Combination of XUL document and onunload/onpagehide event handler causes a browser window to become transparent

RESOLVED FIXED

Status

()

Core
Security
RESOLVED FIXED
11 years ago
6 years ago

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(6 attachments)

(Reporter)

Description

11 years ago
Please see bug 327014.

It's possible to make a browser UI invisible by using a XUL document that has
no background, and an onunload/onpagehide event handler that changes the layout
of the page.

1. Load a XUL document that has no background specified.
2. Load another document.
3. In an onunload/onpagehide event handler, change the layout of the page.

The browser window becomes invisible, and the XUL document's content elements
are displayed on the invisible browser UI.

Unlike bug 327014, regardless of whether bfcache is enabled or not, the browser
window becomes invisible.

Trunk, fx2.0.0.x and fx1.5.0.x are affected.  I can reproduce this only on
Windows XP.  (On Linux, content area becomes transparent, but the browser
window does not.)

There are some differences between the trunk and branches:
* On trunk, it is necessary to call alert() in the onunload/onpagehide event
  handler, otherwise the XUL document's content elements disappear.
* On branches, it is necessary to use onpagehide event handler, not onunload
  event handler, otherwise the XUL document's content elements disappear.
* On branches, if bfcache is disabled, the XUL document's content elements
  disappear.
(Reporter)

Comment 1

11 years ago
Created attachment 263256 [details]
testcase 1 - main xul
(Reporter)

Comment 2

11 years ago
Created attachment 263257 [details]
testcase 1 - this is used to open "main xul"
(Reporter)

Comment 3

11 years ago
Created attachment 263258 [details]
testcase 2 - simple testcase
(Reporter)

Comment 4

11 years ago
Created attachment 263259 [details]
screenshot
(Reporter)

Comment 5

11 years ago
> There are some differences between the trunk and branches:
> * On trunk, it is necessary to call alert() in the onunload/onpagehide event
>   handler, otherwise the XUL document's content elements disappear.
> * On branches, it is necessary to use onpagehide event handler, not onunload
>   event handler, otherwise the XUL document's content elements disappear.
> * On branches, if bfcache is disabled, the XUL document's content elements
>   disappear.

I was wrong.  alert() is not needed, if XUL content elements are displayed from
the start (i.e. not using "visibility: hidden").  And, a PoC can work
regardless of whether bfcache is used or not, by not using
absolute/fixed/relative positioning.  I'll attach a new testcase, which uses
onunload event handler, to demonstrate that disabling bfcache is not a
workaround.
(Reporter)

Comment 6

11 years ago
Created attachment 263574 [details]
testcase 3 - main xul
(Reporter)

Comment 7

11 years ago
Created attachment 263575 [details]
testcase 3 - this is used to open "main xul"
(Reporter)

Comment 8

11 years ago
This seems to be fixed on trunk.  By bug 322074?

fx-3.0b3pre-2008-01-09-04: affected
fx-3.0b3pre-2008-01-10-05: not affected

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2008-01-09+04&maxdate=2008-01-10+05
sounds right
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Depends on: 322074
Group: core-security
You need to log in before you can comment on or make changes to this bug.