exact date when it
stopped working), and doesn't work with Mozilla 1.1b.
For sure it worked with 2002053012 build
and 2002070608 nightly build.
The first build I noticed the problem in was 2002071608.
So it broke somewhere between 7th and 16th of July.

This might be a security enhancement or something else. If this is the case
sorry for the spam but I couldn't find anything similar in bugzilla.

Not the description of the problem:
If I declare a variable in javascript in a document and then open a window,
the from the newly opened window I cannot directly access the variable defined
in the opener.
This is breaking a lot of scripts.
The variable defined can still be accessed as opener.variable, but not as
variable, or top.variable.
In previous builds, and also in NS4 and IE4-IE6 this was possible.

Someone more knowledgable about JavaScript,ECMA etc. standards please check this.

I will upload a testcase where it works (with opener), and one where it doesn't
(without any prefix).
Browser, not engine ---> DOM Level 0.
Nice testcases!

Confirming bug with Mozilla trunk binary 20020723xx. When I try
the first testcase in this build, I get the following error in
the JS Console from clicking links in the child window "lov.html":


Error: top.ifield1 has no properties
Source File: 
file:///C:/WINNT/Profiles/pschwartau/Desktop/159424/moz_testcase/lov.html
Line: 11


The identifier |ifield1| is defined in the parent window "form.html":


<script type="text/javascript">
var ifield1;
var ifield2;
var chooser;

function choose_value()
{
  ifield1 = document.forms[0].realvalue; 
  ifield2 = document.forms[0].display_value;

  chooser = window.open('lov.html','chooser',
  'toolbar=no,menubar=no,scrollbars=yes,resizable=yes,width=500,height=200');

  chooser.ifield1 = ifield1; 
  chooser.ifield2 = ifield2;
  return true;
}
</script>


<form METHOD=GET>
<table>
<tr>
<td width="80%">
<input type="HIDDEN" name=realvalue value="">    <<<----- the "realvalue" elt
              
            etc.
            etc.



When I try the same steps with a build from July 1, I get no errors
and everything works as expected -
Assignee: rogerl → jst
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → DOM Level 0
Ever confirmed: true
QA Contact: pschwartau → desale
Summary: Objects cannot be passed between windows. Scope for objects seems to be changed. → Objects cannot be passed between windows. Scope for objects seems to be changed.
Here is the code from testcase #1, that used to work but now is erroring:

function select(f,v)
{
  top.ifield1.value = f;
  top.ifield2.value = v;
  top.close();
  return true;
}


Here is the code from testcase #2 (that is not erroring):

function select(f,v)
{
  opener.ifield1.value = f;
  opener.ifield2.value = v;
  top.close();
  return true;
}
Actually I don't know which way it should work, and cannot determine where is
the problem. It might be two things.

<script type="text/javascript">
var ifield1; (is this the variable that allows you assigning "1" to the hidden
input using opener.ifield1.value=f)
var ifield2; 
var chooser;

function choose_value()
{
  ifield1 = document.forms[0].realvalue; 
  ifield2 = document.forms[0].display_value;

  chooser = window.open('lov.html','chooser',
  'toolbar=no,menubar=no,scrollbars=yes,resizable=yes,width=500,height=200');

  chooser.ifield1 = ifield1; (I think the should create a variable visible in
the default scope in lov.html, so that it could be used as ifield1.value=f;)
  chooser.ifield2 = ifield2;
  return true;
}
</script>


1. chooser.ifield1 = ifield1 doesn't create ifield1 visible in chooser.

or

2. var ifield1; doesn't create a variable which is accessible as top.ifield1


The 1. situation seems more probable to me.

Regards
Peter, could you investigate please?
Assignee: jst → peterv
Hi, this bug is breaking a lot of applications,
for example WEBMIN - Web Administration package,
many other web pages where you have LOV functionality,
including Oracle's Business Components for Java JSP pages.

Any idea what is causing this?
Can this be something related to 
BUG 154930
and similar to 
BUG 160339


http://bugzilla.mozilla.org/show_bug.cgi?id=160339
http://bugzilla.mozilla.org/show_bug.cgi?id=154930

I noticed that the time of fix of 154930 is somewhere around jul,15th so it
could be that fixing bug 154930 caused bug 159424

I don't think bug 154930 caused this bug since bug 154930 has been fixed on
branch and trunk and the test case for this bug wfm in 1.0.1/20020801/win2k but
does not work in 1.1b/20020803/win2k
I created a new much simpler testcase which definitly points where the problem is.

if you do
chooser = window.open('lov.html',  'chooser');
then
chooser.passed_value = something
doesn't work.

it is available on http://217.75.131.39:7070/mozilla_demo/form.html.

I lookup on NSGlobalWindow.cpp in lxr but couldn't definitly find out what
caused the problem.
I even don't have any idea.
But for sure this is causing problems with various applications.

Using Mozilla 1.0-branch binary 20020806xx on WinNT.
Interesting:

When I try the testcase http://217.75.131.39:7070/mozilla_demo/form.html,
I get this error in the JS Console:

         Error: uncaught exception:
         Permission denied to set property Window.passed_value

This causes subsequent errors like

         Error: passed_value is not defined
         Source File: http://217.75.131.39:7070/mozilla_demo/lov.html
         Line: 11

         etc.

BUT: when I save both form.html and lov.html locally, the testcase
works perfectly without any errors. 

So this looks like some sort of security issue -(?).
cc'ing mstoltz, bzbarsky to find out -
Very strange. Now http://217.75.131.39:7070/mozilla_demo/form.html
works for me, using the same build as in my last comment! It only
failed that once. 

However, with a trunk build from 2002-08-05, the testcase fails
consistently for me . Note, however, I do not get the "Permission denied"
error first in this build, just "passed_value is not defined" errors.

Something very strange going on here -
Hmm... Could the problem here be that we are setting the value before the
document in the other window has loaded?  And then the document load clobbers
the value?
Sounds possible.
Very strange behaviour.
When debugging through Javascript debugger averything works just fine!!!!
This is in build 2002081204

Without debugging it doesn't work.

I step through the code which does 
chooser.passed_value = document.forms[0].i;
I have downloaded the source code through cvs last night 01:00 GMT, and managed
to compile it on a SuSE Linux 7.2 box, with the only option in .mozconfig 
"ac_add_options --enable-crypto".
I run the build and enabled Javascript Strict warning. Then when I got to
http://217.75.131.39:7070/mozilla_demo/form.html 
after when opening the second window I see the following on the console:

----------------------------------------------------------------------------
Document http://esrv2.technologica.bg/mozilla_demo/form.html loaded successfully
JavaScript strict warning: 
http://esrv2.technologica.bg/mozilla_demo/form.html line 13: assignment to
undeclared variable chooser

we don't handle eBorderStyle_close yet... please fix me
WEBSHELL+ = 4
WEBSHELL+ = 5
Document http://esrv2.technologica.bg/mozilla_demo/lov.html loaded successfully
----------------------------------------------------------------------------

And it still doesn't work.
Is this a DOM problem, or Javascript Engine problem?
Or both?

If I run it again this message disappears. I mean if I press the "Open second
window" button again, reloading the page and pressing the button again,
go to another URL, and then return back and press the button again.

Somehow I managed to get this message again without restarting the browser,
but I couldn't reproduce it.

Turning on JavaScript strict warnings will show you a lot of
extra messages that are not errors: just warnings.

When I go to http://217.75.131.39:7070/mozilla_demo/form.html
with JavaScript strict warnings on, I never get any warnings.

I tried looking at line 13 in the code for the warning you
got at http://esrv2.technologica.bg/mozilla_demo/form.html,
but I cannot access that site. The browser says:

      esrv2.technologica.bg could not be found. 
      Please check the name and try again

The code at http://217.75.131.39:7070/mozilla_demo/form.html
does seem to have a var declaration for |chooser|, so I can't see
why you would ever get that warning -
meanwhile I changed the code, thats why you don't see it now.
There was a stupid typo, but correcting it doesn't help.

Any advices how to debug, or which newsgroup to use for asking questions.

Unfortunately I don't have access to IRC   :-( 
Some more testcases which I don't know why, but they work ...

see 
http://217.75.131.39:7070/mozilla_demo/f2.html
and 
http://217.75.131.39:7070/mozilla_demo/f4.html

they both open f3.html in another window, passing two values to the window.
The second value is always succesfully passed, and the first one is only passed
in f4.html.
The f2.html is unable to pass the value, and f4.html is able to do it.

The difference is that in
f2.html I've put the following line
alert(x.document); // this makes it not work

and in f4.html I've put the following line
// this makes it work alert(x.document);


This shows it has something similar to Boris's comment 13
but it's rather the opposite !?

I would suppose when I have alert(x.document) this to allow for more time for
the document to load, but it's rather the opposite.
I can't say what's going on.
Something else, almost proving comment 13
save the files locally and start f4.html.

When you click the check button you'll see that it initially displays the passed
value, and then in a while it disappears, and then it's just not there.

I cannot see this behavious through http protocol
This is my experience with build 2002081204 on Windows NT,
and with cvs build on linux from today.
Blocks: advocacybugs
Is the patch for bug 134315 causing this?
The patch for 134315 was commited around the time the problem started.
I am happy to see that this bug doesn't exist in 1.0 branch build ID: 2002082106
on Window NT

adding a few keywords (nominations for fix in the next Netscape release -
primarily).
Keywords: 4xp, helpwanted, nsbeta1, nsenterprise, regression, testcase
This is definitely caused by the fix for bug 134315.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.2alpha
*** Bug 165861 has been marked as a duplicate of this bug. ***
*** Bug 166224 has been marked as a duplicate of this bug. ***
Target Milestone: mozilla1.2alpha → mozilla1.2beta
While there are apparently some site authors wo depend on being able to set
variables on a window object as it's opening, and having those values available
after a URL has loaded in that window, I think allowing that in all cases could
be dangerous. A malicious page could do something like this:
w = window.open("http://some site where the victim has a login cookie");
w.ImportantVar= "new value which changes the behavior of the page";

or redefine the String class to a class that leaks sensitive information to the
attacker.

I think we should do a same-origin check here, like so:
When window.open is called, save the principal of the calling script in a
variable on the window being opened. Then, when content arrives and
SetNewDocument is called, compare the cached principal to the principal of the
document being loaded. If they match, don't clear the scope. Otherwise, proceed
with the existing behavior.

I can implement this when I get the time, so I'm reassigning the bug to me.
Peter, if you have the time and desire to fix this sooner, feel free to take it
back.
Assignee: peterv → mstoltz
Status: ASSIGNED → NEW
Is there chance to get this in Mozilla 1.2 release?
*** Bug 181301 has been marked as a duplicate of this bug. ***
*** Bug 192869 has been marked as a duplicate of this bug. ***
Clearing milestone for now.
Target Milestone: mozilla1.2beta → ---
Flags: blocking1.4a?
Flags: blocking1.4a? → blocking1.4a-
as 1.4 will replace the 1.0 branch as a stable release I think this bug should
be fixed by 1.4b.

This bug is not present in the Mozilla 1.0 branch.
Flags: blocking1.4b?
adt: nsbeta1-
Keywords: nsbeta1nsbeta1-
mitch, drivers would like to get this for the long-lived 1.4 branch. Will you be
able to get to it for 1.4?
Flags: blocking1.4b? → blocking1.4b+
I will try to have a patch tomorow.
Status: NEW → ASSIGNED
Whiteboard: [ETA 4/28]
in NSGlobalWindow::SetNewDocument, I need to get the principal of the new
document being loaded, but the new document is not passed in here. I could add
a parameter for that, but I'm not sure that's the best solution. Look for
'//XXX Problem' in the patch above.
Attached patch Patch - this one works. (obsolete) — Splinter Review 
As a bonus, this patch also makes window.opener settable only to null, which
will avoid some problems down the road.
Attachment #122232 - Attachment is obsolete: true
Attachment #122266 - Flags: superreview?(jst)
Attachment #122266 - Flags: review?(heikki)
Comment on attachment 122266 [details] [diff] [review]
Patch - this one works.

>Index: src/base/nsGlobalWindow.cpp
>===================================================================

>+        NS_ASSERTION(sSecMan, "No Security Manager Found!");
>+        nsCOMPtr<nsIPrincipal> principal;
>+        sSecMan->GetSubjectPrincipal(getter_AddRefs(principal));

This assertion doesn't really help. Either assert and avoid the crash, or let
it crash without the assertion.
Attachment #122266 - Flags: review?(heikki) → review+
Comment on attachment 122266 [details] [diff] [review]
Patch - this one works.

- In GlobalWindowImpl::SetOpener():

+  if (aOpener) {
+    // check if we were called from a privileged chrome script.
+    // If not, opener is settable only to null.
+    NS_ENSURE_TRUE(sSecMan, NS_ERROR_FAILURE);
+    PRBool inChrome;
+    nsresult rv = sSecMan->SubjectPrincipalIsSystem(&inChrome);
+    if (NS_FAILED(rv) || !inChrome) {
+      return NS_OK;
+    }
+  }

You could simplyfie that by ising the helper IsCallerChrome(), i.e.

+  // check if we were called from a privileged chrome script.
+  // If not, opener is settable only to null.
+  if (aOpener && !IsCallerChrome()) {
+    return NS_OK;
+  }

Other than that, sr=jst.
Attachment #122266 - Flags: superreview?(jst)
Attachment #122266 - Flags: superreview+
Attachment #122266 - Flags: review?(heikki)
Attachment #122266 - Flags: review+
Attachment #122266 - Attachment is obsolete: true
Comment on attachment 122330 [details] [diff] [review]
Patch 3 - addresses review comments

Requesting 1.4b approval. This patch slightly relaxes the rules for when global
object scope is cleared when a new window is opened. As this makes security
slightly more permissive, the chance of regression is low. At worst, in case of
unforseen error, this code defaults to the previous existing behavior (clearing
the scope) causing a few scripts to fail.
Attachment #122330 - Flags: approval1.4b?
Comment on attachment 122266 [details] [diff] [review]
Patch - this one works.

Johnny cleared my r=, adding it back.
Attachment #122266 - Flags: review?(heikki) → review+
Comment on attachment 122330 [details] [diff] [review]
Patch 3 - addresses review comments

do heikki's and jst's reviews carry over to this patch?

this one is setting off my potential-regression-radar

can you give me examples of websites that this will fix?
According to Comment #37 bug 184618 will be fixed with this patch.
Depends on: 184618
Comment on attachment 122330 [details] [diff] [review]
Patch 3 - addresses review comments

Yes, this also has r=heikki
Attachment #122330 - Flags: review+
Seth,
   I don't know which sites this fixes, but I assume drivers do since they
marked this as blocking1.4b.
Comment on attachment 122330 [details] [diff] [review]
Patch 3 - addresses review comments

a=asa (on behalf of drivers) for checkin to 1.4b.
Attachment #122330 - Flags: approval1.4b? → approval1.4b+
Attachment #122330 - Flags: superreview+
An example on a popular commerce site is http://www.travelocity.com/ -- click
open the calendar popup and try to use the date widget. It's broken.
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
This fix may have caused a regression for bug 206317.
This fix may have caused the regression in bug 211719
Having backed out this bug's patch locally it does get rid of the regression in
bug 211719
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: