User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199) Gecko/20080702 Firefox/188.8.131.52 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:184.108.40.206) Gecko/20080702 Firefox/220.127.116.11 Error: [Exception... "'Permission denied to call method XMLDocument.createElement' when calling method: [nsIDOMEventListener::handleEvent]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no] Reproducible: Always Steps to Reproduce: 1.launch the page http://stapo62.us.oracle.com:8988/UIShellTest-UIShellClient-context-root/faces/Client1 2. Click on "openMainTask" link 3. Click on "myButton" Button see the firefox error console. you will see the error mentioned in the details Actual Results: After clicking on "myButton" you will get 4 alert messages, select ok for all. In left hand side , text messages are NOT getting updated. There is an error in the FireFox Error Consel. Expected Results: After clicking on "myButton" you will get 4 alert messages, select ok for all. In left hand side you will see text messages got updated.
not a security bug.
well, the "Permission denied" error is a failed security check so it's "security related", but yeah, it's not a security exploit that needs to be hidden. Your test page appears to be inside your firewall, we can't reach it. Without seeing the testcase there's no way to know what's going on. The error you listed is a legitimate security check that fires when code from one "origin" tries to access properties in another. By itself it's not a bug but perhaps a bug is causing it to fire at the wrong time. Did this work in the past? Since this appears to be corporate intranet software, is signed script involved? We made some changes recently that broke lots of pages that use signed scripts that turned out to be taking advantage of a security hole recently identified by Stanford researchers. Ultimately I recommend against using signed code and just having your users install a custom site-specific addon. In the end the permission grant turns out to be equivalent in power to installing software and users understand the implications of installing things much better than what clicking "OK" on a dialog means.
The signed-script security bug I referred to is http://www.mozilla.org/security/announce/2008/mfsa2008-23.html
no response to comment 2, so => incomplete if you can supply a testcase, please attach file to bug