There is an error in the console while executing the JavaScript

RESOLVED INCOMPLETE

Status

Firefox
Security
--
major
10 years ago
9 years ago

People

(Reporter: Kristi, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: close INCOMPLETE if no update by Aug 19, URL)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16

Error: [Exception... "'Permission denied to call method XMLDocument.createElement' when calling method: [nsIDOMEventListener::handleEvent]"  nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

Reproducible: Always

Steps to Reproduce:
1. Launch the page http://stapo62.us.oracle.com:8988/UIShellTest-UIShellClient-context-root/faces/Client1
2. Click on "openMainTask" link
3. Click on "myButton" Button
See the Firefox error console. You will see the error mentioned in the details.

Actual Results:
After clicking on "myButton" you will get 4 alert messages, select OK for all.
On the left-hand side, text messages are NOT getting updated.
There is an error in the Firefox Error Console.

Expected Results:  
After clicking on "myButton" you will get 4 alert messages, select OK for all.
On the left-hand side you will see the text messages got updated.

Comment 1

10 years ago
not a security bug.
Group: core-security
well, the "Permission denied" error is a failed security check so it's "security related", but yeah, it's not a security exploit that needs to be hidden.

Your test page appears to be inside your firewall, we can't reach it. Without seeing the testcase there's no way to know what's going on. The error you listed is a legitimate security check that fires when code from one "origin" tries to access properties in another. By itself it's not a bug but perhaps a bug is causing it to fire at the wrong time.

Did this work in the past?

Since this appears to be corporate intranet software, is signed script involved? We made some changes recently that broke lots of pages that use signed scripts that turned out to be taking advantage of a security hole recently identified by Stanford researchers. Ultimately I recommend against using signed code and just having your users install a custom site-specific addon. In the end the permission grant turns out to be equivalent in power to installing software and users understand the implications of installing things much better than what clicking "OK" on a dialog means.
Whiteboard: close INCOMPLETE if no update by Aug 19
The signed-script security bug I referred to is
http://www.mozilla.org/security/announce/2008/mfsa2008-23.html
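
The origin comparison behind the "Permission denied" check described in the comment above, as an added example that is not part of the original bug thread or of Firefox's code. It compares scheme, host and port the way a same-origin check does; the page URL is taken from the report, every other URL is a constructed sample, and the function names are hypothetical.

```javascript
// Added example: the scheme/host/port comparison behind a same-origin check.
// Default ports for the two schemes handled here.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple: [scheme, host, port].
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  // URL.port is "" when the port is the scheme default, so fill it in.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return [u.protocol, u.hostname.toLowerCase(), port];
}

// Report whether two URLs share an origin and, if not, which parts differ.
function compareOrigins(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  const names = ["scheme", "host", "port"];
  const differs = names.filter((_, i) => ta[i] !== tb[i]);
  return { sameOrigin: differs.length === 0, differs };
}

// PAGE is the URL from the bug report; SAMPLES are constructed for illustration.
const PAGE =
  "http://stapo62.us.oracle.com:8988/UIShellTest-UIShellClient-context-root/faces/Client1";
const SAMPLES = [
  "http://stapo62.us.oracle.com:8988/other/path",     // path is not part of the origin
  "http://stapo62.us.oracle.com:7101/service",        // same host, different port
  "https://stapo62.us.oracle.com:8988/faces/Client1", // different scheme
  "http://us.oracle.com:8988/faces/Client1",          // parent domain is a different host
];

// Compare the reported page against every sample URL.
function report() {
  return SAMPLES.map((url) => ({ url, ...compareOrigins(PAGE, url) }));
}

for (const r of report()) {
  const verdict = r.sameOrigin ? "same origin " : "cross-origin";
  console.log(verdict, "[" + r.differs.join(",") + "]", r.url);
}
```

A script running in the page's origin that touches a document from any of the cross-origin samples would fail the check, which is why a frame or XML document served from another port on the same intranet host is enough to trigger the error.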

Comment 4

9 years ago
no response to comment 2, so => incomplete

if you can supply a testcase, please attach file to bug
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INCOMPLETE