Closed Bug 490197 Opened 11 years ago Closed 4 years ago

Show a message in console when non-chrome bindings aren't loaded for security reasons

Categories: Core :: XBL (defect)
Platform: x86, Windows XP
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX
People: Reporter ecfbugzilla; Assignee Unassigned
Keywords: regression
Attachments (1 file): Testcase, 710 bytes, application/vnd.mozilla.xul+xml
This issue broke the Adblock Plus unit tests; apparently applying a non-chrome binding in a chrome document is no longer possible. There is no error message, the binding is simply ignored.

Testcase is attached; it tries applying a data: binding to an element. If the binding applies, it should display the text "foo". In a non-chrome context this binding will be correctly rejected for security reasons (a message is shown in the Error Console). When opened from chrome:, however, the binding should be applied. This happens in Firefox 3.0.9, but not on trunk (build 20090424) and also not on the 1.9.1 branch (build 20090422).
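The shape of the test described above, as an added illustration that is not the attached 710-byte testcase (which is not reproduced on this page): a XUL document that attaches an XBL binding served from a data: URL via -moz-binding. The element id, the binding id "foo" and the xul:label markup are assumptions. Per the thread, a non-chrome document of that era rejected the data: binding with an Error Console message, while a chrome: document after bug 425153 dropped it silently. XBL and -moz-binding were later removed from Firefox, so this only exercises Gecko builds of that period.

```xml
<?xml version="1.0"?>
<!-- Reconstructed illustration of the testcase described in comment 0.
     NOT the attached file; the id "target", binding id "foo" and the
     label markup are assumed. -->
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        xmlns:html="http://www.w3.org/1999/xhtml"
        title="data: XBL binding test">

  <!-- The whole binding document lives inside a data: URL, so it carries a
       data: (non-chrome) principal even when this window is opened from
       chrome:. The "#foo" fragment selects the binding within it. -->
  <html:style>
    #target {
      -moz-binding: url("data:text/xml,%3Cbindings%20xmlns='http://www.mozilla.org/xbl'%20xmlns:xul='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul'%3E%3Cbinding%20id='foo'%3E%3Ccontent%3E%3Cxul:label%20value='foo'/%3E%3C/content%3E%3C/binding%3E%3C/bindings%3E#foo");
    }
  </html:style>

  <!-- If the binding applies, its anonymous content renders "foo" here.
       Non-chrome load: binding rejected, Error Console message.
       chrome: load after bug 425153: binding silently not applied,
       which is what this bug asks to surface in the console. -->
  <box id="target"/>
</window>
```

To reproduce both behaviours the same file is opened once from a non-chrome URL (for example file:) and once registered and opened from a chrome: URL; the reporter's later fix served the bindings from a local HTTP server instead, which is the route the thread recommends for tests that need non-chrome bindings.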

Not quite sure when this test started failing because it was first broken by bug 416942 - and kept failing even when I fixed the issue. Will find a regression range later.
Sorry, just realized that bug 416942 is unrelated - it is simply that before bug 416942 this test didn't try to apply non-chrome bindings. This regression was introduced earlier, it is present in build 20090220090105 as well.
Regression window is 20081113021328 to 20081114021101 but somehow I cannot see what could have caused this issue.
Looks like bug 425153 caused this. I guess that nsContentUtils::GetWrapperSafeScriptFilename() check blocks the load.
Blocks: 425153
CCing jst since he has been blamed
Apparently, this change was made intentionally. I guess it is a WONTFIX then since this doesn't look like a big issue to me - other than the fact that I will have to rewrite my unit test (it will need to start up a local server rather than testing on chrome:). Two questions, however - my bindings don't use scripts. Wouldn't it be possible to allow the bindings to load and just disable the scripts in them, if any? And how about a message in the Error Console so that extension authors know what is going on?
> Wouldn't it be possible to allow the bindings to load and just disable the
> scripts in them, if any?

Hard to say...  This would be a lot more complicated, especially in the XBL2 world, where the inline event handlers would run with the binding's permissions.

A message to the console might be a good idea.  Want to morph this bug to cover that?  Bug 479839 covers the actual "not loading" issue.
Will this also affect userChrome bindings, i.e. bindings loaded from one's userChrome.css?
(In reply to comment #7)
> Will this also affect userChrome bindings, i.e. bindings loaded from one's
> userChrome.css?

Yes, you won't be able to use data: URLs there any more.

Adblock Plus unit test has been fixed: http://hg.mozdev.org/adblockplus/rev/c7118c84c61c
Summary: Non-chrome bindings no longer apply to chrome → Show a message in console when non-chrome bindings aren't loaded for security reasons
I think that this can be safely resolved as WONTFIX at this point. Whoever used non-chrome XBL bindings adapted a long time ago.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX