Closed Bug 304882 Opened 16 years ago Closed 16 years ago

bookmarklet fails (accessing location.href after document.write())

Categories

(Firefox :: General, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: Peter6, Assigned: mrbkap)

References

()

Details

(Keywords: fixed1.8, regression)

Attachments

(2 files, 2 obsolete files)

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050816
Firefox/1.0+ ID:2005081613

1. create bookmarklet (attachment follows)
2. open this bug and press the bookmarklet

expected: the textarea should be filled with text

result JSC error:
Error: uncaught exception: [Exception... "Component returned failure code:
0x80004003 (NS_ERROR_INVALID_POINTER) [nsIDOMLocation.href]"  nsresult:
"0x80004003 (NS_ERROR_INVALID_POINTER)"  location: "JS frame ::
javascript:(function() { var title = document.title; function
htmlEscape(s){return s;}; var
OS=document.getElementById(%22op_sys%22).value.substring(0,3) ;var
PR=document.getElementById(%22product%22).value ;var
comp=document.getElementById(%22component%22).value;if(comp==%22XSLT%22||comp==%22MathML%22||comp==%22XForms%22||comp==%22SVG%22||comp==%22Layout:
Canvas%22||comp==%22Editor%22||comp==%22Build Config%22)
PR=PR+%22:%22+comp;;document.write(%22<form name=f><textarea name=ta cols=120
rows=5></textarea></form>%22); document.close(); document.f.ta.value =
%22[*][url=%22 + location.href + %22]#%22 + /\d+/(title)[0] + %22 [/url][%22 +
PR +%22]-%22+htmlEscape(/-.*/(title)[0].slice(2)) +%22 [%22+OS +%22]%22+ %22%22;
document.f.ta.select(); })() :: anonymous :: line 1"  data: no]

regressionwindow:
http://tinderbox.mozilla.org/bonsai/cvsquery.cgi?treeid=default&module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_BRANCH&branchtype=match&filetype=match&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-08-16+11%3A47%3A00&maxdate=2005-08-16+13%3A29%3A00&cvsroot=%2Fcvsroot
I'm guessing this is jst's.
Assignee: nobody → jst
The trunk nightly has this regression as well.
Flags: blocking1.8b4?
A simpler bookmarklet that fails now on the branch but didn't fail with this
morning's branch nightly:

javascript:document.write(); alert(location.href);
Flags: blocking1.8b4? → blocking1.8b4+
Flags: blocking1.8b4+ → blocking1.8b4?
Attached patch the patch + extra changes (obsolete) — Splinter Review
This is fallout from my checkin to the branch earlier today (bug 303267). This
patch switches us to actually doing security checks for accesses to the
location object instead of doing the null-out-docshell dance.

This patch conflicts with my patch for bug 304764, so I'll attach a new one
when I can extract the relevant changes.
Assignee: jst → mrbkap
Status: NEW → ASSIGNED
Comment on attachment 192881 [details] [diff] [review]
the patch + extra changes

+  // object. Parent it to the inner window so that access checks do the Right

Note to self: Parent it to the *outer* window
Attached patch real patch (obsolete) — Splinter Review
This patch should apply directly on top of the patch for bug 304764 (i.e.,
apply that one first, then apply this one).
Attachment #192881 - Attachment is obsolete: true
Attachment #192902 - Flags: review?(jst)
Flags: blocking1.8b4? → blocking1.8b4+
Summary: bookmarklet fails → bookmarklet fails (accessing location.href after document.write())
Comment on attachment 192902 [details] [diff] [review]
real patch

Looks good. Make the changes we talked about (nulling out the docshell in the
window state holders' dtor and asserting in PreCreate() if we don't have a
docshell) and I'll r=...
Attachment #192902 - Flags: review?(jst)
This has the extra listener manager changes in it, but I promise those aren't
part of this bug :-).
Attachment #192902 - Attachment is obsolete: true
Attachment #193008 - Flags: review?(jst)
Comment on attachment 193008 [details] [diff] [review]
null out the docshell when the docshell goes away

r=jst
Attachment #193008 - Flags: review?(jst) → review+
Comment on attachment 193008 [details] [diff] [review]
null out the docshell when the docshell goes away

... and sr=jst too!
Attachment #193008 - Flags: superreview+
*** Bug 305104 has been marked as a duplicate of this bug. ***
Checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment on attachment 193008 [details] [diff] [review]
null out the docshell when the docshell goes away

This fixes window.location to work closer to the way it did before the
splitwinodw landing.
Attachment #193008 - Flags: approval1.8b4?
Attachment #193008 - Flags: approval1.8b4? → approval1.8b4+
I had to back this out because it was turning Txul tests orange.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Depends on: 305236
Status: REOPENED → ASSIGNED
Fix checked into the trunk, though the tree went red before any of the
tinderboxen that went orange the last time had a chance to go green. I'm marking
this FIXED, optimistically. I'll check in on the branch tomorrow.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
Whiteboard: [needs branch checkin]
Blocks: 305652
And checked into MOZILLA_1_8_BRANCH. Hopefully it'll have more luck there!
Keywords: fixed1.8
Whiteboard: [needs branch checkin]
*** Bug 305086 has been marked as a duplicate of this bug. ***
Depends on: 338288
This probably caused bug 338288
You need to log in before you can comment on or make changes to this bug.