Closed Bug 304284 Opened 20 years ago Closed 20 years ago

doc.location.href is URL of document currently loaded in doc's tab

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: jruderman, Assigned: jst)

References

Details

(5 keywords, Whiteboard: (not in 1.7/aviary))

Attachments

(2 files)

demo: tracks URLs loaded in the original tab/window
1.06 KB, text/html
Details
Make location be per inner window (and invalidate it when the inner window is no longer the current inner window).
5.66 KB, patch
mrbkap
: review+
brendan
: superreview+
Details | Diff | Splinter Review
If you hold a reference to |document| and get its location.href after the user has navigated to another page, you can see the URL of the new page. In July 29 builds and earlier, this resulted in a "permission denied" exception. I think it should give the URL of the old document, but throwing an exception is better than giving another URL. This could be a regression from split windows: Firefox 1.0.6 - not vulnerable Trunk, July 10 - not vulnerable Trunk, July 29 - not vulnerable Trunk, July 31 - broken: no error in JS console, crashed once (TB8275556H) Trunk, Aug 2 - vulnerable Trunk, Aug 10 - vulnerable
Flags: blocking1.8b4?
Whiteboard: [sg:fix]
Flags: blocking1.8b4? → blocking1.8b4+
jst, can you take this? If not, brain-dump here and mrbkap or I will. /be
Assignee: general → jst
Ok. I've got a fix for this in my tree. The fix is to make the inner window hold the location object and to null out the docshell in it when the inner is torn down (i.e. when we load a different page). This brings us back to throwing an exception (though not a security exception) when the location object is used off of a document that's no longer loaded. Once I have access to a tree clean enough to create a diff from I'll attach a diff...
OS: MacOS X → All
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8beta4
Comment on attachment 192493 [details] [diff] [review] Make location be per inner window (and invalidate it when the inner window is no longer the current inner window). r=me
Attachment #192493 - Flags: review?(mrbkap) → review+
Comment on attachment 192493 [details] [diff] [review] Make location be per inner window (and invalidate it when the inner window is no longer the current inner window). sr=me Minor thought for later: maybe we should union stuff in nsGlobalWindow.h to save space at some point. /be
Attachment #192493 - Flags: superreview?(brendan) → superreview+
This was fixed by the checkin for bug 303267.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Keywords: fixed1.8
Regression due to split windows, not a problem in aviary/1.7 branches
Keywords: regression
Whiteboard: [sg:fix] → [sg:fix] (not in 1.7/aviary)
Flags: testcase+
Mozilla 1.7.13/20060213 winxp on attachment 192352 [details] _will_ track the first url loaded.
(In reply to comment #9) > Mozilla 1.7.13/20060213 winxp on attachment 192352 [details] [edit] _will_ track the first url > loaded. > Mozilla 1.7.13/20060217 winxp on attachment 192352 [details] _will not_ track the first url loaded.
Group: security
Flags: in-testsuite+ → in-testsuite?
Keywords: csec-disclosure, csec-sop, sec-moderate
Whiteboard: [sg:fix] (not in 1.7/aviary) → (not in 1.7/aviary)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: