Closed Bug 300499 Opened 19 years ago Closed 19 years ago

HTML page inside of xul:browser uses parent.location.href to clobber XP App

Categories

(SeaMonkey :: UI Design, defect)

Product:
SeaMonkey
Component:
UI Design
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: nicholas, Assigned: jag+mozilla)

References

(
URL
)

Details

(Keywords: testcase)

Attachments

(2 files)

A webpage containing the offending JavaScript code.
505 bytes, text/html
Details
Minimized testcase XUL application.
423 bytes, application/vnd.mozilla.xul+xml
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Debian/1.7.8-1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Debian/1.7.8-1

I have a chrome XUL application which contains an xul:browser. I have set type
to "content-primary". When I tell it to load an HTML URL whose source includes
"parent.location.href = location.href;", the XUL application window is replaced
with the HTML page.

Reproducible: Always

Steps to Reproduce:

  

  



    
    

    
  


  

  

  



    
    

    
  
The testcase won't work unless you download both files to a directory and visit
bug.xul.

My understanding, from
http://xulplanet.com/references/elemref/ref_browser.html#attr_type is that
setting type="content-primary" ... to quote "The content that is loaded inside
the browser is not allowed to access the chrome above it."

This bug was originally found in the wild at http://www.ryerson.ca/ .


  

  


URL: http://www.ryerson.ca/

    
  
Keywords: testcase

    
    

    
  
> I have a chrome XUL application

How are you running this application?

  

  



    
    

    
  
By viewing it as a page in the browser. The problem doesn't occur if it's chrome.

It occurs to me that this was probably by design and definition of content-primary that there can be only one, and it's the browser not my xul:browser within the browser. If so, you can close this bug if you like, but there still ought to be a way for a non-chrome XUL page to safely embed foreign content. That could be a separate wishlist item.

  

  



    
    

    
  
Yeah, you're in a content window yourself, so the content subframe can clobber you...'

It might indeed make sense to provide a mechanism to prevent that; worth a separate bug (probably on docshell:embedding apis).

  

  


Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: