783.97 KB, image/png
109 bytes, text/html
1.58 KB, patch
|Details | Diff | Splinter Review|
3.07 KB, patch
|Details | Diff | Splinter Review|
Created attachment 8359773 [details] testcase 959531.html I can't reproduce with Firefox 26 or 29 (Nightly) on Linux.
But I could on Windows 7 with Firefox 26 and 29 but not Firefox 25.
yes it's on windows 7 and not every time, sometimes it happens and sometimes it doesn't.
i figured it out, the innerHTML of the button is case sensitive ("Settings", "History"), it happens in this case only, in addition to the element ID <button type="button" class="abutton" id="settings">Settings</button> <button id="history" class="abutton" type="button">History</button>
Reproducing this requires that the tab in question have loaded about:home first. This is a regression from bug 899222, where about:home adds event listeners to operate the settings/bookmarks buttons. It appears that these listeners are being set on the window and not the document, so they are not unset on page navigation. This is unlikely to be an actual security issue, but since I'm not certain I'll leave it for billm to decide whether to leave this bug private.
Component: Untriaged → General
ok thanks alot .
I think that "Restore Previous Session" is the worst that could happen here. Your current session would be lost, which is pretty bad.
Assignee: nobody → wmccloskey
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
oh ok, thanks Bill !
Created attachment 8360727 [details] [diff] [review] about-home-fix Ugh, a frustrating bug. I used |this| inside an event handler. In the fix, I wanted to use an arrow function, but the function also needs to refer to itself, which arrow functions can't do.
Attachment #8360727 - Flags: review?(felipc)
Created attachment 8360728 [details] [diff] [review] about-home-test Fails without the patch, passes with it.
Attachment #8360728 - Flags: review?(felipc)
Attachment #8360727 - Flags: review?(felipc) → review+
Attachment #8360728 - Flags: review?(felipc) → review+
The patch fixes it, but should we make it more robust by double checking onClick that our doc is about:home?
OK, I can do that.
Somehow this didn't get resolved. https://hg.mozilla.org/mozilla-central/rev/76cf1178c524
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 29
Comment on attachment 8360727 [details] [diff] [review] about-home-fix [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 899222 User impact if declined: A malicious site could make a button that causes the user's session to be lost (and the previous one restored). Testing completed (on m-c, etc.): On m-c. Risk to taking this patch (and alternatives if risky): Pretty low. It's a very straightforward change. String or IDL/UUID changes made by this patch: None
status-b2g18: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-firefox26: --- → wontfix
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox29: --- → fixed
status-firefox-esr24: --- → unaffected
tracking-firefox28: --- → +
tracking-firefox29: --- → +
Do you mind taking care of this Ryan? Thanks.
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-firefox27: affected → fixed
status-firefox28: affected → fixed
For whatever reason, I wasn't able to reproduce on a Win7 system with Fx26, even when about:home was open previously. However, I am able to see it consistently on the Mac. Verified Fx28 release build. Verified Fx29, build from 2014-02-10.
Status: RESOLVED → VERIFIED
status-firefox28: fixed → verified
status-firefox29: fixed → verified
Setting in-testsuite+ as this bug has a browser chrome test.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.