Open
Bug 691242
Opened 14 years ago
Updated 3 years ago
"ASSERTION: Want to fire DOMNodeRemoved event, but it's not safe" with NoScript
Categories
(Core :: DOM: Events, defect, P5)
Tracking
()
NEW
People
(Reporter: jdm, Unassigned)
References
()
Details
(Keywords: assertion, reproducible)
Attachments
(1 file)
|
9.69 KB,
text/plain
|
Details |
STR:
1. install noscript
2. visit forums.whirlpool.net.au
From the stacktrace, it looks like we:
* add a script element
* check the content load policies
* one of the policies is a script which ends up removing a node (presumably in the same document or something)
|
Reporter | |
Comment 1•14 years ago
|
||
STR addendum:
3. temporarily allow scripts on the page
4. assert
Keywords: assertion,
reproducible
|
||
Comment 2•14 years ago
|
||
It could be a different document. Doesn't matter. As things stand, content policies modifying any DOM is completely unsafe....
We really need to start calling them async. :(
Keywords: assertion,
reproducible
|
|
||
Updated•14 years ago
|
Keywords: assertion,
reproducible
|
|
Reporter | |
Comment 3•14 years ago
|
||
https://addons.mozilla.org/en-US/firefox/files/browse/133269/file/chrome/noscript.jar/content/noscript/ScriptSurrogate.js#L225
This is the function being called by the noscript content load policy (wait what? is that how policies are supposed to work?).
|
||
Comment 4•14 years ago
|
||
(In reply to Josh Matthews [:jdm] from comment #3)
> https://addons.mozilla.org/en-US/firefox/files/browse/133269/file/chrome/
> noscript.jar/content/noscript/ScriptSurrogate.js#L225
>
> This is the function being called by the noscript content load policy (wait
> what? is that how policies are supposed to work?).
Until there are better hooks (if ever), a content policy callback is the only place for an extension to execute a script instead of a blocked one.
I could use a Sandbox and avoid to touch the DOM (I used to and, in fact, the method is still there) but I settled for the DOM-based approach after being severely bitten by memory/performance issues (maybe related to bug 646575?)
As a middle-ground, changing https://addons.mozilla.org/en-US/firefox/files/browse/133269/file/chrome/noscript.jar/content/noscript/ScriptSurrogate.js#L176 into
this.executeSandbox;
switches back to Sandbox-based execution every surrogate triggered by a content policy call (by default, this happens on any allowed webpage which tries to import blocked Google Analytics scripts, for instance).
|
|
||
Comment 5•14 years ago
|
||
> Until there are better hooks (if ever)
Others have asked for such callbacks; all that's missing is time to implement, fwiw...
|
|
||
Comment 6•14 years ago
|
||
FYI, NoScript 2.1.5rc1 has changes to never modify the DOM during content policy callbacks.
|
|
||
Updated•7 years ago
|
Priority: -- → P5
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•