The default bug view has changed. See this FAQ.

"ASSERTION: This is unsafe" with <iframe>, XBL




7 years ago
7 years ago


(Reporter: Jesse Ruderman, Assigned: smaug)


(Blocks: 1 bug, 4 keywords)

Mac OS X
assertion, fixed1.9.0.20, testcase, verified1.9.2
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 beta1+, blocking1.9.2 .7+, status1.9.2 .7-fixed, blocking1.9.1 .11+, status1.9.1 .11-fixed)


(Whiteboard: [sg:critical?])


(4 attachments, 2 obsolete attachments)



7 years ago
Created attachment 418470 [details]

###!!! ASSERTION: This is unsafe!: 'Error', file /Users/jruderman/mozilla-central/content/events/src/nsEventDispatcher.cpp, line 485

This is the assertion just added in bug 531176.

I'm not sure why I need the setTimeout.

Comment 1

7 years ago
Created attachment 418471 [details]
stack trace
So nsBrowserStatusFilter::OnStateChange calls some JS code which end up to
progressmeter.xml which dispatches ValueChange.

In this particular case I wonder why we even call OnStateChange.
I believe the document is already loaded but
#21 0x00007f82d1f3e2ec in nsDocument::BlockOnload (this=0x261b070) at /home/smaug/mozilla/mozilla_cvs/hg/src/content/base/src/nsDocument.cpp:7037
#22 0x00007f82d20e85c8 in nsBindingManager::AddToAttachedQueue (this=0x2158530, aBinding=0x226a5e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/src/content/xbl/src/nsBindingManager.cpp:955
adds new request to load group which triggers the method call.

But still, I think we can't easily prevent progress listeners to dispatch
Hmm.  We should avoid calling progress listeners for BlockOnload calls if we can do it...

Maybe we should stop faking the loadgroup thing and just directly have BlockOnload/UnblockOnload poke the docloader or something?

Comment 5

7 years ago
An example of this assertion can be seen on Windows 1.9.3 at least at


7 years ago
Whiteboard: [sg:critical?]
Not sure if this is sg:critical (at least when using the testcase).
That is happening in chrome, and during time we might get dom modifications anyway.
I wonder if, at least for now, the assertion should fire only if the
target of the event is in content.
Repeating this:
> Not sure if this is sg:critical (at least when using the testcase).
> That is happening in chrome, and during time we might get dom modifications
> anyway.

What in this bug makes this sg:critical ?

Comment 9

7 years ago
I only marked it as sg:critical because the assertion was added in an sg:critical bug.  If this bug isn't a security bug, let's unmark the whiteboard and make it public.
Well, I wouldn't remove the security flag from this bug, but
this just may not be sg:critical.


7 years ago
Assignee: nobody → jonas
blocking2.0: --- → beta1
Olli, if this only results in events being fired at chrome windows, then why not remove the security flag?
Olli, any more thoughts on whether this needs to be sg:critical, or if it's even a security bug any more?
comment 4 says what should be done here, I think.

I think this doesn't need to be sg:critical, since there is no clear evidence
that content can trigger anything bad - unless ff ui or some extension starts
to handle status updates in a different way.
But this is still a security bug.
Looks like we should probably remove the sg:crit rating here, but there's ongoing discussion of what the ration should be.  Thoughts?
If this is a critical vulnerability only exposed to extension code presently, we should lower the severity to sg:high.  If we think it's likely that FF UI code would add changes triggering this vuln, then sg:critical severity is appropriate.
Or we can just fix this and not care too much about sg:*. :)

Taking. I'll try to write the patch on Thursday.
Assignee: jonas → Olli.Pettay
Um, I can't reproduce this atm.
I've tried on Linux and OSX, with and without html5 parser.

The assertion in this case was changed to a warning, but I can't see that either.

I wonder if bug 557398 changed something here.
Backing out bug 557398 doesn't seem to affect to this bug.
Ah, perhaps LazyFrameCtor changed timing here. Which means this would still
need to be fixed in 1.9.2.
Not LazyFrameCtor. Still trying to find a build where I get the error
I can reproduce this at least on 1.9.2, when I added the same assertion/warning
what trunk has.
But patch needs to wait at least til tomorrow.
Created attachment 441281 [details] [diff] [review]

I posted this to tryserver
Comment on attachment 441281 [details] [diff] [review]

Passed tests on tryserver.

Boris, what do you think about this approach?
A bit ugly, but since I think we want this to 1.9.2 too, I didn't
want to make huge changes. And I'm not even sure what would be
the best way to change nsDocLoader or something.
It would be quite hackish to add onloadblocker-type-of-requests
and handle them specially in docloader.
This relies on script blockers to be on stack and 
PostUnblockOnloadEvent to handle things truly async.
Attachment #441281 - Flags: review?(bzbarsky)
Would it make sense to do:

  if (!nsContentUtils::IsSafeToRunScript()) {
    if (mAsyncOnloadBlockCount == 1) {
         NS_NEW_RUNNABLE_METHOD(nsDocument, this, AsyncBlockOnload));

and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as not to thrash things with lots of scriptrunners?

Having an API on docloader (whose job it is to keep track of when onload should fire) to block onload would be a lot less hacky than having this fake request, btw.  But making it work right might be a pain...

Why is the new block in DoUnblockOnload needed?  How can we get there with mAsyncOnloadBlockCount != 0?
(In reply to comment #24)

> Would it make sense to do:
> ...
> and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as
> not to thrash things with lots of scriptrunners?
That should work.

> Why is the new block in DoUnblockOnload needed?  How can we get there with
> mAsyncOnloadBlockCount != 0?
If some script runner (which is added before the AsyncBlockOnload script runner, so it runs before it) processes event loop.
Ah, ok.  Do you want to post a patch with my suggestion from the beginning of comment 24?
Yeah, I will, in a minute.
Created attachment 441519 [details] [diff] [review]

Like this?
Attachment #441281 - Attachment is obsolete: true
Attachment #441519 - Flags: review?(bzbarsky)
Attachment #441281 - Flags: review?(bzbarsky)
Comment on attachment 441519 [details] [diff] [review]

Space after "while", please.
Attachment #441519 - Flags: review?(bzbarsky) → review+
Created attachment 441526 [details] [diff] [review]

uh, how did I miss the space :/

Anyway, this is a security bug, so sr is needed.
Attachment #441519 - Attachment is obsolete: true
Attachment #441526 - Flags: superreview?(jonas)
Attachment #441526 - Flags: superreview?(jonas) → superreview+
Comment on attachment 441526 [details] [diff] [review]

Please add documentation on the member describing how it works. Took reading this a few times to figure it out.

And add a comment to ::BlockOnload describing *why* we're entering the if-statement.
Created attachment 441743 [details] [diff] [review]
+some comments
Last Resolved: 7 years ago
Resolution: --- → FIXED
Just wanting to get this on the wanted/blocking list for future 1.9.2 release, as per earlier comments stating that this also affects 1.9.2.
blocking1.9.2: --- → ?
status1.9.2: --- → ?

Comment 35

7 years ago
Does this affect 1.9.1 as well?


7 years ago
blocking1.9.2: ? → .5+
status1.9.2: ? → wanted
blocking1.9.2: .5+ → .6+
Bug 569674 is another regression from this, we need to figure that out before landing this on branches. Sorry I didn't mark it sooner.
Blocks: 569674
No longer blocks: 569674
URL: 569674
Disregard comment 36, I was thinking this was a different bug.
URL: 569674
Attachment #441743 - Flags: approval1.9.2.6?
Attachment #441743 - Flags: approval1.9.1.11?

Comment 38

7 years ago
Comment on attachment 441743 [details] [diff] [review]
+some comments

a=LegNeato for and Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default.

Code freeze is this Friday @ 11:59 pm PST.
Attachment #441743 - Flags: approval1.9.2.6?
Attachment #441743 - Flags: approval1.9.2.6+
Attachment #441743 - Flags: approval1.9.1.11?
Attachment #441743 - Flags: approval1.9.1.11+
blocking1.9.1: --- → .11+
status1.9.1: --- → wanted
status1.9.1: wanted → .11-fixed
status1.9.2: wanted → .6-fixed
Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100630 Namoroka/3.6.7pre ( .NET CLR 3.5.30729) using the attached testcase.
Keywords: verified1.9.2
Comment on attachment 441743 [details] [diff] [review]
+some comments

Requesting on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #441743 - Flags:
Comment on attachment 441743 [details] [diff] [review]
+some comments

Approved for, a=dveditz
Attachment #441743 - Flags: →
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v  <--  nsDocument.cpp
new revision: 3.837; previous revision: 3.836
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v  <--  nsDocument.h
new revision: 3.381; previous revision: 3.380
Keywords: fixed1.9.0.20
Group: core-security

Comment 45

7 years ago
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.