changing iframe/browser type attribute from chrome to content after being added should throw error

Status: NEW, Unassigned
Product/Component: Core, XUL
Reporter: eviljeff
Version: Trunk
Keywords: addon-compat
Firefox Tracking Flags: Not tracked

(Reporter)

Description

6 years ago
The type attribute on XUL iframe and browser tags is settable to "content" after the element has been added to the DOM tree even though the level of access is fixed once the element has been added.

https://developer.mozilla.org/en/XUL/iframe#a-browser.type

Developers who do this can then mistakenly load remote websites into xul iframe/browsers as chrome when they believe they are safely loaded as content, creating a security risk for the user.

Setting the type attribute on an iframe/browser after being added to the document should throw an error to protect the user and alert the developer to the issue.

Comment 1

6 years ago
Note that the type attribute can be changed later, and is, for example, by the tabbrowser between 'content' and 'content-primary'.
(Reporter)

Comment 2

6 years ago
Summary updated slightly to reflect it's just chrome -> content that's the issue.
Summary: setting iframe/browser type attribute after being added should throw error → changing iframe/browser type attribute from chrome to content after being added should throw error

Comment 3

Are we talking log an error to the console, or are we talking throw an exception?  I can see doing both, once we have a frameloader...
(Reporter)

Comment 4

6 years ago
I'd prefer throwing an exception - it would break some addons but arguably they're broken at the moment in a way.  

I'm cc'ing Jorge on this in case he has an opinion on addon compatibility.

Comment 5

I agree with making it an exception. Flagging for add-on compat, since we would need to communicate this when implemented.
Keywords: addon-compat
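
Added example, not part of the bug thread and not Mozilla code: the safe ordering for creating a content frame, plus a guard with the behaviour requested above (throw on a chrome -> content change after insertion, while still allowing the 'content' / 'content-primary' switch mentioned in Comment 1). The helper names addContentFrame, setFrameType and makeFakeDocument are hypothetical, and the fake document is a constructed stand-in so the snippet runs outside Firefox.

```javascript
// Type values named in the report and in Comment 1.
const CONTENT_TYPES = new Set(["content", "content-primary"]);
const isContent = (t) => CONTENT_TYPES.has(t);

// Safe order: set the type first, insert second, load the URL last.
function addContentFrame(doc, parent, url) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("type", "content"); // before insertion, while it still takes effect
  parent.appendChild(frame);
  frame.setAttribute("src", url);        // load only once the frame is a content frame
  return frame;
}

// Guard (hypothetical helper): once the element is in the tree, refuse a
// change from a non-content type to a content type instead of accepting it
// silently, because the level of access is already fixed at that point.
function setFrameType(frame, newType) {
  const oldType = frame.getAttribute("type"); // null when never set
  const attached = frame.parentNode != null;
  if (attached && isContent(newType) && !isContent(oldType)) {
    throw new Error("type set to '" + newType +
      "' after insertion; the frame keeps its original access level");
  }
  frame.setAttribute("type", newType);
}

// Constructed stand-in for a XUL document: records the order of operations.
function makeFakeDocument() {
  const log = [];
  const createElement = (tag) => {
    const attrs = {};
    const el = {
      tag,
      parentNode: null,
      getAttribute: (n) => (n in attrs ? attrs[n] : null),
      setAttribute: (n, v) => { attrs[n] = String(v); log.push("set " + n + "=" + v); },
      appendChild: (child) => { child.parentNode = el; log.push("append " + child.tag); return child; },
    };
    return el;
  };
  return { log, createElement };
}
```

In an add-on, routing every type change through a wrapper like setFrameType makes the late chrome -> content assignment fail loudly during development rather than load remote pages with chrome access.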