Showing a blocked popup has chrome privs

RESOLVED FIXED

Product: Core
Component: DOM
Reported: 13 years ago
Modified: 11 years ago

People

(Reporter: Doron Rosenberg (IBM), Assigned: jst)

Tracking

Keywords: fixed-aviary1.0.3, fixed1.7.7
Version: Trunk
Hardware: x86
OS: All
Bug Flags: in-testsuite ?


Details

(Whiteboard: [sg:fix])

Attachments

(3 attachments)

(Reporter)

Description

13 years ago
window.open("javascript:alert(Components.stack)"); is the testcase :)
(Reporter)

Comment 1

13 years ago
Created attachment 179767 [details]
testcase

Happens on trunk too, Seamonkey and Firefox.

Steps:
  - popup is blocked
  - Showing it (via infobar or statusbar item) will print Components.Stack, a
no-no.
I'm positive we had and fixed this bug at one point :-(
(Reporter)

Comment 3

13 years ago
So should we start considering doing a security smoketest for releases?
"start considering"???

You _should_ be doing regression testing of all security fixes. In an automated
fashion, ideally, on every nightly. Preferably as part of the tinderbox tests so
it goes orange when a security thing like this regresses.
(Assignee)

Comment 5

13 years ago
I'm actually not convinced this was fixed. A very similar problem was fixed, but
I think this one simply slipped through the cracks and no one noticed (or at
least told us) until now. Patch coming up.
(Assignee)

Comment 6

13 years ago
Created attachment 179829 [details] [diff] [review]
Push the callee's cx onto the context stack if contentwindow.open() is called from chrome.
(Assignee)

Comment 7

13 years ago
Comment on attachment 179829 [details] [diff] [review]
Push the callee's cx onto the context stack if contentwindow.open() is called from chrome.

r+sr=brendan (in person).
Attachment #179829 - Flags: superreview+
Attachment #179829 - Flags: review+
(Assignee)

Updated

13 years ago
Keywords: fixed-aviary1.0.3
(In reply to comment #5)
> I'm actually not convinced this was fixed. A very similar problem was fixed,

Yes, I was thinking of bug 235457.
Comment on attachment 179829 [details] [diff] [review]
Push the callee's cx onto the context stack if contentwindow.open() is called from chrome.

>+            stack->Push(cx);
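Review bot: the return value of stack->Push(cx) is discarded on this line. This push is the whole point of the patch (it makes the content caller's context the current one before the window is opened from chrome), so if it fails the chrome context stays current and the window still opens with the privilege problem this bug describes; handle it as fallible like the other call sites do and return early with an error instead of carrying on.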

stack->Push(cx) is treated as fallible in many of our other calls.  Seems like
we should early-out if this fails, since we can be in a world of hurt.  (This
world of hurt, specifically.)
Attachment #179829 - Flags: approval1.7.7+
Attachment #179829 - Flags: approval-aviary1.0.3+
(Assignee)

Comment 10

13 years ago
Created attachment 179901 [details] [diff] [review]
1.7 version of the above diff.
Keywords: fixed1.7.7
Whiteboard: [sg:fix]
Fix released
Group: security
Comment on attachment 179829 [details] [diff] [review]
Push the callee's cx onto the context stack if contentwindow.open() is called from chrome.

applies cleanly, requesting a= for trunk checkin
Attachment #179829 - Flags: approval1.8b2?
Comment on attachment 179829 [details] [diff] [review]
Push the callee's cx onto the context stack if contentwindow.open() is called from chrome.

a=shaver for the trunk.
Attachment #179829 - Flags: approval1.8b2? → approval1.8b2+
Comment on attachment 179829 [details] [diff] [review]
Push the callee's cx onto the context stack if contentwindow.open() is called from chrome.

a=brendan for 1.8b2.

/be
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED

Comment 16

13 years ago
(In reply to comment #1)
> Created an attachment (id=179767)
> testcase
> 
> Happens on trunk too, Seamonkey and Firefox.
> 
> Steps:
>   - popup is blocked
>   - Showing it (via infobar or statusbar item) will print Components.Stack, a
> nono.
Hi Doron,

Would you please compose a new test case for mozilla? With this case you
provided here I can't reproduce this bug on mozilla/linux while the os of this
bug is set to all. Please send it to tim.miao@sun.com.
Thanks.

(Reporter)

Comment 17

13 years ago
In Seamonkey, just go to the testcase, right click on the bottom-right (in the
statusbar) icon for the blocked popup, and choose "Show blabla".
Depends on: 296850

Updated

12 years ago
Flags: testcase+

Updated

11 years ago
Flags: in-testsuite+ → in-testsuite?