Closed Bug 784892 Opened 12 years ago Closed 12 years ago

Objects frozen by one frame can be modified by another frame

Categories

(Core :: JavaScript Engine, defect)

15 Branch
x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 674195

People

(Reporter: felix8a, Unassigned)

Details

Attachments

(1 file)

Attached file a.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.81 Safari/537.1

Steps to reproduce:

Load the attached a.html in ff15 (beta) or ff16 (aurora).


Actual results:

An alert that says "true,false,,3". An object frozen in one frame appears unfrozen to another frame, and the supposedly frozen object can be modified by code in the other frame.


Expected results:

An alert that says "true,true,,". ff14 (release) behaves correctly.
Severity: normal → major
Severity: major → critical
I took the liberty of classifying this as "critical" because it breaks a key security invariant.
Presumably broken by cpg, because now there's a cross-compartment wrapper there?  Looks like bug 674195.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
