Closed Bug 304886 Opened 19 years ago Closed 19 years ago

[FIXr]content can still shadow real DOM properties from chrome with <img name="links"> etc.

Component: Core :: DOM: Core & HTML (defect, P1)
Status: RESOLVED FIXED
Target Milestone: mozilla1.8beta4
Reporter: jst; Assigned: bzbarsky
Keywords: fixed1.8; Whiteboard: [sg:fix]
Attachments: 3 files, 2 obsolete files

In bug 296967 we made XPCNativeWrapper call into the scriptable helper hooks on our DOM nodes to make an XPCNativeWrapped DOM look more like an unwrapped one, but this opens up ways for content code to hide things from chrome again. If a page contains <img name="links">, document.links will not be the collection of links that it should be, it'll be the image named links. Some options that were thrown around on IRC were to not expose things by name on document and forms etc, or to reorder things in XPCNativeWrapper so that any time a property that is defined in IDL is accessed we'd return that w/o even calling the hooks... Both have their ups and downs...
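An added model of the shadowing described in the report, and of the second option raised there (resolving IDL-defined properties before the named-item hook is consulted). This is illustrative Node.js code, not Gecko's XPCNativeWrapper, the scriptable helpers, or the patch attached to this bug; `ContentDocument`, `namedItem`, `idlDefined`, `makeWrapper` and the hostile sample document are all invented stand-ins.

```javascript
// Added model of the bug: content-controlled names on a document shadowing
// IDL-defined DOM properties, and a wrapper that resolves IDL properties first.
// This is illustrative stand-in code, not Gecko's XPCNativeWrapper or the
// patch from this bug; every class and function name here is an assumption.

class ContentDocument {
  constructor() {
    this._anchors = [];       // stand-in for the real document.links collection
    this._byId = new Map();   // elements reachable by id
    this._named = new Map();  // <img name=...>, <form name=...>, etc.
  }
  // IDL-defined members live on the prototype, like the real DOM bindings.
  get links() { return this._anchors; }
  getElementById(id) { return this._byId.get(id) ?? null; }

  addAnchor(href) { this._anchors.push({ tag: 'A', href }); }
  addElementWithId(tag, id) { this._byId.set(id, { tag, id }); }
  addNamedElement(tag, name) { this._named.set(name, { tag, name }); }
  // Stand-in for the scriptable helper's named-item hook (document.<name>).
  namedItem(name) { return this._named.get(name); }
}

// True when prop is defined by the "IDL" (here: on the prototype chain of the
// native object) rather than being a per-instance named item.
function idlDefined(target, prop) {
  let proto = Object.getPrototypeOf(target);
  while (proto && proto !== Object.prototype) {
    if (Object.prototype.hasOwnProperty.call(proto, prop)) return true;
    proto = Object.getPrototypeOf(proto);
  }
  return false;
}

// A wrapper over the content document, in two orderings:
//   idlFirst=false: consult the named-item hook first (the bug: <img name="links">
//                   shadows document.links for chrome too);
//   idlFirst=true:  return IDL-defined properties without ever calling the hook,
//                   so content can only add names, never replace real members.
function makeWrapper(doc, { idlFirst }) {
  return new Proxy(doc, {
    get(target, prop) {
      if (typeof prop !== 'string') return Reflect.get(target, prop, target);
      if (idlFirst && idlDefined(target, prop)) {
        return Reflect.get(target, prop, target);
      }
      const hit = target.namedItem(prop);
      if (hit !== undefined) return hit;
      return Reflect.get(target, prop, target);
    },
  });
}

// Constructed sample page: two real links plus hostile named elements.
function buildHostileDocument() {
  const doc = new ContentDocument();
  doc.addAnchor('https://example.test/a');
  doc.addAnchor('https://example.test/b');
  doc.addElementWithId('DIV', 'status');
  doc.addNamedElement('IMG', 'links');           // <img name="links">
  doc.addNamedElement('IMG', 'getElementById');  // <img name="getElementById">
  doc.addNamedElement('FORM', 'login');          // a legitimate named form
  return doc;
}

// What privileged (chrome) code would observe through each wrapper ordering.
function chromeView(doc) {
  const buggy = makeWrapper(doc, { idlFirst: false });
  const fixed = makeWrapper(doc, { idlFirst: true });
  return {
    buggyLinksTag: buggy.links.tag,                        // 'IMG': chrome got the image
    buggyGetElementByIdType: typeof buggy.getElementById, // 'object': not callable
    fixedLinksCount: fixed.links.length,                   // 2: the real collection
    fixedGetElementByIdType: typeof fixed.getElementById, // 'function'
    fixedStatusTag: fixed.getElementById('status').tag,   // 'DIV': method still works
    fixedLoginTag: fixed.login.tag,                        // 'FORM': named access kept
  };
}

console.log(chromeView(buildHostileDocument()));
```

The `typeof` checks mirror the kind of assertion the bug's testcase makes: through the hook-first ordering a chrome caller that does `document.getElementById(...)` would be invoking an image, while the IDL-first ordering still lets content expose `document.login` because `login` is not an IDL-defined member.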
Let's not regress from 1.0.x here. /be
Flags: blocking1.8b4+
Blocks: 281988
Attached file Testcase
This tests various XPCNativeWrapper stuff, but I added tests for this bug explicitly -- the typeof() == 'function' ones.
Attached file Clearer testcase
Attached patch: patch (obsolete)
Attached patch: Same as diff -w (obsolete)
Attachment #193028 - Flags: superreview?(jst)
Attachment #193028 - Flags: review?(jst)
Priority: -- → P1
Summary: content can still shadow real DOM properties from chrome with <img name="links"> etc. → [FIX]content can still shadow real DOM properties from chrome with <img name="links"> etc.
Target Milestone: --- → mozilla1.8beta4
Comment on attachment 193028 (Same as diff -w): Yeah, looks good. r+sr=jst
Attachment #193028 - Flags: superreview?(jst)
Attachment #193028 - Flags: superreview+
Attachment #193028 - Flags: review?(jst)
Attachment #193028 - Flags: review+
Comment on attachment 193028 (Same as diff -w): We need this on branch. Risk is low, I think, and I've updated the XPCNativeWrapper documentation accordingly.
Attachment #193028 - Flags: approval1.8b4?
Summary: [FIX]content can still shadow real DOM properties from chrome with <img name="links"> etc. → [FIXr]content can still shadow real DOM properties from chrome with <img name="links"> etc.
Attached patch: Updated to tip
Attachment #193027 - Attachment is obsolete: true
Attachment #193028 - Attachment is obsolete: true
Attachment #193028 - Flags: approval1.8b4? → approval1.8b4+
Fixed, trunk and branch.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Should this bug be made public now?
Whiteboard: [sg:fix]
I missed a case; filed bug 310069 on that.
Flags: testcase+
Group: security
Flags: in-testsuite+ → in-testsuite?
Component: DOM → DOM: Core & HTML