Closed Bug 1746186 Opened 5 months ago Closed 5 months ago

reportError() / self.onerror does not follow the specification

Categories

(Core :: DOM: Core & HTML, defect)

defect

Tracking

()

RESOLVED FIXED
97 Branch
Tracking Status
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- fixed

People

(Reporter: annevk, Assigned: evilpie)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

Attachments

(1 file)

As per https://html.spec.whatwg.org/#report-the-error we should not allow the message (and other arguments to onerror) be supplied by script, but

self.onerror=(a, b, c, d, e) => console.log(a,b,c,d,e)
self.reportError({lineNumber:1,columnNumber:2,fileName:3,message:'alert\x281\x29'})

shows we do.

Per investigation by Jan it's likely that https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/js/src/jsexn.cpp#513-523 is the culprit here, hence filing it against the JS component as a start. I suggest that we essentially remove the duck-typing there, at least when it comes to non-chrome code, but ideally we just don't have it.

This came up on Twitter in https://twitter.com/portswiggerres/status/1470746433838059524. (Note that even if the message comes from us this might not completely solve the problem as shown in http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/, but there's no reason for us to be different from Chrome for the above case. We might want to argue for less implementation-defined messages based on this.)

We should probably investigate if we can remove WithSideEffects completely, considering that devtools handle this stuff themself anyway.

However in this specific case we can just change the callers: https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/dom/base/nsGlobalWindowInner.cpp#4179 and https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/dom/workers/WorkerScope.cpp#312

Assignee: nobody → evilpies
Component: JavaScript Engine → DOM: Core & HTML
Severity: -- → S3
Attachment #9255537 - Attachment description: WIP: Bug 1746186 - Don't observablely sniff in reportError() → Bug 1746186 - Don't observablely sniff objects in reportError(). r?smaug
Blocks: 1746427
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/41fb31da1ab6
Don't observablely sniff objects in reportError(). r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32144 for changes under testing/web-platform/tests
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
Upstream PR merged by moz-wptsync-bot
Regressions: 1749002
You need to log in before you can comment on or make changes to this bug.