Closed Bug 401549 Opened 12 years ago Closed 11 years ago

getBoxObjectFor(elem).firstChild reveals anonymous scrollbars

Categories

(Core :: Layout, defect, P2)

x86
macOS
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, verified1.9.1, Whiteboard: [sg:investigate][depends on 475864])

Attachments

(4 files)

Web page scripts can get references to anonymous scrollbar elements using getBoxObjectFor(elem).firstChild.

Split from bug 399411.  Note that bug 251197 has the same impact as this one.
Attached file testcase
I think we should have security checks in the boxobject tree-traversal code....

Then again, the real issue here is that scrollbars are not native-anonymous, right?  Because if they were, the security manager would stop this sort of thing in its tracks.  Perhaps we could just fix that, finally?
Now I get "Permission denied to get property XULElement.tagName".  That's a slight improvement -- I can still get a reference to the element, but I can't do as much with it.
Note that the behavior change from comment 3 has regressed due to quickstubs.  We really need to fix this, imo.
Depends on: 475864
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Whiteboard: [sg:investigate]
Can we get an owner for this?
We must fix bug 475864, so is fixing this really needed?
Ideally, yes...  But it might not be as critical if we fix bug 475864.
While this is undesirable, can anything bad actually happen with content that gets hold of the anonymous scrollbar? You can't do much with it AFAIK.
That depends entirely on what happens with bug 475864.  Right now you can call any quickstubbed method on it.
But anyway, I can take this.
Assignee: nobody → Olli.Pettay
Yes, but what nastiness can you do by messing with the scrollbar via quickstubbed methods?
Remove its kids, for example?
Attached patch possible patchSplinter Review
This is the simple way to fix this. If box object is about to return some
native anonymous element to web page, return null. (BoxObject seems to use null
for error cases.).
The main thing I'm a bit worried about is xulDocument.documentElement.boxObject.firstChild, because that is the default (native anonymous) popupgroup. So I wonder if the nextSibling of that should be actually returned.
Will upload a second patch which does that.
This is pretty ugly. I'm not sure it is worth to even try to do this.
I think I should wait until bug 475864 is fixed, and see what is left to do
after that.
Whiteboard: [sg:investigate] → [sg:investigate][depends on 475864]
Now that bug 475864 is fixed, the testcase gives a security exception.
Is that good enough for 1.9.1? I think it should be.
Marking this then fixed, also on 1.9.1.
Assignee: Olli.Pettay → nobody
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
verified FIXED using attached testcases on builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090721 Minefield/3.6a1pre ID:20090721031556

and

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2pre) Gecko/20090721 Shiretoko/3.5.2pre ID:20090721075223
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.