Closed Bug 723388 Opened 12 years ago Closed 12 years ago

Sites depending on cross domain iframe ajax requests are affected by incorrect Array.isArray() behavior

Categories

(Core :: JavaScript Engine, defect)

10 Branch
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 714547
Tracking Status
firefox10 - affected
firefox11 - ---
firefox12 - ---
firefox13 - ---

People

(Reporter: neil, Assigned: Waldo)

Details

(Keywords: regression)

Attachments

(1 file)

Our site, groupme.com, received multiple complaints from users who had been upgraded to Firefox 10 last night that they could no longer see messages on our website.

We traced it back to this issue with Array.isArray():
https://gist.github.com/1721221

As you can see in this minimal case, Array.isArray returns false for arrays created in an iframe served from a subdomain and accessed via a shared document.domain.

The JavaScript on our page is using Array.isArray to determine how to process our API responses. I imagine we are not the only site affected by this, as many sites rely on cross domain iframes to communicate with their own site's API.

Let me know if you have any questions or need any more details, thanks!
Summary: Sites depending on cross domain iframe ajax requests are → Sites depending on cross domain iframe ajax requests are affected by incorrect Array.isArray() behavior
As Neil points out, this is a common pattern used in cross-domain JavaScript development. Our site, Disqus (http://disqus.com), is similarly affected. Our recourse right now is to remove any code that uses Array.isArray since we can't trust the result on Firefox 10.
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Hmm.  An attempt at a shell testcase doesn't fail on trunk, although that might just mean the test wasn't sufficiently similar.  I'll investigate further.
Assignee: general → jwalden+bmo
OS: Mac OS X → All
Hardware: x86 → All
Presumably the issue is isArray on a security wrapper around an actual array, right?  I'm not sure how you'd test that in the shell...

I'm also not sure why the behavior here would have changed for Fx10.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Meant to cc Blake
Keywords: regression
Blocks: 723785
Attached file Test case
I think this is a dup of bug 714547 which is fixed on nightly and aurora.  Can you confirm this fix?  If so perhaps we can backport the patch to beta so that the fix comes out with FF 11.
Yeah, worked on nightly and aurora but broken on beta and release.
Please nominate beta approval.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Not tracking because this is now fixed on all non-release branches in bug 714547.
We've fixed this by hardcoding a monkeypatch to the previous buildID. You guys did another release and the site broke again for our customers. We don't want to monkeypatch isArray for all browsers -- is there a chance there will be another release without this bug fix?
There is always a chance that we'll need to ship a release to fix a zero-day security bug.

What exactly does your buildID test look like?
Now it's:

if (parseInt(navigator.buildID) >= 20120129021758)
   shim...

Classy.
Firefox 11 should fix this, so waiting until then is the default possibility.

The current plan is to not fix Firefox 10, which would mean there'd be an extended-support release with this issue for the next year-ish.  I'm not convinced that's the right decision, given that Array.isArray being broken this way isn't an edge case but rather a fundamental flaw in the implementation.  So I'm appealing that decision now.  Whether that appeal will be successful, who knows.  Keep an eye on bug 714547 for what happens on that front.
John, testing navigator.buildID that way is fundamentally broken.  I'd recommend testing the Gecko version for starting with "10.0" for the moment...
K. I'm using navigator.userAgent now instead. Is there a better way to get the Gecko version?
Unfortunately, no.
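
The workaround in this thread keys the shim on navigator.buildID and then navigator.userAgent. A feature-detecting alternative is sketched below as an added example; it is not code from the reporters or from Mozilla. It runs under Node.js, where a vm context stands in for the iframe and brokenIsArray is a constructed stand-in for the faulty build. All function names are hypothetical, and the assumption that the toString fallback classifies wrapped arrays correctly on the affected Firefox 10 build is not confirmed by the thread.

```javascript
// Added example. makeIsArray, classIsArray and brokenIsArray are hypothetical names.
const vm = require('vm');

// Pre-ES5 class check: does not depend on which global created the value.
// Assumption: this also holds for the wrapped arrays discussed in the bug.
function classIsArray(value) {
  return Object.prototype.toString.call(value) === '[object Array]';
}

// Probe the native function with an array known to come from another global.
// Keep the native function if it answers correctly, otherwise fall back.
// No build ID or user-agent string is consulted.
function makeIsArray(nativeIsArray, foreignArray) {
  let ok = false;
  try {
    ok = typeof nativeIsArray === 'function' &&
         nativeIsArray(foreignArray) === true &&
         nativeIsArray({ length: 0 }) === false;
  } catch (e) {
    ok = false; // a throwing implementation is treated as broken
  }
  return ok ? nativeIsArray : classIsArray;
}

// Constructed stand-in for an array handed over by the iframe:
// an array literal evaluated in a separate global object.
const foreignArray = vm.runInNewContext('[1, 2, 3]');

// Constructed stand-in for the faulty engine: it only recognises
// arrays created in its own global.
function brokenIsArray(value) {
  return value instanceof Array;
}

const onGoodEngine = makeIsArray(Array.isArray, foreignArray);
const onBadEngine = makeIsArray(brokenIsArray, foreignArray);

console.log(onGoodEngine === Array.isArray, onBadEngine(foreignArray));
```

In a page, the probe value would be an array obtained from the same-site iframe once it has loaded, so the check runs against the exact boundary the API responses cross.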