Currently it calls into XPConnect, which uses the most recent XPCCallContext. But for consumers on new bindings, this answer is no longer correct. In particular, I'm worried about NS_NewHTMLOptionElement and NS_NewHTMLImageElement, both of which are on new bindings (I believe) and use GetDocumentFromCaller to determine NodeInfo. I'm not sure what kind of nastiness can be done with an incorrect NodeInfo, but I'm CCing moz_bug_r_a4 in case it proves fruitful. I'm rewriting this function in one of my patches in bug 883450.
NS_NewHTMLOptionElement and NS_NewHTMLImageElement got called with null aNodeInfo from CreateHTMLOptionElement and CreateHTMLImgElement. These can only be invoked when constructing them via contractid or classid. So first of all, in that situation we will in fact be coming from XPConnect and have an XPCCallContext. Second, this used to be done by the |new Option| and |new Image| stuff, but now those are WebIDL constructors. So I think we should just rip out the contract/classids for option and image, rip out the Create methods in nsLayoutModule.cpp, and rip out the special-casing in the NS_New methods: make them assume aNodeInfo is not null. This is all dead code as far as the web is concerned.
Fully support removing support for contractid/classid for Img and Option.
OK, let's morph this to cover that removal and this is not a security issue.
Summary: GetDocumentFromCaller gives the wrong answer for new DOM bindings → Remove use of GetDocumentFromCaller in image and option code
Created attachment 764275 [details] [diff] [review] Remove GetDocumentFromCaller from NS_NewHTMLImage/OptionElement and remove the XPCOM-y bits for creating those, since WebIDL bindings don't use those.
Attachment #764275 - Flags: review?(bugs)
5 years ago
Assignee: nobody → bzbarsky
Attachment #764275 - Flags: review?(bugs) → review+
Could you still check if some addon uses those contractids?
I did before writing the patch: no hits in the addons mxr. Can't speak to binary addons...
Target Milestone: --- → mozilla24
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED