Closed Bug 951245 Opened 11 years ago Closed 11 years ago

Forwarding to outer should probably check for active document, not current inner

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29
Tracking Flags:
Tracking Status
firefox26 --- unaffected
firefox27 + fixed
firefox28 + fixed
firefox29 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

Attachments

(2 files)

Forwarding to outer should check for active document, not current inner, to handle document.open() cases.
7.35 KB, patch
peterv
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Patch for beta 27
8.01 KB, patch
bajaj
: approval-mozilla-beta+
Details | Diff | Splinter Review 
Otherwise the patch for bug 936056 is broken on this testcase, loaded in an iframe that's same-origin with the parent:

  function foo() {
    document.open();
    alert(parent);
  }
  window.onload = foo;

because the parent getter sees a non-current inner and throws a security exception.  This happens in content/html/content/test/test_bug209275.xhtml for example.
Flags: needinfo?(peterv)
We'll need this on 27/28, since bug 936056 landed there.
tracking-firefox27: --- → ?
tracking-firefox28: --- → ?
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Whiteboard: [need review]
Attachment #8349573 - Flags: review?(peterv) → review+
> since bug 936056 landed there

I meant bug 938640.
Blocks: 938640
Flags: needinfo?(peterv) → in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla29
Comment on attachment 8349573 [details] [diff] [review]
Forwarding to outer should check for active document, not current inner, to handle document.open() cases.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 938640
User impact if declined: Incorrect functioning of some web pages after
   document.open.
Testing completed (on m-c, etc.): Passes tests.
Risk to taking this patch (and alternatives if risky): Low risk.  Aligns us
   better with spec.
String or IDL/UUID changes made by this patch:  None.
Attachment #8349573 - Flags: approval-mozilla-aurora?

    
  

        Attachment #8350729 -
        Flags: approval-mozilla-beta?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/104ac316a399
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

        Attachment #8349573 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

        Attachment #8350729 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
This is a fix to the code added in bug 938640, so only really needs to land on the branches where that code landed.

This only blocks bug 936056 because on branches where bug 938640 has landed but this bug has not the fix for bug 936056 will turn the tree orange.

          status-b2g-v1.2:
          ?unaffected

          status-firefox26:
          wontfixunaffected

          status-firefox-esr24:
          ?unaffected

    
    

    
  
On the other hand, this patch depends on the one in bug 932309; without that the mDoc check doesn't work right.  :(
Depends on: 932309
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: