I'm not sure whether this is a security bug, but it is strange to let web pages to use DOMWindowUtils APIs.
If exposing the method to web is ok, it should be added to document. Someone in #whatwg was asking about such method.
It doesn't have a check because we decided not to expose it to content at the time. See bug 489127 comment 27 and 37. Or can webpages now access things from DOMWindowUtils? (If they do I believe this changed recently? I don't think they could when we implemented that feature) It would be nice to expose that to content imo. IE and Webkit implemented similar APIs after we did ours, though with some slightly different behavior.
Web pages have always had access to DOMWindowUtils.
Did this turn out to be a problem or not?
Roc, Felipe? Do we expose anything insecure via NodesFromRect? Does it have all the necessary cross-iframe checks etc?
We should not expose anything in DOMWindowUtils to Web content because none of it's standard and we don't want to standardize DOMWindowUtils!
So the reason to protect nodesFromRect, or DOMWindowUtils in general, from Web content is not just security but to stop them from relying on stuff there.
But yeah there's no security risk in this function, the code is very similar to elementFromPoint, with the difference that it returns a list of elements and text nodes instead of just one. It only returns elements from the same document, using the same code as elementFromPoint. So to my best understanding there is nothing insecure here. (can we make the bug public?) Let's protect this code from being called by webpages anyway due to what Roc mentioned.
I think we should add a security check here whether there's a security risk here or not. If we don't then sites might start depending on this, and we're not making any promises about any APIs exposed through DOMWindowUtils. Opening this bug cause there doesn't appear to be anything to hide here.
Created attachment 592035 [details] [diff] [review] Patch Trivial change + moving the test for nodesFromRect to mochitest-chrome where it'll have permission to call the function