"Fix the caller!" when datalist fires onselect on a node created from a chrome context

RESOLVED FIXED in mozilla2.0b12

Status: RESOLVED FIXED (defect); reported 9 years ago, updated 4 years ago

People: Reporter: mak; Assigned: mounir

Tracking: Keywords: regression; Version: Trunk; Target Milestone: mozilla2.0b12
Bug Flags: in-testsuite +

Firefox Tracking Flags: blocking2.0 final+, status1.9.2 unaffected, status1.9.1 unaffected

Details: Whiteboard: [sg:critical?][hardblocker]

Attachments: 3

I have a datalist in content context; chrome context fills it up with some <option> through a remote URL that content doesn't have access to.

// Chrome code: append an <option> created in the content document to the
// content page's datalist and set its value.
let list = contentDoc.getElementById("mydatalist");
let value = "xyz";
list.appendChild(
  list.ownerDocument.createElement("option")
).value = value;

When the datalist shows, the node I created gets an onselect event, and this triggers a "WARNING: fix the caller!"

Smaug asked me to file the bug with a full stack.
Looking at local values I found an "onselect" in event userType and a "tree" in the target.
Seems like the not-so-safe AttributeChanged handling was added in Bug 556007.
Blocks: 556007
Keywords: regression
And this isn't only about AttributeChanged, but all the mutation observer methods.
We should probably use a script runner to call RevalidateDataList();
To reproduce the stack you can use the "experiment 2.1" patch in bug 612453; it adds an autocomplete datalist to the about:home search field. Just type in the search field to activate autocomplete and you'll see the warnings.
Posted patch: Patch v1
This patch is fixing the issue. I guess this is because OnUpdateSearchResult was called from nsIMutationObserver methods.
Assignee: nobody → mounir.lamouri
Status: NEW → ASSIGNED
Attachment #511053 - Flags: review?(Olli.Pettay)
Version: unspecified → Trunk
Attachment #511053 - Flags: review?(dolske)
Attachment #511053 - Flags: review?(Olli.Pettay)
Attachment #511053 - Flags: review+
Whiteboard: [needs review dolske]
Whiteboard: [needs review dolske] → [needs review dolske][needs try]
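The deferral described in the two comments above (calling RevalidateDataList() from a script runner instead of straight from the nsIMutationObserver callbacks, because OnUpdateSearchResult ran from those callbacks), modelled as a small C++ program. This is an added example, not Gecko's code and not the patch on this bug: Engine, DataListObserver and SimulateSetValue are simplified stand-ins for Gecko's script-blocker count, nsContentUtils::AddScriptRunner and the datalist's autocomplete hook, and the "fix the caller!" string is only a marker for the warning named in the report.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Hypothetical model of the rule behind "WARNING: fix the caller!": DOM
// mutation notifications (nsIMutationObserver::AttributeChanged and friends)
// run while a script blocker is held, so work that may run script must be
// deferred through a script runner (nsContentUtils::AddScriptRunner in Gecko).
// Engine and DataListObserver are simplified stand-ins, not Gecko classes.

struct Engine {
    int scriptBlockers = 0;                       // > 0 means script must not run
    std::vector<std::function<void()>> runners;   // deferred script runners
    std::vector<std::string> warnings;            // "fix the caller!" occurrences
    std::vector<std::string> scriptLog;           // scripts that did run

    bool IsSafeToRunScript() const { return scriptBlockers == 0; }

    // Analogue of nsContentUtils::AddScriptRunner: run now if safe, else queue
    // until the last script blocker is released.
    void AddScriptRunner(std::function<void()> fn) {
        if (IsSafeToRunScript()) { fn(); return; }
        runners.push_back(std::move(fn));
    }

    // The entry point that checks the blocker count; the buggy path reached it
    // straight from the observer callback.
    void RunScript(const std::string& name) {
        if (!IsSafeToRunScript()) {
            warnings.push_back("fix the caller! (" + name + ")");
        }
        scriptLog.push_back(name);
    }

    void AddScriptBlocker() { ++scriptBlockers; }
    void RemoveScriptBlocker() {
        assert(scriptBlockers > 0);
        if (--scriptBlockers == 0) {
            // Drain the queue; a runner may enqueue another, so loop.
            while (!runners.empty()) {
                std::vector<std::function<void()>> batch;
                batch.swap(runners);
                for (auto& fn : batch) fn();
            }
        }
    }
};

// The datalist's mutation observer. Revalidating the list notifies the
// autocomplete controller (OnUpdateSearchResult), which can end up running
// script, which is exactly what must not happen inside the callback.
struct DataListObserver {
    Engine& engine;
    bool deferWithScriptRunner;   // false reproduces the behaviour before the patch
    int revalidations;

    void RevalidateDataList() {
        ++revalidations;
        engine.RunScript("nsAutoCompleteController::OnUpdateSearchResult");
    }

    // nsIMutationObserver::AttributeChanged analogue, invoked by the DOM with a
    // script blocker held.
    void AttributeChanged() {
        if (deferWithScriptRunner) {
            engine.AddScriptRunner([this] { RevalidateDataList(); });
        } else {
            RevalidateDataList();   // triggers "fix the caller!"
        }
    }
};

struct Outcome {
    int warnings;                    // number of "fix the caller!" warnings
    int revalidations;               // how often the list was revalidated
    bool revalidatedAfterMutation;   // true if the work ran only after the blocker was released
};

// Simulate `option.value = "xyz"` on an <option> inside an observed datalist.
Outcome SimulateSetValue(bool deferWithScriptRunner) {
    Engine engine;
    DataListObserver obs{engine, deferWithScriptRunner, 0};

    engine.AddScriptBlocker();           // the DOM holds a blocker while notifying
    obs.AttributeChanged();
    bool duringNotify = obs.revalidations > 0;
    engine.RemoveScriptBlocker();        // queued runners fire here

    return Outcome{static_cast<int>(engine.warnings.size()), obs.revalidations,
                   !duringNotify && obs.revalidations > 0};
}

int main() {
    for (bool defer : {false, true}) {
        Outcome o = SimulateSetValue(defer);
        std::printf("%s: warnings=%d revalidations=%d afterMutation=%s\n",
                    defer ? "script runner" : "direct call", o.warnings,
                    o.revalidations, o.revalidatedAfterMutation ? "yes" : "no");
    }
    return 0;
}
```

Run stand-alone it prints both outcomes. The point is that with the script runner the revalidation still happens exactly once, but only after the blocker held for the mutation has been released, so whatever script OnUpdateSearchResult triggers never runs while the DOM is in the middle of a notification.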
Why has this bug been marked "security-sensitive"?
Smaug asked me to mark it as security sensitive while it was investigated.
Whiteboard: [needs review dolske][needs try] → [needs review dolske][passed try]
Posted patch: Tests fixes
Attachment #511331 - Flags: review?(Olli.Pettay)
(In reply to comment #7)
> Why has this bug been marked "security-sensitive"?

Because nsAutoCompleteController::OnUpdateSearchResult is called at an unsafe time, and that method seems to trigger some scripts to run. If those scripts can include anything in a content page, this would probably be sg:critical.
(In reply to comment #10)
> (In reply to comment #7)
> > Why has this bug been marked "security-sensitive"?
> 
> Because nsAutoCompleteController::OnUpdateSearchResult is called at an unsafe time, and that method seems to trigger some scripts to run. If those scripts can include anything in a content page, this would probably be sg:critical.

I don't think nsAutoCompleteController::OnUpdateSearchResult can trigger any content script.
sg:critical, just to be on the safe side. Let's get this landed!
blocking2.0: --- → final+
Whiteboard: [needs review dolske][passed try] → [sg:critical?][hardblocker][needs review dolske][passed try]
Attachment #511053 - Flags: review?(dolske) → review+
Attachment #511331 - Flags: review+
Attachment #511331 - Flags: review?(Olli.Pettay)
Whiteboard: [sg:critical?][hardblocker][needs review dolske][passed try] → [sg:critical?][hardblocker][passed try][needs landing]
Whiteboard: [sg:critical?][hardblocker][passed try][needs landing] → [sg:critical?][hardblocker][passed try][needs landing][has patch]
Pushed:
http://hg.mozilla.org/mozilla-central/rev/23703ec8b73b
http://hg.mozilla.org/mozilla-central/rev/5a9359bc00f6
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [sg:critical?][hardblocker][passed try][needs landing][has patch] → [sg:critical?][hardblocker]
Target Milestone: --- → mozilla2.0b12
blocking2.0: final+ → ---
blocking2.0: --- → final+
Group: core-security → core-security-release
Group: core-security-release