Closed
Bug 178291
Opened 22 years ago
Closed 14 years ago
using window.fullScreen causes scripts to stop
Categories
(SeaMonkey :: Preferences, defect, P4)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: cokaw, Assigned: caillon)
Details
Attachments
(1 file, 1 obsolete file)
1.54 KB,
patch
|
security-bugs
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
Using the following code, which works across the whole IE range, and NS 4.xx and NS 6, Netscape 7 refuses to handle the following code. It produces the error message :- Error: uncaught exception: Permission denied to set property Window.fullScreen Basically it spawns a new window that is fullscreen, and places some HTML in the current window. <html> <head> <title>Redirecting to full screen</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF- 8"/> <script language="JavaScript> function fullScreen() { var location = "home.html"; var wf = ""; var fullWin = ""; window.name = "PAGE_FULLSCREEN"; if (screen.availWidth<800) { location = "error_resolution.html"; window.location.href=location; } else { window.location.href = "fullscreen.html"; var wf = ""; wf = "width="+window.screen.availWidth+",height="+window.screen.availHeight+"',resi zable=no,scrollbars=auto,menubar=no," +"fullscreen=yes,toolbar=no,directories=no,location=no,status=no," +"top="+window.screen.availTop+",left="+window.screen.availLeft; fullWin = window.open(location,"NewFullScren",wf); fullWin.focus(); } } </script> </head> <body onLoad="fullScreen();"> <P>Opening fullscreen</P> </body> </html>
Comment 2•22 years ago
|
||
Browser, not engine ---> Browser-General Kevin: in your Mozilla directory, check for a file named either "all.js", "user.js", or "prefs.js". Do you have a line like this? pref("capability.policy.default.Window.fullScreen", "noAccess"); If so, that is what's causing the warning. Changing this to "allAccess" should make the problem go away -
Assignee: rogerl → asa
Component: JavaScript Engine → Browser-General
QA Contact: pschwartau → asa
Reporter | ||
Comment 3•22 years ago
|
||
Hi yes, I've looked into this and have seen it mentioned somewhere else that this is set by default to noAccess ? This is a freshly installed version of NS 7 that I have downloaded in order to test my site. Therefore I would assume that other people who come to the site will experience the same problem. Is there a javascript command I can use to remedy this problem in order to ensure that browsers can view the site, as this appears to be a problem with the permissions of the browser?
Comment 4•22 years ago
|
||
Reassigning to Prefs component for the time being. Kevin: 1. Did you in fact have that line in your prefs files somewhere? pref("capability.policy.default.Window.fullScreen", "noAccess"); Because if you don't, we have a different problem that needs looking into. 2. Did you install Netscape 7 on top of a previous installation? If so, older preferences are preserved and may have included this one. People in the Prefs component or the Installer component will know more about that than I -
Assignee: asa → ben
Component: Browser-General → Preferences
QA Contact: asa → sairuh
Comment 5•22 years ago
|
||
> I've looked into this and have seen it mentioned somewhere else that
> this is set by default to noAccess ?
Good point. Regardless of previous installations, if the default value
of |capability.policy.default.Window.fullScreen| is "noAccess", that will
cause a problem for your site.
The Prefs component can answer that -
Comment 6•22 years ago
|
||
Fullscreen mode is disabled from being used by websites because of some security issues with it. One simple solution from the scripter's viewpoint is to wrap the window.fullScreen access in a try/catch (unfortunately, that would make the script not run in NS4, which does not support try/catch). Another solution is not to not open the window fullscreen (at least in Gecko browsers). That said, just using the fullscreen=yes option should not be triggering the error you are seeing, should it? Are you actually assigning to window.fullScreen somewhere?
Assignee | ||
Comment 7•22 years ago
|
||
This was a conscious decision -- see bug 127405. However, one of the downsides of using caps to do this sort of thing is that it stops script execution instead of no-oping the offending call. The only security issue is that it hides the lock icon. So users have no way of knowing whether or not they are on a secure site. This is a _major_ issue for many of our consumers though, banks in particular.
Assignee | ||
Comment 8•22 years ago
|
||
Also, note that the function (in the global scope) is called fullScreen. So I wonder if just having a function fullScreen is causing caps to complain.... We should probably have a dom.disable_window_fullscreen pref, like we do for other things. I can take this on, if we decide to do that. Other points: Should this have a UI? If we do have a configurable UI, what do we want the default to be? What do we want the UI text to say?
Assignee: ben → caillon
Summary: Javascript problem using Netscape 7. → using window.fullScreen causes scripts to stop
Comment 9•22 years ago
|
||
Oh, duh! Trying to define a function called "fullScreen" will attempt to write to window.fullScreen (to bind the function) and caps will stop it cold. So Kevin, just renaming the function will fix this issue for you.....
Comment 10•22 years ago
|
||
We've really got to stop naming new window properties with initial alphas, there's always a good chance someone, somewhere, has a variable of that name on an existing site that we'll conflict with. I'd say this is confirmed, no?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•22 years ago
|
QA Contact: sairuh → claudius
Reporter | ||
Comment 11•22 years ago
|
||
Found that renaming the function name to something else eliminates the problem. Sorted, thanks
Comment 12•22 years ago
|
||
anything left to do in this bug, or can this be resolved per comment 11?
Assignee | ||
Comment 13•22 years ago
|
||
I know that renaming the function works. But see comment 8. Others can encounter this and we should not hurt them too. I should have a patch shortly.
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.3alpha
Assignee | ||
Comment 14•22 years ago
|
||
I wish that CAPS would not throw exceptions for things like this, but since it does, we should do something like this.... This adds a hidden pref to stop scripts from messing with fullScreen settings, though I left reading them alone which I think is harmless for a site to read (does anyone disagree? Should I patch GetFullScreen as well?).
Assignee | ||
Updated•22 years ago
|
Attachment #107511 -
Flags: superreview?(jst)
Attachment #107511 -
Flags: review?(mstoltz)
Comment 15•22 years ago
|
||
Comment on attachment 107511 [details] [diff] [review] Backend patch I'd rather you used a new caps pref instead of a "dom" pref. Take a look at NavigatorImpl::Preference() in nsGlobalWindow.cpp for an example of how to do this. That way, caps can do the IsCallerChrome check implicitly, and also check for other special cases as appropriate.
Attachment #107511 -
Flags: review?(mstoltz) → review-
Comment 16•22 years ago
|
||
I don't think we want fullScreen to be allAccess -- there's no need for other domains to be able to touch it. And I don't know why you want a pref to disable/enable scripts to do it -- it's just a problem, if it's not chrome don't allow it.
Assignee | ||
Comment 17•22 years ago
|
||
Comment on attachment 107511 [details] [diff] [review] Backend patch Ahh. hmm, interesting.. looking into that then.
Attachment #107511 -
Flags: superreview?(jst)
Comment 18•22 years ago
|
||
Shouldn't we make fullScreen sameOrigin which is the default? IOW, just remove the capabilities entry from prefs.js for it and add the code that checks if the method is called from chrome or if the special pref (which's suggested name was fine with me, it goes nicely along the line we've started for other similar methohds). I'd sr the attached patch if you'd simply take out the capabilities pref in the patch.
Assignee | ||
Comment 19•22 years ago
|
||
I'm not sure I like the CAPS pref idea. It seems like an awful lot of work to do for setting fullscreen mode, which is already doing quite a bit of work. So for now, I'll leave it alone, and just make a patch without the pref. I chose the dom pref because that's what we've done in the past, and it seemed to fit in. But this should do the job of not throwing if someone tries to set fullScreen from js.
Attachment #107511 -
Attachment is obsolete: true
Assignee | ||
Updated•22 years ago
|
Attachment #107549 -
Attachment description: No pref. Just block if caller is chrome. → No pref. Just block if caller is not chrome.
Attachment #107549 -
Flags: superreview?(jst)
Attachment #107549 -
Flags: review?(mstoltz)
Comment 20•22 years ago
|
||
Comment on attachment 107549 [details] [diff] [review] No pref. Just block if caller is not chrome. sr=jst
Attachment #107549 -
Flags: superreview?(jst) → superreview+
Comment 21•22 years ago
|
||
Comment on attachment 107549 [details] [diff] [review] No pref. Just block if caller is not chrome. Using a CAPS pref and a "fullScreenInternal" security check would allow for more flexibility down the line, such as allowing Mozilla embeddors or users to grant the fullScreen ability to particular hosts or signers. A simple check for IsCallerChrome doesn't allow any of this flexibility - content will never be able to use fullscreen mode. If by "a lot of work" you mean you're concerned about performance, the impact should be negligible - the security check is quite fast. I would prefer we use a CAPS security check, but I won't insist on it; the choice is up to you. r=mstoltz on the current patch.
Attachment #107549 -
Flags: review?(mstoltz) → review+
Assignee | ||
Updated•21 years ago
|
Target Milestone: mozilla1.3alpha → mozilla1.5beta
Updated•20 years ago
|
Target Milestone: mozilla1.5beta → ---
Updated•20 years ago
|
Priority: P2 → P4
QA Contact: claudius → ian
Updated•20 years ago
|
Product: Browser → Seamonkey
Comment 22•16 years ago
|
||
Christopher, Are you still working on this ?
Comment 23•14 years ago
|
||
no reply, so incomplete.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•