Closed Bug 42482 Opened 24 years ago Closed 24 years ago

window.alert() causing exceptions

Categories

(Core :: XUL, defect, P3)

Product:
Core
Component:
XUL
Platform:
x86
Windows 2000
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 42076

People

(Reporter: dan, Assigned: security-bugs)

Details

Attachments

(1 file)

save as c:\alerttest.xul
741 bytes, text/plain
Details 
see attached .xul for a sample window.alert.

- save as c:\alerttest.xul
- run: mozilla -console -chrome file://c:\alerttest.xul

press the "press me" button. instead of an alert, an exception
is generated.

file:///C:/Workspace/eng/vib/research/tools/export/mpbuilder/chrome/vib/content/
alerttest.xul line 19:

JavaScript error:
 line 0: uncaught exception: [Exception... "Failure"  code: "-2147467259" nsresu
lt: "0x80004005 (NS_ERROR_FAILURE)"  location: "file:///C:/Workspace/eng/vib/res
earch/tools/export/mpbuilder/chrome/vib/content/alerttest.xul Line: 19"]

    
    

    
  
XUL?
Assignee: don → ben
Component: XP Apps → XP Toolkit/Widgets: XUL
QA Contact: sairuh → jrgm

    
    

    
  
confirming. same js error shows up for me
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Why was this assigned to Ben?

Assignee: ben → trudelle

    
    

    
  
I assume this is a CAPS issue: the example will throw an exception when 
launched as './mozilla -chrome file:///foo.xul', but will work without 
error when either (1) loaded as browser content, or (2) loaded with 
'./mozilla -chrome chrome://navigator/content/foo.xul'

    
    

    
  
giving to danm for triage, cc mstoltz for possible CAPS involvement
Assignee: trudelle → danm

    
    

    
  
  This is totally a security issue. The problem is, the JS Alert() window is, 
internally, turned into a chrome url. CAPS disallows a document loaded from a 
file protocol from accessing a document using the chrome protocol.
  I'm not a security maven. I think there are situations where scripts are 
legitimately disallowed from throwing alerts. Whether this is one of them, I 
don't know. If not, we're going to have to come up with some clever scheme to 
distinguish CommonDialog chrome URLs from run-of-the-mill chrome URLs. Turning 
over to mstoltz for comment.

Assignee: danm → mstoltz

    
    

    
  
This is a known issue, and I have a temporary fix ready to go in until we can
come up with a sensible chrome security policy.

*** This bug has been marked as a duplicate of 42076 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE

    
    

    
  
verified duplicate.
Status: RESOLVED → VERIFIED

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: