Closed Bug 614151 Opened 14 years ago Closed 14 years ago

setTimeout(close) closes a window the page isn't allowed to close

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
blocking1.9.2 --- .20+
status1.9.2 --- .20-fixed
status1.9.1 --- wanted

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(Keywords: csectype-sop, sec-low, testcase, Whiteboard: [hardblocker][qa-examined-192])

Attachments

(4 files, 2 obsolete files)

testcase (closes window)
41 bytes, text/html
Details
Better patch
6.41 KB, patch
jst
: review+
Details | Diff | Splinter Review
Part 2: convert the test for bug 536567 to a chrome test
2.46 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
1.9.2 patch
5.66 KB, patch
jst
: review+
dveditz
: approval1.9.2.18-
dveditz
: approval1.9.2.20+
Details | Diff | Splinter Review
No description provided.
If there aren't any other tabs in the window, I get this assertion failure: ###!!! ASSERTION: should be executing script: 'JS_IsRunning(mContext)', file dom/base/nsJSEnvironment.cpp, line 3551
This is sg:low on its face, but could turn out to be worse.
Whiteboard: [sg:low]
blocking2.0: --- → ?
The reason for this is that we end up running the timeout w/o any script on the JS stack, only a native function call, so we think various capabilities are enabled, even though they are not. Blake, seems like this could be bad if something other than close is passed to setTimeout(). Blocking for now.
Assignee: nobody → mrbkap
blocking2.0: ? → betaN+
Attached patch Proposed fix (obsolete) — Splinter Review
This was broken by the move to entirely-fast natives. We used to create stack frames for XPConnect functions, such as alert and close; however now we don't, and we fall into the "no script code running" case. This patch makes IsCapabilityEnabled respect the principals pushing stack and makes nsJSContext::CallEventHandler clamp the principal for this case exactly. I'll file a bug on fixing JS_IsRunning (which was also broken) and a second bug for making nsScriptSecurityManager get object principals from the compartment, which will be a lot faster than the current code.
Attachment #499104 - Flags: review?(jst)
Summary: setTimeout(close) closes a window the page isn't allowed to close → [ready to land] setTimeout(close) closes a window the page isn't allowed to close
Attachment #499104 - Flags: review?(jst) → review+
Cc:ing reporter of duplicate bug so he can track when this gets resolved.
I pushed this to try along with another change that enabled a few tests that were disabled in the compartment landing, and it looks like this causes mochitest failures. The results are at: http://tbpl.mozilla.org/?tree=MozillaTry&rev=36d1ea34ff7b The reftest failures are not caused by this, but I believe the mochitest ones are (1 and 4).
Summary: [ready to land] setTimeout(close) closes a window the page isn't allowed to close → [needs updated patch] setTimeout(close) closes a window the page isn't allowed to close
Attached patch Better patchSplinter Review
So, there was a glaring bug in the old patch (it didn't always set result), but this patch still fails tinderbox even with that fixed. The problem is that we have a test (layout/forms/test/test_bug536567.html) that sets a JS object as a handler on a file chooser. So the C++ stack looks like <event loop> <file chooser stuff> <xpconnect stuff> <JS impl of file chooser> the JS impl grabs UniversalXPConnect and attempts to return a XOW (cross origin file) back to C++. Because when we obtain the reference to the file object, we have UniversalXPConnect, we're allowed to manipulate it. However, when we return it, XPConnect has to unwrap it. And by that time, we've popped the JS off the stack, and lost the UniversalXPConnect privileges. So XPConnect balks trying to convert a XOW into a C++ object and things break. I don't have any bright ideas about how to fix this, other than changing the test.
Attachment #499104 - Attachment is obsolete: true
I think given what we're dealing with here, changing this one test is a fine option.
Whiteboard: [sg:low] → [sg:low], hardblocker
Whiteboard: [sg:low], hardblocker → [sg:low][hardblocker]
jst asked me on IRC to convert the test for bug 536567 to a chrome test. This is the simplest and quickest way to do so. I've tested it to make sure that with these two patches, the test in question passes successfully.
Attachment #502914 - Flags: review?(jst)
Comment on attachment 502914 [details] [diff] [review] Part 2: convert the test for bug 536567 to a chrome test I like it! Thanks Ehsan!
Attachment #502914 - Flags: review?(jst) → review+
I landed my part, since it's not really dependent on mrbkap's part: http://hg.mozilla.org/mozilla-central/rev/775cfd3f2c87
I backed it out because of an orange: http://hg.mozilla.org/mozilla-central/rev/603f80cfc7fb http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1294789779.1294791160.21310.gz&fulltext=1 It seems like the subframe HTML file can't be found. I'm doing a Linux build locally to investigate.
The subframe file should be accessible through http, and therefore should not be packaged in the chrome package. This should solve the failure (the reason I didn't see this failure locally was that I had that file in the correct path in my objdir).
Attachment #502914 - Attachment is obsolete: true
Attachment #503003 - Flags: review?(jst)
Comment on attachment 503003 [details] [diff] [review] Part 2: convert the test for bug 536567 to a chrome test Thanks a lot for doing this, Ehsan!
Attachment #503003 - Flags: review?(jst) → review+
I pushed this to try just to check my sanity, and if the results are positive, I will push it to mozilla-central tomorrow. Blake, if you think you'll need to land it sooner, you should keep an eye on the try results on this revision: 2b9fa7c33458
Attachment #501186 - Flags: review+
Summary: [needs updated patch] setTimeout(close) closes a window the page isn't allowed to close → setTimeout(close) closes a window the page isn't allowed to close
Fix landed: http://hg.mozilla.org/mozilla-central/rev/910fb1e279d1
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Depends on: 643450
Attached patch 1.9.2 patchSplinter Review
Attachment #537629 - Flags: review?(jst)
Attachment #537629 - Flags: approval1.9.2.18?
Attachment #537629 - Flags: review?(jst) → review+
blocking1.9.2: --- → .18+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Comment on attachment 537629 [details] [diff] [review] 1.9.2 patch Approved for 1.9.2.18, a=dveditz for release-drivers
Attachment #537629 - Flags: approval1.9.2.18? → approval1.9.2.18+
blocking1.9.2: .18+ → .19+
Comment on attachment 537629 [details] [diff] [review] 1.9.2 patch Guess this didn't make 3.6.18 -- next time.
Attachment #537629 - Flags: approval1.9.2.19+
Attachment #537629 - Flags: approval1.9.2.18-
Attachment #537629 - Flags: approval1.9.2.18+
Blake, can you land this on 1.9.2, please?
(In reply to Jesse Ruderman from comment #1) > Created attachment 492563 [details] > testcase (closes window) This testcase doesn't do anything in 3.6.19 on OS X. If I run it in a window by itself or in a browser with multiple tabs, nothing happens. Was the problem behavior actually observed in 1.9.2?
Whiteboard: [sg:low][hardblocker] → [sg:low][hardblocker][qa-examined-192]
https://bugzilla.mozilla.org/show_bug.cgi?id=650252#c6 references this bug. Are the exploits related as that one is definitely fixed and can be verified.
Group: core-security
Keywords: csec-sop, sec-low
Whiteboard: [sg:low][hardblocker][qa-examined-192] → [hardblocker][qa-examined-192]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: