Closed
Bug 731817
Opened 12 years ago
Closed 12 years ago
docShell misbehaves (for top level windows ?)
Categories
(Core :: DOM: Navigation, defect)
RESOLVED
INVALID
People
(Reporter: irakli, Unassigned)
Details
I've run into an issue where setting `docShell.allowJavascript = false` is ignored and JS is still executed. Here are two examples to reproduce this issue: https://gist.github.com/1945248 The first one is closer to what we actually do, and the second is more simplified and can be run right out of the jsconsole. I have not tried other platforms, but it does misbehave on OS X.
Comment 1•12 years ago (Reporter)
BTW, there is also no difference even if I set `frame.setAttribute('type', 'content')`. Also, if I run `frame.setAttribute('src', 'data:text/html,<script>alert(window.parent && window.parent.location)</script>')` I can see a dialog with the parent window's location, while I'd expect window.parent to be null when type is content.
Comment 2•12 years ago
You're loading system-privileged content in those docshells. That may well ignore any docshell settings about script execution. In fact, I'm 100% sure it does, since that check is done as part of the general "ok to run script" security check. Do you actually need .allowJavascript to prevent script execution in system-privileged documents?
Comment 3•12 years ago (Reporter)
(In reply to Boris Zbarsky (:bz) from comment #2)
> You're loading system-privileged content in those docshells.
Why is 'data:text/html,<script>alert("Hello")</script>' system-privileged?
> Do you actually need .allowJavascript to prevent script execution in
> system-privileged documents?
In fact, my intention is to have non-system-privileged documents loaded in the created browser elements. Could you point out what I am doing wrong there, and why it gets the system principal?
Comment 4•12 years ago (Reporter)
OK, it looks like it has to do with the type of the browser. But using 'content' as the value makes no difference either, but I guess I could play with other values to figure out which one I need.
Comment 5•12 years ago (Reporter)
OK, so it looks like the main issue I had in my actual code was caused by the fact that I was appending the browser element to the document first and then setting its type to 'content', which I guess is ignored. Setting the type before appending to the document solves all the issues. Thanks, Boris.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 6•12 years ago
> Why is 'data:text/html,<script>alert("Hello")</script>' system-privileged ?
Because data: URIs use the security context of whoever loaded them (except when crossing docshell type boundaries), and in this case the thing doing the loading is system-privileged.
And yeah, you have to set the type before the docshell is created, so before insertion into the DOM...
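The ordering that resolved this bug, as an added example that is not part of the original thread or of Mozilla's code: a chrome-privileged helper that sets `type="content"` before insertion, confirms the resulting docshell really is a content docshell, and only then disables script and sets `src`. The helper name, its parameters, and the assumption that `browser.docShell` exposes `itemType` (from `nsIDocShellTreeItem`, where `typeContent` is 1) are assumptions of this example.

```javascript
// Added example: intended for a chrome-privileged (system principal) script.
const XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
const TYPE_CONTENT = 1; // nsIDocShellTreeItem.typeContent (typeChrome is 0)

// Hypothetical helper: creates a <browser> for untrusted markup with script disabled.
// doc    - the chrome document that owns the new element
// parent - the element to append the browser to
// url    - the untrusted URL to load (for example a data: URI)
function createScriptlessContentBrowser(doc, parent, url) {
  const browser = doc.createElementNS(XUL_NS, "browser");

  // The docshell type is decided when the docshell is created, which happens
  // on insertion into the DOM. Setting the attribute afterwards is ignored,
  // and the frame stays a chrome docshell.
  browser.setAttribute("type", "content");
  parent.appendChild(browser);

  // Fail closed: in a chrome docshell a data: URI inherits the loader's
  // system principal, and allowJavascript is not honoured for
  // system-privileged documents.
  const docShell = browser.docShell;
  if (!docShell || docShell.itemType !== TYPE_CONTENT) {
    parent.removeChild(browser);
    throw new Error("no content docshell; refusing to load " + url);
  }

  // Disable script before any untrusted content is loaded.
  docShell.allowJavascript = false;
  browser.setAttribute("src", url);
  return browser;
}
```

Setting `src` last means nothing untrusted starts loading until both the docshell type check and the script setting are in place.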