Closed Bug 951245 Opened 6 years ago Closed 6 years ago

Forwarding to outer should probably check for active document, not current inner

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla29
Tracking Status
firefox26 --- unaffected
firefox27 + fixed
firefox28 + fixed
firefox29 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

Attachments

(2 files)

Otherwise the patch for bug 936056 is broken on this testcase, loaded in an iframe that's same-origin with the parent:

  function foo() {
    document.open();
    alert(parent);
  }
  window.onload = foo;

because the parent getter sees a non-current inner and throws a security exception.  This happens in content/html/content/test/test_bug209275.xhtml for example.
Flags: needinfo?(peterv)
We'll need this on 27/28, since bug 936056 landed there.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Whiteboard: [need review]
Attachment #8349573 - Flags: review?(peterv) → review+
> since bug 936056 landed there

I meant bug 938640.
Blocks: 938640
Flags: needinfo?(peterv) → in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla29
Comment on attachment 8349573 [details] [diff] [review]
Forwarding to outer should check for active document, not current inner, to handle document.open() cases.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 938640
User impact if declined: Incorrect functioning of some web pages after
   document.open.
Testing completed (on m-c, etc.): Passes tests.
Risk to taking this patch (and alternatives if risky): Low risk.  Aligns us
   better with spec.
String or IDL/UUID changes made by this patch:  None.
Attachment #8349573 - Flags: approval-mozilla-aurora?
Attachment #8350729 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/104ac316a399
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Attachment #8349573 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8350729 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
This is a fix to the code added in bug 938640, so only really needs to land on the branches where that code landed.

This only blocks bug 936056 because on branches where bug 938640 has landed but this bug has not the fix for bug 936056 will turn the tree orange.
On the other hand, this patch depends on the one in bug 932309; without that the mDoc check doesn't work right.  :(
Depends on: 932309
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.