nsDOMOfflineResourceList uses its own (unsafe) way to dispatch events

Status: VERIFIED FIXED
Type: defect

People

(Reporter: smaug, Assigned: smaug)

Tracking

Version: Trunk
Hardware: x86, OS: All
Bug Flags:
blocking1.9.1 +
blocking1.9.0.12 +
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high?] )

Attachments

(2 attachments, 1 obsolete attachment)

nsDOMOfflineResourceList pushes context to stack before iterating
event listeners and pops it later. But it does not check if event listener
killed cx or anything like that. I believe this may lead to similar problems 
as what XHR had in Bug 460002.

I'll make nsDOMOfflineResourceList work like any other event target, but
for branches some other fix is needed.
Assignee: nobody → Olli.Pettay
Posted patch: for trunk (obsolete)
This became quite large, but I really do want all the event dispatching to work the same way. This change also allows simplifications to nsPrivateDOMEvent.

Event handling is moved from nsXHREventTarget to
a new helper class nsDOMEventTargetHelper, and the static method GetDocumentFromScriptContext from nsXMLHttpRequest.cpp to nsContentUtils.
nsXHREventTarget extends nsDOMEventTargetHelper, and nsDOMOfflineResourceList does that too.
This removes nsDOMOfflineResourceList::NotifyEventListeners, because normal
event handling can now be used with nsDOMOfflineResourceList.

Branches can have a simpler change; some kind of CheckInnerWindowCorrectness in
NotifyEventListeners. That is what is done in 1.9.0.x XHR.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsXMLHttpRequest.cpp&rev=1.248&mark=1046#1018
Attachment #376727 - Flags: superreview?(jst)
Attachment #376727 - Flags: review?(jst)
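As an added illustration (model code written for this page, not Gecko's nsDOMOfflineResourceList or nsDOMEventTargetHelper), this is the shape of the problem from comment 0 and of the branch fix described above: dispatch re-checks, before each listener, that the target's inner window is still current, which is the role CheckInnerWindowCorrectness plays. Window, OfflineResourceList and RunScenario are stand-ins, and the listener that navigates mid-dispatch is a constructed scenario.

```cpp
#include <functional>
#include <memory>
#include <vector>
// Model of a DOM window whose "current inner window" changes on navigation;
// a listener running during dispatch can trigger exactly that.
struct Window {
  unsigned currentInner = 1;
  void Navigate() { ++currentInner; }
};
// Model of an event target tied to the inner window it was created in.
class OfflineResourceList {
 public:
  explicit OfflineResourceList(const std::shared_ptr<Window>& w)
      : mWindow(w), mOwnerInner(w->currentInner) {}
  void AddListener(std::function<void()> fn) { mListeners.push_back(std::move(fn)); }
  // Stand-in for CheckInnerWindowCorrectness: true only while the window still
  // exists and this target's inner window is still the current one.
  bool InnerWindowIsCurrent() const {
    auto w = mWindow.lock();
    return w && w->currentInner == mOwnerInner;
  }

  // check=false: the bug's shape, listeners run with no re-check between them.
  // check=true: the branch-style fix, re-check before each listener and stop.
  int Dispatch(bool check) {
    int ran = 0;
    auto snapshot = mListeners;  // copy: a listener may alter the list
    for (auto& fn : snapshot) {
      if (check && !InnerWindowIsCurrent()) break;
      fn();
      ++ran;
    }
    return ran;
  }
 private:
  std::weak_ptr<Window> mWindow;
  unsigned mOwnerInner;
  std::vector<std::function<void()>> mListeners;
};

// Constructed scenario: the first listener navigates the window, so the second
// must not run against the now-stale inner window. Returns listeners run.
int RunScenario(bool check) {
  auto win = std::make_shared<Window>();
  OfflineResourceList target(win);
  target.AddListener([win] { win->Navigate(); });
  target.AddListener([] {});
  return target.Dispatch(check);
}
```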
Would be great to have a testcase here. Something like the testcases in
Bug 460002, but using applicationCache and not XHR.

But even without such testcase the patch is needed for trunk.
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
We may reconsider if the "simpler change" for branches promised in comment 1 ends up not working out.
Flags: blocking1.9.0.12? → blocking1.9.0.12+
Keywords: testcase-wanted
Whiteboard: [sg:high?]
I tried to make a testcase, using the testcase from bug 460002, but I got all kinds of js errors, trying to get something. Probably moz_bug_r_a4@yahoo.com might be able to come up with something, because he understands the testcase from bug 460002 that he wrote (I don't).
OK.  I'll attach an XSS testcase and a crash testcase.  The XSS testcase depends
on bfcache enabled.
With the patch I can't reproduce crashes nor XSS.
Attachment #377510 - Flags: superreview?(jst)
Attachment #377510 - Flags: review?(jst)
Blocking 1.9.1 as well.
Flags: blocking1.9.1+
Comment on attachment 376727 (for trunk)

- In nsContentUtils::GetDocumentFromScriptContext():

+    nsCOMPtr<nsIDOMDocument> domdoc;
+    window->GetDocument(getter_AddRefs(domdoc));
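Review bot: the quoted lines discard the nsresult from window->GetDocument() and leave domdoc possibly null, so whatever follows in GetDocumentFromScriptContext() must tolerate a null document; the same null handling is needed if the call is switched to nsPIDOMWindow::GetExtantDocument(), which by design returns nothing when no document exists.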

I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever creating a document if one doesn't exist yet (or any more) in some odd edgecases here?

r+sr=jst
Attachment #376727 - Flags: superreview?(jst)
Attachment #376727 - Flags: superreview+
Attachment #376727 - Flags: review?(jst)
Attachment #376727 - Flags: review+
Attachment #377510 - Flags: superreview?(jst)
Attachment #377510 - Flags: superreview+
Attachment #377510 - Flags: review?(jst)
Attachment #377510 - Flags: review+
(In reply to comment #13)
> I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever
> creating a document if one doesn't exist yet (or any more) in some odd
> edgecases here?
Yeah, perhaps. I just moved that code out from nsXMLHttpRequest.cpp
Whiteboard: [sg:high?] → [sg:high?] [can land]
I'll land the 1.9.1 patch to trunk too, and then after landing it to branches
I can back it out and land the trunk patch.
This way it gets more testing.
Attachment #377510 - Flags: approval1.9.0.12?
http://hg.mozilla.org/mozilla-central/rev/13b38e2a54ee

Landed the 1.9.1 patch to trunk.
This bug is sort-of-fixed now, at least the security part of it,
but I will land the trunk patch later.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/925e366b831b
Whiteboard: [sg:high?] [can land] → [sg:high?]
Keywords: crash, testcase
Comment on attachment 377510 (For 1.9.1 and 1.9.0)

Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #377510 - Flags: approval1.9.0.12? → approval1.9.0.12+
Checking in dom/src/offline/nsDOMOfflineResourceList.cpp;
/cvsroot/mozilla/dom/src/offline/nsDOMOfflineResourceList.cpp,v  <--  nsDOMOfflineResourceList.cpp
new revision: 1.8; previous revision: 1.7
done
Keywords: fixed1.9.0.12
Blocks: 495764
Attachment #376727 - Attachment is obsolete: true
Are these test cases for 1.9.1 and trunk only? I get no alert or crash with 1.9.0.11 with either case on Windows XP.
I can reproduce these testcases on 1.9.0.11.  Did you allow Offline App?   On
1.9.0.11, when I loaded a testcase in a background tab, a notification for
offline-app-requested did not appear, thus I needed to reload the testcase to
allow Offline App.
I uploaded them to my own web server on the net. The first time I run a case, I get prompted for offline access, which I allow. After that, with either case, when I click on the button, it simply opens a new tab with the case in that tab.

This is on Windows XP with 3.0.11. I wiped my XP virtual machine back to a clean state, reinstalled 3.0.11, and tried again today and had the same results.

I tried the same thing with a new profile on OS X 10.5.7. The behavior was the same. The first time a case is opened, I get the prompt for offline access. I choose "always allow" and then reload the page (I have exited and reloaded the page too). Clicking on the button in either case just loads the case again in a new tab. 

Is there a missing step somewhere for setup or the case?
When you uploaded the testcases to your server, did you modify *-opener.html? 
|var u = "?id=...";| is the URI of *-main.html in b.m.o, and you need to change
it to the URI of *-main.html in your server.
Ah, yes. I didn't realize that you had hardcoded the URLs to BMO. When we have multi-file testcases, we normally run them off of BMO because we've had problems in the past with the interaction with BMO for some testcases.

When I load them from BMO, they work as you outline and the problems are fixed in the 1.9.0.12pre build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre (.NET CLR 3.5.30729).
verified FIXED using the attached testcases (and found the expected results matched the actual ones) on builds:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090721
Minefield/3.6a1pre ID:20090721044139

and

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090720
Shiretoko/3.5.1pre ID:20090720042942
Status: RESOLVED → VERIFIED
Group: core-security
Component: DOM → DOM: Core & HTML