reportError() / self.onerror does not follow the specification
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: annevk, Assigned: evilpie
References: Blocks 1 open bug
Attachments: 1 file
As per https://html.spec.whatwg.org/#report-the-error we should not allow the message (and other arguments to onerror) to be supplied by script, but
self.onerror=(a, b, c, d, e) => console.log(a,b,c,d,e)
self.reportError({lineNumber:1,columnNumber:2,fileName:3,message:'alert\x281\x29'})
shows we do.
Per investigation by Jan, it's likely that https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/js/src/jsexn.cpp#513-523 is the culprit here, hence filing it against the JS component as a start. I suggest that we essentially remove the duck-typing there, at least when it comes to non-chrome code, but ideally we just don't have it.
This came up on Twitter in https://twitter.com/portswiggerres/status/1470746433838059524. (Note that even if the message comes from us this might not completely solve the problem as shown in http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/, but there's no reason for us to be different from Chrome for the above case. We might want to argue for less implementation-defined messages based on this.)
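The two behaviours this report contrasts, as an added model in JavaScript that is not Gecko's code: duckTypedReport mirrors the property-sniffing described above, specReport the hardened shape in which a plain object's fields are ignored. Function names, the message wording and the constructed call site are assumptions.

```javascript
// Added model of the two behaviours discussed in the bug; not Gecko code.
// Each function builds the (message, source, lineno, colno, error) tuple that
// would be handed to self.onerror; `callSite` stands in for the location the
// engine records for the reportError() call itself.

// Behaviour the bug describes: any object carrying the right property names is
// trusted as if it were an engine-created Error, so script picks every argument.
function duckTypedReport(thrown, callSite) {
  const looksLikeError = thrown !== null && typeof thrown === 'object'
    && 'message' in thrown && 'fileName' in thrown;
  if (looksLikeError) {
    return {
      message: String(thrown.message),
      source: String(thrown.fileName),
      lineno: Number(thrown.lineNumber),
      colno: Number(thrown.columnNumber),
      error: thrown,
    };
  }
  return specReport(thrown, callSite);
}

// Hardened shape: the location always comes from what the engine recorded, and
// the description is derived from the value's type. A real Error keeps its
// .message in the text (the caveat noted in the description), but a plain object
// can no longer dictate the message or the source location. Wording is assumed.
function specReport(thrown, callSite) {
  const description = thrown instanceof Error
    ? `Uncaught ${thrown.name}: ${thrown.message}`
    : `Uncaught ${thrown !== null && typeof thrown === 'object' ? 'Object' : String(thrown)}`;
  return {
    message: description,
    source: callSite.fileName,
    lineno: callSite.lineNumber,
    colno: callSite.columnNumber,
    error: thrown,
  };
}

// Constructed input: an object shaped like the one in the bug report, carrying a
// harmless script-chosen message, reported from a constructed call site.
const crafted = { lineNumber: 1, columnNumber: 2, fileName: 'spoofed.js',
                  message: 'text chosen by script' };
const callSite = { fileName: 'https://example.test/app.js', lineNumber: 40, columnNumber: 7 };

// Returns both reports side by side so the difference can be inspected or asserted.
function compare(thrown = crafted) {
  return { duckTyped: duckTypedReport(thrown, callSite), spec: specReport(thrown, callSite) };
}
```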
Comment 1•3 years ago
We should probably investigate if we can remove WithSideEffects completely, considering that devtools handle this stuff themselves anyway.
However in this specific case we can just change the callers: https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/dom/base/nsGlobalWindowInner.cpp#4179 and https://searchfox.org/mozilla-central/rev/dc323d0d9a3b722ca8ff0d1b2b752e5bd00dab9b/dom/workers/WorkerScope.cpp#312