Closed
Bug 393669
Opened 18 years ago
Closed 18 years ago
Calling a function on a XOW doesn't call the original function (calls the one that overwrote it)
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
People
(Reporter: Waldo, Assigned: mrbkap)
References
()
Details
(Whiteboard: [sg:high?] probably few sites vulnerable, is "moderate" more appropriate?)
Attachments
(1 file)
|
1.29 KB,
patch
|
jst
:
review+
jst
:
superreview+
jst
:
approval1.9+
|
Details | Diff | Splinter Review |
Calling an allAccess function on a window that's not same-origin with the caller calls the function that other window defined on itself, not the original. In other words, a window which redefines window.blur can screw with the expectations (maybe do worse) of any other window that blurs it, or the same for any other allAccess method, most likely.
I ran into this while working on the patch for bug 387706.
|
Reporter | |
Comment 1•18 years ago
|
||
Er, this happens in Firefox 2 as well. It doesn't happen in Safari, so it's not some web-compat idiocy I just don't know about, either.
|
Assignee | |
Comment 2•18 years ago
|
||
I don't know how I missed this before, but we really can't forward when resolving for a XOW. This seems like the easiest way to do it.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #278207 -
Flags: superreview?(jst)
Attachment #278207 -
Flags: review?(jst)
|
||
Comment 3•18 years ago
|
||
Comment on attachment 278207 [details] [diff] [review]
Fix
This will also make it so that if someone uses an object with an outer window as the objects prototype, we won't be forwarding resolves etc in that case either. Not sure we care. r+sr=jst if you think we don't.
Attachment #278207 -
Flags: superreview?(jst)
Attachment #278207 -
Flags: superreview+
Attachment #278207 -
Flags: review?(jst)
Attachment #278207 -
Flags: review+
Attachment #278207 -
Flags: approval1.9+
|
|
Assignee | |
Comment 4•18 years ago
|
||
Actually, I don't think that's the case. Looking at the code in js_LookupPropertyWithFlags, it looks like we pass the 'current' objet when looking up the property. This contrasts sharply with the get/set property hooks, which take the original object and call the derived hook's method.
|
|
Assignee | |
Comment 5•18 years ago
|
||
Fix checked into trunk. (Thanks for the approval jst, I totally forgot about it ;-)).
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Comment 6•18 years ago
|
||
We'll want this on the 2.0 branch when we take XOW
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.7?
Whiteboard: [sg:high?] probably few sites vulnerable, is "moderate" more appropriate?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.8? → blocking1.8.1.9?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.12? → blocking1.8.1.13?
|
|
Reporter | |
Comment 7•17 years ago
|
||
This is tested by one of the tests in the recently-landed support for window.postMessage via bug 387706.
Flags: in-testsuite+
|
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.13?
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•