Closed Bug 731817 Opened 12 years ago Closed 12 years ago

docShell misbehaves (for top level windows ?)

Categories: Core :: DOM: Navigation, defect
Platform: x86, macOS
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
People: Reporter: irakli, Unassigned

Details

I've run into an issue where setting `docShell.allowJavascript = false` is ignored and JS is still executed. Here are two examples to reproduce this issue:

https://gist.github.com/1945248

The 1st one is closer to what we actually do and the second is more simplified and can be run right out of the jsconsole. Have not tried on other platforms but it does misbehave on OSX.
BTW, there is also no difference even if I set frame.setAttribute('type', 'content'). Also, if I run `frame.setAttribute('src', 'data:text/html,<script>alert(window.parent && window.parent.location)</script>')` I can see a dialog with the parent window's location, while I'd expect window.parent to be null when type is content.
You're loading system-privileged content in those docshells.  That may well ignore any docshell settings about script execution.  In fact, I'm 100% sure it does, since that check is done as part of the general "ok to run script" security check.

Do you actually need .allowJavascript to prevent script execution in system-privileged documents?
(In reply to Boris Zbarsky (:bz) from comment #2)
> You're loading system-privileged content in those docshells. 

Why is 'data:text/html,<script>alert("Hello")</script>' system-privileged?

> Do you actually need .allowJavascript to prevent script execution in
> system-privileged documents?

In fact my intention is to have non-system-privileged documents loaded in the created browser elements. Could you point out what I am doing wrong there, why does it get the system principal?
Ok, it looks like it has to do with the type of the browser. But using 'content' as the value makes no difference either, but I guess I could play with other values to figure out which one I need.
Ok, so it looks like the main issue I had in my actual code was caused by the fact that I was appending the browser element to the document first and then setting its type to 'content', which I guess is ignored. Setting type before appending to the document solves all the issues.

Thanks Boris
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
> Why is 'data:text/html,<script>alert("Hello")</script>' system-privileged?

Because data: URIs use the security context of whoever loaded them (except when crossing docshell type boundaries), and in this case the thing doing the loading is system-privileged.

And yeah, you have to set the type before the docshell is created, so before insertion into the DOM...
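As an added illustration that is not part of this bug report and not Firefox's own code or API: a toy JavaScript model of the two rules Boris explains above, namely that a browser element's docShell type is fixed at the moment the element is inserted into the document, and that a data: URI inherits its loader's principal unless the load crosses a docshell type boundary, with system-principal documents passing the "ok to run script" check regardless of `allowJavascript`. Every name in it (`ToyBrowser`, `principalForDataUri`, `scriptWouldRun`, the setup helpers) is hypothetical.

```javascript
// Toy model (added example, not Firefox code) of why allowJavascript = false
// is ignored when the browser element's type is set after insertion.
const SYSTEM_PRINCIPAL = "system";
const CONTENT_PRINCIPAL = "content";

class ToyBrowser {
  constructor() {
    this.attrs = {};
    this.docShell = null; // created only when inserted into a document
  }
  setAttribute(name, value) {
    this.attrs[name] = value;
  }
  // Models appending the element to a chrome document: the docShell is
  // created here, and its type is read from the attribute at this moment.
  // Changing the attribute afterwards has no effect on the docShell.
  insertIntoDocument() {
    if (this.docShell) return;
    this.docShell = {
      type: this.attrs.type === "content" ? "content" : "chrome",
      allowJavascript: true,
    };
  }
}

// Principal a data: URI document gets when loaded by `loaderPrincipal`:
// it inherits the loader's principal, except when the load crosses from a
// system-privileged loader into a content-type docShell.
function principalForDataUri(loaderPrincipal, browser) {
  if (!browser.docShell) throw new Error("browser not inserted into a document");
  if (loaderPrincipal === SYSTEM_PRINCIPAL && browser.docShell.type === "content") {
    return CONTENT_PRINCIPAL;
  }
  return loaderPrincipal;
}

// The "ok to run script" decision: system-privileged documents always run
// script; everything else is subject to docShell.allowJavascript.
function scriptWouldRun(loaderPrincipal, browser) {
  const principal = principalForDataUri(loaderPrincipal, browser);
  if (principal === SYSTEM_PRINCIPAL) return true;
  return browser.docShell.allowJavascript;
}

// The reporter's original order: insert first, set type afterwards.
function insertThenSetType() {
  const b = new ToyBrowser();
  b.insertIntoDocument();
  b.setAttribute("type", "content"); // too late: docShell already exists as chrome
  b.docShell.allowJavascript = false;
  return scriptWouldRun(SYSTEM_PRINCIPAL, b); // true: setting is ignored
}

// The fix the reporter found: set type before insertion.
function setTypeThenInsert() {
  const b = new ToyBrowser();
  b.setAttribute("type", "content");
  b.insertIntoDocument();
  b.docShell.allowJavascript = false;
  return scriptWouldRun(SYSTEM_PRINCIPAL, b); // false: setting is honoured
}

console.log("insert, then type=content: script runs?", insertThenSetType());
console.log("type=content, then insert: script runs?", setTypeThenInsert());
```

The model only covers data: loads from a system-privileged loader, which is the case in the bug; the point it makes is that a sandboxing knob such as `allowJavascript` is only meaningful once the document inside the docShell has a non-system principal, and that depends on the docShell type chosen at creation time.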