Closed
Bug 401549
Opened 17 years ago
Closed 16 years ago
getBoxObjectFor(elem).firstChild reveals anonymous scrollbars
Categories
(Core :: Layout, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: testcase, verified1.9.1, Whiteboard: [sg:investigate][depends on 475864])
Attachments
(4 files)
|
325 bytes,
text/html
|
Details | |
|
555 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
6.38 KB,
patch
|
Details | Diff | Splinter Review | |
|
7.55 KB,
patch
|
Details | Diff | Splinter Review |
Web page scripts can get references to anonymous scrollbar elements using getBoxObjectFor(elem).firstChild.
Split from bug 399411. Note that bug 251197 has the same impact as this one.
|
Reporter | |
Comment 1•17 years ago
|
||
|
||
Comment 2•17 years ago
|
||
I think we should have security checks in the boxobject tree-traversal code....
Then again, the real issue here is that scrollbars are not native-anonymous, right? Because if they were, the security manager would stop this sort of thing in its tracks. Perhaps we could just fix that, finally?
|
|
Reporter | |
Comment 3•17 years ago
|
||
Now I get "Permission denied to get property XULElement.tagName". That's a slight improvement -- I can still get a reference to the element, but I can't do as much with it.
|
|
||
Comment 4•16 years ago
|
||
Note that the behavior change from comment 3 has regressed due to quickstubs. We really need to fix this, imo.
|
|
||
Updated•16 years ago
|
Flags: blocking1.9.1?
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Whiteboard: [sg:investigate]
|
||
Comment 5•16 years ago
|
||
Can we get an owner for this?
|
||
Comment 6•16 years ago
|
||
We must fix bug 475864, so is fixing this really needed?
|
|
||
Comment 7•16 years ago
|
||
Ideally, yes... But it might not be as critical if we fix bug 475864.
While this is undesirable, can anything bad actually happen with content that gets hold of the anonymous scrollbar? You can't do much with it AFAIK.
|
|
||
Comment 9•16 years ago
|
||
That depends entirely on what happens with bug 475864. Right now you can call any quickstubbed method on it.
Yes, but what nastiness can you do by messing with the scrollbar via quickstubbed methods?
|
|
||
Comment 12•16 years ago
|
||
Remove its kids, for example?
|
|
||
Comment 13•16 years ago
|
||
|
|
||
Comment 14•16 years ago
|
||
This is the simple way to fix this. If box object is about to return some
native anonymous element to web page, return null. (BoxObject seems to use null
for error cases.).
The main thing I'm a bit worried about is xulDocument.documentElement.boxObject.firstChild, because that is the default (native anonymous) popupgroup. So I wonder if the nextSibling of that should be actually returned.
Will upload a second patch which does that.
|
|
||
Comment 15•16 years ago
|
||
This is pretty ugly. I'm not sure it is worth to even try to do this.
I think I should wait until bug 475864 is fixed, and see what is left to do
after that.
Whiteboard: [sg:investigate] → [sg:investigate][depends on 475864]
|
|
||
Comment 16•16 years ago
|
||
Now that bug 475864 is fixed, the testcase gives a security exception.
Is that good enough for 1.9.1? I think it should be.
|
|
||
Comment 17•16 years ago
|
||
That's fine, yeah.
|
|
||
Comment 18•16 years ago
|
||
Marking this then fixed, also on 1.9.1.
Assignee: Olli.Pettay → nobody
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
|
||
Comment 19•16 years ago
|
||
verified FIXED using attached testcases on builds:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090721 Minefield/3.6a1pre ID:20090721031556
and
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2pre) Gecko/20090721 Shiretoko/3.5.2pre ID:20090721075223
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•