[LenientThis] behavior does not match spec and other browsers for security error cases
Categories
(Core :: DOM: Bindings (WebIDL), defect, P3)
Tracking
()
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main71-][adv-main108-])
Attachments
(2 files)
Consider this testcase:
<iframe src="https://example.com"></iframe>
<hr>
<pre><script>
onload = function() {
var desc = Object.getOwnPropertyDescriptor(window, "onmouseenter");
desc.get.call(frames[0]);
}
</script>
Per spec, this should throw an exception, because in https://heycam.github.io/webidl/#dfn-attribute-getter step 1.1.2.2, which does the security check, comes before step 1.1.2.3, which does the checking for [LenientThis]. In our code the two steps are sort of combined.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 2•5 years ago
|
||
I closed this because I realized this testcase is too close to the one for bug 1582857. We will want to land that first, then this one...
Assignee | ||
Comment 4•5 years ago
|
||
Assignee | ||
Comment 5•5 years ago
|
||
Given that we already landed bug 1582857, landing this is not a problem.
Comment 6•5 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/8e5289a67e6af729629fe80c140945d58b3c84fb
https://hg.mozilla.org/integration/autoland/rev/bb9d14131aea0b7464c4d2dc6a97808349dc7090
https://hg.mozilla.org/mozilla-central/rev/8e5289a67e6a
https://hg.mozilla.org/mozilla-central/rev/bb9d14131aea
Comment 7•5 years ago
|
||
Is this something we're going to want to uplift alongside bug 1582857 or can this ride Fx71 to release?
Assignee | ||
Comment 8•5 years ago
|
||
I think this can just ride the trains. It's a riskier change, too, since it changes what exceptions we throw in common cases not just the weird edge case bug 1582857 affects...
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 9•5 years ago
|
||
Hello Boris, Will I need a debug build in order to reproduce this issue ? After saving the Test case from the description as HTML and loading it in Firefox will I be able to see the exception in Browser Toolbox ? or Dev Tools Console ? or in CMD / Terminal ? What are the steps I can use to reproduce this issue in older builds ?
Assignee | ||
Comment 10•5 years ago
|
||
Steps to reproduce are to save the testcase as HTML, open the devtools console, and load the HTML. There should be an exception (and is one on current builds). Old builds will not have an exception.
Updated•4 years ago
|
Comment 11•2 years ago
|
||
Verified as fixed in our latest builds, we are seeing the exception in devtools console.
Updated•2 years ago
|
Description
•