Created attachment 566159 [details]
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Build ID: 20110928134238
Steps to reproduce:
Tested with Firefox 7.0.1 and current Nightly 10.0a1 on Windows:
1.) open a file (e.g. the attached one) containing code like this
<circle cx="100" cy="100" r="50" onclick="this.parentNode.removeChild(this);" />
2.) move mouse over circle and click left mouse button (don't stop moving before clicking!)
A title tooltip is shown that contains the text of the last tooltip, even from another browser tab. If it is the first title tooltip after startup, the tooltip is shown without text.
AFAICS this doesn't happen with HTML elements or if the mouse was not moved right before clicking.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a1) Gecko/20111010 Firefox/10.0a1 ID:20111010031016
Regression window(cached m-c hourly),
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110630 Firefox/7.0a1 ID:20110702004346
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110702 Firefox/7.0a1 ID:20110702022656
Regression window(cached m-i hourly),
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110630 Firefox/7.0a1 ID:20110701101456
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110701 Firefox/7.0a1 ID:20110701132816
74635b831e9e Robert Longson — Bug 639945 - tooltips are not displayed on inline svg elements. r=dao,bzbarsky
I came across this bug using FF8 in the wild when viewing a svg chart in one tab -- the tooltip showed data from another tab, which looks a little scary from a security perspective.
Updating platform, as I can reproduce in current nightly on linux:
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111212 Firefox/11.0a1
though I needed this additional step in comment 0's STR:
0. Hover over any link with a tooltip (e.g. this one: attachment 566159 [details] )
(In reply to Adam Moore from comment #2)
> I came across this bug using FF8 in the wild when viewing a svg chart in one
> tab -- the tooltip showed data from another tab, which looks a little scary
> from a security perspective.
Not really, the page itself can't read the tooltip data.
But how does the typical user know this?
> which looks a little scary from a security perspective.
Agreed that it could look scary to a typical user, even if it's not actually dangerous. (The appearance of insecurity is worth avoiding. :) )
Created attachment 581618 [details] [diff] [review]
I don't know how to write a testcase as the existing case relies on the content being removed as the tooltip appears. The C++ embedding tooltip code already has a null check so it doesn't need to change.
Note the simplification in the first part of the patch is covered by the existing testcase.
Comment on attachment 581618 [details] [diff] [review]
How about adding document.compareDocumentPosition(tipElement) == document.DOCUMENT_POSITION_DISCONNECTED right at the beginning of FillInHTMLTooltip? Could !tipElement.ownerDocument already be an (unsuccessful) attempt to do this?
(In reply to Dão Gottwald [:dao] from comment #9)
> How about adding document.compareDocumentPosition(tipElement) ==
> document.DOCUMENT_POSITION_DISCONNECTED right at the beginning of
> FillInHTMLTooltip? Could !tipElement.ownerDocument already be an
> (unsuccessful) attempt to do this?
That comes from bug 520729
Ok, so that isn't broken. It would have helped if Ehsan had followed the "Maybe add a comment here that explains what cases this is handling (tipElement is a document)" suggestion.
My example code however is broken... document needs to be tipElement.ownerDocument.
Ehsan did do that on the comment line above the code.
Created attachment 581959 [details] [diff] [review]
address review comment
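The guard discussed in the review comments above, as an added example that is not part of the thread and not Firefox code. It tests the DISCONNECTED bit with `&`, because compareDocumentPosition returns a bitmask and the DOM standard combines DISCONNECTED with other flags for nodes in different trees. MiniNode, tooltip and fillInTooltip are hypothetical names; MiniNode is a constructed stand-in for DOM nodes so the code runs outside a browser.

```javascript
// Added example; MiniNode, tooltip and fillInTooltip are hypothetical names.
// MiniNode is a constructed stand-in for DOM nodes so this runs without a browser.
const DISCONNECTED = 0x01, FOLLOWING = 0x04, CONTAINED_BY = 0x10, IMPL_SPECIFIC = 0x20;

class MiniNode {
  constructor(name, ownerDocument = null) {
    this.name = name;
    this.ownerDocument = ownerDocument; // null for the document node itself
    this.parentNode = null;
    this.title = "";
  }
  appendChild(child) { child.parentNode = this; return child; }
  removeChild(child) { child.parentNode = null; return child; }
  root() { let n = this; while (n.parentNode) n = n.parentNode; return n; }
  // Covers only what the guard needs, with `this` being the document (tree root).
  compareDocumentPosition(other) {
    if (other === this) return 0;
    if (other.root() !== this) return DISCONNECTED | IMPL_SPECIFIC | FOLLOWING;
    return CONTAINED_BY | FOLLOWING;
  }
}

// The label persists between calls, like the tooltip text described in comment 0.
const tooltip = { label: "" };

// Returns true only when a tooltip should be shown for tipElement.
function fillInTooltip(tipElement) {
  const doc = tipElement.ownerDocument;
  // No ownerDocument: tipElement is a document. DISCONNECTED bit: it was removed.
  if (!doc || (doc.compareDocumentPosition(tipElement) & DISCONNECTED)) return false;
  for (let n = tipElement; n && n !== doc; n = n.parentNode) {
    if (n.title) { tooltip.label = n.title; return true; }
  }
  return false;
}

function demo() {
  const doc = new MiniNode("#document");
  const svg = doc.appendChild(new MiniNode("svg", doc));
  const circle = svg.appendChild(new MiniNode("circle", doc));
  circle.title = "constructed sample title";
  const attached = fillInTooltip(circle);
  svg.removeChild(circle); // same effect as the onclick handler in comment 0
  const position = doc.compareDocumentPosition(circle);
  return { attached, removed: fillInTooltip(circle), onDocument: fillInTooltip(doc), position };
}
```

For the removed circle the returned position is 37 (DISCONNECTED | IMPLEMENTATION_SPECIFIC | FOLLOWING), so an equality comparison against DISCONNECTED alone would not match.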
This isn't a regression from 9, so unless we know of significant fallout, no need to uplift to FF10.
(In reply to Matt Brubeck (:mbrubeck) from comment #15)
When does the fix show up in the nightly builds? The issue is not fixed in 12.0a1 (2012-01-05).
Confirmed, this is not fixed on
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120105 Firefox/12.0a1 ID:20120105083933
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a2) Gecko/20120105 Firefox/11.0a2 ID:20120105042010
I think this is related Bug 715882
s/I think this is related Bug 715882/I think this is related Bug 664058/
Testcase in the bug works for me and the patch has not been backed out so the correct resolution is still fixed. If you still have issues raise another bug, this one is done.
(In reply to Robert Longson from comment #21)
> Testcase in the bug works for me and the patch has not been backed out so
> the correct resolution is still fixed. If you still have issues raise
> another bug, this one is done.
filed Bug 715999