Closed Bug 1746186 Opened 2 years ago Closed 2 years ago

reportError() / self.onerror does not follow the specification

Categories

(Core :: DOM: Core & HTML, defect)

defect

Tracking

RESOLVED FIXED
97 Branch
Tracking Status
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- fixed

People

(Reporter: annevk, Assigned: evilpie)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

As per https://html.spec.whatwg.org/#report-the-error we should not allow the message (and other arguments to onerror) to be supplied by script, but

self.onerror=(a, b, c, d, e) => console.log(a,b,c,d,e)
self.reportError({lineNumber:1,columnNumber:2,fileName:3,message:'alert\x281\x29'})

shows we do.

Per investigation by Jan it's likely that https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/js/src/jsexn.cpp#513-523 is the culprit here, hence filing it against the JS component as a start. I suggest that we essentially remove the duck-typing there, at least when it comes to non-chrome code, but ideally we just don't have it.

This came up on Twitter in https://twitter.com/portswiggerres/status/1470746433838059524. (Note that even if the message comes from us this might not completely solve the problem as shown in http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/, but there's no reason for us to be different from Chrome for the above case. We might want to argue for less implementation-defined messages based on this.)

We should probably investigate if we can remove WithSideEffects completely, considering that devtools handle this stuff themselves anyway.

However, in this specific case we can just change the callers: https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/dom/base/nsGlobalWindowInner.cpp#4179 and https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/dom/workers/WorkerScope.cpp#312
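The duck-typing the bug describes, contrasted with a brand check, as an added example that is neither part of this bug report nor Firefox's code. The property names mirror the reporter's payload (message, fileName, lineNumber, columnNumber); the helper names, the "non-Error object" fallback text and the use of `instanceof Error` as a stand-in for SpiderMonkey's native [[ErrorData]] check are this example's own assumptions.

```javascript
// Added example, not Firefox code: models why reportError() must not
// duck-type the value it is handed. Helper names, the fallback text and the
// instanceof-based brand check are assumptions made for this illustration.

// Behaviour the bug describes: any object carrying the right property names is
// treated as an error, so script picks every argument that onerror receives.
function describeErrorDuckTyped(value) {
  if (value !== null && typeof value === 'object') {
    return {
      message: String(value.message),
      fileName: String(value.fileName),
      lineNumber: Number(value.lineNumber) || 0,
      columnNumber: Number(value.columnNumber) || 0,
    };
  }
  return { message: 'uncaught exception: ' + String(value), fileName: '', lineNumber: 0, columnNumber: 0 };
}

// Spec-shaped behaviour: only a genuine Error (an object with an [[ErrorData]]
// internal slot) contributes details. The engine checks that slot natively;
// `instanceof Error` is the closest JS-level approximation and is same-realm only.
function describeErrorBrandChecked(value) {
  if (value instanceof Error) {
    return {
      message: String(value.message),
      // fileName/lineNumber/columnNumber are Firefox-specific Error properties;
      // other engines' Error objects simply lack them.
      fileName: typeof value.fileName === 'string' ? value.fileName : '',
      lineNumber: Number.isInteger(value.lineNumber) ? value.lineNumber : 0,
      columnNumber: Number.isInteger(value.columnNumber) ? value.columnNumber : 0,
    };
  }
  // Primitives are stringified (the residual case the reporter links to);
  // any other object gets a fixed description that script cannot influence.
  const text = (value !== null && typeof value === 'object')
    ? 'non-Error object'
    : String(value);
  return { message: 'uncaught exception: ' + text, fileName: '', lineNumber: 0, columnNumber: 0 };
}

// The five arguments a self.onerror handler would observe for a given
// reportError() argument under the chosen describe() strategy.
function onerrorArguments(value, describe) {
  const d = describe(value);
  return [d.message, d.fileName, d.lineNumber, d.columnNumber, value];
}

// Check a describe() strategy with a payload shaped like the one in the bug
// report (constructed here): true means script-supplied text reaches onerror
// unchanged, i.e. the defect is present.
function messageIsScriptControlled(describe) {
  const payload = { lineNumber: 1, columnNumber: 2, fileName: 3, message: 'script-chosen text' };
  return describe(payload).message === payload.message;
}

// Usage: compare the two strategies on the same payload.
console.log('duck-typed controllable:', messageIsScriptControlled(describeErrorDuckTyped));
console.log('brand-checked controllable:', messageIsScriptControlled(describeErrorBrandChecked));
console.log(onerrorArguments(new Error('boom'), describeErrorBrandChecked));
```

The brand-checked path is the shape the fix moves towards: only a real Error contributes its message and location, and a plain object is described by fixed text. Thrown primitives are still stringified into the message, which is the residual case the reporter points at, so an onerror handler should treat its message argument as untrusted text and never as something to evaluate.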

Assignee: nobody → evilpies
Component: JavaScript Engine → DOM: Core & HTML
Severity: -- → S3
Attachment #9255537 - Attachment description: WIP: Bug 1746186 - Don't observablely sniff in reportError() → Bug 1746186 - Don't observablely sniff objects in reportError(). r?smaug
Blocks: 1746427
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/41fb31da1ab6
Don't observablely sniff objects in reportError(). r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/32144 for changes under testing/web-platform/tests
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
Upstream PR merged by moz-wptsync-bot
Regressions: 1749002