Closed Bug 1611374 Opened 1 year ago Closed 1 year ago

Refuse nested `Document.execCommand()` calls by default in Nightly channel and early Beta

Categories

(Core :: DOM: Core & HTML, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla75
Tracking Status
firefox75 --- fixed

People

(Reporter: masayuki, Assigned: masayuki)

References

()

Details

Attachments

(1 file)

Chrome does not allow nested execCommand calls.
https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/core/editing/commands/document_exec_command.cc;l=75;drc=301e5d079a1b4c29c5b17574d0470e6db7370acc

Although Safari allows it, I think that we don't need to support nested execCommand calls for security and that must cause backward compatibility issue rarely.

(But I guess that we should keep supporting it with a pref for fuzzing team.)

WDYT, smaug?

Flags: needinfo?(bugs)

Oh, interesting. If Chrome doesn't support it, I guess we could try that. It is unlikely that any web site relies on the nested behavior.

Flags: needinfo?(bugs)

Chrome does not allow nested Document.execCommand() calls:
https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/core/editing/commands/document_exec_command.cc;l=75;drc=301e5d079a1b4c29c5b17574d0470e6db7370acc

On the other hand, Safari (and Firefox) allows it. However, it's worthwhile to
follow Chrome's behavior.

This patch makes Document::ExecCommand() return false when it's called
while running another Document::ExecCommand() call on Nightly and early Beta.
This is exactly same behavior, and we should watch broken web apps reports
for a while before riding this on the train.

And this patch sets the pref to true when all crash tests under
editor/libeditor/crashtests which depend on nested calls of execCommand run
since same things may be reproducible with other DOM APIs.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Summary: Refuse nested `Document.execCommand()` calls by default → Refuse nested `Document.execCommand()` calls by default in Nightly channel and early Beta
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/eaf48f8ba83f
Disallow nested `Document.execCommand()` calls in Nightly and early Beta r=smaug
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
You need to log in before you can comment on or make changes to this bug.