Closed
Bug 784892
Opened 12 years ago
Closed 12 years ago
Objects frozen by one frame can be modified by another frame
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 674195
People
(Reporter: felix8a, Unassigned)
Details
Attachments
(1 file)
329 bytes,
text/plain
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.81 Safari/537.1

Steps to reproduce:
Load the attached a.html in ff15 (beta) or ff16 (aurora).

Actual results:
An alert that says "true,false,,3". An object frozen in one frame appears unfrozen to another frame, and the supposedly frozen object can be modified by code in the other frame.

Expected results:
An alert that says "true,true,,". ff14 (release) behaves correctly.
Updated•12 years ago
Severity: normal → major
Updated•12 years ago
Severity: major → critical
Comment 1•12 years ago
I took the liberty of classifying this as "critical" because it breaks a key security invariant.
Comment 2•12 years ago
Presumably broken by cpg, because now there's a cross-compartment wrapper there? Looks like bug 674195.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
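A regression check for the invariant this report describes, added here as an example; it is not the attached a.html and not code from the bug. It assumes Node.js `vm` contexts as a stand-in for the two browser frames (each context is a separate realm with its own `Object`), and the names `probeFrozenAcrossRealms` and `freezeInvariantHolds` are hypothetical.

```javascript
const vm = require('node:vm');

// Assumption: a vm context plays the role of a frame (separate realm, own globals).
function probeFrozenAcrossRealms() {
  // "Owner" realm creates and freezes the object.
  const owner = vm.createContext({});
  const obj = vm.runInContext('var obj = Object.freeze({ x: 1 }); obj', owner);

  // "Other" realm gets a reference to the same object and tries every mutation path.
  const other = vm.createContext({ shared: obj });
  const fromOther = JSON.parse(vm.runInContext(`
    (function () {
      'use strict'; // strict mode makes rejected writes throw instead of failing silently
      const rejected = [];
      const attempt = (name, fn) => { try { fn(); } catch (e) { rejected.push(name); } };
      const seenFrozen = Object.isFrozen(shared);
      attempt('set', () => { shared.x = 3; });
      attempt('add', () => { shared.y = 3; });
      attempt('delete', () => { delete shared.x; });
      attempt('define', () => { Object.defineProperty(shared, 'x', { value: 3 }); });
      return JSON.stringify({ seenFrozen, rejected });
    })()
  `, other));

  return {
    frozenInOwner: vm.runInContext('Object.isFrozen(obj)', owner),
    frozenInOther: fromOther.seenFrozen, // must match frozenInOwner
    rejected: fromOther.rejected,        // every mutation attempt must throw
    x: obj.x,                            // value must be unchanged
    keys: Object.keys(obj),              // no property added or removed
  };
}

// The invariant: frozen state and immutability do not depend on the observing realm.
function freezeInvariantHolds(r) {
  return r.frozenInOwner && r.frozenInOther && r.rejected.length === 4 &&
         r.x === 1 && r.keys.length === 1 && r.keys[0] === 'x';
}

const result = probeFrozenAcrossRealms();
console.log(result, freezeInvariantHolds(result) ? 'PASS' : 'FAIL');
```

An engine showing the behaviour reported here would yield `frozenInOther: false` and a changed `x`, so `freezeInvariantHolds` would return false.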