Open Bug 1594984 Opened 6 years ago Updated 8 months ago

MessagePorts sent into other MessagePorts are still firing onmessage events

Categories

(Core :: DOM: postMessage, defect, P3)

Product:
Core
Component:
DOM: postMessage
Platform:
Desktop
All
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox70 --- affected
firefox71 --- affected
firefox72 --- affected

People

(Reporter: robert, Unassigned)

References

Details

(Whiteboard: dom-lws-bugdash-triage)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36

Steps to reproduce:

https://jsbin.com/cotatazova/1/edit?js,console

Open JSBin, and run the following Javascript:

var channelA = new MessageChannel();
var channelB = new MessageChannel();

var a1 = channelA.port1;
var a2 = channelA.port2;
var b1 = channelB.port1;
var b2 = channelB.port2;

a2.onmessage = function(e) {
console.log("a2 onmessage")
}
b2.onmessage = function(e) {
console.log("b2 onmessage");
e.data.innerChannel.onmessage = function(e) {
console.log("inner onmessage")
}
}

a1.postMessage("blah")
b1.postMessage({innerChannel: a2}, [a2])
console.log("sending done")

Actual results:

This was printed to the console:

"sending done"
"a2 onmessage"
"b2 onmessage"

My understanding of the spec (https://html.spec.whatwg.org/multipage/web-messaging.html#port-message-queue) isn't great, but I think I'd expect "a2 onmessage" to not fire? For instance, if a2's firing represented a request that we needed to respond to, we no longer have access to a2.postMessage, since it was sent down b1.

Expected results:

Other browsers tested (Chrome, Safari) printed:

"sending done"
"b2 onmessage"
"inner onmessage"

This seems to hold true for when sending a2 to a web worker instead of another same-thread MessageChannel, which seems concerning, since my understanding is this makes it pretty easy to get race conditions when passing MessageChannels down MessageChannels?

Hello,

I can also reproduce this issue when running the script with the same results on Firefox release 70.0.1, beta 70.0b9 and Nightly 72.0a1 (2019-11-12) on MacOS 10.14, Windows 10 and Ubuntu 16.04.

I will set a component for this issue in order to get the dev teams involved.
If it's not the correct one, feel free to change it to a proper one.

Status: UNCONFIRMED → NEW
status-firefox70: --- → affected
status-firefox71: --- → affected
status-firefox72: --- → affected
Component: Untriaged → DOM: Core & HTML
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → Desktop
Version: 70 Branch → Trunk
Component: DOM: Core & HTML → IPC

I don't understand why this was moved to IPC. This doesn't seem to be a bug in the core IPC code, and ./mach file-info bugzilla-component maps dom/messagechannel/MessagePort.cpp to Core :: DOM: Core & HTML.

Flags: needinfo?(mbrodesser)
Component: IPC → DOM: postMessage
Flags: needinfo?(mbrodesser)

The priority flag is not set for this bug.
:jstutte, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jstutte)
Flags: needinfo?(jstutte)
Priority: -- → P2
Assignee: nobody → sgiesecke
Assignee: sgiesecke → nobody
Severity: normal → S3
Priority: P2 → P3
Whiteboard: dom-lws-bugdash-triage
You need to log in before you can comment on or make changes to this bug.