Accessing innerWidth of a tabbrowser contentWindow throws NS_ERROR_XPC_SECURITY_MANAGER_VETO

RESOLVED FIXED

Status

()

RESOLVED FIXED
11 years ago
11 years ago

People

(Reporter: mcsmurf, Assigned: mrbkap)

Tracking

({regression, verified1.8.1.15})

Trunk
x86
Windows XP
regression, verified1.8.1.15
Points:
---
Bug Flags:
blocking1.8.1.15 +
wanted1.8.1.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

11 years ago
Accessing innerWidth of a tabbrowser contentWindow throws NS_ERROR_XPC_SECURITY_MANAGER_VETO

To reproduce:
0. Fetch a Firefox(!) trunk build
1. Switch signed.applets.codebase_principal_support to true so that a webpage from content can request privs
2. Open any website in the first tab and https://bugzilla.mozilla.org/attachment.cgi?id=238226 in any other tab, make sure you trust the code from that testcase (it's a drawWindow canvas testcase)
3. Click on Draw to get a preview of the page in tab 1 in the canvas below
4. Observe that you get no preview but instead a error in the Error Console:

Error: uncaught exception: [Exception... "Security Manager vetoed action"  nsresult: "0x80570027 (NS_ERROR_XPC_SECURITY_MANAGER_VETO)"  location: "JS frame :: https://bugzilla.mozilla.org/attachment.cgi?id=238226# :: doFrob :: line 26"  data: no]

Line 26 is a empty line, but by adding some line breaks I found out that it actually seems to mean line 27.

This regressed between 2007-07-05-04 and 2007-07-06-04. Bonsai link: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-07-05+03%3A00&maxdate=2007-07-06+04%3A00&cvsroot=%2Fcvsroot

This points to Bug 384750, but I'm not sure because that's a security bug. It looks like DOMi had a similar problem, see Bug 387053, but that patch was backed out again as Bug 387084 was fixed. So is this now a real bug or a bug in the testcase?
(Reporter)

Comment 1

11 years ago
Blake: Can you comment on this bug if it is a valid bug? I'm not sure if it is...
(Assignee)

Comment 2

11 years ago
Created attachment 275200 [details] [diff] [review]
Fix

Given other bugs, I'm rapidly losing faith in EnsureLegalActivity, but this patch will make it deal for now.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #275200 - Flags: superreview?(bzbarsky)
Attachment #275200 - Flags: review?(bzbarsky)
Comment on attachment 275200 [details] [diff] [review]
Fix

OK, I buy this.
Attachment #275200 - Attachment is private: true
Attachment #275200 - Flags: superreview?(bzbarsky)
Attachment #275200 - Flags: superreview+
Attachment #275200 - Flags: review?(bzbarsky)
Attachment #275200 - Flags: review+
(Assignee)

Updated

11 years ago
Attachment #275200 - Attachment is private: false
Attachment #275200 - Flags: approval1.9?

Updated

11 years ago
Attachment #275200 - Flags: approval1.9? → approval1.9+
(Assignee)

Comment 4

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Don't we need this on branch too?  This breaks code using <xul:iframe> (e.g. in signed script).  See the thread at http://groups.google.com/group/mozilla.dev.security/browse_frm/thread/200083a2d0cb1562#
Blocks: 384750
Flags: blocking1.8.1.15?
Keywords: regression
And this could really use an automated testcase.  Should be simple to mochitest, no?
Flags: in-testsuite?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15+
Duplicate of this bug: 425232
Whiteboard: [needs branch patch]
Comment on attachment 275200 [details] [diff] [review]
Fix

This patch applies to the branch as well, and fixes the bug there too.
Attachment #275200 - Flags: approval1.8.0.15?
Attachment #275200 - Flags: approval1.8.0.15? → approval1.8.1.15?
Comment on attachment 275200 [details] [diff] [review]
Fix

Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #275200 - Flags: approval1.8.1.15? → approval1.8.1.15+
Fix landed on the branch.
Keywords: fixed1.8.1.15
The mac tinderbox started burning after this bug and bug 418996 and bug 424426 landed on the branch (bm-xserve05). It's failing the Tp2 test:

Running LayoutPerformanceLocalTest test ...
Timeout = 180 seconds.
Begin: Thu Jun  5 18:08:31 2008
cmd = /builds/tinderbox/Fx-Mozilla1.8-Nightly/Darwin_8.7.0_Depend/mozilla/../build/unifox/dist/BonEcho.app/Contents/MacOS/firefox-bin http://localhost/pageload/cycler.html
Process killed. Took 2 seconds to die.
End:   Thu Jun  5 18:11:32 2008
----------- Output from LayoutPerformanceLocalTest ------------- 
----------- End Output from LayoutPerformanceLocalTest --------- 
LayoutPerformanceLocalTest: firefox-bin successfully stayed up for 180 seconds.
TinderboxPrint:Tp2:[CRASH]
LayoutPerformanceLocalTest: test failed

cycler.html is here in mxr:
http://mxr.mozilla.org/seamonkey/source/tools/performance/pageload/cycler.html?raw=1

Several seamonkey boxes are also having issues:
http://tinderbox.mozilla.org/showbuilds.cgi?tree=Mozilla1.8-SeaMonkey&maxdate=1212719731&hours=12

Are these tests broken by the set of changes or has this caught a regression ?
Backed out of branch to see if the orange clears. I'll be watching it over the weekend and will try to reland before Monday.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Keywords: fixed1.8.1.15
Whiteboard: [needs branch patch]
Relanded, all green.
Status: REOPENED → RESOLVED
Last Resolved: 11 years ago11 years ago
Keywords: fixed1.8.1.15
Resolution: --- → FIXED

Comment 14

11 years ago
When can we expect to see this fix in a release version?
Daniel, it's in Firefox 2.0.0.15, which is aimed at the end of June, and has been in Firefox 3.0 since the betas.

Comment 16

11 years ago
(In reply to comment #15)
> Daniel, it's in Firefox 2.0.0.15, which is aimed at the end of June, and has
> been in Firefox 3.0 since the betas.
> 

Thanks.  Looks like it might be a plugin issue on my end instead then.  My bad.

Comment 17

11 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/20080610 BonEcho/2.0.0.15pre

Verified for 1.8.1.15 branch. No error message in console.
Keywords: fixed1.8.1.15 → verified1.8.1.15
You need to log in before you can comment on or make changes to this bug.