Bug 491134
nsDOMOfflineResourceList uses its own (unsafe) way to dispatch events
Status: VERIFIED FIXED (Opened 14 years ago, Closed 14 years ago)
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: smaug, Assigned: smaug
Details: 4 keywords, Whiteboard: [sg:high?]
Attachments (2 files, 1 obsolete file)
2.34 KB, patch | jst: review+ | jst: superreview+ | dveditz: approval1.9.0.12+
70.78 KB, patch
nsDOMOfflineResourceList pushes context to stack before iterating event listeners and pops it later. But it does not check if event listener killed cx or anything like that. I believe this may lead to similar problems as what XHR had in Bug 460002. I'll make nsDOMOfflineResourceList work like any other event target, but for branches some other fix is needed.
Updated•14 years ago (Assignee)
Assignee: nobody → Olli.Pettay
Comment 1•14 years ago (Assignee)
This became quite large, but I really do want all the event dispatching to work the same way. This change allows also simplifications to nsPrivateDOMEvent.
Event handling is moved from nsXHREventTarget to a new helper class nsDOMEventTargetHelper and static method GetDocumentFromScriptContext from nsXMLHttpRequest.cpp to nsContentUtils. nsXHREventTarget extends nsDOMEventTargetHelper, and nsDOMOfflineResourceList does that too. This removes nsDOMOfflineResourceList::NotifyEventListeners, because normal event handling can be now used with nsDOMOfflineResourceList.
Branches can have simpler change; some kind of CheckInnerWindowCorrectness in NotifyEventListeners. That is what is done in 1.9.0.x XHR.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsXMLHttpRequest.cpp&rev=1.248&mark=1046#1018
Attachment #376727 - Flags: superreview?(jst)
Attachment #376727 - Flags: review?(jst)
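The branch-side guard that comment 1 proposes (a CheckInnerWindowCorrectness-style check inside NotifyEventListeners), modelled as a self-contained C++ program. This is an added example, not code from the bug's patches or from Gecko: the class, the window types and the scenario are hypothetical, and only the two method names are borrowed from the comment.

```cpp
// Toy model, not Gecko code; every type here is a hypothetical stand-in.
#include <functional>
#include <memory>
#include <vector>

struct InnerWindow { int id; };
struct OuterWindow {  // navigation replaces the current inner window
  std::shared_ptr<InnerWindow> current;
  void Navigate(int id) { current = std::make_shared<InnerWindow>(InnerWindow{id}); }
};

class OfflineListModel {
 public:
  using Listener = std::function<void()>;
  explicit OfflineListModel(OuterWindow* o) : mOuter(o), mOwner(o->current) {}
  void AddListener(Listener l) { mListeners.push_back(l); }
  // True only while the creating inner window is still the current one.
  bool CheckInnerWindowCorrectness() const {
    std::shared_ptr<InnerWindow> owner = mOwner.lock();
    return owner && owner == mOuter->current;
  }
  // Returns how many listeners ran; the guard is re-checked before each
  // call because the previous listener may have navigated the window away.
  int NotifyEventListeners(bool guarded) {
    std::vector<Listener> snapshot = mListeners;  // list may change mid-loop
    int ran = 0;
    for (const Listener& l : snapshot) {
      if (guarded && !CheckInnerWindowCorrectness()) break;
      l();
      ++ran;
    }
    return ran;
  }
 private:
  OuterWindow* mOuter;
  std::weak_ptr<InnerWindow> mOwner;
  std::vector<Listener> mListeners;
};

// Constructed scenario: listener 1 navigates away; count runs of listener 2.
int LateListenerCalls(bool guarded) {
  OuterWindow outer;
  outer.Navigate(1);
  OfflineListModel list(&outer);
  int late = 0;
  list.AddListener([&outer] { outer.Navigate(2); });
  list.AddListener([&late] { ++late; });
  list.NotifyEventListeners(guarded);
  return late;
}

int main() { return LateListenerCalls(true); }  // exits 0 when the guard holds
```

With the guard off, the second listener still runs after the window has navigated; with it on, dispatch stops at that point.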
Comment 2•14 years ago (Assignee)
Would be great to have a testcase here. Something like the testcases in Bug 460002, but using applicationCache and not XHR. But even without such testcase the patch is needed for trunk.
Updated•14 years ago
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
Comment 3•14 years ago
We may reconsider if the "simpler change" for branches promised in comment 1 ends up not working out.
Comment 4•14 years ago
I tried to make a testcase, using the testcase from bug 460002, but I got all kinds of js errors, trying to get something. Probably moz_bug_r_a4@yahoo.com might be able to come up with something, because he understands the testcase from bug 460002 that he wrote (I don't).
Comment 5•14 years ago
OK. I'll attach an XSS testcase and a crash testcase. The XSS testcase depends on bfcache enabled.
Comment 10•14 years ago (Assignee)
With the patch I can't reproduce crashes nor XSS.
Comment 11•14 years ago (Assignee)
Attachment #377510 - Flags: superreview?(jst)
Attachment #377510 - Flags: review?(jst)
Comment 13•14 years ago
Comment on attachment 376727 [details] [diff] [review] for trunk - In nsContentUtils::GetDocumentFromScriptContext(): + nsCOMPtr<nsIDOMDocument> domdoc; + window->GetDocument(getter_AddRefs(domdoc)); I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever creating a document if one doesn't exist yet (or any more) in some odd edgecases here? r+sr=jst
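Review bot: in the two added lines for nsContentUtils::GetDocumentFromScriptContext(), the result of window->GetDocument(getter_AddRefs(domdoc)) is ignored, so domdoc may still be null afterwards; whatever follows should null-check domdoc and return no document in that case. Since this helper is being moved into nsContentUtils, switching to nsPIDOMWindow::GetExtantDocument(), as raised in this comment, would also keep the lookup from creating a document where none exists.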
Attachment #376727 - Flags: superreview?(jst)
Attachment #376727 - Flags: superreview+
Attachment #376727 - Flags: review?(jst)
Attachment #376727 - Flags: review+
Updated•14 years ago
Attachment #377510 - Flags: superreview?(jst)
Attachment #377510 - Flags: superreview+
Attachment #377510 - Flags: review?(jst)
Attachment #377510 - Flags: review+
Comment 14•14 years ago (Assignee)
(In reply to comment #13)
> I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever
> creating a document if one doesn't exist yet (or any more) in some odd
> edgecases here?
Yeah, perhaps. I just moved that code out from nsXMLHttpRequest.cpp
Updated•14 years ago
Whiteboard: [sg:high?] → [sg:high?] [can land]
Comment 15•14 years ago (Assignee)
I'll land the 1.9.1 patch to trunk too, and then after landing it to branches I can back it out and land the trunk patch. This way it gets more testing.
Updated•14 years ago (Assignee)
Attachment #377510 - Flags: approval1.9.0.12?
Comment 16•14 years ago (Assignee)
http://hg.mozilla.org/mozilla-central/rev/13b38e2a54ee
Landed the 1.9.1 patch to trunk. This bug is sort-of-fixed now, at least the security part of it, but I will land the trunk patch later.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 17•14 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/925e366b831b
Keywords: testcase-wanted → fixed1.9.1
Whiteboard: [sg:high?] [can land] → [sg:high?]
Updated•14 years ago
Comment 18•14 years ago
Comment on attachment 377510 [details] [diff] [review]
For 1.9.1 and 1.9.0
Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #377510 - Flags: approval1.9.0.12? → approval1.9.0.12+
Comment 19•14 years ago (Assignee)
Checking in dom/src/offline/nsDOMOfflineResourceList.cpp;
/cvsroot/mozilla/dom/src/offline/nsDOMOfflineResourceList.cpp,v <-- nsDOMOfflineResourceList.cpp
new revision: 1.8; previous revision: 1.7
done
Keywords: fixed1.9.0.12
Comment 20•14 years ago (Assignee)
Attachment #376727 - Attachment is obsolete: true
Comment 21•14 years ago (Assignee)
http://hg.mozilla.org/mozilla-central/rev/35740f840f78
Comment 22•14 years ago
Are these test cases for 1.9.1 and trunk only? I get no alert or crash with 1.9.0.11 with either case on Windows XP.
Comment 23•14 years ago
I can reproduce these testcases on 1.9.0.11. Did you allow Offline App? On 1.9.0.11, when I loaded a testcase in a background tab, a notification for offline-app-requested did not appear, thus I needed to reload the testcase to allow Offline App.
Comment 24•14 years ago
I uploaded them to my own web server on the net. The first time I run a case, I get prompted for offline access, which I allow. After that, with either case, when I click on the button, it simply opens a new tab with the case in that tab. This is on Windows XP with 3.0.11.
I wiped my XP virtual machine back to a clean state, reinstalled 3.0.11, and tried again today and had the same results.
I tried the same thing with a new profile on OS X 10.5.7. The behavior was the same. The first time a case is opened, I get the prompt for offline access. I choose "always allow" and then reload the page (I have exited and reloaded the page too). Clicking on the button in either case just loads the case again in a new tab.
Is there a missing step somewhere for setup or the case?
Comment 25•14 years ago
When you uploaded the testcases to your server, did you modify *-opener.html? |var u = "?id=...";| is the URI of *-main.html in b.m.o, and you need to change it to the URI of *-main.html in your server.
Comment 26•14 years ago
Ah, yes. I didn't realize that you had hardcoded the URLs to BMO. When we have multi-file testcases, we normally run them off of BMO because we've had problems in the past with the interaction with BMO for some testcases.
When I load them from BMO, they work as you outline and the problems are fixed in the 1.9.0.12pre build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.12 → verified1.9.0.12
Comment 27•14 years ago
verified FIXED using the attached testcases (and found the expected results matched the actual ones) on builds:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090721 Minefield/3.6a1pre ID:20090721044139
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090720 Shiretoko/3.5.1pre ID:20090720042942
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Updated•14 years ago
Group: core-security
Updated•4 years ago
Component: DOM → DOM: Core & HTML