
nsDOMOfflineResourceList uses its own (unsafe) way to dispatch events

VERIFIED FIXED

Status

Core
DOM
VERIFIED FIXED
8 years ago
8 years ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

(4 keywords)

Trunk
x86
All
crash, testcase, verified1.9.0.12, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.12 +
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high?] )

Attachments

(2 attachments, 1 obsolete attachment)

(Assignee)

Description

8 years ago
nsDOMOfflineResourceList pushes context to the stack before iterating
event listeners and pops it later. But it does not check if the event listener
killed cx or anything like that. I believe this may lead to problems similar
to what XHR had in Bug 460002.

I'll make nsDOMOfflineResourceList work like any other event target, but
for branches some other fix is needed.
(Assignee)

Updated

8 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Comment 1

8 years ago
Created attachment 376727 [details] [diff] [review]
for trunk

This became quite large, but I really do want all the event dispatching to work the same way. This change also allows simplifications to nsPrivateDOMEvent.

Event handling is moved from nsXHREventTarget to
a new helper class nsDOMEventTargetHelper and static method GetDocumentFromScriptContext from nsXMLHttpRequest.cpp to nsContentUtils.
nsXHREventTarget extends nsDOMEventTargetHelper, and nsDOMOfflineResourceList does that too.
This removes nsDOMOfflineResourceList::NotifyEventListeners, because normal
event handling can now be used with nsDOMOfflineResourceList.

Branches can have a simpler change: some kind of CheckInnerWindowCorrectness in
NotifyEventListeners. That is what is done in 1.9.0.x XHR.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsXMLHttpRequest.cpp&rev=1.248&mark=1046#1018
Attachment #376727 - Flags: superreview?(jst)
Attachment #376727 - Flags: review?(jst)
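As an added illustration (a constructed model, not Gecko code and not the patch on this bug) of the hazard in the description and of the branch check described in comment 1: a target that resolves its owner context once before iterating listeners, next to one that re-validates the owner before each listener and stops when it is gone. InnerWindow, OfflineListModel, notifyUnchecked, notifyChecked and simulate are hypothetical names.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Constructed model, not Gecko code. InnerWindow stands for the context the
// target pushes before notifying listeners; a listener may tear it down
// (e.g. by navigating the page away) while dispatch is still in progress.
struct InnerWindow { bool alive = true; };

struct OfflineListModel {
    std::weak_ptr<InnerWindow> owner;   // the target must not keep it alive
    std::vector<std::function<void()>> listeners;
    // Old NotifyEventListeners shape: resolve the context once, run every
    // listener, pop afterwards. Returns how many listeners ran after the
    // owner had already been killed, i.e. with a stale context.
    int notifyUnchecked() {
        std::shared_ptr<InnerWindow> cx = owner.lock();   // "push cx"
        int stale = 0;
        for (auto& l : listeners) {
            if (!cx->alive) ++stale;   // real code would touch a dead cx here
            l();
        }
        return stale;                                     // "pop cx"
    }

    // Fixed shape: re-validate the owner before every listener and stop as
    // soon as it is gone (the CheckInnerWindowCorrectness idea).
    int notifyChecked() {
        for (auto& l : listeners) {
            std::shared_ptr<InnerWindow> cx = owner.lock();
            if (!cx || !cx->alive) break;   // owner gone: stop dispatching
            l();
        }
        return 0;   // no listener ever runs against a dead owner
    }
};

struct DispatchStats { int ran = 0; int stale = 0; };
// Three listeners; the second one kills the window mid-dispatch.
DispatchStats simulate(bool reValidate) {
    auto win = std::make_shared<InnerWindow>();
    DispatchStats s;
    OfflineListModel target;
    target.owner = win;
    target.listeners.push_back([&] { ++s.ran; });
    target.listeners.push_back([&] { ++s.ran; win->alive = false; });
    target.listeners.push_back([&] { ++s.ran; });
    s.stale = reValidate ? target.notifyChecked() : target.notifyUnchecked();
    return s;
}
```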
(Assignee)

Comment 2

8 years ago
Would be great to have a testcase here. Something like the testcases in
Bug 460002, but using applicationCache and not XHR.

But even without such testcase the patch is needed for trunk.
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
We may reconsider if the "simpler change" for branches promised in comment 1 ends up not working out.
Flags: blocking1.9.0.12? → blocking1.9.0.12+
Keywords: testcase-wanted
Whiteboard: [sg:high?]
I tried to make a testcase, using the testcase from bug 460002, but I got all kinds of js errors, trying to get something. Probably moz_bug_r_a4@yahoo.com might be able to come up with something, because he understands the testcase from bug 460002 that he wrote (I don't).

Comment 5

8 years ago
OK.  I'll attach an XSS testcase and a crash testcase.  The XSS testcase depends
on bfcache enabled.
(Assignee)

Comment 10

8 years ago
With the patch I can't reproduce crashes or XSS.
(Assignee)

Comment 11

8 years ago
Created attachment 377510 [details] [diff] [review]
For 1.9.1 and 1.9.0
Attachment #377510 - Flags: superreview?(jst)
Attachment #377510 - Flags: review?(jst)
Blocking 1.9.1 as well.
Flags: blocking1.9.1+
Comment on attachment 376727 [details] [diff] [review]
for trunk

- In nsContentUtils::GetDocumentFromScriptContext():

+    nsCOMPtr<nsIDOMDocument> domdoc;
+    window->GetDocument(getter_AddRefs(domdoc));
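Review bot: the nsresult from window->GetDocument(getter_AddRefs(domdoc)) is discarded and domdoc is not null-checked in these two lines, so a window without a document leaves domdoc null for whatever follows; check domdoc for null (or propagate the rv) before it is used.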

I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever creating a document if one doesn't exist yet (or any more) in some odd edge cases here?

r+sr=jst
Attachment #376727 - Flags: superreview?(jst)
Attachment #376727 - Flags: superreview+
Attachment #376727 - Flags: review?(jst)
Attachment #376727 - Flags: review+

Updated

8 years ago
Attachment #377510 - Flags: superreview?(jst)
Attachment #377510 - Flags: superreview+
Attachment #377510 - Flags: review?(jst)
Attachment #377510 - Flags: review+
(Assignee)

Comment 14

8 years ago
(In reply to comment #13)
> I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever
> creating a document if one doesn't exist yet (or any more) in some odd
> edge cases here?
Yeah, perhaps. I just moved that code out from nsXMLHttpRequest.cpp
Whiteboard: [sg:high?] → [sg:high?] [can land]
(Assignee)

Comment 15

8 years ago
I'll land the 1.9.1 patch to trunk too, and then after landing it to branches
I can back it out and land the trunk patch.
This way it gets more testing.
(Assignee)

Updated

8 years ago
Attachment #377510 - Flags: approval1.9.0.12?
(Assignee)

Comment 16

8 years ago
http://hg.mozilla.org/mozilla-central/rev/13b38e2a54ee

Landed the 1.9.1 patch to trunk.
This bug is sort-of-fixed now, at least the security part of it,
but I will land the trunk patch later.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Comment 17

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/925e366b831b
Keywords: testcase-wanted → fixed1.9.1
Whiteboard: [sg:high?] [can land] → [sg:high?]
Keywords: crash, testcase
Comment on attachment 377510 [details] [diff] [review]
For 1.9.1 and 1.9.0

Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #377510 - Flags: approval1.9.0.12? → approval1.9.0.12+
(Assignee)

Comment 19

8 years ago
Checking in dom/src/offline/nsDOMOfflineResourceList.cpp;
/cvsroot/mozilla/dom/src/offline/nsDOMOfflineResourceList.cpp,v  <--  nsDOMOfflineResourceList.cpp
new revision: 1.8; previous revision: 1.7
done
Keywords: fixed1.9.0.12
(Assignee)

Updated

8 years ago
Blocks: 495764
(Assignee)

Comment 20

8 years ago
Created attachment 383191 [details] [diff] [review]
for trunk (includes backout of the branch patch)
Attachment #376727 - Attachment is obsolete: true
(Assignee)

Comment 21

8 years ago
http://hg.mozilla.org/mozilla-central/rev/35740f840f78
Are these test cases for 1.9.1 and trunk only? I get no alert or crash with 1.9.0.11 with either case on Windows XP.

Comment 23

8 years ago
I can reproduce these testcases on 1.9.0.11. Did you allow Offline App? On
1.9.0.11, when I loaded a testcase in a background tab, a notification for
offline-app-requested did not appear, thus I needed to reload the testcase to
allow Offline App.
I uploaded them to my own web server on the net. The first time I run a case, I get prompted for offline access, which I allow. After that, with either case, when I click on the button, it simply opens a new tab with the case in that tab.

This is on Windows XP with 3.0.11. I wiped my XP virtual machine back to a clean state, reinstalled 3.0.11, and tried again today and had the same results.

I tried the same thing with a new profile on OS X 10.5.7. The behavior was the same. The first time a case is opened, I get the prompt for offline access. I choose "always allow" and then reload the page (I have exited and reloaded the page too). Clicking on the button in either case just loads the case again in a new tab. 

Is there a missing step somewhere for setup or the case?

Comment 25

8 years ago
When you uploaded the testcases to your server, did you modify *-opener.html? 
|var u = "?id=...";| is the URI of *-main.html in b.m.o, and you need to change
it to the URI of *-main.html in your server.
Ah, yes. I didn't realize that you had hardcoded the URLs to BMO. When we have multi-file testcases, we normally run them off of BMO because we've had problems in the past with the interaction with BMO for some testcases.

When I load them from BMO, they work as you outline and the problems are fixed in the 1.9.0.12pre build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.12 → verified1.9.0.12
verified FIXED using the attached testcases (and found the expected results matched the actual ones) on builds:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090721
Minefield/3.6a1pre ID:20090721044139

and

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090720
Shiretoko/3.5.1pre ID:20090720042942
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Group: core-security