Closed
Bug 307980
Opened 19 years ago
Closed 19 years ago
Security error when using evalInSandbox on http://www.ebay.com/
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: boogs, Assigned: mrbkap)
Details
(Keywords: fixed1.8)
Attachments
(3 files)
2.75 KB,
text/plain
|
Details | |
7.40 KB,
patch
|
Details | Diff | Splinter Review | |
6.12 KB,
patch
|
brendan
:
review+
shaver
:
superreview+
asa
:
approval1.8b5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 I get a security error when trying to access window.alert through a sandbox with evalInSandbox on ebay.com, but not on other domains. The sandbox's codebase is set to the URL of _content. And I am accessing alert through something like window.alert("hi") where window is sandbox.window = _content. Here it is in code: var box = new Components.utils.Sandbox(url); box.window = _content; Components.utils.evalInSandbox("window.alert('hello from: ' + window.location.href)", box); Reproducible: Always Steps to Reproduce: 1. Drop the attachment into <installdir>/components/ and have Firefox autoregister 2. You should get alerts with the URL of every non-chrome window loaded 3. navigate to http://google.com, note alert 4. navigate to http://yahoo.com, note alert 5. navigate to http://ebay.com, note no alert from ebay.com (the one from doubleclick doesn't count, we're looking for the one from the main page, not the ad iframe). open JS console and note the security error. Actual Results: Security error in JS console: 'Permission denied to get property Window.alert' Expected Results: alert box with: "hello from http://www.ebay.com" I'm putting this as Major because it prevents Greasemonkey from working properly on all sites. Its major to me anyway.
Reporter | ||
Comment 1•19 years ago
|
||
forgot the testcase attachment when i filed the bug
Reporter | ||
Updated•19 years ago
|
Component: General → XPConnect
Product: Firefox → Core
Version: unspecified → 1.8 Branch
Updated•19 years ago
|
Assignee: nobody → dbradley
QA Contact: general → pschwartau
Reporter | ||
Comment 2•19 years ago
|
||
Felt like I should add the entire text of the error from the console incase it's not easy to reproduce using my testcase: Error: [Exception... "Component returned failure code: 0x80004003 (NS_ERROR_INVALID_POINTER) [nsIDOMLocation.replace]" nsresult: "0x80004003 (NS_ERROR_INVALID_POINTER)" location: "JS frame :: file:///C:/PROGRA~1/DEERPA~3/components/ypSandboxTestCase.js :: <TOP_LEVEL> :: line 34" data: no] Source File: file:///C:/PROGRA~1/DEERPA~3/components/ypSandboxTestCase.js Line: 34
Reporter | ||
Comment 3•19 years ago
|
||
Actually, doesn't work on yahoo either - same problem. Looks like yahoo.com also sets it's document.domain property.
Comment 4•19 years ago
|
||
mrbkap, this one looks like yours, at a glance. /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 5•19 years ago
|
||
It's currently impossible to do what you want in the face of setting document.domain. To fix this, we're extending the interface of evalInSandbox to allow you to pass a window instead of a URI, which will have all of the right principals on it. That would make the interesting bit in the testcase: var sandbox = new Components.utils.Sandbox(webProgress.DOMWindow); ...
Assignee: dbradley → mrbkap
Flags: blocking1.8b5?
Assignee | ||
Updated•19 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•19 years ago
|
||
This allows you to pass a DOMWindow to the Sandbox constructor. diff -w for review in a second.
Reporter | ||
Comment 7•19 years ago
|
||
That solution is totally fine with me.
Assignee | ||
Comment 8•19 years ago
|
||
Attachment #195823 -
Flags: superreview?(shaver)
Attachment #195823 -
Flags: review?(brendan)
Comment 9•19 years ago
|
||
Comment on attachment 195823 [details] [diff] [review] Allow windows too -w r=me if you use do_QueryWrappedNative instead of rolling your own, as you pointed out to me! /be
Attachment #195823 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 10•19 years ago
|
||
Comment on attachment 195823 [details] [diff] [review] Allow windows too -w >+ nsCOMPtr<nsIDOMWindow> win = do_QueryInterface(wrapper->Native()); >+ CallQueryInterface(win, &sop); Note to self: CallQueryInterface isn't null-safe, so this needs to check |win|.
Comment on attachment 195823 [details] [diff] [review] Allow windows too -w sr=shaver
Attachment #195823 -
Flags: superreview?(shaver) → superreview+
Assignee | ||
Comment 12•19 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•19 years ago
|
Attachment #195823 -
Flags: approval1.8b5?
Updated•19 years ago
|
Attachment #195823 -
Flags: approval1.8b5? → approval1.8b5+
Updated•19 years ago
|
Flags: blocking1.8b5? → blocking1.8b5+
You need to log in
before you can comment on or make changes to this bug.
Description
•