Closed Bug 1601175 Opened 9 months ago Closed 7 months ago

SetScriptGlobalObject happens before we have properly set up the document (and hence principal!) of the inner window

(Core :: DOM: Core & HTML, defect, P3)

Tracking Status
firefox74 --- fixed

(Reporter: bzbarsky, Assigned: bzbarsky)

(1 file)

I just discovered today that we can end up in error-reporting code, examining an inner window's principal, when that principal is null. The sequence of events is as follows:

  1. We are doing a pageload and land in nsGlobalWindowOuter::SetNewDocument.
  2. We create a new inner window but have not set its mDoc yet.
  3. We call SetScriptGlobalObject on the document.
  4. This grabs CSP violation stuff and tries to report it via nsCSPContext::flushConsoleMessages.
  5. This lands in nsScriptErrorBase::InitializeOnMainThread which tries to examine the principal of the window... but that's still nullptr at this point. It happens to not crash only because nsContentUtils::IsSystemPrincipal is null-safe. But, importantly, it's getting the wrong answers if we reach this code for an actual system-principal window via this path!

I am going to try to see what happens if I change the order around in SetNewDocument so we set up mDoc before calling SetScriptGlobalObject... That seems much saner to me, in terms of not passing partially-initialized inner windows around.

In particular, nsScriptErrorBase::ComputeIsFromPrivateWindow and nsScriptErrorBase::ComputeIsFromChromeContext are the things that will get determined incorrectly.
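The ordering hazard described above, as an added illustration that is not Gecko code: a stripped-down model in which flushing queued CSP reports during SetScriptGlobalObject reads the inner window's principal, which is still null until mDoc is set. All type and member names are simplified stand-ins; only the Gecko function names in comments are real.

```cpp
#include <vector>

// Simplified stand-ins for Gecko's classes; names are illustrative, not Gecko's.
struct Principal { bool isSystem = false; };
struct Document;

// Null-safe like nsContentUtils::IsSystemPrincipal: a missing principal is
// answered "not system", which is how an unset mDoc becomes a wrong answer.
static bool IsSystemPrincipal(const Principal* p) { return p && p->isSystem; }

struct InnerWindow {
  Document* mDoc = nullptr;
  const Principal* GetPrincipal() const;  // nullptr until mDoc is set
};

struct Document {
  Principal principal;
  int pendingCspViolations = 0;  // constructed: queued CSP reports to flush

  // Models Document::SetScriptGlobalObject flushing queued CSP reports via
  // nsCSPContext::flushConsoleMessages; each report's "from chrome context"
  // flag is computed from the window's principal at that moment.
  std::vector<bool> SetScriptGlobalObject(InnerWindow* win) {
    std::vector<bool> fromChromeContext;
    for (; pendingCspViolations > 0; --pendingCspViolations)
      fromChromeContext.push_back(IsSystemPrincipal(win->GetPrincipal()));
    return fromChromeContext;
  }
};

const Principal* InnerWindow::GetPrincipal() const {
  return mDoc ? &mDoc->principal : nullptr;
}

// Order from the report: SetScriptGlobalObject runs while mDoc is still null,
// so a system-principal window's violation is flagged as non-chrome (false).
bool ReportedAsChromeBuggyOrder() {
  Document doc;
  doc.principal.isSystem = true;
  doc.pendingCspViolations = 1;
  InnerWindow inner;
  return doc.SetScriptGlobalObject(&inner).at(0);  // mDoc not yet set
}

// Order from the landed fix: set mDoc first, then call SetScriptGlobalObject,
// so the same violation is correctly flagged as chrome context (true).
bool ReportedAsChromeFixedOrder() {
  Document doc;
  doc.principal.isSystem = true;
  doc.pendingCspViolations = 1;
  InnerWindow inner;
  inner.mDoc = &doc;
  return doc.SetScriptGlobalObject(&inner).at(0);
}
```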

Priority: -- → P3
Assignee: nobody → bzbarsky
Depends on: 1517588
Pushed by
Make sure the mDoc of an inner window is set before we call SetScriptGlobalObject on the document.  r=peterv
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Regressions: 1607469
Regressions: 1607347