Closed Bug 304284 Opened 19 years ago Closed 19 years ago

doc.location.href is URL of document currently loaded in doc's tab

Categories: Core :: DOM: Core & HTML, defect (Not set, normal)
Tracking: RESOLVED FIXED, mozilla1.8beta4
People: Reporter: jruderman, Assigned: jst
Details: 5 keywords, Whiteboard: (not in 1.7/aviary)
Attachments: 2 files

If you hold a reference to |document| and get its location.href after the user
has navigated to another page, you can see the URL of the new page.

In July 29 builds and earlier, this resulted in a "permission denied" exception.
I think it should give the URL of the old document, but throwing an exception
is better than giving another URL.

This could be a regression from split windows:

Firefox 1.0.6   -  not vulnerable
Trunk, July 10  -  not vulnerable
Trunk, July 29  -  not vulnerable
Trunk, July 31  -  broken: no error in JS console, crashed once (TB8275556H)
Trunk, Aug 2    -  vulnerable
Trunk, Aug 10   -  vulnerable
Flags: blocking1.8b4?
Whiteboard: [sg:fix]
Flags: blocking1.8b4? → blocking1.8b4+
jst, can you take this?  If not, brain-dump here and mrbkap or I will.

/be
Assignee: general → jst
Ok. I've got a fix for this in my tree. The fix is to make the inner window hold
the location object and to null out the docshell in it when the inner is torn
down (i.e. when we load a different page). This brings us back to throwing an
exception (though not a security exception) when the location object is used off
of a document that's no longer loaded. Once I have access to a tree clean enough
to create a diff from I'll attach a diff...
OS: MacOS X → All
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8beta4
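
A simplified model of the fix described in the comment above, added here as an illustration and not taken from the bug or the Gecko patch. The class names, the single shared location object on the pre-fix side, and the example.* URLs are constructed assumptions.

```javascript
// Simplified model with hypothetical class names; this is not Gecko code.
class DocShell { // the tab's loader: always knows the URL loaded right now
  constructor(url) { this.currentURL = url; }
}
// Reported behaviour (assumed mechanism): one location object resolves
// through the tab's docshell, so it reports whatever page is loaded now.
class SharedLocation {
  constructor(docShell) { this.docShell = docShell; }
  get href() { return this.docShell.currentURL; }
}
// Fix described in the bug: one location per inner window, with its
// docshell reference nulled out when that inner window is torn down.
class PerInnerLocation {
  constructor(docShell) { this.docShell = docShell; }
  invalidate() { this.docShell = null; }
  get href() {
    if (this.docShell === null) {
      throw new Error("location used on a document that is no longer loaded");
    }
    return this.docShell.currentURL;
  }
}
class Tab {
  constructor(url, fixed) {
    this.fixed = fixed;
    this.docShell = new DocShell(url);
    this.shared = new SharedLocation(this.docShell);
    this.inner = this.makeInner();
  }
  makeInner() { // each page load gets a fresh inner window and document
    const loc = this.fixed ? new PerInnerLocation(this.docShell) : this.shared;
    return { document: { location: loc } };
  }
  navigate(url) {
    if (this.fixed) this.inner.document.location.invalidate(); // old inner torn down
    this.docShell.currentURL = url;
    this.inner = this.makeInner();
  }
}
// Constructed scenario: keep a reference to the old document across a
// navigation, then read location.href through that stale reference.
function readStaleHref(fixed) {
  const tab = new Tab("https://first.example/", fixed);
  const oldDoc = tab.inner.document;
  tab.navigate("https://second.example/inbox");
  try { return oldDoc.location.href; } catch (e) { return "threw: " + e.message; }
}
```

In this model `readStaleHref(false)` returns the URL of the newly loaded page, while `readStaleHref(true)` reports a plain (non-security) exception, matching the behaviour the comment says the fix restores.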
Comment on attachment 192493
Make location be per inner window (and invalidate it when the inner window is no longer the current inner window).

r=me
Attachment #192493 - Flags: review?(mrbkap) → review+
Comment on attachment 192493
Make location be per inner window (and invalidate it when the inner window is no longer the current inner window).

sr=me

Minor thought for later: maybe we should union stuff in nsGlobalWindow.h to
save space at some point.

/be
Attachment #192493 - Flags: superreview?(brendan) → superreview+
This was fixed by the checkin for bug 303267.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Keywords: fixed1.8
Regression due to split windows, not a problem in aviary/1.7 branches
Keywords: regression
Whiteboard: [sg:fix] → [sg:fix] (not in 1.7/aviary)
Flags: testcase+
Mozilla 1.7.13/20060213 winxp on attachment 192352 _will_ track the first url loaded.
(In reply to comment #9)
> Mozilla 1.7.13/20060213 winxp on attachment 192352 _will_ track the first url
> loaded.

Mozilla 1.7.13/20060217 winxp on attachment 192352 _will not_ track the first url
loaded.
Group: security
Flags: in-testsuite+ → in-testsuite?
Whiteboard: [sg:fix] (not in 1.7/aviary) → (not in 1.7/aviary)
Component: DOM → DOM: Core & HTML