Closed
Bug 220312
Opened 21 years ago
Closed 18 years ago
stores javascript generated iframe pages in history incorrectly, causing security problems
Categories
(Core :: DOM: Navigation, defect)
RESOLVED
DUPLICATE
of bug 172261
People
(Reporter: CaptainN, Assigned: radha)
Attachments
(1 file)
5.71 KB,
text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827

If you use a script to generate a page in an iframe using document.open(), and have a script in that generated page that needs to access a function or property of the parent frame, it will work when the page is generated, but not when recalled from the history (after you hit the back button).

Reproducible: Always

Steps to Reproduce:
1. Go to the URL I have provided (http://www.unfocus.com/moz-bug-demo.html)
2. Follow the instructions on that page.

Here is the source code if the page is down for any reason:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Mozilla Bug Demo</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="JavaScript" type="text/javascript">
<!--
i=1;
// Writes a new document into the last frame (the iframe below).
function generate() {
  elm = window.frames[window.frames.length-1].document;
  elm.open('text/html');
  elm.writeln('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">');
  elm.writeln('<html>');
  elm.writeln('<head>');
  elm.writeln('<title>Generated '+i+' times</title>');
  elm.writeln('<body>');
  elm.writeln('<scr'+'ipt language="JavaScript" type="text/javascript">');
  elm.writeln('parent.make_noise();');
  elm.writeln('</scr'+'ipt>');
  elm.writeln('Generated '+i+' times');
  elm.writeln('</body></html>');
  elm.close();
  i++;
}
// Called from the generated page through its parent reference.
function make_noise() {
  alert('If you see this, then the page in the IFrame was able to call the function to make this message box.');
}
//-->
</script>
</head>
<body>
Click the "Generate New Page" button to generate a new page in the iframe. In that page is a javascript that will call a function located in the iframe's parent page (this one), that will create an alert message. The alert will work when the page is first created, but not work when the page is called up from the history (when you press back). The console will say "Permission denied to get property ..." because the url of the cached page will be different from the container page (and from the originally generated page).<br>
<iframe src="_loading.html" width="100" height="100" id="test_frame"></iframe><br>
Here is the magic button.<br>
<input type="submit" name="Submit" value="Generate New Page" onClick="generate();">
</body>
</html>

Actual Results:
The javascript generated page fails to be able to access the parent's scripts and properties.

Expected Results:
Mozilla should have allowed access to the parent document's scripts (or Mozilla should have stored the page in the history with a different path associated).

If you want a more complicated example of this bug (probably you wouldn't ;-)), check out http://www.unfocus.com/flashNav.html.
Updated•21 years ago
Whiteboard: DUPEME
Comment 1•21 years ago

Error: uncaught exception: Permission denied to get property Window.make_noise

is the error I get on JS console.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20030924
Comment 2•21 years ago (Reporter)

If you open the page from a local drive you also get that error and this one:

Security Error: Content at wyciwyg://0/file:///C:/Documents%20and%20Settings/CaptainN/My%20Documents/unFocus.com/moz-bug-demo.html may not load or link to file:///C:/Documents%20and%20Settings/CaptainN/My%20Documents/unFocus.com/moz-bug-demo.html.

It's the "wyciwyg://0/" part that seems to mess it up (if I read all those pages on Google correctly). I'm not aware of any security problems that can occur from allowing a JavaScript-generated page to execute JavaScript in the parent frame, especially since Mozilla currently allows you to execute that JavaScript at least once already.
Comment 3•21 years ago
wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4.1) Gecko/20030904
Comment 4•21 years ago (Reporter)

I just noticed another related bug (maybe it's the same bug) on http://www.unfocus.com/flashNav.html . The pages in the history drop-down (the little down-facing arrow next to the back button) appear in the wrong order. The list contains the correct number of pages, but the titles are all the same, except the bottommost one, which contains the title of the most recently generated page. I tried to duplicate this bug on http://www.unfocus.com/moz-bug-demo.html but it didn't work. For whatever reason, setting the value of the title tag doesn't work on the test page, but works on the flashNav page.

I tested these in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827
Comment 5•21 years ago (Reporter)

Mozilla in Win98 and build "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4a) Gecko/20030401" seems to not store any history entries for these JavaScript-generated pages. I upgraded to build "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624" and it stores the pages in the history, but the problem that the generated pages are not able to access JavaScript in the parent frame (when called out of the history, not when first generated, which works) still exists. I get this error:

"Error: uncaught exception: Permission denied to get property Window.make_noise"

If I save the file, then open it from my hard drive, I get this error:

"Security Error: Content at wyciwyg://0/file:///C:/WINDOWS/Desktop/moz-bug-demo.html may not load or link to file:///C:/WINDOWS/Desktop/moz-bug-demo.html."

followed by this error:

"Error: uncaught exception: Permission denied to get property Window.make_noise"

...in the JavaScript console.
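The failing check in the comments above, reduced to an origin comparison. This is an added example, not part of the bug report and not Gecko's code; the layout wyciwyg://<id>/<original URL> is an assumption read off the error messages quoted here, and all function names are hypothetical.

```javascript
// Added illustration, not Gecko code. URLs are the ones quoted in this bug.
// Assumption: a wyciwyg URL has the layout wyciwyg://<id>/<original URL>.
const WYCIWYG = /^wyciwyg:\/\/\d+\/(.+)$/;

// Scheme, host and port: the triple a same-origin comparison looks at.
function originTuple(url) {
  const u = new URL(url);
  return [u.protocol, u.hostname, u.port].join("|");
}

// Compares the URLs exactly as they are stored.
function sameOriginAsStored(a, b) {
  return originTuple(a) === originTuple(b);
}

// Strips one wyciwyg wrapper; any other URL is returned unchanged.
function unwrap(url) {
  const m = WYCIWYG.exec(url);
  return m ? m[1] : url;
}

// Compares the original URLs behind any wyciwyg wrapper.
function sameOriginUnwrapped(a, b) {
  return sameOriginAsStored(unwrap(a), unwrap(b));
}

const parentUrl = "http://www.unfocus.com/moz-bug-demo.html";
// Constructed from the pattern in the error messages: the page as restored via Back.
const restoredUrl = "wyciwyg://0/" + parentUrl;
const localUrl = "file:///C:/WINDOWS/Desktop/moz-bug-demo.html";

function demo() {
  return {
    // Freshly written page carries the parent's URL, so the call succeeds.
    firstWrite: sameOriginAsStored(parentUrl, parentUrl),
    // Restored from history: scheme and host differ, so access is denied.
    afterBack: sameOriginAsStored(parentUrl, restoredUrl),
    afterBackUnwrapped: sameOriginUnwrapped(parentUrl, restoredUrl),
    localUnwrapped: sameOriginUnwrapped(localUrl, "wyciwyg://0/" + localUrl),
    // Unwrapping must not make an unrelated site same-origin.
    otherSite: sameOriginUnwrapped("http://other.example/", restoredUrl),
  };
}

console.log(demo());
```

Comparing the wrapped original URL matches the parent again while a different site is still rejected, which is the behaviour the reporter expected.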
Comment 6•21 years ago (Reporter)
I added this page as an attachment, so that I can delete the page from my server (house cleaning).
Comment 7•19 years ago (Reporter)

It seems that many bugs concerning the history have been worked out in Deer Park Alpha 2. Is there any chance that this will get worked out for the release of 1.1? This would be very useful for creating a history script for AJAX and Flash apps (which is exactly what I am trying to create here: http://www.unfocus.com/Projects/HistoryKeeper/ - yeah I know this could be considered a shameless plug, but I'm just trying to demonstrate a use for this kind of functionality). Currently it is possible to do something in IE that can't be done in Mozilla, and that bothers me ;-)

Also, what does "DUPEME" mean in the Status Whiteboard?
Comment 8•19 years ago (Reporter)
BTW, this bug is about the fact that javascript is not executed from the history pages in the iframe - it is not about the pages not coming up from the history, which they do.
Comment 9•19 years ago (Reporter)

Is anyone even seeing this? This is not meant to be a threat, so please don't take it as such, but if no one responds to this, I'm going to assume that it isn't being seen by anyone, and will attempt to get it on someone's radar, or at least evaluated, or whatever. Again, I'm not trying to be annoying, I just want to make sure I'm not wasting my breath. It's been a long time since anyone responded to anything I've written here, and very few email addresses have anything sent to them when I make further comments.

BTW, this _is_ a bug. Comment #3 says wfm, but it doesn't work. I've tested this on all of the following:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5) Gecko/20030925
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20050302 Firefox/0.9.6 (Netscape 8.0 beta)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050712 Firefox/1.0+ (Deer Park Alpha 2)
Whiteboard: DUPEME
Updated•19 years ago (Reporter)
Whiteboard: DUPEME
Comment 10•18 years ago
Duplicate of bug 172261 (and fixed by the patch I'm posting there).
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Component: History: Session → Document Navigation
QA Contact: chrispetersen → docshell