###!!! ASSERTION: Native anonymous content must have its parent as its own binding parent: '!IsRootOfNativeAnonymousSubtree() || aBindingParent == aParent', file /Users/jruderman/central/content/base/src/nsGenericElement.cpp, line 2508 ###!!! ASSERTION: root of native anonymous subtree must have parent equal to binding parent: '!IsRootOfNativeAnonymousSubtree() || (GetParent() && GetBindingParent() == GetParent())', file ../../dist/include/content/nsIContent.h, line 201 ###!!! ASSERTION: must have binding parent when in native anonymous subtree: '!IsInNativeAnonymousSubtree() || GetBindingParent()', file ../../../dist/include/content/nsIContent.h, line 213

Ugh. We have _got_ to stop giving untrusted script access to native anonymous content. And can we _please_ just remove box objects? :( Or at least make their content-traversal methods throw when hitting native anon content, or skip it or something?

Do we use boxObject.firstChild/.lastChild etc anywhere?

Does an mxr search not show any uses?

firstChild etc are a bit tricky to search. Same names used in some many other places.

Now I get this error message instead of an assertion: Error: uncaught exception: [Exception... "Security Manager vetoed action arg 0 [nsIDOMXULElement.appendChild]" nsresult: "0x80570027 (NS_ERROR_XPC_SECURITY_MANAGER_VETO)" location: "JS frame :: https://bug467869.bugzilla.mozilla.org/attachment.cgi?id=351315 :: boom2 :: line 16" data: no] Is this expected?

Crashtest added: http://hg.mozilla.org/mozilla-central/rev/b85c6ee1b1ab