Bug 304886 (Closed; opened 19 years ago, closed 19 years ago)
[FIXr]content can still shadow real DOM properties from chrome with <img name="links"> etc.
Categories: Core :: DOM: Core & HTML, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla1.8beta4
People: Reporter: jst, Assigned: bzbarsky
Details: Keywords: fixed1.8, Whiteboard: [sg:fix]
Attachments (3 files, 2 obsolete files): (deleted) text/html; (deleted) text/html; (deleted) patch

Description
In bug 296967 we made XPCNativeWrapper call into the scriptable helper hooks on
our DOM nodes to make an XPCNativeWrapped DOM look more like an unwrapped one,
but this opens up ways for content code to hide things from chrome again. If a
page contains <img name="links">, document.links will not be the collection of
links that it should be, it'll be the image named links.
Some options that were thrown around on IRC were to not expose things by name on
document and forms etc, or to reorder things in XPCNativeWrapper so that any
time a property that is defined in IDL is accessed we'd return that w/o even
calling the hooks... Both have their ups and downs...
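
The two lookup orders discussed in the description, as an added example that is not part of the bug report and is not Mozilla code. It is a simplified model using a JavaScript Proxy; `makeDocument`, `resolveByName`, `hookFirstWrapper`, `idlFirstWrapper` and the `IDL_PROPS` subset are hypothetical names, and the element records are constructed sample data.

```javascript
// Simplified model (not Mozilla code): a "document" whose IDL-defined
// properties can be shadowed by a name-resolution hook, as the report describes.
const IDL_PROPS = new Set(["links", "forms", "images"]); // assumed subset

function makeDocument(elements) {
  return {
    idl: {
      links: elements.filter(e => e.tag === "a" && e.href),
      forms: elements.filter(e => e.tag === "form"),
      images: elements.filter(e => e.tag === "img"),
    },
    // Stand-in for the scriptable helper hook: resolve a property by element name.
    resolveByName(prop) {
      return elements.find(e => e.name === prop);
    },
  };
}

// Lookup order the report describes: the hook runs first, so content wins.
function hookFirstWrapper(doc) {
  return new Proxy({}, {
    get(_t, prop) {
      const named = doc.resolveByName(prop);
      return named !== undefined ? named : doc.idl[prop];
    },
  });
}

// Reordered lookup (one option from the report): IDL properties are returned
// without calling the hook at all; only non-IDL names reach it.
function idlFirstWrapper(doc) {
  return new Proxy({}, {
    get(_t, prop) {
      if (IDL_PROPS.has(prop)) return doc.idl[prop];
      return doc.resolveByName(prop);
    },
  });
}

// Constructed sample page: one real link plus the <img name="links"> case.
const page = makeDocument([
  { tag: "a", name: "home", href: "https://example.test/" },
  { tag: "img", name: "links" },
]);
```

In this model `hookFirstWrapper(page).links` is the image record, while `idlFirstWrapper(page).links` is the one-element link collection and `idlFirstWrapper(page).home` still resolves by name.
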

Comment 2 (Assignee) • 19 years ago
This tests various XPCNativeWrapper stuff, but I added tests for this bug
explicitly -- the typeof() == 'function' ones.

Comment 3 (Assignee) • 19 years ago

Comment 4 (Assignee) • 19 years ago

Comment 5 (Assignee) • 19 years ago
Attachment #193028 - Flags: superreview?(jst)
Attachment #193028 - Flags: review?(jst)

Updated (Assignee) • 19 years ago
Priority: -- → P1
Summary: content can still shadow real DOM properties from chrome with <img name="links"> etc. → [FIX]content can still shadow real DOM properties from chrome with <img name="links"> etc.
Target Milestone: --- → mozilla1.8beta4

Comment 6 (Reporter) • 19 years ago
Comment on attachment 193028
Same as diff -w
Yeah, looks good. r+sr=jst
Attachment #193028 - Flags: superreview?(jst)
Attachment #193028 - Flags: superreview+
Attachment #193028 - Flags: review?(jst)
Attachment #193028 - Flags: review+

Comment 7 (Assignee) • 19 years ago
Comment on attachment 193028
Same as diff -w
We need this on branch. Risk is low, I think, and I've updated the
XPCNativeWrapper documentation accordingly.
Attachment #193028 - Flags: approval1.8b4?

Updated (Assignee) • 19 years ago
Summary: [FIX]content can still shadow real DOM properties from chrome with <img name="links"> etc. → [FIXr]content can still shadow real DOM properties from chrome with <img name="links"> etc.

Comment 8 (Assignee) • 19 years ago
Attachment #193027 - Attachment is obsolete: true
Attachment #193028 - Attachment is obsolete: true

Updated • 19 years ago
Attachment #193028 - Flags: approval1.8b4? → approval1.8b4+

Comment 9 (Assignee) • 19 years ago
Fixed, trunk and branch.

Comment 10 • 19 years ago
Should this bug be made public now?

Updated • 19 years ago
Whiteboard: [sg:fix]

Comment 11 (Assignee) • 19 years ago
I missed a case; filed bug 310069 on that.

Updated • 19 years ago
Flags: testcase+

Updated • 18 years ago
Group: security

Updated • 18 years ago
Flags: in-testsuite+ → in-testsuite?

Updated • 6 years ago
Component: DOM → DOM: Core & HTML