Steps to reproduce: 1. Load the testcase. 2. Open DOM Inspector. 3. Click the HTML element in the node tree pane. 4. Select "JavaScript Object" mode in the right pane. Result: "Custom __iterator__ called" alert appears, and the normal properties of the object aren't listed in DOM Inspector.

This is a bug in DOM inspector -- it arguably should isolate itself from the page's use of new features such as the iteration protocol. I'm not sure why you filed this against the JS engine. /be

The same thing happens if a document in one domain tries to iterate over the properties of a document in another domain...

How does that cross-site scripting exploit work? Can you get at another window's document object in order to iterate it? It ought to be off limits by the same origin policy. A testcase would be good, since the DOM inspector case doesn't demonstrate this claim. /be

Hmm, that testcase confuses Firefox's address bar.

Address bar confusion --> bug 339928.

For the cross-domain case to work, the script trying to do the for..in has to be top-level. Weird.

I haven't tested the DOMI testcase yet, but this patch fixes the cross-origin problem by doing security checks even when the only script running on cx is the top level script with no function object.

DOMI behavior is not a bug. DOMI sets xpcnativewrappers=no, use it carefully. /be

I missed needsSecurityCheck the first time around.

Comment on attachment 224271 [details] [diff] [review] Better fix - In needsSecurityCheck(): cached_win_cx = cx; cached_win_wrapper = wrapper; - cached_win_needs_check = PR_TRUE; There's a few early returns after this code that relies on the static cached_win_needs_check being set to true here. So what you probably want it so just leave this line in, and add the line where you're setting it to false. r=jst with that changed.

> DOMI behavior is not a bug. DOMI sets xpcnativewrappers=no, use it carefully. Don't use DOM Inspector on untrusted pages? Eww.

Comment on attachment 224284 [details] [diff] [review] Updated sr=me, thanks for fixing. Make this block the js1.7 bug please, and collect any other blockers so we can get their patches landed on the 1.8 branch in due course. /be

Fix checked into trunk.

This caused a significant Tdhtml regression. See bug 340537.

This blocks js1.7 and I think it allows top-level scripts to access properties cross-domain.

Comment on attachment 224284 [details] [diff] [review] Updated If we take this, we're also going to want the patch for bug 340537 to fix the perf regression this introduces.

May fix bug 339918

Fix checked into the 1.8 branch.

Comment on attachment 224284 [details] [diff] [review] Updated approved for 1.8.0 branch, a=dveditz for drivers

Fix checked into the 1.8.0 branch.

(In reply to comment #22) > May fix bug 339918 meant bug 343594

This bug does not affect Firefox 1.0.x or Mozilla 1.7.x

https://bugzilla.mozilla.org/attachment.cgi?id=224017 ff2b2 windows, linux alert custom iterator called https://bugzilla.mozilla.org/attachment.cgi?id=224028&action=view not sure I am testing this right. Jesse, can you verify this is fixed on firefox beta 2?

pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites. adding him to the cc list in these...